49

Error

Following Windows security updates in May 2018, when attempting to RDP to a Windows 10 Pro workstation the following error message is displayed after successfully entering user credentials:

An authentication error occurred. The function requested is not supported.

This could be due to CredSSP encryption oracle remediation


Debugging

  • We have confirmed user credentials are correct.

  • Rebooted the workstation.

  • Confirmed on-prem directory services are operational.

  • Isolated workstations yet to apply the May security patch are not affected.

Can manage in the interim for on-prem hosts, concerned about cloud-based server access however. No occurrences on Server 2016 yet.

Thank you

scott_lotus

14 Answers

22

Based entirely on Graham Cuthbert's reply I created a text file in Notepad with the following lines, and just double clicked it afterwards (which should add to Windows Registry whatever parameters are in the file).

Just note that the first line varies depending on which Windows version you are using, so it might be a good idea to open regedit and export any rule just to see what's in the first line and use the same version in your file.

Also, I am not concerned about degrading security in this particular situation because I am connecting to an encrypted VPN and the host Windows does not have access to the internet and thus doesn't have the latest update.

File rd_patch.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

For those who would like something easy to copy / paste into an elevated command prompt:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
Evan Anderson
Rodriguez
  • 1
    Having the Home edition of Windows 10, this is the fastest temporary way to get up and running. – ahmad molaie May 27 '18 at 08:56
  • 1
    This REG file should be imported on the client or the server? – nivs1978 Jun 01 '18 at 09:04
  • @nivs1978, this file is meant to be used in the client side, assuming that the client has the newer updates and the server doesn't. So it will basically allow the most updated client to connect to a server that hasn't been updated recently. – Rodriguez Jun 05 '18 at 16:07
  • Thanks! I'm using Win 10 Home. I've uninstalled the win update that created this issue 10 times, and MS keeps putting it back, despite doing everything I could to stop such. There is also no Policy Editor (or it's not respected) on this version of Windows. I looked for these reg keys, per docs that I read, and they didn't exist, so I figured they would not work. But I tried running your reg file anyway, it fixed the issue like a charm! – BuvinJ Sep 21 '18 at 19:20
16

Credential Security Support Provider protocol (CredSSP) is an authentication provider that processes authentication requests for other applications.

A remote code execution vulnerability exists in unpatched versions of CredSSP. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. Any application that depends on CredSSP for authentication may be vulnerable to this type of attack.

[...]

March 13, 2018

The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes will require a reboot of the affected systems.

Pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers in the compatibility table later in this article.

April 17, 2018

The Remote Desktop Client (RDP) update in KB 4093120 will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.

May 8, 2018

An update to change the default setting from Vulnerable to Mitigated.

Source: https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018 [1]

See also this reddit thread: https://www.reddit.com/r/sysadmin/comments/8i4coq/kb4103727_breaks_remote_desktop_connections_over/ [2]

Microsoft's workaround:

  • Update server and client. (requires restart, recommended)

Not recommended workarounds if your server is publicly available, or if you do NOT have strict traffic control in your internal network, but sometimes restarting RDP server in work hours is a no go.

  • Set CredSSP patching policy via GPO or the Registry. (requires restart or gpupdate /force)
  • Uninstall KB4103727 (no restart required)
  • I think that disabling NLA (Network Layer Authentication) may work too. (no restart required)

Be sure to understand the risks when using those and patch your systems ASAP.

[1] All GPO CredSSP description and registry modifications are described here.

[2] examples of GPO and registry settings in case Microsoft's site goes down.

Michal Sokolowski
7
  1. Go to "Local Group Policy Editor > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation", edit and enable it, then set "Protection Level" to "Mitigated".
  2. Set registry key (from 00000001 to 00000002) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] "AllowEncryptionOracle"=dword:
  3. Restart your system if needed.
  • I used the first step with the exception of enabling it and setting it to Vulnerable. Then I was able to RDP my W10 to a W7 machine on the network – seizethecarp Jun 12 '18 at 15:42
  • I've done as you mentioned and worked! Client W10 and Server WS2012 R2. Thanks! – Phi Jul 30 '18 at 20:36
4

Research

Referring to this article:

https://blogs.technet.microsoft.com/askpfeplat/2018/05/07/credssp-rdp-and-raven/

May 2018 tentative update that could impact the ability to establish remote host RDP session connections within an organization. This issue can occur if the local client and the remote host have differing “Encryption Oracle Remediation” settings within the registry that define how to build an RDP session with CredSSP. The “Encryption Oracle Remediation” setting options are defined below and if the server or client have different expectations on the establishment of a secure RDP session the connection could be blocked.

A second update, tentatively scheduled to be released on May 8, 2018, will change the default behavior from “Vulnerable” to “Mitigated”.

If you notice if both the client and server are patched, but the default policy setting is left at “Vulnerable” the RDP connection is “Vulnerable” to attack. Once the default setting is modified to “Mitigated” then the connection becomes “Secure” by default.

Resolution

Based on this information I am proceeding to ensure all clients are fully patched, I would then expect the issue to be mitigated.

scott_lotus
4

The registry value was not there on my Windows 10 machine. I had to go to the following local group policy and apply the change on my client:

Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation

Enable and set the value to Vulnerable.

JonathanDavidArndt
3

It's recommended to update the client instead of using these kinds of scripts to just bypass the error, but at your own risk you can do this on the client, with no need to restart the client PC. There is also no need to change anything on the server.

  1. Open Run, type gpedit.msc and click OK.
  2. Expand Administrative Templates.
  3. Expand System.
  4. Open Credentials Delegation.
  5. On the right panel double click on Encryption Oracle Remediation.
  6. Select Enable.
  7. Select Vulnerable from Protection Level list.

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection).

Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability.

If you enable this policy setting, CredSSP version support will be selected based on the following options:

Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. Note: this setting should not be deployed until all remote hosts support the newest version.

Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.

Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.

  8. Click Apply.
  9. Click OK.
  10. Done.


  • You are recommending that people click on an option saying "Vulnerable". It would be good to explain what the consequences of this will be, instead of just giving a (good) script to do it. – Law29 Jul 08 '18 at 17:52
  • @Law29 You're right, Updated! – Ahmad Behzadi Jul 08 '18 at 18:18
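
For anyone who has applied one of the registry or policy workarounds in this thread, a check like the following reports which protection level a machine is currently using and lets you take it back off "Vulnerable" once the remote hosts are patched. This is an added example, not code from any of the answers; the function names Get-CredSspOracleSetting and Reset-CredSspOracleSetting are hypothetical, and the value mapping (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) is taken from the Microsoft KB 4093492 article linked above rather than from the thread itself.

```powershell
# Added example (not from the original thread): audit and undo the CredSSP workaround.
# Same key the answers above write to.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-CredSspOracleSetting {
    # Value meanings per Microsoft KB 4093492 (assumption stated in the lead-in).
    $levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    $value = $null
    if (Test-Path -LiteralPath $CredSspKey) {
        $item = Get-ItemProperty -LiteralPath $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.AllowEncryptionOracle }
    }

    if ($null -eq $value) {
        # Key or value absent: the default of the installed CredSSP update applies.
        $level = 'Not configured (OS default applies)'
    } elseif ($levels.ContainsKey($value)) {
        $level = $levels[$value]
    } else {
        $level = "Unknown value $value"
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Value           = $value
        ProtectionLevel = $level
        NeedsReview     = ($value -eq 2)   # true only for the "Vulnerable" workaround
    }
}

function Reset-CredSspOracleSetting {
    # Moves a machine from Vulnerable (2) back to Mitigated (1); supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $current = Get-CredSspOracleSetting
    if (-not $current.NeedsReview) { return $current }   # nothing to undo

    if ($PSCmdlet.ShouldProcess($CredSspKey, 'Set AllowEncryptionOracle to 1 (Mitigated)')) {
        Set-ItemProperty -LiteralPath $CredSspKey -Name AllowEncryptionOracle -Value 1 -Type DWord
    }
    Get-CredSspOracleSetting
}

# Report the current state; run Reset-CredSspOracleSetting -WhatIf to preview the change.
Get-CredSspOracleSetting
```

Run it from an elevated PowerShell session. If the value is delivered by a domain GPO it will be reapplied at the next policy refresh, so change it in the GPO instead.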
2

Simply try to disable Network Level Authentication from Remote Desktop. Could you please check the following image:

enter image description here

0

I found the answer here, so can't claim it as my own, but adding the following key to my registry and restarting fixed it for me.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
Michael Hampton
  • 6
    This means that your communication with all servers that don't enforce the oracle decryption remediation is allowed to be downgraded and could be decrypted. So you put yourself at risk. Currently even servers with upgraded credSSP don't refuse downgraded clients by default, so it would mean virtually all your remote desktop sessions are at risk, even if your client is fully up-to-date on this issue! – Gerrit May 10 '18 at 10:05
  • 1
    This registry change is NOT recommended. – spuder May 14 '18 at 18:04
0

This guy has a solution for your exact issue:

Essentially - you'll have to change the GPO settings and Force an update. But these changes will require a reboot to be in effect.

  1. Copy these two files from a freshly updated machine;

    • C:\Windows\PolicyDefinitions\CredSsp.admx (Dtd Feb 2018)
    • C:\Windows\PolicyDefinitions\en-US\CredSsp.adml (Dtd Feb 2018 – Your local folder may be different i.e. en-GB)
  2. On a DC, navigate to:

    • C:\Windows\SYSVOL\sysvol\<your domain>\Policies\PolicyDefinitions
    • Rename the current CredSsp.admx to CredSsp.admx.old
    • Copy the new CredSsp.admx to this folder.
  3. On the same DC navigate to:

    • C:\Windows\SYSVOL\sysvol\<your domain>\Policies\PolicyDefinitions\en-US (or your local language)
    • Rename the current CredSsp.adml to CredSsp.adml.old
    • Copy the new CredSsp.adml file to this folder.
  4. Try your group policy again.

https://www.petenetlive.com/KB/Article/0001433

Justin
0

As others have said, this is because of a March patch that Microsoft released. They released a May patch on May 8th that actually enforces the March patch. So if you have a workstation that received the May patch and you're trying to connect to a server that hasn't received the March patch, you'll get the error message in your screenshot.

The Resolution

You really want to patch the servers so that they have the March patch. Otherwise, in the meantime you can apply a Group Policy or registry edit.

You can read detailed instructions in this article: How to Fix Authentication Error Function Not Supported CredSSP Error RDP

You can also find copies of the ADMX and ADML files in case you need to find them.

0

I got the same issue. Clients are on Win7 and RDS servers are 2012R2. Clients received "2018-05 security monthly quality roll up update (kb4019264)". After removing that, all was well.

Root Loop
0

I found some of our machines had stopped performing Windows Update (we run local WSUS across our domain) sometime in January. I'm guessing a prior patch caused the problem (machine would complain about being out of date, but wouldn't install the Jan patches it said it needed). Due to the 1803 update, we couldn't just use Windows Update from MS directly to fix it (would timeout for some reason and updates wouldn't run).

I can confirm that if you patch the machine to version 1803 it contains the fix to this. If you need a fast path to fix this, I used the Windows Update Assistant (top link that says Update) to perform the update directly (seems more stable than Windows Update for some reason).

Machavity
0

We removed that latest security update KB410731 and we were able to connect with Windows 10 machines at build 1709 and earlier. For PCs we could upgrade to build 1803, this resolved the problem without uninstalling KB4103731.

0

Open PowerShell as admin and run this command:

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Try now to connect to the server. It will work.

I say Reinstate Monica