Microsoft May Security Update - CredSSP

I'm experiencing something very strange after deploying the May security update on our test machines. Here is the thing -

client machines: Win 7 with May security installed, CredSSP patched

server machines: Win 2008R2, unpatched

We have TWO particular AD user accounts who always fail the FIRST login while trying to RDP from a patched client to the unpatched servers. The error is "Unknown Username or Password". In Event Viewer, I can find event 4625, which indicates the same failure reason with status: 0xc0000006c sub status: 0xc0000006a

After some tests and research, I figured this has something to do with the CredSSP patch released in the May security update. However, the error message doesn't match the one listed in the Microsoft KB https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Somehow it doesn't match the Interoperability matrix either.

The strangest part is that this is only affecting these two particular AD accounts (just regular user accounts; I can't think of anything special about these two accounts). After their first login attempt fails, they can log in successfully on the second attempt.

The other solution is to apply the security policy mentioned in the Microsoft KB (changing Encryption Oracle Remediation to Vulnerable).

I believe it is definitely caused by the May security patch, but I couldn't figure out why it's only affecting two AD accounts. I would expect the same behavior for all AD users.

Sun Cleverland

Posted 2018-05-31T08:57:36.627

Reputation: 51

Question was closed 2018-06-12T02:47:44.507

It's likely this is related to the fact the server is behind on patches. Is there a reason you've not tried to solve this by installing available updates? – I say Reinstate Monica – 2018-05-31T10:26:38.043

Because of this unexplainable situation, I'm a bit hesitant to deploy the patch on the server side. I would prefer to have everything figured out rather than go straight to the patches. I worry there might be other potential impacts that I could not fully anticipate. – Sun Cleverland – 2018-05-31T10:34:22.783

Installing updates to resolve unwanted behavior is one of the first things a sysadmin does. Postponing this step is the equivalent of demanding an explanation as to why your car won't start before trying to fill the gas tank. – I say Reinstate Monica – 2018-05-31T10:41:56.933

Answers

KB4103712 does solve the problem. But it can't explain why particular AD accounts need to log in twice before applying the patch.

Sun Cleverland

Posted 2018-05-31T08:57:36.627

Reputation: 51
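As an added example (not code from the question or answer above), the following PowerShell audits the CredSSP state the thread is about: the Encryption Oracle Remediation policy value (the `AllowEncryptionOracle` DWORD documented in the KB the question links), whether KB4103712 from the answer is installed, and the status/sub-status pairs of recent 4625 logon failures so the "fails once, then succeeds" accounts can be spotted per host. It assumes it runs locally on the Windows host being checked with rights to read the Security log; the function names are the example's own.

```powershell
# Added example: audit CredSSP remediation state after the CVE-2018-0886 updates.
# Registry path and value name are the ones documented in KB4093492 (linked in the question).
$CredSspPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Documented meanings of the AllowEncryptionOracle policy value.
$AllowEncryptionOracleMeaning = @{
    0 = 'Force Updated Clients: only patched peers may connect'
    1 = 'Mitigated: default once the May 2018 update is installed'
    2 = 'Vulnerable: unpatched peers allowed, protection removed (the workaround in the question)'
}

function Get-CredSspRemediationState {
    $item = Get-ItemProperty -Path $CredSspPolicyPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit policy: a patched OS behaves as Mitigated (1).
        return [pscustomobject]@{ Configured = $false; Value = 1; Meaning = $AllowEncryptionOracleMeaning[1] }
    }
    $v = [int]$item.AllowEncryptionOracle
    return [pscustomobject]@{ Configured = $true; Value = $v; Meaning = $AllowEncryptionOracleMeaning[$v] }
}

function Test-CredSspPatchInstalled {
    # KB4103712 is the May 2018 update named in the answer for Windows 7 / Server 2008 R2.
    return [bool](Get-HotFix -Id 'KB4103712' -ErrorAction SilentlyContinue)
}

function Get-RecentLogonFailures {
    # Returns one object per 4625 event with the NTSTATUS pair the question quotes,
    # so repeated first-attempt failures can be grouped by account and source host.
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Source    = $data['IpAddress']
                Status    = $data['Status']
                SubStatus = $data['SubStatus']
            }
        }
}

# Usage: report the policy, the patch state, and the failure pattern per account.
Get-CredSspRemediationState
"KB4103712 installed: $(Test-CredSspPatchInstalled)"
Get-RecentLogonFailures | Group-Object Account, Status, SubStatus | Select-Object Count, Name
```

A host showing Value 2 has the Vulnerable workaround applied; once both client and server are patched, the value should be returned to Mitigated (1) or the policy removed.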