RDP Authentication Error: CredSSP Encryption Oracle Remediation
After installing the Windows security updates that issued after May 2018, you may face the CredSSP encryption oracle remediation error during RDP connection to the remote Windows server or computer in the following cases:
-
You are trying to connect to the remote desktop of a computer with a recently installed old Windows version (for example, Windows 10 RTM, or build 1709 or older, Windows Server 2012 R2, Windows Server 2016), on which the latest Windows security updates are not installed;
-
You are trying to connect via RDP to a computer on which Microsoft updates have not been installed for a long time;
-
The remote computer blocked RDP connection because the necessary security updates are missing on your computer.
Let’s try to understand what the RDP error CredSSP encryption oracle remediation means and how to fix it.
So, when trying to connect to the RemoteApp on RDS servers running Windows Server 2016/2012 R2/2008 R2, or to remote desktops of other users using the RDP protocol (on Windows 10, 8.1 or 7), an error appears:
Remote Desktop connection
An authentication error has occurred.
The function is not supported.
Remote Computer: hostname
This could be due to CredSSP encryption oracle remediation.
This error occurs due to the fact that Windows security updates (at least since March 2018) were not installed on remote Windows instance, to which you are trying to connect via RDP.
This error may also look like this: An authentication error has occurred. The function requested is not supported.
In March 2018, Microsoft released updates that block remote code execution using a vulnerability in the CredSSP (Credential Security Support Provider) protocol (bulletin CVE-2018-0886). In May 2018, an additional update was published, which by default prevents Windows clients from connecting to remote RDP servers with a vulnerable (unpatched) version of the CredSSP protocol.
Thus, if you have not installed cumulative security updates on your Windows RDS/RDP servers (computers) since March 2018, and May 2018 updates (or newer) were installed on RDP clients, then when you try to connect to RDS servers with an unpatched version of CredSSP an error appears: This could be due to CredSSP encryption oracle remediation.
The RDP error on clients appears after the following security updates are installed:
-
Windows 7 / Windows Server 2008 R2 — KB4103718
-
Windows 8.1 / Windows Server 2012 R2 — KB4103725
-
Windows Server 2016 — KB4103723
-
Windows 10 1803 — KB4103721
-
Windows 10 1709 — KB4103727
-
Windows 10 1703 — KB4103731
-
Windows 10 1609 — KB4103723
This list shows the KB numbers from May 2018; at the moment you need to download and install the latest cumulative update package for your Windows edition. You can get the latest security updates through Windows Update from Microsoft servers, from a local WSUS server, or manually download hotfix *.msu files from the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/Home.aspx). For example, to search for August 2019 updates for Windows 10 1803, you need to use the following search query: windows 10 1803 x64 8/*/2019. Download and install the Windows cumulative update (in my example, it is “2019-08 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4512509)”.
To restore remote desktop connection, you can uninstall the specified security update on the remote computer (but it is not recommended and you should not do this, there is a more secure and correct solution).
To fix the connection problem, you need to temporarily disable the CredSSP version check on the computer from which you are connecting via RDP. This can be done using the local Group Policy editor.
-
Run the local GPO editor: gpedit.msc;
-
Go to the GPO section Computer Configuration -> Administrative Templates -> System -> Credentials Delegation;
-
Locate the policy with the name Encryption Oracle Remediation, enable the policy and set the Protection level to Vulnerable;
-
Update the policy setting on the computer (run gpupdate /force command) and try to connect to the remote server via RDP. With the Oracle Remediation Encryption policy set to Vulnerable, client applications with CredSSP support will be able to connect even to unpatched RDS/RDP endpoints.
Encryption Oracle Remediation policy offers 3 available values to protect against CredSSP vulnerability:
-
Force Updated Clients — the highest protection level when the RDP server blocks the connection from non-patched clients. Usually, this policy should be enabled after you have completely updated the entire infrastructure and added the latest security updates to the Windows install images for servers and workstations;
-
Mitigated — in this mode, an outgoing remote RDP connection to RDP servers with a vulnerable version of CredSSP is blocked. However, other services using CredSSP work fine;
-
Vulnerable — the lowest level of protection when connecting to an RDP server with a vulnerable version of CredSSP is allowed.
If you do not have a local GPO editor (for example, in Windows Home editions), you can make a directly registry change that allows RDP connection to servers with unpatched version of CredSSP:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
You can change AllowEncryptionOracle registry parameter on multiple computers in AD using a domain GPO or with such a PowerShell script (you can get a list of computers in the domain using the Get-ADComputer cmdlet from the RSAT-AD-PowerShell module):
$computers = (Get-ADComputer -Filter *).DNSHostName
Foreach ($computer in $computers) {
Invoke-Command -ComputerName $computer -ScriptBlock {
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
}
}
After successfully connecting to a remote RDP server (computer), you need to install the latest security updates through the Windows Update (verify that the wuauserv service is enabled) or manually. Download and install the latest cumulative Windows updates from the Microsoft Update Catalog website as shown above. If the error “The update is not applicable to your computer” appears when installing the MSU update, read the article using the link above.
For Windows XP/Windows Server 2003 that are no longer supported, you need to install updates for Windows Embedded POSReady 2009. For example: https://support.microsoft.com/en-us/help/4056564.
After installing the updates and rebooting the server, don’t forget to disable the policy on the clients (either switch it to the Force Updated Clients), or return the value of the AllowEncryptionOracle registry parameter to 0. In this case, your computer will not be at risk of connecting to CredSSP unprotected hosts and exploitation of the vulnerability.
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0
There is another scenario in which updates are not installed on your computer. For example, the RDP server is updated, but it has a policy that blocks RDP connections from computers with the vulnerable version of CredSSP (Force Updated Clients policy setting). In this case, you will also see the RDP connection error “This could be due to CredSSP encryption oracle remediation”.
Check the Windows updates last install date on your computer using the PSWindowsUpdate module or through the WMI command in the PowerShell console:
gwmi win32_quickfixengineering |sort installedon -desc
This example shows that the latest Windows security updates were installed on June 17, 2018. Download and install the newer MSU cumulative update file for your Windows edition (see above).