Unable to connect via RDP: CredSSP encryption Oracle remediation

Update: this blog post pretty much says the same, however seems to have some more information on the issue and additional workarounds! If you want the details, check there, if you want the quick fix for Windows 10, this place is as good as it gets 😉

Today I came across several machines where I would not be able to connect via Remote Desktop, using RDP (Remote Desktop Protocol).

This was the error:

1_rdp_error

An authentication error has occurred.
The function requested is not supported

Remote computer: <redacted>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

The issue did not have anything to do with connecting to an Oracle machine, so I was pretty much in the dark about this.

The link goes to this page: https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018. It explains the CredSSP (Credential Security Support Provider Protocol) and information on a series of Windows security updates since March 2018.

It seems a security patch is the cause of the issue and more specifically, if there is a mismatch between client (the machine you’re working on and the server (your RDP target). However, it seems on some machines it blanks out with the error above and on other it seems to work regardless of patch level. So this might not be the complete reason after all.

Just (un-)installing the patch on my (client) machine will not work, since on some target servers, the patch may be installed, on other it may not.

While digging and googling I found a setting in the Group Policy Editor, to ignore the patch level for Encryption Oracle Remediation:

On your machine (Windows 10), run gpedit.msc and go to:

Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

There, set the setting for Encryption Oracle Remediation, to “Enabled” and Protection Level to “Vulnerable”. Click OK and try again. It should work!

2_gpedit

A warning about Group Policies

Changing the Local Group Policy might not be the best idea and some people might not even have access to it. However, it gets the job done and I’ve set a reminder in my calendar in a few weeks to check if this setting is still needed.

Hope this helps!
Cheers, Pieter

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s