RDP authentication error due to the CredSSP encryption oracle remediation error

When you try to connect to a computer that does not have the CredSSP encryption oracle remediation error update, the Remote Desktop Connection will display the an error message telling that you that an authentication error has occurred due to CredSSP encryption oracle remediation.
Latest posts by Mohamed A. Waly (see all)
Contents of this article

The issue ^

In March, Microsoft released a security update to address vulnerabilities for the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) connections for Windows clients and Windows Server.

Previously, you were able to connect remotely from the updated machine to machines without the update. However, with the latest update released this May, Microsoft hardened security, and you can no longer connect to machines without the update.

You will face the CredSSP encryption oracle remediation error if you have applications or services such as the Remote Desktop Connection that use CredSSP on an updated machine. Authentication will not work and you will get this error message:

An authentication error has occurred. The function requested is not supported. Remote computer: This could be due to CredSSP encryption oracle remediation.

RDP authentication failed

RDP authentication failed

The solution ^

To solve this issue, you have to install the update on the servers. However, if you need to connect to a computer that hasn't received the update, you can downgrade the protection level to Vulnerable. You can do this either via Group Policy or by changing the registry.

The Group Policy setting you need is Encryption Oracle Remediation. It provides three protection levels:

  • Force Updated Clients: This is the highest level of protection because it requires applying the update to all clients you are going to communicate with using CredSSP. Thus, do not choose this option before applying the update to all of your clients and servers.
  • Mitigated: This level blocks applications such as the Remote Desktop Connection to connect to servers that do not have the update. However, services that use CredSSP will work.
  • Vulnerable: This is the lowest level of protection. It will allow you to connect to servers remotely using RDP. However, it will expose the servers to attacks.

To set the protection level to Vulnerable via Group Policy, follow these steps:

  1. Execute gpedit.msc.
  2. Navigate to the following path: Computer Configuration > Administrative Templates > System > Credentials Delegation.
  3. Edit the following setting: Encryption Oracle Remediation.
  4. Set it to Enabled, and set the protection level to Vulnerable.
Change the protection level to Vulnerable

Change the protection level to Vulnerable

Also, you can do it via the registry. This will provide the protection levels via numerical values:

  • Force Updated Clients: 0
  • Mitigated: 1
  • Vulnerable: 2

To change the registry key to Vulnerable, you can run the following commands:

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads and for free by becoming a member!

23+
avataravataravatar
Share
37 Comments
  1. Rory Schmitz 2 years ago

    Also ran into this in the last couple of weeks.  I found the workaround before I saw this, but thanks for posting an explanation as to the reasoning behind it.

    2+

  2. Good Article Mohamed! I will strongly suggest to read the article and in detail CVE-2018-0886. When I found that issue few weeks ago after the CVE article I've decided to patch immediately few servers, the main reason is that "Any change to Encryption Oracle Remediation requires a reboot." so I preferred to apply the hotfix instead of applying a regkey or create a group policy that should apply the change and after patching revert the change.
    Using Invoke-Command and Get-HotFix is possible to check/scan quickly if servers/hosts are already patched or with get-winevent (System, EventID 6041) on some clients to collect text message of the connection failed without even trying to RDP on each computer on different network or environment.

    5+
    avataravataravatar
    • Author

      Hello Paolo,
      Thank you so much for sharing such  a brilliant idea with me. However, we need to consider that many IT admins do not prefer to apply updates on their servers and clients one shot. They regularly do it in phases to avoid any unexpected behaviors from the update. That's why the first thing you would do would be either changing the group policy or the registry in order to workaround the issue and proceed with your operations. Also, when I tested that either in test labs or in customers sites', it did not require a reboot.

      Finally, when the company decides to update all the clients and servers, it would be better to change the group policy from the DC to avoid repeating the tasks on the all clients/servers they have changed the policy for it earlier.

      In production you cannot just check/scan updates using PowerShell. Commonly, they are using SCCM or WSUS or any third party tool.
      However, your way of thinking about it is very brilliant for Workgroup computers.

      2+
      avatar
      • I agree with you in managing servers with SCCM, that leverages WSUS and I also follow the common sense of applying changes on a test ring and after a positive result move to the next one. Keep in mind that as admins we also apply the same common practice to group policies and registry changes.

        If this issue creates an outage it means that the some of the servers weren't patched and the request or incident needs to be managed according to the service.
        Regarding the production environment, it depends by the kind of access and accountability that you have and most importantly which process to follow to apply any change, if updates are scheduled for patching Tuesday or 1 month behind and so on.

        But in this case really mitigation strategy almost takes longer in total more to test, deploy than fix it once. In my case for workarounds I suggested to rdp to an un-patched client that was offline and use it as a jumpbox to rdp to the un-patched hosts, lucky that in my case the hosts to patch were really infinitely small percentage.

        1+

  3. Rory Schmitz 2 years ago

    Mohamed, once we apply the workaround registry key prior to patch cycle, that leaves us 'vulnerable' so-to-speak.  Once we get around to applying the patches in CVE-2018-0886 (KB 4093120), does make us 'secure' again or do we need to then apply that registry entry to the value of:  0 (zero) to force updated clients?

    I just want to make sure we don't leave ourselves vulnerable even after the patch...

    Thank you.

    0

    • Author

      Hello Rory,

      When you apply the workaround that makes the RDP session exposed for attacks, even when you apply the update, it will not change the protection level automatically. So, you will have to apply a higher protection level again either via registry or group policy.

      4+
      avatar
      • Rory Schmitz 2 years ago

        Thanks for the clarification on that.  I think that's one thing a lot of us IT Admins forget about doing after we apply workarounds.  It's good that Paolo mentioned the Invoke and get-hotfix commands to easily tell if the machine is still vulnerable or not.  Good Stuff!

        0

  4. Tony Bowe 2 years ago

    Let's say we apply the May patch to the client and the server and do nothing else. Do we still need to apply a GPO to the client and the server to 'force updated clients' or is the patch good enough at this point? If anyone can clarify this that would be great.

    0

    • Author

      If the patch is applied for the client and the server, you need to do nothing, but in case you cannot or you are patching your server in phases, you need to consider this workaround.

      1+

  5. Travis 2 years ago

    That worked. Thank you!

    0

  6. Narvert Doyle Del Carmen 2 years ago

    it didn't work 🙁

    0

  7. Good article! I think it is a good workaround as temporary solution waiting to update both side (client and server) in order to be safe from remote attacks.
    For your info, Microsoft has published another article if you get the "CredSSP encryption oracle remediation" error when you are connecting via RDP to Windows VM in Azure from the local client.

    Link : "CredSSP encryption oracle remediation" error when RDP to a Windows VM in Azure

    Consider the following scenario:

    The Credential Security Support Provider protocol (CredSSP) updates for CVE-2018-0886 are applied to a Windows virtual machine (VM) (remote server) in Microsoft Azure or on a local client.
    You try to make a remote desktop (RDP) connection to the server from the local client.

    In this scenario, you receive the following error message:

    An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

    1+
    avatar
  8. J 2 years ago

    What do I do if "Oracle Remediation Delegation" isn't there?

    Please help!

    5+

    • What is exactly your issue ? This article describes workaround  when you get “CredSSP encryption oracle remediation” error message.

      1+
      avatar
  9. Erik 2 years ago

    Hi guys,

    I have same problem, thought was server 2012 R2 having problem. Ended up is easy fixed. Takes less than 2 minutes

    Windows 10

    install Microsoft Remote Desktop from Microsoft Store

    launch it and see if works

     

    4+

    • Brain Akpobome 3 months ago

      It totally worked for me. Thank for sharing. I am using RDP wrapper with Windows 10 and after an update to one of the client system, just that system with the update could not connect Remote Desktop.

      I downloaded the remote desktop client app from Windows app store and everything is fine. 

      Thanks again @Erik, it did took 2 minutes.

      0

  10. Gavin 2 years ago

    I followed all the steps you stated but couldn't find Credentials Delegation after i clicked "SYSTEM". What do I do?

    3+

  11. Gavin 2 years ago

    Hello Mohamed.

    I followed the same step as indicated but there was no option of Credentials Delegation on the settings. What do I do?

    Computer Configuration > Administrative Templates > System > Credentials Delegation.

     

    1+

    • Author

      In that case, you might want to try to PowerShell script I've stated in the article:

      $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\"
      New-ItemProperty -Path $RegPath -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force

      If it displayed an error that CredSSP does not exist, then you need to create it and the CredSSP and Paramerters containers before running the previous script by running the following Cmdlets:
      New-Item HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\
      and
      New-Item HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\

      3+

      • laroche 2 years ago

        Script didn't work. This is unbearably frustrating.

        0

  12. Netha 2 years ago

    Hi

    I am expericing this issue on 300 remote desktops! None of the above workarounds work for me

    My current "workaround" is:

    -Mount Windows OS ISO the machine

    -Run the installed and "Reinstall/Repair" the Windows Installation

    -Run Windows Update

    -Patch Installs and RDP is now working

    Can anyone advise why my process is so long/anything else I can try to remediate the issue for the other 298 machines 🙁

    0

    • Dhana 2 years ago

      http://www.catalog.update.microsoft.com/Search.aspx?q=KB4103723

      Install this patch it will definitely help u...

      if you want to install this patch in all 300 machines from remote support.

      you can also install Microsoft Remote Desktop from Microsoft Store and then take each machine and install this patch..

      hope this will  help you out........

      Dhana

      India-Chennai

       

      3+

      • Rajashekara BM 4 months ago

        Thanks Dhana,

         

        It is working

        0

  13. Adrian Morson 2 years ago

    reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2

    3+

  14. From an elevated command prompt run the following;

    reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2

    You will then be able to log into your server.

    6+

  15. Nethan 2 years ago

    This did not work for me Adrian 🙁

    0

    • Did you run it from an elevated command prompt? Any error messages? It needs to be run on the computer you have launched RDP from.

      1+

      • Hany 1 year ago

        Thanks you are the only one who mention that ( It needs to be run on the computer you have launched RDP from.)

         

        Thanks again

        2+

  16. Terry Clarke 2 years ago

    I have two different parties managing the desktop and the server and have limited access to the configuration information on either side.   It's not entirely clear to my how to tell which side has not been upgraded with the CSSP patch. My working assumption is that it is the server side (running on Azure) that did the upgrade, and that the desktop side has not has CSSP upgraded.

    I have access and control on the server side, but not to the Desktop. Getting the upgrade going for the desktops in the short team is rather an impossible task within a large corporation. So can we just make this change on the server side to downgrade CSSP to vulnerable status. My assumption here is that when corporate IT gets a round TUIT, we will d then get a connection error message again, which will prompt to set the server side CSSP level to a higher level.

     

    0

  17. Shadid 2 years ago

    Incase if want to check patch is installed for each version.

    Note: This last as date of 31/7/2018

    Windows 8.1/Windows Server 2012 R2
    dism /online /get-packages | findstr KB4093120

    Cumulative Update For Windows 10 Version 1607 (Earlier then that required to be updated)
    dism /online /get-packages | findstr KB4093119

    Cumulative Update For Windows 10 Version 1703 April 2018
    dism /online /get-packages | findstr KB4093117

    Cumulative Update For Windows 10 Version 1709 May 2018
    dism /online /get-packages | findstr KB4103714

    Cumulative Update For Windows 10 Version 1709 December 2017
    dism /online /get-packages | findstr KB4054517

    Cumulative Update For Windows 10 Version 1803 May 2018
    dism /online /get-packages | findstr KB4103721

    0

  18. Humberto 1 year ago

    It work but when i restart my pc the value change to 1 again, is there a solution to this?

    0

  19. Faddy 1 year ago

    Hey mate,

    Thanks for sharing the PowerShell Command.

    It didn't work with the GUI, however, worked like a charm with the command.

    Hopefully it won't change back to value 0 or 1.

    Have a good day!

    0

  20. wajdi 8 months ago

    thank you 

    0

  21. Pravin 5 months ago

    @Mr.Mohamed A. Waly you given solution is proper usable...

    Thanks a lot...

    1+
    avatar
  22. Praveen Yadav 4 weeks ago

    gpedit.msc is not working on Windows 10 Home.

    Please help...

    Praveen Yadav

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account