In March 2018, Microsoft released a security update that fixes a vulnerability in the Credential Security Support Provider Protocol (CredSSP). This vulnerability (CVE-2018–0886) allows an attacker to remotely execute arbitrary code on a vulnerable Windows host with an open RDP port (TCP/3389). In May 2018, an update “2018-05 Security only/Monthly Rollup” was released. It blocks the connection to computers with an affected version of CredSSP.
When you try to connect to a remote computer with a vulnerable CredSSP from Windows 10/Windows Server 2016, you receive the Remote Desktop Connection error:
An authentication error has occurred.
The function is not supported.
Remote Computer: hostname
This could be due to CredSSP encryption oracle remediation.
For more information, see link.
On Windows 7, the CredSSP error looks like this:
An authentication error has occurred.
The function requested is not supported.
Remote computer: hostnname
To fix This could be due to credssp encryption oracle remediation error, you need to install the latest Windows security update on the remote computer. You can install the latest Cumulative Update for your Windows version. You can download the update manually via Microsoft Update Catalog or install it via Windows Update or WSUS.
Hint. CredSSP authentication error appears only when you try to connect via RDP from a computer on which the latest security updates are installed to a non-updated computer (for example, a computer that never gets updates, or a clean installed device with a Windows 10/Windows Server 2016 build that was released before March 2018).
Hint. There is a workaround allowing you to connect to a computer with a vulnerable version of CredSSP. To do this, you need to configure a special Group Policy parameter named Encryption Oracle Remediation on your computer from which you are establishing the Remote Desktop connection.
- Press Win+R, type gpedit.msc, and press Enter;
- Go to the following section of the Local Group Policy Editor: Computer Configuration > Administrative Templates > System > Credentials Delegation;
- Open the policy setting Encryption Oracle Remediation;
- Change its state to Enabled, and set Vulnerable in the Protection Level field;
- Update the Group Policy settings using:gpupdate /force
Hint. You can also allow your computer to connect to vulnerable versions of CredSSP through the registry. Run the following command through elevated command prompt:reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /f /v AllowEncryptionOracle /t REG_DWORD /d 2
Now you can connect to the remote host via RDP and install the updates. After upgrading, don’t forget to disable the policy or reset the AllowEncryptionOracle registry value to its original value:
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /f /v AllowEncryptionOracle /t REG_DWORD /d 0
There are 3 options in the “Encryption Oracle Remediation” policy:
- Vulnerable — the client can connect to vulnerable computers;
- Mitigated — the client cannot connect to vulnerable servers, but the servers can allow vulnerable clients to connect;
- Force Updated Clients — secure RDP CredSPP interoperability layer.
If from a computer that doesn’t have the CredSPP security update installed you can’t connect to an updated RDP/RDS host with the “Force updated clients” option enabled, you can allow the server to accept connections with an affected version of CredSPP. To do this, you need to enable the policy with the Mitigated value on the server. In this way, to make changes to the server you can remotely connect to it via PowerShell under admin credentials:
Enter-PSSession -ComputerName Enter-PSSession -ComputerName RDSServer01 -Credential RDSServer01\administrator
And allow the connection:
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
In all cases, Microsoft always recommends installing the latest Windows updates on both the RDP server and the client.