Consider the following scenario:
- The Credential Security Support Provider protocol (CredSSP) updates for CVE-2018-0886 are applied to a Windows virtual machine (VM) (remote server) in Microsoft Azure or on a local client.
- You try to make a remote desktop (RDP) connection to the server from the local client.
In this scenario, you receive the following error message:
An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.
How to verify that the CredSSP update is installed
Check the update history for the following updates, or check the version of TSpkg.dll.
|Operating system|TSpkg.dll version with CredSSP update|CredSSP update|
|---|---|---|
|Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1|6.1.7601.24117|KB4103718 (Monthly Rollup); KB4103712 (Security-only update)|
|Windows Server 2012|6.2.9200.22432|KB4103730 (Monthly Rollup); KB4103726 (Security-only update)|
|Windows 8.1 / Windows Server 2012 R2|6.3.9600.18999|KB4103725 (Monthly Rollup); KB4103715 (Security-only update)|
|RS1 - Windows 10 Version 1607 / Windows Server 2016|10.0.14393.2248|KB4103723|
|RS2 - Windows 10 Version 1703|10.0.15063.1088|KB4103731|
|RS3 - Windows 10 Version 1709|10.0.16299.431|KB4103727|
This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed.
See the following interoperability matrix for scenarios that are either vulnerable to this exploit or cause operational failures.
| |Updated|Force updated clients|Mitigated|Vulnerable|
|---|---|---|---|---|
|Force updated clients|Blocked|Allowed|Allowed|Allowed|
1. The client has the CredSSP update installed, and Encryption Oracle Remediation is set to Mitigated. This client will not RDP to a server that does not have the CredSSP update installed.
2. The server has the CredSSP update installed, and Encryption Oracle Remediation is set to Force updated clients. The server will block any RDP connection from clients that do not have the CredSSP update installed.
To resolve the issue, install the CredSSP updates on both the client and the server so that RDP can be established in a secure manner. For more information, see CVE-2018-0886, CredSSP Remote Code Execution Vulnerability.
After you change the following setting, insecure connections are allowed, which exposes the remote server to attacks.
Scenario 1: Updated clients cannot communicate with non-updated servers
The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediation policy setting does not allow an insecure RDP connection to a server that does not have the CredSSP update installed.
To work around this issue, follow these steps:
- On the client that has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
- Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:
- Open a Command Prompt window as Administrator.
- Run the following command to add a registry value:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
Scenario 2: Non-updated clients cannot communicate with patched servers
If the Azure Windows VM has this update installed and its policy is set to Force updated clients, so that it rejects connections from non-updated clients, follow these steps to change the Encryption Oracle Remediation policy setting:
- On any Windows computer that has PowerShell installed, add the IP address of the VM to the WinRM client's TrustedHosts list (the command below configures WinRM, not the hosts file):
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <IP>
- Go to the Azure portal, locate the VM, and then update the Network Security group to allow PowerShell ports 5985 and 5986.
- On the Windows computer, connect to the VM by using PowerShell remoting. Use the HTTP listener on port 5985, or the HTTPS listener on port 5986 together with -UseSSL (-SkipCACheck and -SkipCNCheck only affect the HTTPS connection):
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName "<<Public IP>>" -Port "5985" -Credential (Get-Credential) -SessionOption $Skip
or
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName "<<Public IP>>" -Port "5986" -Credential (Get-Credential) -UseSSL -SessionOption $Skip
- Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Name "AllowEncryptionOracle" -Value 2 -Type DWord
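As an added example that is not part of the original article, the following PowerShell script covers both the verification step (TSpkg.dll version against the table above) and the policy change (reading and setting AllowEncryptionOracle), and it creates the Parameters key first, since Set-ItemProperty alone fails when the key does not exist yet. The function names and the $MinimumVersions map are assumptions built from this article's table; the mapping 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable comes from the policy definition (only the value 2 appears on this page).

```powershell
# Added example, not from the original article: report and adjust the local CredSSP state.
# $MinimumVersions is built from the version table in this article (assumption: it is complete
# for the builds listed there); builds not in the table are reported as unknown.
$CredSspKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$MinimumVersions = @{
    '6.1.7601'   = [version]'6.1.7601.24117'    # Windows 7 SP1 / Windows Server 2008 R2 SP1
    '6.2.9200'   = [version]'6.2.9200.22432'    # Windows Server 2012
    '6.3.9600'   = [version]'6.3.9600.18999'    # Windows 8.1 / Windows Server 2012 R2
    '10.0.14393' = [version]'10.0.14393.2248'   # Windows 10 1607 / Windows Server 2016
    '10.0.15063' = [version]'10.0.15063.1088'   # Windows 10 1703
    '10.0.16299' = [version]'10.0.16299.431'    # Windows 10 1709
}
# Policy value to protection level (0 and 1 are from the policy definition, not this article)
$LevelNames = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspStatus {
    # Build the file version from its numeric parts; FileVersion strings may carry a build suffix
    $vi = (Get-Item "$env:SystemRoot\System32\TSpkg.dll").VersionInfo
    $installed = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    $minimum = $MinimumVersions["$($installed.Major).$($installed.Minor).$($installed.Build)"]
    $updated = if ($minimum) { $installed -ge $minimum } else { 'Unknown build' }
    # Current policy value; $null when the policy has never been configured
    $value = (Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    $level = if ($null -eq $value) { 'Not configured' } else { $LevelNames[[int]$value] }
    [pscustomobject]@{
        TSpkgVersion          = $installed
        MinimumPatchedVersion = $minimum        # $null for a build that is not in the table
        UpdateInstalled       = $updated
        AllowEncryptionOracle = $value
        ProtectionLevel       = $level
        InsecureRdpAllowed    = ($value -eq 2)  # the workaround state described in this article
    }
}

function Set-CredSspProtectionLevel {
    # Defaults to Mitigated so the workaround can be undone once both sides are patched
    param([ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')][string]$Level = 'Mitigated')
    $value = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }[$Level]
    # Create the key first: Set-ItemProperty alone fails when the Parameters key is absent
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    Set-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -Value $value -Type DWord
}

Get-CredSspStatus | Format-List
# To undo the workaround after patching both sides: Set-CredSspProtectionLevel -Level Mitigated
```

Run it in an elevated PowerShell session on the client or the server; the registry write requires administrator rights.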