[Fix] CredSSP Patch Causing RDP Authentication Error due to Encryption Oracle Remediation

Recently an AskVG reader contacted me regarding this issue. He was getting a “CredSSP encryption oracle remediation” error message while trying to use the Remote Desktop Connection program.

PROBLEM SYMPTOM:

Whenever you try to use Remote Desktop Connection (RDP) to connect to a server from a local client, you get the following error message:

Remote Desktop Connection

An authentication error has occurred.
The function requested is not supported.

Remote computer: Computer_Name or IP_Address
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

If you check Event Viewer, you’ll find event ID 6041 from the LSA (LsaSrv) source containing the following error message text:

A CredSSP authentication to failed to negotiate a common protocol version. The remote host offered version which is not permitted by Encryption Oracle Remediation.

This problem may occur in Windows 10, Windows 8/8.1, Windows 7, Windows Vista, Windows Server 2016, Server 2012 and Server 2008.

If you use a 3rd party remote desktop client or server, you may also face the above-mentioned problem.

PROBLEM REASON:

This issue occurs when the CredSSP patch is installed on the server or the client computer. RDP uses CredSSP (Credential Security Support Provider Protocol), an authentication provider that processes authentication requests for applications.

Recently Microsoft found that a remote code execution vulnerability (CVE-2018-0886: encryption oracle attack) exists in CredSSP versions. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. So any application that depends on CredSSP for authentication was vulnerable to this type of attack.

To patch this security risk, Microsoft released a security update addressing the vulnerability by correcting how CredSSP validates requests during the authentication process. The patch updated the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

After installing the update, patched clients were not able to communicate with unpatched servers. In other words, if the client computer has the security update installed but the server computer was not updated with the security update (or vice versa), the remote connection was unsuccessful and the user received the above-mentioned error message.

PROBLEM SOLUTION:

To solve this problem, it is recommended to install the security patch on both computers (server and client). You can download and install the security update from the following link:

Download CredSSP Patch for Remote Code Execution Vulnerability

Once both computers have the CredSSP patch installed, the error message will disappear.

If for some reason you can’t install the security update on the server or client computer, you can use the following solutions to fix the issue and get rid of the error message:

Microsoft provides a policy to control compatibility with vulnerable clients and servers. With the help of this policy, you can set the level of protection that you want for the encryption oracle vulnerability.

There are 2 ways to fix the CredSSP encryption oracle remediation error caused by the patch:

  • METHOD 1: Using Group Policy Editor (gpedit.msc)
  • METHOD 2: Using Registry Editor (regedit.exe)

Let’s discuss both methods in detail:

METHOD 1: Using Group Policy Editor (gpedit.msc)

1. Press the WIN+R keys together to launch the RUN dialog box. Now type gpedit.msc and press Enter. It’ll open Group Policy Editor.

2. Now go to:

Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

3. In the right-side pane, look for the following option:

Encryption Oracle Remediation

The option is set to Not Configured by default. Double-click on the option and set it to Enabled. Now select “Vulnerable” from “Protection Level” drop-down box.

Click on the Apply button and then the OK button to exit. Restart your computer for the change to take effect.

Now you’ll be able to establish remote connection between server and client without any problem.

PS: If you want to restore default settings in future, simply set the option in Group Policy Editor to “Not Configured” again.

METHOD 2: Using Registry Editor (regedit.exe)

If you are using the Home edition of Windows, you’ll not be able to run the gpedit.msc command because this edition doesn’t come with Group Policy Editor.

If you can’t use or don’t want to use Group Policy Editor, you can use Registry Editor for the same task. Just follow these simple steps:

1. Press the WIN+R keys together to launch the RUN dialog box. Now type regedit and press Enter. It’ll open Registry Editor.

2. Now go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

3. Create a new key under the System key and set its name as CredSSP

4. Create another new key under the CredSSP key and set its name as Parameters

5. Now select the Parameters key and in the right-side pane create a new DWORD AllowEncryptionOracle and set its value to 2

Restart your computer for the change to take effect.

Now you’ll be able to use remote connection between server and client without any issue.

PS: In future if you want to restore default settings, simply delete the DWORD created in the above steps.
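
The following PowerShell script is an added example, not part of the original article. It reads the AllowEncryptionOracle value from METHOD 2, reports which protection level it corresponds to, lists recent event ID 6041 entries, and can delete the DWORD once both computers are patched. The function names are hypothetical, the 0 and 1 levels come from Microsoft's documentation of the policy rather than from this page, and looking for the event in the System log is an assumption.

```powershell
# Added example (not from the original article). Read-only unless
# Remove-EncryptionOracleWorkaround is called explicitly.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

# The article gives 2 = "Vulnerable"; 0 and 1 are the other two levels
# Microsoft documents for this policy.
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-EncryptionOracleSetting {
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: same state as "Not Configured".
        return [pscustomobject]@{ Configured = $false; Value = $null; Level = 'Not Configured' }
    }
    $value = [int]($item.$ValueName)
    $level = if ($Levels.ContainsKey($value)) { $Levels[$value] } else { 'Unrecognized value' }
    [pscustomobject]@{ Configured = $true; Value = $value; Level = $level }
}

function Get-CredSspNegotiationFailure {
    param([int]$MaxEvents = 20)
    # Event ID 6041 from source LsaSrv is the one quoted in the article.
    # Searching the System log is an assumption of this example.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6041 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'LsaSrv' } |
        Select-Object TimeCreated, MachineName, Message
}

function Remove-EncryptionOracleWorkaround {
    # Restores the default by deleting the DWORD, as the article's PS note describes.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $configured = (Get-EncryptionOracleSetting).Configured
    if ($configured -and $PSCmdlet.ShouldProcess("$CredSspKey\$ValueName", 'Remove value')) {
        Remove-ItemProperty -Path $CredSspKey -Name $ValueName
    }
}

$setting = Get-EncryptionOracleSetting
$setting
if ($setting.Value -eq 2) {
    # The workaround is still active: this machine accepts unpatched peers.
    Write-Warning "$ValueName is 2 (Vulnerable). Patch both ends, then run Remove-EncryptionOracleWorkaround and restart."
}
Get-CredSspNegotiationFailure
```

Deleting the value requires an elevated PowerShell session; run `Remove-EncryptionOracleWorkaround -WhatIf` first to preview the change.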

Published in: Troubleshooting Guides, Windows 10, Windows 7, Windows 8, Windows Vista

About the author: Vishal Gupta (also known as VG) has been awarded with Microsoft MVP (Most Valuable Professional) award. He holds Masters degree in Computer Applications (MCA). He has written several tech articles for popular newspapers and magazines and has also appeared in tech shows on various TV channels.

Comments

  1. Encryption Oracle Remediation was missing on my Windows 7, fixed authentication error by installing KB2830477 update.
