Wednesday, 9 May 2018

Remote Desktop Client: An authentication error has occurred. *Workaround

Updates last night included one for CredSSP CVE-2018-0886.

For those of us that are hesitant to patch our servers the instant a patch is available we'll be seeing RD Clients unable to connect for the period prior to our regression testing and release cycle.

Remote Desktop Connection

An authentication error has occurred.
The function requested is not supported.

Remote Computer: SERVERNAME
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

For now, the workaround on the remotely connecting RD Clients is to set the following registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

Copy and paste the above into Notepad and Save As "CredSSP.REG" in a quickly accessible location.

Double click on the created file and MERGE. An elevated Registry Editor session would also allow for import via the FILE menu.

Once the above registry setting is in-place reboot the client machine and the connection should work.

Happy Patching! :)

UPDATE 2018-05-09 @ 10:47 MST: A caveat:

It is better to update the server backend, if possible, before making the above registry change.

If that is _not_ possible, then after the updates have been applied on the server(s) make sure to _change_ the registry setting to its most secure setting.

UPDATE 2018-05-10 @ 17:38 MST:

Update sources:

Philip Elder
Microsoft High Availability MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book
Our Web Site
Our Cloud Service

4 comments:

  1. Thanks for this. I did the patch Tuesday updates yesterday on my desktop because I'm crazy, and just experienced this on my desktop an hour ago... I thought it might have been due to the 1803 feature update. But my laptop is still on 1709 and installing yesterday's updates on it caused the same issue.

    ReplyDelete
  2. The catch is that this error is telling us that the endpoint being connected _to_ is the culprit due to not being patched for this vulnerability.

    It was pointed out via Twitter that the patch has been on the server side for two months.

    Well, in some cases we're behind by more than two months depending on client maintenance window availability and season.

    ReplyDelete
  3. Oh, and if the error is happening between two PCs then the destination PC needs to be updated. Then the error will no longer happen.

    ReplyDelete
  4. Yes. I'm only seeing this on very few servers, so now have to find out why they didn't update. Those that have the March updates are OK as you say. There was another blog from MS about this today at https://blogs.technet.microsoft.com/yongrhee/2018/05/09/after-may-2018-security-update-rdp-an-authentication-error-occurred-this-could-be-due-to-credssp-encryption-oracle-remediation/

    Thanks!

    ReplyDelete

NOTE: All comments are moderated.