Updates last night included one for CredSSP CVE-2018-0886.
For those of us who are hesitant to patch our servers the instant a patch is available, we'll be seeing updated RD Clients unable to connect to those servers for the period prior to our regression testing and release cycle.
Remote Desktop Connection
An authentication error has occurred.
The function requested is not supported.
Remote Computer: SERVERNAME
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660
For now, the workaround on the remotely connecting RD Clients is to set the following registry key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
Copy and paste the above into Notepad and Save As "CredSSP.REG" in a quickly accessible location.
Double click on the created file and MERGE. An elevated Registry Editor session would also allow for import via the FILE menu.
Once the above registry setting is in place, reboot the client machine and the connection should work.
Happy Patching! :)
UPDATE 2018-05-09 @ 10:47 MST: A caveat:
It is better to update the server backend, if possible, before making the above registry change.
If that is _not_ possible, then after the updates have been applied on the server(s) make sure to _change_ the registry setting to its most secure setting.
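One way to check which clients still carry the workaround and to move them back once the servers are patched (an added example, not part of the original post). The function names are hypothetical, and the value meanings (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) come from Microsoft's CVE-2018-0886 guidance rather than from this post:

```powershell
# Added example (not from the original post): audit and tighten the
# CredSSP AllowEncryptionOracle policy value on an RD client.
# Value meanings per Microsoft's CVE-2018-0886 guidance:
#   0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
$CredSspPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName   = 'AllowEncryptionOracle'
$Meaning     = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

# Hypothetical helper: report the current setting on this machine.
function Get-CredSspOracleSetting {
    $prop = Get-ItemProperty -Path $CredSspPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the workaround was never merged or has been removed.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Value = $null
            Meaning  = 'Not configured (OS default applies)'; NeedsReview = $false
        }
    }
    $value = [int]$prop.$ValueName
    $text  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unknown value' }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Value       = $value
        Meaning     = $text
        NeedsReview = ($value -notin 0, 1)   # 2 means the workaround is still active
    }
}

# Hypothetical helper: move the value off the workaround setting.
# Run elevated, and only after the servers this client reaches are updated.
function Set-CredSspOracleSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 1)][int]$Value = 0)
    if ($PSCmdlet.ShouldProcess("$CredSspPath\$ValueName", "Set to $Value ($($Meaning[$Value]))")) {
        if (-not (Test-Path $CredSspPath)) { New-Item -Path $CredSspPath -Force | Out-Null }
        New-ItemProperty -Path $CredSspPath -Name $ValueName -Value $Value `
            -PropertyType DWord -Force | Out-Null
    }
    Get-CredSspOracleSetting
}

Get-CredSspOracleSetting | Format-List
# Set-CredSspOracleSetting -Value 0 -WhatIf   # preview the change first
```

As with the workaround itself, reboot the client after changing the value.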
UPDATE 2018-05-10 @ 17:38 MST:
Update sources:
- Windows Server 2012 R2 Updates List
  - KB4103725 fixes the issue but may require a manual reboot from the console/desktop!
- Windows Server 2016 Updates List
  - KB4103723 fixes the issue but requires a reboot
Philip Elder
Microsoft High Availability MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book
Thanks for this. I did the patch Tuesday updates yesterday on my desktop because I'm crazy, and just experienced this on my desktop an hour ago... I thought it might have been due to the 1803 feature update. But my laptop is still on 1709 and installing yesterday's updates on it caused the same issue.

The catch is that this error is telling us that the endpoint being connected _to_ is the culprit due to not being patched for this vulnerability.

It was pointed out via Twitter that the patch has been on the server side for two months.
Well, in some cases we're behind by more than two months depending on client maintenance window availability and season.
Oh, and if the error is happening between two PCs then the destination PC needs to be updated. Then the error will no longer happen.

Yes. I'm only seeing this on very few servers, so now have to find out why they didn't update. Those that have the March updates are OK as you say. There was another blog from MS about this today at https://blogs.technet.microsoft.com/yongrhee/2018/05/09/after-may-2018-security-update-rdp-an-authentication-error-occurred-this-could-be-due-to-credssp-encryption-oracle-remediation/

Thanks!