Remote Desktop Authentication Error – CredSSP Workaround


To totally unlock this section you need to Log-in


Login

Starting May 9 2018, you could have received many reports of Remote Desktop connections failing globally. Users could receive error messages like the following when they try to remote to machines they connected to successfully for a long time:

Remote Desktop Authentication Error - CredSSP Workaround

This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed.

Caused by a Microsoft Security Patch

The Microsoft Security patch issued on Tuesday, May 8th, triggered the problem by setting and requiring remote connections at the highest level (CredSSP Updates for CVE-2018-0886).

It changed the default setting from Vulnerable to Mitigated which means that any PC using CredSSP is not be able to use insecure versions. If your PC received the May update but the target PC hasn’t implemented the CredSSP update, the PC receives the error message when it tries to connect to that PC.

The automatic Windows patch to raise the security level is not implemented if the PC doesn’t allow automatic updates. This mismatch between the implementation of a security requirement (which is not optional) without the corresponding automatic update may be the source of this problem.

However, there are many situations such as development, testing, build, staging, and deployment environments which require a stable environment that would be destroyed by automatic Windows updates.

Symptoms

The symptoms are rather strange because you could found that some machines successfully connect while others don’t.

For instance, you could have a Windows 7 machine that hosted Remote Desktop. A Windows 7 PC had no problem connecting to it, but the same user connecting from a Windows 10 machine failed when that was never an issue before and the host machine allowed remote connection for years.

There are also reports of problems with Windows 10 machines connecting to Windows 10 machines, and people locked out of their Azure VMs.

Workaround Solution

One could rollback the security update, but rather than risking other security problems, there’s a quick fix.

Simply adjust the Remote Desktop settings on the host machine to a lower security level. From File Explorer, choose Computer, right-click and select Properties, then click Change Settings, and go to the Remote tab.

From Windows 10, uncheck the option to “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”:

Remote Desktop Authentication Error - CredSSP Workaround

From Windows 7, it’s setting the option to the Less Secure option rather than More Secure:

Remote Desktop Authentication Error - CredSSP Workaround

Alternative Solutions

This section has been added after our initial workaround solution based on the experience of many users struggling with this problem.

The problem is often caused because the local machine is patched with the Windows Update and the machine it’s connecting to is not patched for the CredSSP issue. If both systems were patched then this error would not occur. There are two options:

Update the Target Machine

Update the target machine with the patch for the CredSSP issue (preferable).

Update the Local Machine GPO

In many cases, you don’t have the option to modify anything on the target machine. You may even be prevented from modifying your own machine, but assuming you have administrator rights, you can change the Group Policy on your local machine to use the Vulnerable setting.

Enter run “gpedit.msc” to edit group policy, or from Windows start, enter “Group Policy” and select “Edit group Policy”:

Remote Desktop Authentication Error - CredSSP Workaround

Remote Desktop Authentication Error - CredSSP Workaround

From the tree view, choose Computer Configuration -> Administrative Templates -> System -> Credentials Delegation:

Remote Desktop Authentication Error - CredSSP Workaround

Select “Encryption Oracle Remediation” from the right pane (if it’s not there, it probably means your machine wasn’t patched):

Remote Desktop Authentication Error - CredSSP Workaround

Enable it and set the Protection Level to Vulnerable:

Remote Desktop Authentication Error - CredSSP Workaround

If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:

  • Open a Command Prompt window as Administrator.
  • Run the following command to add a registry value:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Using Powershell, run the following command to change the Encryption Oracle Remediation policy setting by using the registry:

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord