Remote Desktop (RDP) Connections Fail
In May 2018, reports of failed RDP connections began to appear globally on machines that had had no issue before. Please read on if you have encountered an error like this:
An authentication error has occurred. The function requested is not supported. Remote computer: <computer name>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660
This link redirects to https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018, which explains the Credential Security Support Provider protocol (CredSSP) and offers extensive information on the series of updates issued for it since 2018.
The page offers some recommendations, though it is not clear what the changes are, or whether they need to be made globally through group policy or in the group policy of every PC and VPS/VM. Technet (now on solveazure) posted an excellent article giving a clearer picture of the reasons behind the update and a clear set of options for a resolution or workaround (as we describe here) depending on your situation.
May 2018 Microsoft Security Patch
The Microsoft security patch issued on Tuesday, May 8th, 2018 triggered the problem by changing a default setting so that remote connections require the highest protection level (CredSSP Updates for CVE-2018-0886):
This changed the default setting from Vulnerable to Mitigated, which means that any PC using CredSSP can no longer use insecure versions of the protocol. If your PC received the May update but the target PC has not implemented the CredSSP update, your PC receives the error message above when it tries to connect to that PC.
This is not an issue if automatic updates are enabled in both environments (your Windows PC and the VPS). As many of us already know, development, testing, build, staging, and deployment environments require a stable environment, which could be rendered useless by enabling automatic Windows updates. Consequently, many VPS/VMs have not been updated.
The symptoms are somewhat sporadic, though, as some machines reportedly connected successfully while others did not.
a) A Windows 7 machine hosting Remote Desktop: a client Windows 7 PC had no problem connecting to it, but the same user connecting from a Windows 10 machine failed.
b) If the client is not patched while the server is updated, RDP still works, but the session is exposed to the attack.
c) If both client and server are patched with the default setting (Mitigated), RDP works securely.
- Update both the client and the VPS/VM (although this is not always practical).
- Roll back the security update; this is problematic because it leaves you open to the vulnerability, and it is not recommended.
- Adjust the RDP settings on your local machine to a lower security level.
To do this, open File Explorer, right-click Computer and select Properties, then click Change settings and go to the Remote tab.
On Windows 10, uncheck the option “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”:
In Windows 7, set the option to “Allow connection from computers running any version …” (Less Secure):
Once these are set, you should be able to remote into the machine again.
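The checkbox on the Remote tab toggles the Network Level Authentication (NLA) requirement of the RDP-Tcp listener. The following PowerShell script is an added example, not code from the original article: it reads the current NLA state through the same WMI class the System Properties dialog uses (Win32_TSGeneralSetting) so you can confirm the change and restore the recommended setting later. Run it from an elevated prompt; the function names are this example's own.

```powershell
# Added example: inspect and change the "Allow connections only from computers
# running Remote Desktop with Network Level Authentication" setting.
# Not part of the original article. Requires an elevated PowerShell prompt.

function Get-RdpNlaState {
    # Win32_TSGeneralSetting backs the Remote tab. UserAuthenticationRequired is
    # 1 when NLA is required (recommended) and 0 when any RDP client may connect.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    [PSCustomObject]@{
        NlaRequired   = [bool]$ts.UserAuthenticationRequired
        SecurityLayer = $ts.SecurityLayer   # 0 = RDP security layer, 1 = Negotiate, 2 = TLS
    }
}

function Set-RdpNlaState {
    param([Parameter(Mandatory)][bool]$Required)
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    # SetUserAuthenticationRequired is the documented method on this class
    $args = @{ UserAuthenticationRequired = [uint32]([int]$Required) }
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments $args | Out-Null
    Get-RdpNlaState
}

# Record the state before changing anything, so the undo is unambiguous
$before = Get-RdpNlaState
"NLA required before: $($before.NlaRequired) (security layer $($before.SecurityLayer))"

# Workaround from the article: allow connections from any RDP client version
# Set-RdpNlaState -Required $false

# Once the unpatched machine is updated, put the recommended setting back
# Set-RdpNlaState -Required $true
```

Keep the output of the first call; it tells you whether NLA was actually the thing you changed, and the `Set-RdpNlaState -Required $true` line is the one-step undo once the remote machine has received the CredSSP update.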
Update the Local Machine
Assuming you have administrator rights, you can adjust the Group Policy on your local machine to use the less secure setting.
It is not prudent to lower one’s security settings in order to connect to a machine that was not updated. It would be much better if we were prompted, or automatically connected, to lower-level machines without turning off the higher security level for everything else on our local machine. But it only takes one target machine that you cannot modify to force this change on your machine. These changes will at least allow you to complete your work.
Windows 10 Pro or above
Run “gpedit.msc” to edit group policy, or from the Windows Start menu, type “Group Policy” and select “Edit group policy”:
Windows 10 Home
If it is not possible to access the Local Group Policy Editor on the client (i.e. Windows Home editions), the same change can be made through the registry:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
After that, whether an established RDP session is secure or not depends on whether the server is patched. Remember to undo this change once all the servers are patched.
Back in the Group Policy Editor (Windows 10 Pro or above), from the tree view choose Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
Select “Encryption Oracle Remediation” from the right pane (if it’s not there, it probably means your machine wasn’t patched):
Enable and set the Protection Level to Vulnerable:
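Both routes above (the Group Policy setting and the REG ADD command) end up in the same registry value, AllowEncryptionOracle. The following PowerShell script is an added example and not code from the original article: it reads the current level, sets it, removes it again once the servers are patched (the undo the registry section asks you to remember), and checks whether the policy template is present on the machine at all. The level meanings (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) are those documented in the Microsoft KB linked above; the ADMX file location is this example's assumption, and the function names are its own.

```powershell
# Added example: manage the CredSSP "Encryption Oracle Remediation" value that
# gpedit.msc (or the REG ADD command) writes. Not part of the original article.
# Run from an elevated PowerShell prompt.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

# Meaning of the DWORD as documented for CVE-2018-0886 in KB4093492
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    # Returns the configured level, or $null when the value was never set
    # (on a patched host the default then behaves as Mitigated).
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.$ValueName
}

function Set-CredSspOracleLevel {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level)
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
    "$ValueName set to $Level ($($Levels[$Level]))"
}

function Remove-CredSspOracleLevel {
    # Undo: deleting the value restores the patched default (Mitigated)
    if (Test-Path $CredSspKey) {
        Remove-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    }
    "$ValueName removed; the patched default applies"
}

function Test-CredSspPolicyPresent {
    # Assumption: the "Encryption Oracle Remediation" policy ships in
    # %windir%\PolicyDefinitions\CredSsp.admx. If that file does not mention the
    # value name, the March/May 2018 update is most likely missing on this host,
    # which matches the article's note about the setting being absent in gpedit.
    $admx = Join-Path $env:windir 'PolicyDefinitions\CredSsp.admx'
    (Test-Path $admx) -and (Select-String -Path $admx -Pattern $ValueName -Quiet)
}

# Report the current state before touching anything
$current = Get-CredSspOracleLevel
if ($null -eq $current) {
    "$ValueName not set (patched hosts default to Mitigated)"
} else {
    "$ValueName = $current ($($Levels[$current]))"
}
"Encryption Oracle Remediation policy present in ADMX: $(Test-CredSspPolicyPresent)"

# Workaround while an unpatched server must still be reached (the article's setting):
# Set-CredSspOracleLevel -Level 2

# Once every server is patched, remove the override again:
# Remove-CredSspOracleLevel
```

Leaving the value unset is preferable to setting it to 1 explicitly: an unset value tracks whatever default future updates establish, whereas an explicit value keeps overriding them.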
Cannot Connect via VPN
There are also problems with VPN connection if the PC has Remote set to the higher security level.
The network connection fails with error: Cannot load the Remote Access Connection Manager service. Error 711:
Lower Your Remote Desktop Security to Make the VPN Connection
The Remote Desktop setting on the client side can also affect its ability to connect via VPN to the host side.
By lowering the setting to the less secure option (allowing other computers to connect to the PC), the PC can then successfully connect to the VPN.