Remote desktop connection authentication error due to CredSSP encryption oracle remediation

Recently, when connecting to another Windows machine with RD, I got the following RDP authentication error due to CredSSP encryption oracle remediation:

An authentication error has occurred.
The function requested is not supported

Remote computer: <computer name>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

Windows client

Following the above link and searching around, this seems to be caused by the client Windows being patched with a CredSSP (Credential Security Support Provider protocol) update for CVE-2018-0886 while the remote Windows is not. The proper solution is to patch the remote Windows. However, if you do not have permission to patch the remote Windows (in this case, I am connecting to a build VM provided by AppVeyor), then you have to compromise on the client side.

Windows Pro Edition (with group policy editor)

The workable solution I found is to edit client Windows’ local group policy (gpedit.msc):

Under Computer Configuration -> Administrative Templates -> System -> Credentials Delegation, there is a setting “Encryption Oracle Remediation”. Its default value is “Not configured”. Change it to “Enabled”, and set “Protection Level” to “Vulnerable”.

Now your remote desktop should be able to connect. Remember to revert the setting after you are done.

Windows Home Edition client (without above option)

If your Windows client does not have the group policy editor or the above “Oracle Remediation” option (like Windows Home Edition), then you can temporarily uninstall the May 2018 security update, KB41037XX:

etc.

Remember to reinstall it when you are done.

Windows server

In the comment area, @Rome mentioned that, on the server side, this can be mitigated by disabling “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” in the server’s system properties.

I strongly suggest not compromising server-side security, and instead mitigating the problem temporarily from the client Windows. You should patch the server or ask the server administrator to patch it.
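
The following PowerShell is an added example, not part of the original post: it checks whether either workaround described above is still in place, and removes the client-side override if it is still set to Vulnerable. It assumes an elevated session, the registry path and `AllowEncryptionOracle` value quoted in the comments below, and the 0/1/2 value meanings from Microsoft's CVE-2018-0886 guidance; the function names are hypothetical.

```powershell
# Added example: check whether the temporary workarounds are still in place.
# Run from an elevated PowerShell session.
$CredSspKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-EncryptionOracleLevel {
    # Returns AllowEncryptionOracle as an int, or $null when the policy is
    # "Not configured" (the key or the value does not exist).
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AllowEncryptionOracle
}

function Reset-EncryptionOracleLevel {
    # Removes the explicit value. If it was set through gpedit.msc, also set
    # the policy back to "Not configured" there, or a policy refresh may
    # write the value again.
    Remove-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
}

function Test-NlaRequired {
    # $true when the RDP-Tcp listener requires Network Level Authentication,
    # $false when it does not, $null when the listener cannot be queried.
    $ts = Get-CimInstance -Namespace 'root\cimv2\terminalservices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    if ($null -eq $ts) { return $null }
    return ($ts.UserAuthenticationRequired -eq 1)
}

$level = Get-EncryptionOracleLevel
if ($null -eq $level) {
    Write-Output 'Encryption Oracle Remediation: Not configured'
} else {
    Write-Output "Encryption Oracle Remediation: $level ($($Levels[$level]))"
    if ($level -eq 2) {
        Write-Warning 'Protection Level is still Vulnerable; removing the override.'
        Reset-EncryptionOracleLevel
    }
}

$nla = Test-NlaRequired
if ($nla -eq $false) {
    Write-Warning 'This machine accepts RDP connections without NLA.'
} elseif ($null -eq $nla) {
    Write-Output 'RDP listener settings could not be read.'
}
```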

47 Comments

  • Thank you for this post. It saved me a lot of time. I started experiencing this issue about 5 days ago. Now I'm fine as your solution fixed the issue.

  • THANK YOU. An unfortunate Windows10 update issue (yet again).

  • Thanks, this worked for me on one PC, but I have another system that doesn't have Encryption Oracle Delegation under Credentials Delegation. What can I do for that? I am still unable to use remote on that.

  • Hello Dear,

    I am also facing the exact same issue but I am unable to fix it as I have gone through the entire process described in this post but unfortunately I am unable to see the settings as they are mentioned here. I am unable to see the option "ENCRYPTION ORACLE REMEDIATION". Can you help me with that so that I can resume my work?

    I have windows 7 installed on the remote pc.

    Thank you in advance



  • Hello dear,

    Where do I do this stuff? I am not a system side guy, I don't remember where to set this all. Do you want to go to gpedit again or should I switch to REGEDIT?

  • Okay I did what you sent me in the email:

    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

    I tried to locate the options but I am at a dead end after the following options

    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

    There is no such thing as Credd SSP\parameter.

    After system\
    Audit
    UIPI

    only they are there

  • Hello Good Day!

    Easy and Fast instructions.. Thank you..

  • This is what worked for me. On the remote computer you are trying to connect to ("in my case my server"), follow these steps:
    1: Go to the computer you are trying to get connected to
    2: Control Panel
    3: System
    4: Remote Settings
    5: Select Don't Allow Remote Connections to this Computer and Click Apply
    6: Select Allow Remote Connections to this Computer and Click Apply
    **Allow Remote Connections through NLA is unchecked.

  • @Samiullah Unfortunately I cannot reproduce and troubleshoot this for you, because all my computers have that option.

    I am using Windows 7 Ultimate and Windows 10 Pro. What edition of Windows client are you using? Can you install the latest updates for your client Windows and see if the option appears?

  • @Rome It is "workable" but I strongly suggest not to compromise the server side, but temporarily compromise the client. You should patch the server or ask the server's administrator to patch it.

  • Really helpful, it's working for me.

  • I rolled back the update the KB4103727 on both of my laptops that were having the problem since yesterday (5/14/2018). This worked for me.

  • I need a solution for Windows 8.1 users. Please give me some solution.

  • Uninstall the Win - patch KB4103731 to fix this issue.

  • It worked fine. Thank you for sharing the information.

  • This worked for me. Thanks. Patching now to see if that will alleviate the issue for good.

  • I have Win 10 Home edition so I don't have access to Local Group Policy Editor. I would like to change it in reg editor but I cannot change it there either because I cannot find a Credd SSP\parameter.
    I have had no problems with remote desktop until now.

    Could you help me, please?

  • It's Worked, great!!

    Thank you

  • great thank you it works fine in windows 10

  • Saved lot of time. thanks :)

  • Hello,
    I am using Windows 10, but can't find "ENCRYPTION ORACLE REMEDIATION". I would really thank you if you can help me with that.
    Thx

  • Powershell remove NLA from RDP
    (Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName ***computername*** -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

  • thank you

    It's working,

  • many thanks for powershell - it is working !

  • For my Windows server 2012
    This is what worked for me, follow these steps again
    1: Go to the computer you are trying to get connected to
    2: Control Panel
    3: System
    4: Remote Settings
    5: Select Don't Allow Remote Connections to this Computer and Click Apply
    6: Select Allow Remote Connections to this Computer and Click Apply
    ###Allow Remote Connections through NLA is unchecked

  • Please, I need a solution for Windows 8.1 users. Please give me some solution. Thanks

  • It worked fine. Thank you for sharing the information.
    Actually I have faced this issue for the last week but did not find a quick solution online. Anyway, the issue is resolved; I got complete information on this site.

  • Thanks, it works fine in windows 10

  • I followed these instructions and uninstalled all KB41037XX and that fixed the issue. BUT on Thursday I received a Windows update that took about 45 minutes to install and now I am back to the same issue. I can't use my Remote Desktop to remote into my work computer through VPN. I can connect to VPN with no issue. I checked and there are no KB41037XX listed. My winver is Version 1803 (OS Build 17134.81)

    Any one have any ideas.... Thanks

  • Thank you. Best working advice.

  • Hi Samiullah, the registry key works, but those entries are not there after the patch is applied; you have to add them. So CredSSP is added as a new key under System, i.e. it appears as a yellow folder under it in Regedit, then you need to do the same again with Parameters, which of course will be a child under CredSSP. Finally, within the Parameters key, you add a new DWORD (32-bit) Value, and you give it a value of 2.

    Unfortunately I think it's going to stop working on Friday, Samiullah, because https://support.microsoft.com/en-gb/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018 says that a 2nd update arriving this coming Friday will change the behaviour to Mitigated. I'm not totally sure I'm correct on this point; read the above link and see if you agree!

  • You can simply do all the registry changes by clicking on one file.
    Download it from
    http://www.sjtechnics.com/remote-desktop-connection-authentication-error-due-to-credssp-encryption-oracle-remediation/
    100 percent working

  • If you are missing the registry key, your system may be missing patches. Check for updates related to Security & Remote Desktop Client.

  • You save my day

  • Sonu Verma: pls, I will try this method but it does not work for me, pls give me best suggestion bro pls

  • It worked! Thanks

  • Hi,

    I am unable to see the option "ENCRYPTION ORACLE REMEDIATION" in the group policy.

    My Remote computer is Windows 8.1 Pro & client PC is Windows 8.1

    Thank you in advance

  • Fast and simple fix

    If you are running Windows 10
    Install Microsoft Remote Desktop from Microsoft Store.
    Launch it and see if it works

  • I cannot sign in with my rdp

  • Very helpful. Thanks for the informative post.

  • This solution worked for me as well. However, I am unsure if there is any security threat as I am connecting to our corporate PC through my Home PC. If so, then the threat is at which level? I.e., is it at client level or server level?

  • Thanks, this worked for me .. gpedit.msc
