After installing the update KB4103718 on my Windows 7 computer, I can’t remotely connect to the server using the Remote Desktop. After I specify the RDP server address in the mstsc.exe window and click “Connect”, an error occurs:
An authentication error has occurred.
The function requested is not supported.
After I uninstalled the update KB4103718 and rebooted the computer, the RDP connection started working fine. But, as I understand, this is only a temporary workaround: next month a new patch will arrive and the error will return. Can you advise something?
You are absolutely right. It’s pointless to solve the problem by removing Windows updates, because that leaves your computer exposed to the vulnerabilities that this update closes.
First of all, I recommend carefully reading the article “RDP authentication error: CredSSP Encryption Oracle Remediation”. In that article, I described in detail why, after installing the latest (May 2018) security updates on Windows clients, users may have problems connecting to remote computers / servers via RDP. In the May security updates, Microsoft fixed a serious vulnerability in the CredSSP protocol used for authentication on RDP servers (CVE-2018-0886). If the latest patches aren’t installed on the RDP/RDS server and it still uses the old version of the CredSSP protocol, the client blocks the connection.
What can you do to fix this problem?
- The most correct way to solve the problem is to install the latest cumulative security updates on the remote computer / RDS server (to which you connect via RDP).
- Temporary Workaround 1. You can disable NLA (Network Level Authentication) on the RDP server side (as described below).
- Temporary Workaround 2. You can re-configure clients by allowing them to connect to the Remote Desktop with an unsafe version of CredSSP, as described in the article above (the AllowEncryptionOracle registry parameter or the local policy Encryption Oracle Remediation = Vulnerable).
Disabling RDP Network Level Authentication (NLA)
If NLA is enabled on the RDP server, CredSSP is used for pre-authentication. You can disable Network Level Authentication in the System Properties on the Remote tab by unchecking the option “Allow connection only from computers running Remote Desktop with Network Level Authentication (recommended)” (Windows 10 / Windows 8).
In Windows 7, this option is called differently. On the Remote tab, select the option “Allow connections from computers running any version of Remote Desktop (less secure)“.
You can also disable Network Level Authentication (NLA) by using the Local Group Policy Editor (gpedit.msc). To do this, go to the section Computer Configuration –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Security and disable the policy “Require user authentication for remote connections by using Network Level Authentication”.
You also need to select the RDP Security Layer in the “Require use of specific security layer for remote (RDP) connections” policy.
To apply the RDP settings, update the policies (gpupdate /force) or restart the computer. After that, you should be able to connect to the remote desktop successfully.
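
Both temporary workarounds persist as registry values, so they are easy to forget once the server has been patched. The read-only PowerShell check below is an added example, not part of the original article; it reports whether either workaround is still active on the machine where it runs. Assumptions: the registry paths and the UserAuthentication / SecurityLayer value names are the standard Windows locations for these settings and are not quoted from the article, and Get-RegValue is a hypothetical helper.

```powershell
# Added example: audit the CredSSP / NLA settings discussed above (read-only).
# Registry locations are the standard ones for these settings (assumption, not from the article).

function Get-RegValue {
    # Hypothetical helper: returns $null when the key or the value does not exist
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$credSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$rdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$findings = @()

# Client side: Encryption Oracle Remediation
# 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
$oracle = Get-RegValue $credSspKey 'AllowEncryptionOracle'
if ($oracle -eq 2) {
    $findings += 'AllowEncryptionOracle = 2 (Vulnerable): client accepts unpatched CredSSP servers'
}

# Server side: a Group Policy value, when present, overrides the local listener setting
$nla = Get-RegValue $tsPolicy 'UserAuthentication'
if ($null -eq $nla) { $nla = Get-RegValue $rdpTcpKey 'UserAuthentication' }
if ($nla -eq 0) {
    $findings += 'UserAuthentication = 0: Network Level Authentication is disabled'
}

# 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
$layer = Get-RegValue $tsPolicy 'SecurityLayer'
if ($null -eq $layer) { $layer = Get-RegValue $rdpTcpKey 'SecurityLayer' }
if ($layer -eq 0) {
    $findings += 'SecurityLayer = 0: RDP Security Layer is forced (no TLS)'
}

if ($findings.Count -eq 0) {
    'No temporary CredSSP/NLA workaround detected.'
} else {
    $findings | ForEach-Object { "WORKAROUND ACTIVE: $_" }
}
```

Run it on the client to check AllowEncryptionOracle and on the RDP server to check the NLA and security layer settings.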