The “CredSSP encryption oracle remediation” error when connecting to the remote computer’s desktop over RDP indicates that the remote host (most likely) or your computer is missing a security update that fixes a critical vulnerability in the CredSSP protocol.
Remote Desktop connection An authentication error has occurred. The function is not supported. Remote Computer: hostname This could be due to CredSSP encryption oracle remediation.
The Credential Security Support Provider (CredSSP) protocol is used to pre-authenticate users when the Network Level Authentication (NLA) protocol is enabled for Remote Desktop (RDP) connections. A critical vulnerability in the CredSSP protocol, which could lead to remote code execution via an open RDP port, was discovered and fixed in 2018 (CVE-2018-0886).
There are two possible scenarios if you receive this error:
- Your computer with the CredSSP update installed blocks connection to an unpatched RDP host with a vulnerable version of CredSSP. This is the most common case. This is usually because the operating system on the remote RDP host is being deployed from an old distro (RTM versions of Windows Server 2016/2012 R2/2008 R2, Windows 7, 8.1, or Windows 10 up to build 1803).
- A patched remote RDP (RDS) server blocks unpatched clients from connecting. It’s an opposite scenario. The client is running an old Windows build and the enforced mode is enabled on the Remote Desktop host to block vulnerable versions of CredSSP.
The recommended way to fix the CredSSP error is to download and install the latest cumulative security update rollup for your version of Windows released after May 2018 on the remote RDP host (or client, depending on the scenario). To check the latest Windows update installation date on a computer, use the PSWindowsUpdate module or the following WMI command in the PowerShell console:
gwmi win32_quickfixengineering |sort installedon -desc
If there are no updates installed after 2018, you can manually download the MSU update from the Microsoft Update Catalog or install it via Windows Update or the WSUS update server.
There is a temporary workaround that allows connecting a remote desktop with a vulnerable CredSSP version (not recommended for continuous use due to security reasons).
- Open the local GPO editor (
gpedit.msc) on the client computer (from which you are trying to establish an RDP connection) - Navigate to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
- Enable the policy Encryption Oracle Remediation and set the Protection Level to Vulnerable
- Update the group policy setting on the computer (run
gpupdate /forcecommand) - Attempt to connect to the remote host via RDP.
- Force Updated Clients – the most secure mode, which blocks vulnerable computer connections. If this option is enabled on the RDP host, it will block RDP connections from client computers with a vulnerable version of CredSSP.
- Mitigated – (used by default) in this mode, outbound RDP connections to remote hosts with a vulnerable version of CredSSP are not allowed. Incoming connections are allowed even from unpatched clients;
- Vulnerable – connections to RDP hosts with a vulnerable version of CredSSP are allowed (unsafe mode).
If you do not have a local GPO editor (for example, in Windows Home editions), you can make a direct registry change to allow RDP connections to servers with an unpatched version of CredSSP:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
Once you have successfully connected to an RDP host, install the latest security updates on it. Then disable the Encryption Oracle Remediation policy on the client machine, or return the value 0 for the AllowEncryptionOracle registry parameter.
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0
8 comments
Hi,
I have seen that problem yesterday on a server that I can’t update.
What I did to fix for the client to be able to connect to the server was to deselect the box “Allow connections only from computers running Remote Desktop with Network Level Authetication (recommended)”.
Hi,
Thanks for the info! Please clarify:
Have you disabled NLA on the server side?
Do you use Windows Server 2003 / Win XP or something similar as an RDP server?
What is the Windows version on the client? Did you enable the policy Oracle Remediation Encryption = Vulnerable on the client computer?
RADJ,
Sorry… I’ve just seen your reply…
Q: Have you disabled NLA on the server side? A: Yes
Q: Do you use Windows Server 2003 / Win XP or something similar as an RDP server? A: No
Q: What is the Windows version on the client? A: Windows 7
Q: Did you enable the policy Oracle Remediation Encryption = Vulnerable on the client computer? A: No
As the server can’t be updated, it doesn’t has that group policy to configure…
So the quick fix was to deselect that box.
In this other site I saw a regedit solution:
http://jermsmit.com/credssp-encryption-oracle-remediation/
Is there a solution how to connect to the RDS farm from a computer running Windows XP Sp3?
Most likely the AllowEncryptionOracle = 2 registry parameter on computers with Windows XP will not work. Most likely, to connect to RDS from clients on XP, you need to switch the Encryption Oracle Remediation policy to the Mitigated/ Vulnerable level on terminal servers. However, the RDS server will be vulnerable to the exploitation of the CredSSP vulnerability (CVE-2018-0886). You will also have to disable the Network Level Authentication on RDS server (however, there is also a workaround for enabling NLA in Windows XP SP3). Those, it should be used only as a temporary solution, until you update the OS on clients to Windows 10 / 8.1 / 7.
You can also connect via windows 10 ‘remote desktop’ app .. just to get you in and run updates
thanks it work in my win 10 home
Please sync your time and location first