In some cases, you may receive the CredSSP encryption oracle remediation error when trying to connect to a remote Windows machine via RDP. This error is caused by the Windows security updates released in 2018 to fix a critical vulnerability in the Credential Security Support Provider (CredSSP) protocol. This protocol is used to pre-authenticate users when Network Level Authentication (NLA) is enabled for Remote Desktop (RDP). The CredSSP Remote Code Execution Vulnerability (CVE-2018-0886) allows an attacker to remotely execute arbitrary code on the Windows host via an open RDP port.
Windows blocks RDP connections to computers with a vulnerable version of CredSSP after you install any cumulative security updates released after May 2018:
Remote Desktop connection
An authentication error has occurred.
The function is not supported.
Remote Computer: hostname
This could be due to CredSSP encryption oracle remediation.
The presence of a CredSSP error indicates that you are trying to connect to a computer that is missing security updates that fix the RDP vulnerability.
Recommended way to fix the error: download the latest Windows security update rollup released after May 2018 and install it on the RDP host. You can get the update through Windows Update or the WSUS update server, or manually download and install the MSU update file from the Microsoft Update Catalog.
This problem should not occur if your computer is configured to automatically receive and download security patches via Windows Update. Typically, this error occurs after a clean install of one of the following RTM Windows distros:
- Windows Server 2016, 2012 R2, or 2008 R2
- Windows 7, 8.1, or Windows 10 1803 (or one of the earlier builds, including LTSB)
There is a temporary workaround that allows you to connect to a remote computer with a vulnerable version of CredSSP (not recommended for continuous use due to security reasons):
- Open the local GPO editor: gpedit.msc;
- Navigate to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation;
- Enable the policy Encryption Oracle Remediation and set the Protection Level to Vulnerable;
- Update the policy setting on the computer (run the gpupdate /force command);
- Attempt to connect to the remote host via RDP.
The Protection Level setting of the Encryption Oracle Remediation policy has three possible values:
- Force Updated Clients: the most secure mode, where the client and server block vulnerable client connections;
- Mitigated: in this mode, outbound RDP connections to remote hosts with a vulnerable version of CredSSP are not allowed. Incoming connections are not blocked;
- Vulnerable: connections to RDP hosts with a vulnerable version of CredSSP are allowed.
If you do not have a local GPO editor (for example, in Windows Home editions), you can make a direct registry change to allow RDP connections to servers with an unpatched version of CredSSP:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
Once you have successfully connected to an RDP host, install the latest security updates on it. Then disable the Encryption Oracle Remediation policy on the client machine, or set the AllowEncryptionOracle registry parameter back to 0:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0
There is another scenario, in which security updates are not installed on your computer. For example, the RDP server is patched, but it has a policy that blocks RDP connections from computers with the vulnerable version of CredSSP set to Force Updated Clients. In this case, you will also see the error “This could be due to CredSSP encryption oracle remediation” during the RDP connection.
Use PSWindowsUpdate or the WMI command in the PowerShell console to check the latest Windows Update installation date on your computer. Download and install Windows updates.
gwmi win32_quickfixengineering |sort installedon -desc
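One way to confirm that the temporary workaround was not left in place and that the machine is still receiving updates, as an added example that is not part of the original article. The function name Get-CredSspRemediationState and the 45-day patch-age threshold are assumptions; the article gives the values 2 and 0, and the mapping 1 = Mitigated follows Microsoft's guidance for CVE-2018-0886.

```powershell
# Added example: audit the CredSSP workaround state on the local computer.
# 2 (Vulnerable) and 0 appear in the article; 1 = Mitigated per Microsoft's guidance.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspRemediationState {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Path = $CredSspKey,
        [int]$MaxPatchAgeDays = 45       # assumed threshold, adjust to your patch cycle
    )

    # The value exists only if the policy or the REG ADD workaround created it.
    $raw = $null
    if (Test-Path -LiteralPath $Path) {
        $raw = (Get-ItemProperty -LiteralPath $Path -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    }

    if ($null -eq $raw) { $level = 'Not configured (OS default applies)' }
    elseif ($Levels.ContainsKey([int]$raw)) { $level = $Levels[[int]$raw] }
    else { $level = "Unknown value $raw" }

    # Get-HotFix reads the same Win32_QuickFixEngineering class as the gwmi
    # command above; InstalledOn can be empty for some entries, so filter them.
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1

    $age = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        AllowEncryptionOracle = $raw
        ProtectionLevel       = $level
        WorkaroundActive      = ($raw -eq 2)
        LastHotFixId          = $lastFix.HotFixID
        LastHotFixDate        = $lastFix.InstalledOn
        PatchAgeDays          = $age
        NeedsAttention        = ($raw -eq 2) -or ($null -eq $age) -or ($age -gt $MaxPatchAgeDays)
    }
}

Get-CredSspRemediationState | Format-List
```

NeedsAttention is true when the Vulnerable level is still set, or when no dated hotfix newer than the threshold is found.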
8 comments
Hi,
I have seen that problem yesterday on a server that I can’t update.
What I did to fix for the client to be able to connect to the server was to deselect the box “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”.
Hi,
Thanks for the info! Please clarify:
Have you disabled NLA on the server side?
Do you use Windows Server 2003 / Win XP or something similar as an RDP server?
What is the Windows version on the client? Did you enable the policy Oracle Remediation Encryption = Vulnerable on the client computer?
RADJ,
Sorry… I’ve just seen your reply…
Q: Have you disabled NLA on the server side? A: Yes
Q: Do you use Windows Server 2003 / Win XP or something similar as an RDP server? A: No
Q: What is the Windows version on the client? A: Windows 7
Q: Did you enable the policy Oracle Remediation Encryption = Vulnerable on the client computer? A: No
As the server can’t be updated, it doesn’t have that group policy to configure…
So the quick fix was to deselect that box.
In this other site I saw a regedit solution:
http://jermsmit.com/credssp-encryption-oracle-remediation/
Is there a solution how to connect to the RDS farm from a computer running Windows XP Sp3?
Most likely the AllowEncryptionOracle = 2 registry parameter on computers with Windows XP will not work. Most likely, to connect to RDS from clients on XP, you need to switch the Encryption Oracle Remediation policy to the Mitigated/Vulnerable level on terminal servers. However, the RDS server will be vulnerable to the exploitation of the CredSSP vulnerability (CVE-2018-0886). You will also have to disable the Network Level Authentication on RDS server (however, there is also a workaround for enabling NLA in Windows XP SP3). Thus, it should be used only as a temporary solution, until you update the OS on clients to Windows 10 / 8.1 / 7.
You can also connect via the Windows 10 ‘Remote Desktop’ app... just to get you in and run updates.
Thanks, it works on my Win 10 Home.
Please sync your time and location first