CredSSP encryption oracle remediation

We have not made any changes to our GPOs, however, today upon attempting to remote desktop to a few servers we are getting the following error:

An Authentication error has occurred.
The function requested is not supported.
Remote computer: <servername>
This could be due to CredSSP encryption oracle remediation


Is there a patch I need to install on my servers to fix?  Or is there a workaround for this message?
sbalawajderAsked:

Ryan ConfoyCommented:
The following updates break remote desktop connection

KB4103725 (Windows 8/10)
KB4103727 (Server 2016/2012)
KB4103718 (Windows 7)
4
Tango SierraCommented:
Well, sheesh.  How will I remotely update the server if I can't RDP to it?  Way to go, MS.
0
Alien FourCommented:
Maybe use an unpatched client? Yet if you patch the server, how will unpatched clients react afterwards - will they be blocked that time around?
0
Charles MCommented:
Some of our users have Win7 and started to have that issue today. I can tell that KB4103718 was installed earlier today, so I truly believe it is related to that.

However, when I try to uninstall that KB4103718, I get an error saying that it was not successfully uninstalled and it still shows in the list of installed updates. Any idea?
0
Ryan ConfoyCommented:
If you can't update your servers since it requires a reboot, you could add this to your clients' registry, send it out via GPO, and all it takes is that the clients get a reboot:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
20
Sam HaqueSr EngineerCommented:
It is better to block those updates from your WSUS server.
0
Sam HaqueSr EngineerCommented:
3

Danny KravtsovCommented:
@Ryan Confoy thanks man! You're a lifesaver.
1
Paul DeaneCommented:
Argh!  Can't connect to my Hyper-V servers.  That registry key, should that exist already on the clients?  I only need to set it on mine for remote admin for now.
0
Danny KravtsovCommented:
Nope, you will need to create both the CredSSP and Parameters, and then create the AllowEncryptionOracle DWORD and give it a value of 2; worked for me on both Win7 and Win10 freshly patched computers.
1
Juan MachadoCommented:
You have to update your windows clients and your AD servers. Make sure you apply this one in your server(s):

May 8, 2018
An update to change the default setting from Vulnerable to Mitigated.
0
Paul DeaneCommented:
Also no reboot needed on the client with the Reg change.  That is if you only need to accommodate a couple of PCs.
0
sbalawajderAuthor Commented:
What's strange: I can remote connect to the server via an RDP connection from another server (which happens to be the AD machine).

I will be patching the server in question tonight, will let you know how it goes
0
Dominic BoschCommented:
I fired up a VM that didn't have that update installed yet and connected over RDP.
0
Sheldyn BuchmanCommented:
Thanks Ryan,  you saved me from a world of pain!
0
Guilherme KinzelCommented:
I was having the same issue today (09 MAY 2018).
Uninstalling the latest Windows Update solved the problem. I didn't write down the KB[number], but I know that it's not the 4093112.

Windows Update Settings > View Installed Update History > Uninstall Updates

Windows 10, x64
1
CorySystems AdministatorCommented:
Same issue. Can't get into any of my servers via RDP.
0
MrSlikCommented:
If uninstalling the problematic client update does not work for you, give the registry key above a shot; I can confirm it worked for me.  Thanks again for posting this.
1
tonyPerryCommented:
The registry value was not there on my Windows 10 machine.  I had to go to the following local group policy and apply the change on my client:

Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation

Enable and set to 'Vulnerable'.
4
MrSlikCommented:
It typically will not be present if you're having this issue.  You have to create the new keys "CredSSP" and "Parameters" in the above-referenced location before creating the DWORD.

Glad the local group policy approach worked for you as well.
0
Travis MooreCommented:
My PC was ahead of my Azure server with these patches. I want to apply patches to the server to get it up to date. I have unpatched clients that I could use to access.

If my server is fully patched, is there a possibility that I might not be able to log in with any client PCs?

Thanks!
0
Chris BrownCommented:
Registry Fix was helpful!  Thanks.  Anyone planning to apply the Windows Updates on the Server Side (RDS farm) as a result?
2
CorySystems AdministatorCommented:
Reg Fix worked great. Thank you. Have this as an emergency backup. We have about 100 users that rely on RDS.
0
JeffMyersUSCommented:
Reg Fix worked for us as well. Experts Exchange comes to the rescue again!!!
0
Anzif AzeezCommented:
Update windows and reboot. This fixed the issue for me.
0
Mitch PCommented:
This is just fucking bullshit I don't expect in 2018. What about the gateway/server side workaround for non-domain workstations without IT support to resolve? Is there a patch that supersedes that can be pushed?
0
Jose OcasioCommented:
Thanks, this was fast as many of us woke up to this random affected computers nightmare. Thanks @Ryan Confoy
0
xjpmauricioCommented:
Can someone POST a complete solution for this?
0
JoeyWinterrowdCommented:
The Remote Desktop App from the MS Store, appears to be un-affected.   It's just the traditional Remote Desktop Connection (%windir%\system32\mstsc.exe).

See the following from Microsoft:  Microsoft TechNet Article

I concur with @Mitch P--  This is a hurdle I thought that we had finally cleared with Microsoft and Patch Day.  Unbelievable, but believable.   Thanks MS.

Thank you for the diagnosis and solutions above, folks.
2
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
For those wondering about what to do with machines not on the domain, use the following to create a .REG file (we call it CredSSP.REG):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

If using Notepad make sure to name it "CredSSP.REG" with the quotes to keep the extension.

We put ours on a shared OneDrive location that we send the link to for anyone that needs it.

For users running in Standard User Mode:
 1: Click START
 2: Type: Regedit
 3: Right click and Run As Admin
 4: Credential
 5: FILE
 6: IMPORT
 7: Choose the CredSSP.REG file
 8: Close the registry editor and reboot

NOTE: This is a mitigation step! Once the servers are up to date remove this registry entry!
3
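Added example (not part of the thread and not any poster's code): a PowerShell audit for the cleanup step in the note above, reporting whether a client still carries the AllowEncryptionOracle workaround and removing it once the servers are patched. The function names are hypothetical; the registry path and value name are the ones quoted in this thread, and the 0/1/2 labels are the Encryption Oracle Remediation policy levels.

```powershell
# Added example: audit and roll back the CredSSP AllowEncryptionOracle workaround.
# Function names are hypothetical; path and value name are those quoted in the thread.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

function Get-CredSspOracleSetting {
    # Map the DWORD to the Encryption Oracle Remediation protection level.
    $meaning = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the default for the installed patch level applies.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Value = $null; Setting = 'Not configured'
        }
    }
    $value = [int]$item.$ValueName
    $label = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { 'Unknown' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $value; Setting = $label }
}

function Remove-CredSspOracleOverride {
    # Deletes the value only when it is set to 2 (Vulnerable). Requires elevation.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = Get-CredSspOracleSetting
    if ($current.Value -ne 2) {
        Write-Verbose "Nothing to remove: $($current.Setting)"
        return $current
    }
    if ($PSCmdlet.ShouldProcess($CredSspKey, "Remove $ValueName (currently Vulnerable)")) {
        Remove-ItemProperty -Path $CredSspKey -Name $ValueName
    }
    Get-CredSspOracleSetting
}

# Report the current state, then preview the rollback without changing anything.
Get-CredSspOracleSetting
Remove-CredSspOracleOverride -WhatIf
```

Drop `-WhatIf` to perform the removal. If the value was pushed by GPO, remove it from the policy as well, or it will be written back at the next policy refresh.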
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
SIDE NOTE: Microsoft released the server-side update two patch cycles ago (2 months) with plenty of warning.

We were bit because we have maintenance windows that span longer than that.

Make sure to update those servers!
1
WiReDWolfCommented:
No I agree, this is bullshit.  In the last few months there have been a number of Microsoft Update 'surprise!' days.  I still have clients getting a BSOD from KB4088875.  Even after removing the update, when some users log out the system blue screens.  Microsoft even ended up pulling the patch with no real explanation, and issued a new patch that did nothing to fix the damage caused.

I also experienced this problem from my now-patched Windows 10 x64 workstation.  It was a cumulative update

May 8, 2018—KB4103727 (OS Build 16299.431)
https://support.microsoft.com/en-ca/help/4103727/windows-10-update-kb4103727

Addresses an issue that may cause an error when connecting to a Remote Desktop server. For more information, see CredSSP updates for CVE-2018-0886.

Another thing about Microsoft Updates - they often link back to link back links, weaving a web of confusion that I simply do not have time to try to decipher.  If I had to read through every bulletin on every patch and update released by Microsoft I'd never get any work done.

Having ranted, it's also noted that RDP attacks have been ramping up a lot lately, so at least Microsoft is trying to address vulnerabilities.  Always a silver lining somewhere if you look for it.

Personally I'm angling to have all my clients ditch RDP and switch to something more secure.
1
Richard BelisarioCommented:
Please help, I followed the steps using regedit but I could not find CredSSP on HKLM and I'm using Windows 10.
0
MrSlikCommented:
Hi Richard, the CredSSP and Parameters keys aren’t actually there yet; you have to create them under the local machine hive. Give @Philip Elder‘s instructions above a shot if you’d rather not manually create the keys (the “folders” in the registry hive are called keys). He’s got it pretty well covered, and the paths needed to import the keys are already present in the file he provides.
0
barnabas kgIT SupportCommented:
Thanks @Ryan
0
Nikolay PetyukhCommented:
Just remove latest Security update for Microsoft Windows KB4103721
[RDP] This could be due to CredSSP encryption oracle remediation
1
Michael DementevQA EngineerCommented:
Temp fix (changes on client side)
https://habrastorage.org/webt/rz/1i/bz/rz1ibzh1wcxq9ss97lyyrvczrk8.png
1
Rani AlmohammedCommented:
Ryan Confoy ,

Great, it's working
0
Paul GroblerNOC EngineerCommented:
Hi All, the reg fix is working :)

Thanks all.
0
sbalawajderAuthor Commented:
I ran the updates on my affected servers, and all is working now!   I have a few other servers I need to install the updates on, but that's for Friday night.

Thanks for your help guys
0
Syed Nasir AbbasCommented:
https://www.youtube.com/watch?v=hrqESgJaS9M

Just Uninstall Windows update KB4103727 from your Windows 10
0
Mitch PCommented:
Updating the servers is the best way to resolve if you can restart them during the week. All my client workstations can now connect.
0
D SpenikCommented:
How about when the server cannot install that update? Running Win2k8 R2 Standard. After downloading and installing the patch I get an error (ERROR:  https://ctrlv.cz/cLcn ). After running the Windows Update helper it gave me this result (result:  https://ctrlv.cz/IslY ).
Also tried manual install and the installation failed. Any advice?
0
CuddyIT AdminCommented:
Go to this link    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886


Scroll down till you see the server you want, select "Security Update" to the right.

 It will show several downloads. Download the appropriate software and install on the server. Mine was a 2016, installation took an hour for me.

It worked for me.

I tested the workaround that was discussed above, creating the registry on the client computer, and it worked as well. I then deleted the registry, and it was back to the error. I installed the update from the site above on the server, did not put the registry back on the client, and I was able to log on to the server through RDP.
0
taxbusterCommented:
Thank you!!!!

Not an IT pro - just a dumb accountant using a remote server....you saved me a LOT of trouble! Appreciate all the smart people out there who share their knowledge.
0
D SpenikCommented:
Thank you for your advice. I found security update which worked for me (11MB). Now is RDP working for users who have newest update installed.
But I can't still fully install whole update. Still seeing same errors after installing via windows update.
0
CuddyIT AdminCommented:
NP,

You said "I found security update which worked for me", then "But I can't still fully install whole update. Still seeing same errors after installing via windows update", so I'm not sure what you're saying (that you can't install the whole update on clients' computers?).


I didn't have to install any updates on clients' computers, if that helps.
0
D SpenikCommented:
I am still talking about Win Server 2k8 R2 Standard. For this machine I found an update which is 11MB, but the whole update from Windows Update manager is 200MB+. This update from WU I am still not able to install.

This small update fixed my issue with RDP.
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
For Windows Server 2016 download the full Cumulative Update and install on the Remote Desktop Session Hosts and Remote Desktop Gateway servers.

For Windows Server 2012 R2 download the latest Monthly Update and install on both RD Role sets.

Both require reboots.

We finished the last of our stragglers last night. No more CredSSP errors for remotely connecting systems.
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
NOTE: There is no excuse for this. Microsoft released the updates on the server side two months ago with plenty of explanations about what was coming. In fact, they released iterative patches to clients as a warning over both months!

Complaining that it's Microsoft's fault that we're caught by the situation is not right.

It's our responsibility to stay on top of our I.T. Thus, we are the ones culpable, or the I.T. orgs supporting our systems are responsible, for keeping things up to date and regression testing all patches so as to be aware of what would blow up where.
0
CuddyIT AdminCommented:
From the look of the MB size, it sounds like you're talking about the monthly roll out. 2016 didn't have one, just the security update.
Not sure about 2008R2; I'm running several TS's with 2008R2 and haven't had an issue. I've only had a problem with 2016; I don't have 2012.

When you say you can't install, need a little more detail. Are you getting an error, is it saying it's not compatible, it won't open?
0
D SpenikCommented:
Here are two screenshots.

1. error after downloading and installing update
2. after checking WUT
0
Philipp MaxCommented:
Dear Philip Elder

NOTE: There is no excuse for this. Microsoft released the updates on the server side two months ago with plenty of explanations about what was coming. In fact, they released iterative patches to clients as a warning over both months!

WHAT A TOTAL BULLCRAP! Sorry to say. But this is such deep nonsense.

All of my servers are up to date. Patched via WSUS and additionally checked via online search. Still
SOME of the servers won't let my fully patched client through.
So don't blame any sysadmin, and this protecting Microsoft is just so ridiculous.

I've been looking for hours to resolve the issue with "patching the servers" and not with the group policy workaround.
On the servers I try to connect to I can't find those updates that need to be installed. They are not there, but it's approved on WSUS.
I tried to manually download them via the Catalogue, getting the message that the update is not designed for the system.
This is just absolute bullshit that Microsoft messed up. Sorry to say. But if it's working in your environment, that doesn't mean it works in others.
Still, I followed ALL recommendations from Microsoft and hundreds of blogs I actually read about it.
0