RDP Connection Error: CredSSP encryption oracle remediation

The Symptom:

[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occurred.
The function requested is not supported

Remote computer: 1.1.1.1
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

[OK]

The Cause:

Encryption Oracle Remediation (EOR) is a setting that may be installed on the client, the server, or both. If the client has the CredSSP update installed and Encryption Oracle Remediation is set to Mitigated, the client will not allow insecure connections. By the same token, if the server has the CredSSP patch and is set to Force updated clients, it will block any RDP connection from clients that do not have the CredSSP update installed. The compatibility details are shown below.

Interoperability Matrix:

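| Client \ Server       | Updated   | Force updated clients | Mitigated | Vulnerable |
|-----------------------|-----------|-----------------------|-----------|------------|
| Updated               | Allowed   | Blocked 2             | Allowed   | Allowed    |
| Force updated clients | Blocked   | Allowed               | Allowed   | Allowed    |
| Mitigated             | Blocked 1 | Allowed               | Allowed   | Allowed    |
| Vulnerable            | Allowed   | Allowed               | Allowed   | Allowed    |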

Source: Microsoft

The Solutions:
  • Option 1: patch both clients and servers
  • Option 2: Set the Server EOR to Mitigated
    • Not recommended
  • Option 3: Set the Client to Vulnerable
    • How To Execute ‘Option 3’
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

How to Revert ‘Option 3’

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Name 'AllowEncryptionOracle' -Value 1 -Type DWord

Key value table:

  1. Force Updated Clients
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
    Value Name: AllowEncryptionOracle
    Value Type: REG_DWORD
    Value: 0
  2. Mitigated
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
    Value Name: AllowEncryptionOracle
    Value Type: REG_DWORD
    Value: 1
  3. Vulnerable
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
    Value Name: AllowEncryptionOracle
    Value Type: REG_DWORD
    Value: 2
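
To check which of these values a machine currently has, for example to find clients still left at Vulnerable after using Option 3, the following PowerShell can be used. It is an added example, not part of the original post; Get-CredSspOracleSetting is a hypothetical helper name, and the remote branch assumes PowerShell remoting is enabled on the target.

```powershell
# Added example: audit the CredSSP AllowEncryptionOracle policy value.
# The 0/1/2 names come from the key value table on this page.
# Get-CredSspOracleSetting is a hypothetical helper name, not a built-in cmdlet.
function Get-CredSspOracleSetting {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $read = {
        $path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
        # Yields $null when the key or the value does not exist.
        (Get-ItemProperty -Path $path -Name 'AllowEncryptionOracle' -ErrorAction SilentlyContinue).AllowEncryptionOracle
    }
    $names = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $raw = & $read
            } else {
                # Assumes PowerShell remoting is enabled on the target.
                $raw = Invoke-Command -ComputerName $computer -ScriptBlock $read -ErrorAction Stop
            }
            if ($null -eq $raw) { $setting = 'Not configured' }
            elseif ($names.ContainsKey([int]$raw)) { $setting = $names[[int]$raw] }
            else { $setting = "Unknown ($raw)" }
        } catch {
            $raw = $null
            $setting = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            ComputerName = $computer
            Value        = $raw
            Setting      = $setting
            # Value 2 is what Option 3 sets; flag it so it can be reverted.
            NeedsRevert  = ($raw -eq 2)
        }
    }
}

# Local check; pass -ComputerName host1,host2 for remote machines.
Get-CredSspOracleSetting | Format-Table -AutoSize
```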
