All Products
Search

This Product

    :How to handle an authentication error when connecting to a Windows instance remotely

    Document Center

    :How to handle an authentication error when connecting to a Windows instance remotely

    Last Updated:Dec 15, 2020

    Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

    Problem description

    When you connect to a Windows instance remotely through The Microsoft RDP client, The system prompts "an authentication error occurred and The required function is not supported (The function requested is not supported)".

     

    Possible cause

    In May 2018, Microsoft released an update for Credential Security Support Provider protocol (CredSSP) and changed the authentication method. This connection error occurs when the next scenario occurs.

    • Scenario one: the client has not installed the CredSSP update. The server has installed the CredSSP update, and encryption Oracle remediation is set to force updated clients.
    • Scenario two: the client has installed the CredSSP update, and encryption Oracle remediation is set to force updated clients. The server has not installed the CredSSP update.
    • Scenario Three: the client has installed the CredSSP update, and encryption Oracle remediation is set to mitigated. The server has not installed the CredSSP update.
      Note:
      • The preceding description that no CredSSP update is installed means no CredSSP update version released since May 2018 is installed.
      • The preceding description that a CredSSP update is installed means any CredSSP update version released since May 2018 is installed.
      • The policy steps for encryption Oracle remediation are to click on the computer configuration >Manage templates > System> Credential assignment > Encrypt Oracle remediation. For more information, see document steps.

     

    Solution

    Alibaba Cloud reminds you that:

    • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
    • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
    • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

     

    Fix one: Set the server to allow connections from computers running any version of the Remote Desktop

    There are many versions of Windows Server. The operations supported by these versions vary slightly. The following takes mainstream Windows Server versions: Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 as examples.

     

    Windows Server 2008 R2 system version

    1. Log on to a Windows instance through a remote connection. In the dialog box that appears, start, right-click your computer, and choose properties from the shortcut menu.
    2. In the system control panel, click remote settings in the displayed remote desktop options allows running any version of remote desktop computer connection (less secure), And then click determined.

     

    Windows Server 2012 R2 system version

    1. Log on to a Windows instance through a remote connection. Click the start window. Right-click this PC and select properties.
    2. In the system control panel, click remote settings. In the remote option that appears, deselect only allow connections from computers running remote desktop with network level authentication (recommended) and click OK.

     

    Windows Server 2016 System version

    1. By remote connection log on to the Windows instance to open start interface, click Windows system, right-click on this PC select More> properties.
    2. In the System Control Panel, click Remote Settings. In the Remote tab that appears, deselect Only allow connections from computers running Remote Desktop with Network Level Authentication (recommended) and click OK.

     

    Fix two: Install Windows updates

    Note:

    • Following is Windows Server 2016 system as an example, other Windows system release similar to that.
    • If your client computer is running a Windows system, perform the following operations on the client computer:
    1. Log on to the Windows instance through a remote connection. Open the Windows update page, and click check updates to download updates.
    2. Wait for the download and installation to complete.
      Note: If you need to manually install CredSSP security update packages, download the corresponding security update packages based on the official website of Microsoft.
    3. Restart the instance or restart the local computer to complete the installation of updates.

     

    Fix three: Modify the Windows registry

     

    Note: this example shows how to Windows Server 2016 the system version. The operations for other Windows systems are similar.

    After clients or servers update CredSSP-related patches, select one of the following methods to modify its registry.

    Warning:

    • If you modify the registry improperly, serious problems may occur, and you need to modify the registry at your own risk. Before you modify the registry, we recommend that you create a snapshot to back up your data to avoid possible data loss. For more information, see Create a snapshot.
    • This fix can make your instance less secure. We recommend that you use method 2 .

     

    Manually modify a whitelist

    1. Log on to a Windows instance or a local computer, and click start. > Run, enter regedit, and click OK.
    2. Click HKEY_LOCAL_MACHINE. > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System > CredSSP > Parameters.
    3. If CredSSP item or Parameters entry does not exist, create CredSSP item or Parameters items in Parameters item create reg_ DWORD Type of   AllowEncryptionOracle value and set the data for 2.
    4. Restart the instance or the local computer.

     

    Run a PowerShell script to modify the registry

    1. Log on to a Windows instance or local computer, run WindowsPowerShell as the administrator, and run the following script: 
      New-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name CredSSP -Force New-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP -Name Parameters -Force Get-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters | New-ItemProperty -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
    2. Restart the instance or the local computer.
      Note: If you run the script to modify the registry first and then install security updates on the client computer and ECS instance, we recommend that you set AllowEncryptionOracle value to 0 Or 1 For higher security.

     

    Reference

    For more questions about CredSSP, see the following documents.

     

    Application scope

    • ECS