
How to solve authentication errors caused by CredSSP encryption oracle remediation when connecting to Windows instances

Last Updated: Dec 21, 2018

Problem description

When using a Microsoft RDP client to remotely connect to a Windows instance, the following error message appears: An authentication error has occurred. The function that you have requested is not supported.

Cause

In May 2018, Microsoft released an update for Credential Security Support Provider Protocol (CredSSP) and changed the authentication method. As a result, the authentication error occurs in the following scenarios:
  • Scenario one: The client has not installed the CredSSP update. The server has installed the CredSSP update, and Encryption Oracle Remediation is set to Force Updated Clients.
  • Scenario two: The client has installed the CredSSP update, and Encryption Oracle Remediation is set to Force Updated Clients. The server has not installed the CredSSP update.
  • Scenario three: The client has installed the CredSSP update, and Encryption Oracle Remediation is set to Mitigated. The server has not installed the CredSSP update.
    Note:
    • If a computer has not installed the CredSSP update, it means this computer has not installed any version of CredSSP updates released since May 2018.
    • If a computer has installed the CredSSP update, it means this computer has installed any or all CredSSP updates released since May 2018.
    • To modify the Encryption Oracle Remediation policy setting, navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation. For more information, see related documents.

Fixes

Fix one: Set the server to allow connections from computers running any version of Remote Desktop

Windows Server 2008 R2

  1. Log on to a Windows instance through a Remote Desktop Connection.
  2. Click Start, right-click Computer, and select Properties.
  3. In the System Control Panel, click Remote settings. In the Remote tab that appears, select Allow connections from computers running any version of Remote Desktop (less secure), and click OK.
    Warning: This operation allows insecure remote desktop connections. To ensure the security of information, we recommend that you use Fix two.

Windows Server 2012 R2

  1. Log on to a Windows instance through Remote Desktop Connection.
  2. From the Start menu, right-click This PC and select Properties.
  3. In the System Control Panel, click Remote Setting. In the Remote tab that appears, deselect Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) and click OK.
    Warning: This operation allows insecure remote desktop connections. To ensure the security of information, we recommend that you use Fix two.

Windows Server 2016

  1. Log on to a Windows instance through Remote Desktop Connection.
  2. Click Start > Windows System, right-click This PC, and select More > Properties.
  3. In the System Control Panel, click Remote Settings. In the Remote tab that appears, deselect Only allow connections from computers running Remote Desktop with Network Level Authentication (recommended) and click OK.
    Warning: This operation allows insecure remote desktop connections. To ensure the security of information, we recommend that you use Fix two.

Fix two: Install Windows updates

  1. Log on to a Windows instance through Remote Desktop Connection.
    Note: If your client computer is running a Windows system, perform the following operations on your client computer too.
  2. Search for and open Windows Update.
  3. Click Check for updates to check for and download updates.
  4. Wait for the download and installation to complete.
  5. Restart the instance for the updates to take effect.
You can also use the following links to download and install CredSSP updates on your Windows instance and client computer.

Fix three: Modify the Windows registry

For clients and servers that have installed CredSSP updates, you can manually modify the Windows registry or run a PowerShell script to modify the registry.
Warning:
  • Incorrect use of the Registry Editor and improper changes to the registry can cause serious problems. You are responsible for all consequences resulting from these operations. Before you modify the registry, we recommend that you create a snapshot to back up your data to avoid possible data loss.
  • This fix can make your instance and local computer less secure. We recommend that you use Fix two.

Manually modify the registry

  1. Log on to the instance or local computer.
  2. Click Start > Run, enter regedit, and click OK.
  3. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters key. If CredSSP or Parameters does not exist, create the CredSSP or Parameters key first.
  4. Under the Parameters key, create a DWORD type parameter AllowEncryptionOracle and set its value to 2.
  5. Restart the instance or local computer.

Run a PowerShell script to modify the registry

  1. Log on to the instance or local computer.
  2. Start Windows PowerShell as an administrator.
  3. Run the following script:
    # Create the CredSSP policy key.
    New-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name CredSSP -Force
    # Create the Parameters subkey under CredSSP.
    New-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP -Name Parameters -Force
    # Set the DWORD value AllowEncryptionOracle to 2 under Parameters.
    Get-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters | New-ItemProperty -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
    
  4. Restart the instance or local computer.
    Note: If you run the script to modify the registry first and then install security updates on the client computer and ECS instance, we recommend that you set AllowEncryptionOracle to 0 or 1 to enhance security.
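
The note above recommends returning AllowEncryptionOracle to 0 or 1 once updates are installed. The following PowerShell is an added example, not part of the original document: it reports whether the Fix three workaround or the Fix one setting is still in effect on a machine, and resets the registry value. The function names, the policy names mapped to 0, 1 and 2 (taken from Microsoft's Encryption Oracle Remediation setting), and the UserAuthentication value under the RDP-Tcp key are assumptions not found on this page; only the local (non-Group Policy) Network Level Authentication setting is checked.

```powershell
# Added example (not from the original document). Run in an elevated PowerShell session.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
# Assumption: local NLA setting is stored as UserAuthentication under the RDP-Tcp listener key.
$RdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Policy names for AllowEncryptionOracle (Encryption Oracle Remediation setting).
$PolicyNames = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the value as an int, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-RdpAuthAudit {
    $oracle = Get-RegistryDword -Path $CredSspKey -Name 'AllowEncryptionOracle'
    $nla    = Get-RegistryDword -Path $RdpTcpKey  -Name 'UserAuthentication'
    $policy = 'Not configured'
    if ($null -ne $oracle) { $policy = $PolicyNames[$oracle] }
    $findings = @()
    if ($oracle -eq 2) {
        $findings += 'AllowEncryptionOracle is 2: Fix three workaround is active; set 0 or 1 after updating.'
    }
    if ($nla -ne 1) {
        $findings += 'Network Level Authentication is not required (the state Fix one leaves behind).'
    }
    New-Object PSObject -Property @{
        AllowEncryptionOracle = $oracle
        Policy                = $policy
        NlaRequired           = ($nla -eq 1)
        Findings              = $findings
    }
}

function Set-EncryptionOracleSetting {
    # Only the two hardened values are accepted; 2 is the workaround being removed.
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value)
    # Create the key only if it is missing, then write the DWORD.
    if (-not (Test-Path -Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name 'AllowEncryptionOracle' -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

Get-RdpAuthAudit | Format-List
# After the updates from Fix two are installed on both client and server, revert the workaround:
# Set-EncryptionOracleSetting -Value 0
```

As with the original script, restart the instance or local computer after changing the value.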
