When you use a Microsoft RDP client to remotely connect to a Windows instance, the following error message appears: "An authentication error has occurred. The function that you have requested is not supported."
In May 2018, Microsoft released an update for the Credential Security Support Provider protocol (CredSSP) that changed the authentication method. As a result, the authentication error occurs in the following scenarios:
- Scenario one: The client has not installed the CredSSP update. The server has installed the CredSSP update, and Encryption Oracle Remediation is set to Force Updated Clients.
- Scenario two: The client has installed the CredSSP update, and Encryption Oracle Remediation is set to Force Updated Clients. The server has not installed the CredSSP update.
- Scenario three: The client has installed the CredSSP update, and Encryption Oracle Remediation is set to Mitigated. The server has not installed the CredSSP update.
Note:
- If a computer has not installed the CredSSP update, it means this computer has not installed any version of CredSSP updates released since May 2018.
- If a computer has installed the CredSSP update, it means this computer has installed any or all CredSSP updates released since May 2018.
- To modify the Encryption Oracle Remediation policy setting, navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation. For more information, see related documents.
Fix one: Set the server to allow connections from computers running any version of the Remote Desktop
- Log on to a Windows instance through a Remote Desktop Connection.
- Click Start, right-click Computer, and select Properties.
- In the System Control Panel, click Remote settings. In the Remote tab that appears, select Allow connections from computers running any version of Remote Desktop (less secure), and click OK.
- From the Start menu, right-click This PC and select Properties.
- In the System Control Panel, click Remote Setting. In the Remote tab that appears, deselect Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) and click OK.
- Click Start > Windows System, right-click This PC, and select More > Properties.
- In the System Control Panel, click Remote Settings. In the Remote tab that appears, deselect Only allow connections from computers running Remote Desktop with Network Level Authentication (recommended) and click OK.
- Note: If your client computer is running a Windows system, perform the following operations on your client computer too.
- Search and open Windows Update.
- Click Check for updates to check for and download updates.
- Wait for the download and installation to complete.
- Restart the instance for the updates to take effect.
You can also use the following links to download and install CredSSP updates on your Windows instance and client computer.
For clients and servers that have installed CredSSP updates, you can manually modify the Windows registry or run a PowerShell script to modify the registry.
- Incorrect use of the Registry Editor and improper changes to the registry can cause serious problems. You are responsible for all consequences resulting from these operations. Before you modify the registry, we recommend that you create a snapshot to back up your data and avoid possible data loss.
- This fix can make your instance and local computer less secure. We recommend that you use Fix two.
- Log on to the instance or local computer.
- Click Start > Run, enter regedit, and click OK.
- Locate the
Parameters does not exist, create the
- Under the Parameters key, create a
AllowEncryptionOracle and set its value to
- Restart the instance or local computer.
- Log on to the instance or local computer.
- Start Windows PowerShell as an administrator.
- Run the following script:
    New-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name CredSSP -Force
    New-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP -Name Parameters -Force
    Get-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters | New-ItemProperty -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
- Restart the instance or local computer.
Note: If you run the script to modify the registry first and then install security updates on the client computer and ECS instance, we recommend that you set
1 to enhance security.
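To check which Encryption Oracle Remediation level a machine is currently running with after applying the registry change above, the following added example (not part of the original article) reads the AllowEncryptionOracle value and flags the less secure setting. The function names are hypothetical, the value-to-name mapping (0, 1, 2) follows Microsoft's CredSSP guidance, and it assumes Windows PowerShell 3.0 or later running as an administrator.

```powershell
# Added example: audit the CredSSP Encryption Oracle Remediation registry setting.
# Value meanings per Microsoft's CredSSP guidance:
#   0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
$ParamPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-CredSspOracleSetting {
    [CmdletBinding()]
    param([string]$Path = $ParamPath)

    $names = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    # Returns nothing (no error shown) when the key or the value does not exist.
    $prop = Get-ItemProperty -Path $Path -Name AllowEncryptionOracle -ErrorAction SilentlyContinue

    if ($null -eq $prop) {
        # No explicit override in the registry: the installed update's default applies.
        return [pscustomobject]@{
            Configured = $false; Value = $null; Policy = 'Not configured'; Insecure = $false
        }
    }

    $value  = [int]$prop.AllowEncryptionOracle
    $policy = if ($names.ContainsKey($value)) { $names[$value] } else { 'Unknown' }
    [pscustomobject]@{
        Configured = $true
        Value      = $value
        Policy     = $policy
        Insecure   = ($value -eq 2)   # 2 is the setting written by the script above
    }
}

function Set-CredSspOracleMitigated {
    # Hypothetical helper: tighten the value to 1 once both ends are patched.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $ParamPath)

    if ($PSCmdlet.ShouldProcess($Path, 'Set AllowEncryptionOracle to 1 (Mitigated)')) {
        Set-ItemProperty -Path $Path -Name AllowEncryptionOracle -Value 1 -Type DWord
    }
}

$state = Get-CredSspOracleSetting
$state | Format-List
if ($state.Insecure) {
    Write-Warning 'AllowEncryptionOracle is 2 (Vulnerable). Install the CredSSP updates on both ends, then run Set-CredSspOracleMitigated.'
}
```

Run Set-CredSspOracleMitigated -WhatIf first to preview the change without writing to the registry.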