Introduction
We have recently had some issues accessing a few client servers and found it is related to a Windows security update that was released earlier in May 2018. The problem is when you try to RDP to a server you can receive an error similar to this:An authentication error has occurred. The function requested is not supported Remote computer: <computer/hostname> This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660[caption id="attachment_104142" align="aligncenter" width="483"]
![](https://www.pythian.com/hs-fs/hubfs/Imported_Blog_Media/rdpissue_error.png?width=483&height=209&name=rdpissue_error.png)
CVE details
This update applies to Windows 7 and up for desktop and Windows Server 2008 and higher. In Windows Server 2016 and 2012 R2, we found this update included in the May rollup update. The following are the two KB links for Windows 8.1 up to Windows Server 2016. If these get applied to your Windows 8.1 or Windows 10 desktop and not the servers, you will lose RDP access:Resolution
The end result is to apply the update to all of the target servers to ensure the security vulnerability is patched properly. If you utilize any management system for Windows Update (e.g. WSUS) you can push the update to the specific targets using that service. The update will require a reboot of the target server before it is applied. An interim approach is to set the Credential Delegation back to vulnerable on your workstation and this will open access back until you can apply the same patch to your servers.Change credential delegation to vulnerable
You will need to do this logged in as a domain account that has elevated privileges on the workstation or server. Open a run prompt (Windows Key + R) and entergpedit.msc
. Go to Computer Configuration > Administrative Templates > System > Credentials Delegation: [caption id="attachment_104143" align="aligncenter" width="298"]
![](https://www.pythian.com/hs-fs/hubfs/Imported_Blog_Media/rdpissue_gpedit_1.png?width=298&height=406&name=rdpissue_gpedit_1.png)
![](https://www.pythian.com/hs-fs/hubfs/Imported_Blog_Media/rdpissue_gpedit_2.png?width=440&height=384&name=rdpissue_gpedit_2.png)
Add registry key
If you are not able to access Group Policy editor on the source/client machine you can simply add a registry key to perform the same task as above to temporarily regain access to your servers.New-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion' -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
Post patch deployment
Once you have pushed the patch out to the servers you will need to "unconfigure" the Group Policy. Simply go back into that setting and select "Not Configured" and click OK. You will then regain access to all the servers again. If you used the registry option you can remove the registry key created using the following command:Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion' -Name AllowEncryptionOracle -Force
Share this
Previous story
← Why is my Forms 12c Application so slow?
You May Also Like
These Related Stories
Postgres Security Patches Related to the Search Path
Postgres Security Patches Related to the Search Path
Aug 19, 2020
1
min read
Fixing Windows RAC listener to listen on IP address of Hostname
Fixing Windows RAC listener to listen on IP address of Hostname
Sep 3, 2014
2
min read
Using Kerberos configuration manager to resolve Microsoft SQL server SPN issues
Using Kerberos configuration manager to resolve Microsoft SQL server SPN issues
Feb 20, 2018
3
min read
No Comments Yet
Let us know what you think