[Solved] How to Fix RDP Authentication Error due to CredSSP Encryption Oracle Remediation


Problem: When attempting to perform RDP from Windows 10 to remote computer Windows Server 2012 R2 or Windows Server 2016, below error message show:

An authentication error has occurred.
The function requested is not supported.

Remote computer: {name}
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

Remote Desktop Connection error This could be due to CredSSP encryption oracle remediation

An authentication error has occurred.
The function requested is not supported

Remote computer: {name}

Remote Desktop Connection error The function requested is not supported

Solution: This issue happen after you have applied a windows security update included Credential Security Support Provider protocol (CredSSP) updates for CVE-2018-0886.

This security update breaks Remote Desktop connections to Server 2016 and 2012R2 when using the Remote Desktop Gateway role. In the Event Viewer of the gateway, under App and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager you can see Event ID 41 (with user name of affected user) and Event ID 40 (w/ reason code 0) immediately afterwards.

Option 1: In order to resolve this issue patch the Remote Desktop gateway and host servers themselves and performing a reboot. That’s KB4103723 for Server 2016, KB4103725 for Server 2012 R2 and KB4103718 for Windows Server 2008 R2, as well as installing the client side patches of KB4103727 for Windows 10 Version 1709, KB4103721 for Windows 10 Version 1803, KB4103725 for Windows 8.1 or KB4103718 for Windows 7 SP 1. More affected product at Microsoft Security TechCenter.

Option 2: Set Encryption Oracle Remediation Security Policy to ‘Vulnerable‘ to get things working, get EVERYTHING patched, then change it back to ‘Mitigated‘ or ‘Force Updated‘.

Policy path: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

Encryption Oracle Remediation Security Policy

Option 3: To resolve this without patching the servers, on the client Windows 10 OS, remove KB4103727. On Windows 7, remove KB4103718. Removing these updates and rebooting will restore functionality, but is not recommended.

Option 4: You can also set the encryption related GPO on the client side back to vulnerable and reboot the client, this is also not recommended: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] “AllowEncryptionOracle”=dword:00000002

Reference: CVE-2018-0886