[Solved] How to Fix RDP Authentication Error due to CredSSP Encryption Oracle Remediation

Problem: When attempting to perform RDP from Windows 10 to remote computer Windows Server 2012 R2 or Windows Server 2016, below error message show:

An authentication error has occurred.
The function requested is not supported.

Remote computer: {name}
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

Remote Desktop Connection error This could be due to CredSSP encryption oracle remediation

An authentication error has occurred.
The function requested is not supported

Remote computer: {name}

Remote Desktop Connection error The function requested is not supported

Content Summary

Solution 1: Apply Patch
Solution 2: Encryption Oracle Remediation Policy
Solution 3: Remove Patch
Solution 4: AllowEncryptionOracle Policy
Reference

This issue happen after you have applied a windows security update included Credential Security Support Provider protocol (CredSSP) updates for CVE-2018-0886. This security update breaks Remote Desktop connections to Server 2016 and 2012R2 when using the Remote Desktop Gateway role. In the Event Viewer of the gateway, under App and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager you can see Event ID 41 (with user name of affected user) and Event ID 40 (w/ reason code 0) immediately afterwards.

Solution 1: Apply Patch

Patch the Remote Desktop gateway and host servers themselves and performing a reboot. That’s KB4103723 for Server 2016, KB4103725 for Server 2012 R2 and KB4103718 for Windows Server 2008 R2, as well as installing the client side patches of KB4103727 for Windows 10 Version 1709, KB4103721 for Windows 10 Version 1803, KB4103725 for Windows 8.1 or KB4103718 for Windows 7 SP 1. More affected product at Microsoft Security TechCenter.

Solution 2: Encryption Oracle Remediation Policy

Set Encryption Oracle Remediation Security Policy to ‘Vulnerable‘ to get things working, get EVERYTHING patched, then change it back to ‘Mitigated‘ or ‘Force Updated‘.

Policy path: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

Encryption Oracle Remediation Security Policy

If you do not have Group Policy Editor on computer then you can use registry editor to add this key:

Step 1: Press Windows + S, type cmd in the dialogue box, right-click on the application and select Run as administrator.

Step 2: Execute the following command:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Solution 3: Remove Patch

On the client Windows 10 OS, remove KB4103727. On Windows 7, remove KB4103718. Removing these updates and rebooting will restore functionality, but is not recommended.

Solution 4: AllowEncryptionOracle Policy

Set the encryption related GPO on the client side back to vulnerable and reboot the client, this is also not recommended: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] “AllowEncryptionOracle”=dword:00000002

Reference

CVE-2018-0886