Published: May 2018
In the past couple of weeks, following the recent Windows update CVE-2018-0886, we have had multiple occurrences of ourselves and our customers having issues connecting to some of their servers via Remote Desktop Protocol (RDP). When trying to RDP to certain servers, we are presented with the error message:
"An authentication error has occurred....This could be due to CredSSP encryption Oracle Remediation".
Microsoft released this update in order to tackle a vulnerability with CredSSP which has been documented and explained by the Microsoft team, but this update in some cases has broken RDP between servers that have had this patch installed and ones that haven't.
This can be fixed by patching all of your servers with this Windows update and for some, this is an easy task. However, for many, this is difficult to arrange on such short notice; business requirements may mean that patching can only be done on specific servers, at certain times meaning that this problem might take weeks to resolve. Even worse, you will actually be unable to actually RDP onto one of your servers in order to patch and fix it because of this update. You can't RDP, so can't patch, so can't resolve the problem and so still can't RDP, leaving you stuck.
A fix for this issue has not yet been released, but if you are experiencing this issue with CredSPPS protocol for RDP following the recent Windows security update then there is a way to get around this little problem.
This issue can be circumnavigated by adding the following registry key to the server you can access and one that has already been patched.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredSSP\Parameters :
DWORD "AllowEncryptionOracle", Set the value to '2'
The CredSSP\Parameters key will likely not exist and so you will need to create them yourself first. This change won't require a restart of the server.
Adding this key basically disables the CVE-2018-0886 security update, allowing you to access and RDP to your servers again and will allow you to update those that haven't been yet. However, once you have been able to access and patch all of your servers so that they all have had the 'CVE-2018-0886' update installed, you must remember to either set the "AllowEncryptionOracle" parameter to 1 or you remove the 'CredSSP\Parameters' folder.