CredSSP updates for CVE-2018-0886 break mstsc/RDP
09 May 2018

You’re unable to connect/RDP to a Windows box. You get “The function required is not supported… This could be due to CredSSP encryption oracle remediation.” and it sends you to https://go.microsoft.com/fwlink/?linkid=866660 (which is, unhelpfully, not clickable in the dialog box).
Error Message
A CredSSP authentication to
Cause
Your client has been patched, your server isn’t, and your client is refusing to connect to an unpatched server.
Solution
Temporarily make the client susceptible to attack, connect to the server, patch it, then secure the client again.
- Allow your client to connect to insecure/unpatched servers, making the client vulnerable to attack:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2
While this is set, you should not connect to RDP over insecure/untrusted networks. And RDP should never be open on WAN anyway, right? :)
- Now that your client will agree to connect to this unpatched server, log in to it, run Windows Update and apply patches, and reboot.
- Then secure yourself afterwards, so your workstation will refuse to connect to unpatched servers again.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 0
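
To confirm the client was not left in the temporary vulnerable state, the following added example (not part of the original post) reads the same registry value and reports which protection level is in effect. The level names follow Microsoft's guidance for CVE-2018-0886; the function name `Get-CredSspOracleState` and the variable names are hypothetical.

```powershell
# Added example: audit the CredSSP AllowEncryptionOracle setting on this machine.
# Same key and value name as the reg add commands above.
$CredSspKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$OracleValue = 'AllowEncryptionOracle'

# Protection levels as named in Microsoft's CVE-2018-0886 guidance.
$OracleLevels = @{
    0 = 'Force Updated Clients'   # client refuses unpatched servers
    1 = 'Mitigated'               # client refuses unpatched servers
    2 = 'Vulnerable'              # client will connect to unpatched servers
}

function Get-CredSspOracleState {
    # Returns an object describing the configured level.
    $item = Get-ItemProperty -Path $CredSspKey -Name $OracleValue -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit policy: the effective behaviour depends on the patch level
        # of this machine, so it is reported but not flagged here (assumption).
        return [pscustomobject]@{
            Value  = $null
            Level  = 'Not set (OS default applies)'
            AtRisk = $false
        }
    }

    $value = [int]$item.$OracleValue
    $level = if ($OracleLevels.ContainsKey($value)) { $OracleLevels[$value] } else { 'Unknown value' }

    [pscustomobject]@{
        Value  = $value
        Level  = $level
        AtRisk = ($value -eq 2)   # the temporary setting from the first step
    }
}

$state = Get-CredSspOracleState
$state | Format-List

if ($state.AtRisk) {
    Write-Warning 'AllowEncryptionOracle is 2: this client will still connect to unpatched servers. Set it back to 0 once the server is patched.'
    exit 1   # non-zero exit so a scheduled check or compliance script can alert
}
```

Reading the value does not require elevation, so this can run as a logon script or scheduled check on workstations where the workaround was applied.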