Fix for “This could be due to CredSSP encryption oracle remediation”

Table of Contents

Symptoms

When you try to connect to a remote Windows server using Remote Desktop Connection Client after May 8, 2018 you get this error:

CredSSP encryption oracle remediation error window
CredSSP encryption oracle remediation error window
[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occurred.
The function requested is not supported

Remote computer: XXX.XXX.XXX.XXX
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

Why?

This is because of security vulnerability CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability .

On May 8th Microsoft released update which changes Encryption Oracle Remediation default behavior setting from Vulnerable to Mitigated option.

That means that: "client applications that use CredSSP will not be able to fall back to insecure versions".

Now, if you try to connect to a machine which does not have this update (maybe machine was suspended) it will have Encryption Oracle Remediation set to Vulnerable which means that:

"client applications that use CredSSP will expose remote servers to attacks by supporting fallback to insecure versions".

Solution

If you are system administrator I suggest that you read more about possible solutions at CredSSP updates for CVE-2018-0886

If you just want to make it work and you are trying to connect to a server which is out of your reach and you can't physically access it to install updates, follow this solution.

Perform these steps, install updates on remote server and to stay secure revert changes back to what it was.

  1. Open Local Group Policy Editor< by typing gpedit in Start Menu

    windows-start-gpedit
  2. Navigate to policy path: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation and double click setting name: Encryption Oracle Remediation

    gpedit-encrypted-oracle-remediation
    Click to enlarge
  3. Enable it and set Protection Level to Vulnerable. Click OK

    encrypted-oracle-remediation-enabled-vulnerable
    Click to enlarge
  4. Now you will be able to connect to remove server and install updates. After that, set Encryption Oracle Remediation back to Not Configured

21 thoughts on “Fix for “This could be due to CredSSP encryption oracle remediation””

  1. I found this the easiest way :

    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

    Reply

Leave a Comment