Microsoft released an update on May 8, 2018 which changed the CredSSP authentication protocol and updated default settings from Vulnerable to Mitigated. This caused issues in Remote Desktop connection with unpatched systems. After May 2018 Windows Update, many Windows 10 users get following error while trying to connect to an unpatched server using Remote Desktop Connection-
An authentication error has occurred.
The function requested is not supported.
Remote computer: <computer name or IP>.
This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.
This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed.
Better and recommended solution for this problem is to patch both the machines between which remote desktop connection is required. But patching may not be possible due to policies applied by your organization.
There is a good workaround available for this issues which changes CredSSP authentication protocol settings in Remote Desktop to the same as it was before the May 2018 update. However, it is not recommended and leaves your system vulnerable.
There are two methods for changing CredSSP authentication protocol settings in Remote Desktop connection – Group Policy Editor Method & Registry Editor method. Group Policy Method works only on Windows 10 Pro version as Windows 10 home doesn’t have Group Policy Editor available. But you can use Registry Editor Method on both Windows 10 Pro and Windows 10 Home.
Make sure Remote Desktop Connection is enabled on the machine you are taking remote of. You can enable Remote Desktop Connection in System Properties. Let’s start with Group Policy Editor Method.
How to Solve CredSSP authentication error using Group Policy Editor?
First you need to open Group Policy Editor. Go to Run type gpedit.msc and press Enter.
Group policy editor window will open where you can configure local policies for your computer.
In Group Policy Editor follow this path:
Computer Configuration > Administrative Templates > System > Credentials Delegation
On the right pane, change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
Close the Group Policy Editor window. You can now successfully connect to un-patched system.
How to Solve CredSSP authentication error using Registry Editor?
If you are using Windows 10 Home version, then you cannot use gpedit.msc, you can make the same change by using the Registry Editor.
First open Registry Editor. To open Registry Editor, go to Run type regedit and press Enter. Registry Editor window will open.
Go to following location in Registry Editor:
If you don’t see last two keys (CredSSP\Parameters), then you have to create those two Keys. Right-click on System and select New Key. Name this new key as CredSSP.
Then Right-click on the newly created CredSSP key and select New Key. Name this new key as Parameters.
After creating Parameters Key, select it and on the right pane, create a new DWORD with AllowEncryptionOracle name.
Now right-click newly created DWORD and select Modify… Change the value of this DWORD to 2 (Decimal). After changing the value of DWROD, close the Registry Editor and restart your PC.
You can also use command prompt to modify registry settings and make required changes. Open Command Prompt window as Administrator and run the following command to add a registry value:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
Now you have successfully bypassed the Encryption Oracle Remediation security. You can now connect to unpatched systems without any error. However we recommend you to patch all your servers and client system with latest security patches. Enjoy, have fun!