RDP connection error “CredSSP encryption Oracle remediation”
If you are trying to connect to a server (or host in general) which has a recent Windows Update, and if the client machine you are connecting from is not patched to the latest level, you may receive the following error.
An authentication error has occurred.
The function requested is not supported.
Remote computer: xxxxxxxx
This could be due to CredSSP encryption oracle remediation.
For more information, see https://...
Here’s a version matrix between Windows 10 clients and Windows Server 2016, but the error can exist also in different version combinations:
- Win10 1709 can RDP directly to 14393.2068 and 2248
- Win10 1803 17134.1 can RDP directly to 14393.2068 and 2248
- Win10 1803 17134.48 and 81 can RDP directly only to 2248
This error has been quite common since the latest release of May Windows Updates. Indeed, the latest Windows RDP server-side no longer considers older (pre-May) versions of RDP clients.
Microsoft recommends that you update your Windows client to the latest version and updates. However, in some cases this is not practical. Be it due to your organization’s OS updating process or the fact you are in need of a quick RDP access. Here is a quick workaround for those of you who wish not to update the entire OS in order to connect to a picky RDP server. There are different ways for applying this workaround:
Method 1: regedit
Run “regedit.exe” and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
There, add a DWORD value “AllowEncryptionOracle” and set it to 2.
Method 2: command line
Alternatively, you can launch the following from an elevated (administrator-launched) command line:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
Method 3: local group policy editor
Run the command “gpedit.msc”. There, go to
Local Computer Policy\Computer Configuration\Administrative Templates\System\Credentials Delegation
Double-click the line “Encryption Oracle Remediation”. Set it to Enabled with Protection Level = “Mitigated”:
If you need RDP for your users to run a specific set of programs, products such as Cameyo allow you to avoid this sort of issues altogether. Cameyo transforms Windows / Active Directory sessions (such as performed by RDP) into cloud-friendly sessions that support modern authentication methods such as OAuth2 (Google ID, Microsoft ID, Azure Active Directory) or email / passwords. It optionally allows multi-factor authentication (MFA). This simplifies cloud & Web migration, with less maintenance and more security.
Click here to start your free trial of Cameyo.