Can’t RDP to Server after Windows Patch (CredSSP)

I was preparing to remote into a virtual machine to do some maintenance when I encountered an error.

“An authentication error has occurred.
The function requested is not supported

Remote computer: [Computer Name]
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660”

Information from the link in the error:

Credential Security Support Provider protocol (CredSSP) is an authentication provider that processes authentication requests for other applications.

A remote code execution vulnerability exists in unpatched versions of CredSSP. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. Any application that depends on CredSSP for authentication may be vulnerable to this type of attack.

This security update addresses the vulnerability by correcting how CredSSP validates requests during the authentication process.

Options:

The bottom line is that in order to RDP into the target server both computers need to have the update installed.  In my case, my local machine was updated, but the target machine was not yet updated.  This target machine did not have automatic updates turned on and was an Azure VM.  I could have contacted support, or turned on automatic updates from the portal, but the reality was I needed to get into the machine quickly to handle an emergency fix.  Due to the simple architecture (stand-alone VM) I could not push the patch via SCCM or GPO.

Work-around 1:

Roll back the update on the local machine.  This is a temporary fix but will let you get into the remote machine.  After this is done you should patch the target machine and then reapply the patch locally.

Work-around 1.5:

Optionally, you can change the RDP settings on the target machine after applying the previous work-around so that you can continue to remote into this machine without patching it.

Go to: Control Panel\System and Security\System\Remote Settings

Select “Allow remote connections to this computer (should already be selected)
Un-check the box that says “Allow connections only from computers running Remote Desktop with Network Level Authentication”

Long-Term Fix:

Stay on top of your patching and patch the target machine and then the local machine.  Make things easier on yourself by setting up architecture to allow you to push patching to computers remotely.

Leave a Reply

Your email address will not be published. Required fields are marked *