Menu Close

CredSSP Encryption Oracle remediation: Remote Desktop Connection Error

CredSSP

Before going on to the CredSSP Error solution, let’s understand what is CredSSP and how does it works.

What is CredSSP?

CredSSP stands for ‘Credential Security Support Provider’. It is a security support provider protocol developed using the Security Support Provider Interface. It helps an application to authenticate user’s credential from client to remote system while attempting a remote connection.

CredSSP provides an encrypted TLSP (Transport Layer Security Protocol) channel. The client is authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) Protocol with either Microsoft NTLM or Microsoft Kerberos.

After the client and servers are successfully authenticated, the client passes the user’s credentials to the server. The credentials are twice encrypted under the SPNEGO and TLS session. CredSSP supports two types of logon i.e. password based logon and smart card based logon.

To know more about CredSSP, visit the link.

Error:

CredSSP Encryption Oracle remediation: Remote Desktop Connection Error

Error mentioned in above image maybe occurred while trying to make a Windows 10 or Windows Server 2012 host RDP Connection.

Understanding:

Assume that you are having two hosts with operating system Windows 10 and Windows 2012. Now you are trying to take an RDP of Windows Server 2012 host from Windows 10 host and got the error as mentioned in above image.

It means, the remote host (Windows Server 2012) is recently updated with authentication vulnerabilities fixes. It cannot be only occurred on client operating system but also can be occurred on server operating systems as well.

Cause:

This error due to windows updates to resolve vulnerabilities in windows authentication. This vulnerability applies to all modern versions of windows operating system.

Solution:

To resolve this error, use group policy to change credential delegation on client (Windows 10 host)

  1. Windows + R -> gpedit.msc (It will open Group Policy Editor)

gpeditcmd

2. Computer Configuration -> Administrative Templates -> System -> Credential Delegation

CredSSPGPPath

3.Enable ‘Encryption Oracle Remediation’ policy by double clicking on it and set ‘Protection Level’ = ‘Vulnerable’. Apply the changes.

CredSSP-Enable Encryption Oracle Remediation

4.Run the following command in ‘Run’ wizard to update group policy. ‘gpupdate /force’

gpupdatecmd

5. You will get following message after successfully updating group policy.GPSuccessMsg