Fixed CredSSP Authentication Error in RDP

Microsoft had released a security patch in 2018 to fix some of the vulnerabilities from the CredSSP (Credential Security Support Provider Protocol) used by the RDP (Remote Desktop Protocol) in Windows Server.

While attempting to connect to say a Windows Server 2016 or Windows Server 2019 hosted in Azure, you might end up seeing an error:

Now, this error is happening due to the update to Windows to resolve the vulnerabilities in Windows Authentication. This vulnerability applies to all the modern versions of Windows OS and allows for remote code execution. More details on this issue can be found here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0886

Microsoft also released a Support article on this issue:
https://support.microsoft.com/en-us/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm

What is CredSSP?

“CredSSP” or “Credential Security Support Provider Protocol” is a security support provider that helps to securely delegate user credentials from a client computer to a windows server by using TLS (Transport Layer Security) as an encrypted pipe.

Fixing CredSSP Issue

In order to fix this issue, we will try to do a workaround using the Group Policy Editor in the Client Computer. Please do not try to uninstall the update as it’s not the best way to fix it.

  1. Open Run dialog (WIN Key + R)
  2. Type gpedit.msc and press Enter or click on OK
  1. In the left panel, expand to the following path:
    Local Computer Policy > Computer Configuration > Administrative Templates
    > System > Credentials Delegation
  1. From the right pane, double-click Encryption Oracle Remediation
  2. In the Encryption Oracle Remediation window, set the option to Enabled on the left side.
  3. Once done, in the bottom pane, set the Protection Level to Vulnerable.
  1. Click on OK then close the other Window
  2. Try again to connect to the Azure VM using RDP

Hope it fixes the issue for you.

Leave a Comment

%d bloggers like this: