Internet Windows Android
Expand
home

Rdp windows 7 the specified function is not supported. An authentication error has occurred

After installing the May security updates (dated May 8, 2018 on Windows 7/8/10 platforms and server platforms on Windows Server 2008 R2 / 2012 R2 / 2016), users cannot access the remote machine via RDP and RemoteApp, and the following occurs error:

Screenshot: CredSSP error window after making an RDP connection to the server from the client machine.

In early spring 2018, Microsoft released an update that prevents remote code execution using a vulnerability in the CredSSP protocol, and in May, an update was released after the installation of which, by default, client machines are prohibited from connecting to remote RDP servers with a vulnerable version of the CredSSP protocol. Accordingly, if the spring updates are installed on clients, but not installed on servers running Windows Server, then we will receive an error when connecting:

“An authentication error has occurred. The specified function is not supported. The CredSSP fix may be causing the error. "

Or the English version:

"This could be due to CredSSP encryption oracle remediation."

RDP client error appears after installing security updates:

  • Windows 7 / Windows Server 2008 R2 - KB4103718 update
  • Windows 8.1 / Windows Server 2012 R2 - KB4103725 update
  • Windows 10 1803 - KB4103721 update
  • Windows 10 1709 - KB4103727 update
  • Windows 10 1703 - KB4103731 update
  • Windows 10 1609 - KB4103723 update
  • Windows Server 2016 - update KB4103723

To restore the connection, you can simply remove the above updates, but this action will open the vulnerability found, so the plan of action to resolve the problem will be as follows:

  1. We will temporarily, on the computer from which we are connecting via RDP, remove the security notification that blocks the connection;
  2. Let's connect to it using the already restored RDP connection, and install the necessary security patch;
  3. Let's turn back the security notification that was temporarily disabled in the first paragraph of the action plan.
  • Open the local group policy editor: Start - Run - gpedit.msc;
  • Go to the Computer Configuration - Administrative Templates - System - Credentials Delegation section;
  • Find the policy named Encryption Oracle Remediation Vulnerability Fix. Enable the Enabled policy, select Vulnerable as a parameter in the drop-down list;

Screenshot: Enable GPO option - Fix encryption oracle vulnerability
  • It remains to update the policies on the computer (to do this, open Cmd and use the gpupdate / force command) and try to connect via RDP. With the policy enabled, CredSSP-enabled client applications will be able to connect even to unpatched Remote Desktop servers.

If this is a home computer with a stripped-down version of Windows, and you do not have access to the local group policy console, it does not matter, we will use the registry editor (Regedit). We launch it, and we go along the path:

HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System \ CredSSP \ Parameters

and set the value of the AllowEncryptionOracle parameter to 2 (0x00000002).

Then, you need to download and install the security updates that are suitable for your system (I publish direct links to updates for Windows Server for your convenience, which I highly recommend installing):

  • Windows Server 2016 / Windows 10 1607 - KB4103723
  • Windows Server 2012 R2 / Windows 8 -

After installing update KB4103718 on my Windows 7 computer, I cannot remotely connect to a server running Windows Server 2012 R2 via RDP Remote Desktop. After I specify the address of the RDP server in the mstsc.exe client window and click "Connect", an error appears:

Remote Desktop Connection

An authentication error has occurred.

The specified function is not supported.
Remote computer: computername

After I uninstalled the KB4103718 update and rebooted my computer, the RDP connection started working fine. If I understand correctly, this is only a temporary workaround, will a new cumulative update package arrive next month and the error will return? Any advice?

Answer

You are absolutely right that it is pointless to solve the problem, because you thereby expose your computer to the risk of exploiting various vulnerabilities that are closed by the patches in this update.

You are not alone in your problem. This error can appear on any Windows or Windows Server operating system (not only Windows 7). For users of the English version of Windows 10, when trying to connect to the RDP / RDS server, a similar error looks like this:

An authentication error has occurred.

The function requested is not supported.

Remote computer: computername

The RDP error “An authentication error has occurred” may also appear when trying to launch RemoteApp applications.

Why is this happening? The fact is that your computer has the latest security updates (released after May 2018), which fix a serious vulnerability in the CredSSP (Credential Security Support Provider) protocol, which is used for authentication on RDP servers (CVE-2018-0886) (I recommend read the article). At the same time, on the side of the RDP / RDS server to which you connect from your computer, these updates are not installed and the NLA protocol (Network Level Authentication) is enabled for RDP access. NLA uses CredSSP mechanisms to pre-authenticate users over TLS / SSL or Kerberos. Your computer, due to the new security settings that the update you installed, simply blocks the connection to the remote computer that uses the vulnerable version of CredSSP.

What can be done to fix this error and connect to your RDP server?

  1. Most right the way to solve the problem is to install the latest Windows security updates on the computer / server to which you connect via RDP;
  2. Temporary method 1 ... You can disable Network Level Authentication (NLA) on the RDP server side (described below);
  3. Temporary method 2 ... You can, on the client side, allow connections to RDP servers with an insecure version of CredSSP, as described in the article at the link above. To do this, you need to change the registry key AllowEncryptionOracle(REG ADD command
    HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System \ CredSSP \ Parameters / v AllowEncryptionOracle / t REG_DWORD / d 2) or change local policy settings Encryption Oracle Remediation/ Fix encryption oracle vulnerability) by setting its value = Vulnerable / Leave vulnerability).

    This is the only way to access a remote server via RDP if you do not have the ability to log into the server locally (via the ILO console, virtual machine, cloud interface, etc.). In this mode, you will be able to connect to a remote server and install security updates, so you will go to the recommended 1 method. After updating the server, do not forget to disable the policy or return the key value AllowEncryptionOracle = 0: REG ADD HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System \ CredSSP \ Parameters / v AllowEncryptionOracle / t REG_DWORD / d 0

Disable NLA for RDP on Windows

If NLA is enabled on the side of the RDP server you are connecting to, this means that CredSPP is used to pre-authenticate the RDP user. You can disable Network Level Authentication in the system properties on the tab Remote access(Remote) by unchecking the box "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" (Windows 10 / Windows 8).

Windows 7 has a different name for this option. In the tab Remote access you need to select the option " Allow connections from computers with any version of Remote Desktop (dangerous)/ Allow connections from computers running any version of Remote Desktop (less secure) ".

It is also possible to disable Network Level Authentication (NLA) using the Local Group Policy Editor - gpedit.msc(in Windows 10 Home, the gpedit.msc policy editor can be launched) or using the Domain Policy Management Console - GPMC.msc. To do this, go to the section Computer Configuration -> Administrative Templates -> ComponentsWindows-> Remote Desktop Services - Remote Desktop Session Host -> Security(Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services - Remote Desktop Session Host -> Security), disconnect policy (Require user authentication for remote connections by using Network Level Authentication).

Also needed in politics “ Require a specific security level for remote RDP connections»(Require use of specific security layer for remote (RDP) connections) select the Security Layer - RDP.

To apply the new RDP settings, you need to update the policies (gpupdate / force) or restart the computer. After that, you should successfully connect to the server's remote desktop.

This error is related to the installation of CredSSP updates for CVE-2018-0886. The problem is solved by installing an update.

Introduction

On March 13, 2018, a Windows security update for the CredSSP authentication protocol was released covering the CVE-2018-0886 vulnerability. A vulnerability in the Credential Security Support Provider (CredSSP) could allow arbitrary code to run remotely on an affected system.

On May 8, 2018, Microsoft changed the security level of the connection from Vulnerable to Mitigated, and RDP connection issues started to connect to Remote Desktop.

After entering credentials, an error appears:

An error occurred during authentication.
The specified function is not supported.
Correction of CredSSP encryption may be the cause of the error

Solution 1. Install Windows security update on the server.

  • Visit CVE-2018-0886 Vulnerability Page
  • In the Affected Products section from the Downloads column, select the appropriate file, download and install.

Solution 2. Remove Windows security update on the client.

Solution 3. Edit the security policy on the client / server.

It is worth using if there is no way to connect to the server and install the update. After installing the update, the policy must be returned to its original state.

Open the Local Group Policy Editor:

  • Press Win + R
  • Enter the command gpedit.msc and press Enter

Change your security settings:

  • Computer Configuration> Administrative Templates> System> Credentials Delegation
  • Open the Encryption Oracle Remediation option
  • Select "Enabled".
  • Set the protection level to "Vulnerable".

The policy has 3 options:

  • Vulnerable - Clients can connect to vulnerable machines.
  • Mitigated - Clients cannot connect to vulnerable servers, but servers can accept vulnerable clients.
  • Force Updated Clients is a secure level of client interaction.

If there is no Local Group Policy Editor on the client machine, the change is made to the registry.

Content of the article:

After May 8, 2018, many users of Windows operating systems have encountered a problem, as a result of which, when trying to access another computer running Windows through Remote Desktop (or when using remoteapp), they receive the following error:

An error occurred during authentication.
The specified function is not supported.
Fixing CredSSP encryption could be the cause of the error.

general information

Screenshot with error text

In this article, we will look at 3 ways to fix this error. The first method is the most correct and it is necessary to use it if you are faced with this problem. The second and third methods, although it allows you to remove the error, should only be used if there is no way to install the patch.

Method 1: Install the update to fix CreedSSP encryption

The reason for this error is the absence of the CVE-2018-0886 update on the server side or on the computer to which you are trying to connect using Remote Desktop (RDP). To fix it, you just need to install this update on the computer that acts as a server. You can get an update for the required OS version by following the links below:

Method 2: Disable CreedSSP Encryption Error Notification via Group Policy

If for some reason it is impossible to install updates, you can disable this error notification. To do this, on the computer that acts as a client, we carry out the following actions:

Method 3: Disable CreedSSP Encryption Error Notification by Editing the Registry

In the event that your edition of Windows does not have a group policy editor (for example, Windows 10 Home), then you will have to make the necessary edits to the registry manually. To do this, on the computer that acts as a client, we carry out the following actions:

  1. Open the registry editor, and go to the following path: HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System \ CredSSP \ Parameters
  2. We are looking for a parameter DWORD entitled AllowEncryptionOracle, and set the value 2 ... If there is no such parameter, then create it.
  3. Restart your computer

For those who do not want to mess with the registry, just run the command below, in the command line with administrator rights:

REG ADD HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System \ CredSSP \ Parameters / v AllowEncryptionOracle / t REG_DWORD / d 2

Did not find an answer to your question? Look at here
Grinding machine made of hard disk (emery)Grinding machine made of hard disk (emery)
How to connect a game console to a computer monitor Description of the joystick protocolHow to connect a game console to a computer monitor Description of the joystick protocol
Pros and cons of using a TV as a monitorPros and cons of using a TV as a monitor