May 10

Remote Desktop Authentication Error Has Occurred. The function requested is not supported. CredSSP Workaround

Remote Desktop Connections Fail

Starting May 9, we received many reports of Remote Desktop connections failing globally. Users received error messages like this when they tried to remote to machines they connected to successfully for a long time:

Remote Desktop Connection Error

An authentication error has occurred.
The function requested is not supported

Remote computer: <computer name>
This could be due to CredSSP encryption oracle remediation.
For more information, see https:/go.microsoft.com/fwlink/?linkid=866660

The link goes to this page, https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018, and explains the Credential Security Support Provider protocol (CredSSP). It offers extensive information on a series of updates since March 2018. It recommends some steps but isn’t very clear what those changes are nor whether those changes are needed to be made by network administrators globally via group policies, or group policies on every PC and VM.

Caused by a Microsoft Security Patch

The Microsoft Security patch issued on Tuesday, May 8th triggered the problem by setting and requiring remote connections at the highest level (CredSSP Updates for CVE-2018-0886)::

Security update deployment information: May 08, 2018

It changed the default setting from Vulnerable to Mitigated which means that any PC using CredSSP is not be able to use insecure versions. If your PC received the May update but the target PC hasn’t implemented the CredSSP update, the PC receives the error message when it tries to connect to that PC.

The automatic Windows patch to raise the security level is not implemented if the PC doesn’t allow automatic updates. This mismatch between the implementation of a security requirement (which is not optional) without the corresponding automatic update may be the source of this problem.

However, there are many situations such as development, testing, build, staging, and deployment environments which require a stable environment that would be destroyed by automatic Windows updates.

We continue to research this.

Symptoms

The symptoms are rather strange because we found that some machines successfully connected while others didn’t.

For instance, we had a Windows 7 machine that hosted Remote Desktop. A Windows 7 PC had no problem connecting to it, but the same user connecting from a Windows 10 machine failed when that was never an issue before and the host machine allowed remote connection for years.

There are also reports of problems with Windows 10 machines connecting to Windows 10 machines, and people locked out of their Azure VMs.

Workaround Solution

One could rollback the security update, but rather than risking other security problems, there’s a quick fix.

Simply adjust the Remote Desktop settings on the host machine to a lower security level. From File Explorer, choose Computer, right-click and select Properties, then click Change Settings, and go to the Remote tab.

From Windows 10, uncheck the option to “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”:

From Windows 7, it’s setting the option to the Less Secure option rather than More Secure:

Once these are set, users can remote to the machine again.

Microsoft Comment

Based on this blog post, a Microsoft colleague told us this:

“I double checked the Windows bug database and they are aware of the problem. No ETA on a fix yet unfortunately. Your workaround is what’s suggested to temporarily get around the error, although it is not suggested as a long-term fix.”

Alternative Solutions

This section was added after our initial workaround and is based on the experience of many users struggling with this problem.

The problem is often caused because the local machine is patched with the Windows Update and the machine it’s connecting to is not patched for the CredSSP issue. If both systems were patched then this error would not occur.

There are two options:

Update the Target Machine

Update the target machine with the patch for the CredSSP issue (preferable).

Update the Local Machine

In many cases, you don’t have the option to modify anything on the target machine. You may even be prevented from modifying your own machine, but assuming you have administrator rights, you can change the Group Policy on your local machine to use the Vulnerable setting.

Big picture, it’s ridiculous to lower one’s security settings to connect to a machine that wasn’t updated. It would be much better if it prompted or automatically connected to lower level machines without turning off the higher security level for everything else. All it takes is one target machine that you can’t modify to force this change on your machine. But at least you can get your work done.

  1. Enter run “gpedit.msc” to edit group policy, or from Windows start, enter “Group Policy” and select “Edit group Policy”:
    1. Windows 10
    2. Windows 7
  2. From the treeview, choose Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
  3. Select “Encryption Oracle Remediation” from the right pane (if it’s not there, it probably means your machine wasn’t patched):
  4. Enable and set the Protection Level to Vulnerable:

Hope this helps.


Additional Problem: Cannot Connect via VPN

We’ve discovered problems with VPN connection if the PC has Remote set to the higher security level.

The network connection fails with error: Cannot load the Remote Access Connection Manager service. Error 711:

Lower Your Remote Desktop Security to have the Security to Make the VPN Connection

Apparently, the Remote Desktop setting on the client side impacts its ability to connect via VPN to the host side.

By lowering the setting to less secure for others to connect to the PC, the PC can now successfully connect to the VPN. What a mess.

Additional Discussions

I’ve also been involved in other online discussions:

Summary

It’s late August, and it’s shocking that this problem remains after so many months. I am extremely frustrated by the Windows update policies and Microsoft’s inadequate testing before these security patches are deployed. This is very disruptive and dangerous to many organizations trying to fulfill their missions expecting their PCs to be reliable.

Microsoft security “purists” claim the current approach is necessary to address the serious threats facing users. I guess it wouldn’t be an issue if the updates worked without disruption. However, the downside of this medicine may exceed the illnesses they are trying to prevent.

Hope you are able to resolve this and move on.


Additional Remote Desktop Connection Resources

Mar 07

Tips and Techniques for Setting Up Remote Desktop Connections and Using Multiple Displays

Remote DesktopWe have a new paper on Remote Desktop Connections describing how to:

  • Setup Remote Desktop Connections
  • Troubleshoot problems connecting to a remote computer
  • Tip to simplify logging in
  • Tip for using multiple display monitors

display-multiple

Remote Desktop Connections are Great for Running another PC On Site or Off Site

It’s very convenient to run another PC from your current PC. Whether it’s another machine in your office, network, or physical location, Windows offers a Remote Desktop Connection feature to do so. This is particularly useful to:

  • Run a PC on your network without having to physically go to it.
  • Run a Virtual Machine (HyperV or VMWare Workstation) hosted on another machine.
  • Run a PC next to you without needing a KVM switch to share monitors, keyboards and mouse. Common if you have older PCs lying around. Just remote to it.
  • From offsite, run the PC in your office (or network). You can run it as if you were on site with the benefit of the speed of your internal network rather than data coming to your PC over your Internet connection. You will need VPN authentication to connect to your network
  • Offer PCs with Windows applications that people can run without having to install anything on their PC. This avoids the issues with installations on individual machines, conflicts with other programs, Windows updates, etc. Easily manage Windows applications like Microsoft Access, Visual Basic 6, .NET and other legacy apps and let any user, including Macs, run them.

Learn more from our paper: Tips and Techniques for Setting Up Remote Desktop Connections and Using Multiple Displays

Mar 30

Using Terminal Services and RemoteApp to Extend Your Microsoft Access and other Windows Applications Over the Internet

Terminal Services RemoteApp and Microsoft AccessRead our new paper on using Terminal Services and RemoteApp to Extend Microsoft Access and Other Windows Applications Over the Internet.

One of the features of Microsoft Windows Server that is increasingly popular over the last few years is the Terminal Server and more recently RemoteApp. With few exceptions, most Windows applications work within a Terminal Server environment. By doing so, your investment in existing applications, and the power of Windows desktop features and interoperability, can be exposed over the Internet.

This is particularly powerful for database applications such as Microsoft Access since it eliminates the need to send large amounts of data over the Internet for Access to process and users do not need to install Access on their machine. With RemoteApp, you can set up a terminal server experience where your users can only run your application without running other applications or browsing your network. Easily web enable all your desktop applications.