[CyberArk] [PSM] Authentication error has occurred, the function requested is not supported

Modified on Thu, 23 Aug 2018 at 02:25 PM

Symptom:

When trying to initiate a session via PSM, the following error appears:


Cause:

This error occurs when you try to establish an insecure RDP connection and that connection is blocked by the Encryption Oracle Remediation policy setting on the server or client. This setting defines how an RDP session is built using CredSSP and whether an insecure RDP connection is allowed. The setting exists to address CVE-2018-0886.

 


Solution:
To correctly solve this, both server and client need to have the CredSSP KB update installed. For the correct update visit:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886


If updating the OS is not currently an option, the following workaround can be applied by enabling connections from vulnerable machines:

Mitigation 1

If you cannot RDP to VMs from your patched client, consider changing the policy settings on the client to temporarily gain RDP access to the servers. You can change the settings in the Local Group Policy Editor: run gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left pane:

Change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable:

 

Mitigation 2

If the Local Group Policy Editor is not available on the client (i.e. Windows Home versions), the same change can be made through the registry:

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2


After that, whether the established RDP session is secure depends on whether the server is patched. Remember to undo this change once all the servers are patched.
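To make the undo step easy to verify, the following PowerShell is an added example (not part of the original article or CyberArk tooling) that reports the current AllowEncryptionOracle value on a client and can raise it back from Vulnerable. The function names Get-CredSspOracleLevel and Undo-CredSspWorkaround are hypothetical; run it from an elevated prompt.

```powershell
# Added example: audit and revert the AllowEncryptionOracle workaround.
# Function names are hypothetical; the key and value name come from the REG ADD command above.
$KeyPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Protection levels of the Encryption Oracle Remediation policy.
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    # Returns the configured value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Undo-CredSspWorkaround {
    # Moves the client off Vulnerable (2); defaults to Mitigated (1).
    # Use -WhatIf to preview the change without writing to the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Level = 1)
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $Level ($($Levels[$Level]))")) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Level -Type DWord
    }
}

$current = Get-CredSspOracleLevel
if ($null -eq $current) {
    Write-Output "$ValueName is not set; the OS default applies."
} elseif ($current -eq 2) {
    Write-Warning "$ValueName = 2 (Vulnerable): the workaround is still active on $env:COMPUTERNAME."
    Write-Output  'Run Undo-CredSspWorkaround once all target servers are patched.'
} else {
    Write-Output "$ValueName = $current ($($Levels[$current]))."
}
```

If the workaround was applied through the Local Group Policy Editor (Mitigation 1), change the policy there instead, because a policy refresh will overwrite a direct registry edit.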
