Symptom:
When trying to initiate a session via PSM, the following error appears:
Cause:
This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed. This is to solve the following CVE: CVE-2018-0886
Solution:
To correctly solve this, both server and client need to have the CredSSP KB update installed. For the correct update visit:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
If an update to the OS is currently not an option, the following workaround can be applied by enabling connections from vulnerable machines:
Mitigation 1
If you cannot RDP to VMs from your patched client, we can consider changing the policy settings on the client to temporarily gain RDP access to the servers. You can change the settings in Local Group Policy Editor. Execute gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left pane:
Change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable:
Mitigation 2
If it is not possible to access to Local Group Policy Editor on the client (i.e. Windows Home versions), same change can be done through the registry:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
After that, whether the established RDP session is secure or not depends on whether server is patched. Remember to un-do this when all the servers are patched.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article