
Server remote login failure-CredSSP error

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

Anyone who uses mstsc (Windows Remote Desktop) these days may run into an error.

The reason is that Windows recently pushed a mandatory update without much notice, after which remote logins from some computers fail with an error like this:

An authentication error occurred.

The required function is not supported.

Remote computer: xxx.xxx.xxx.xxx

This may be due to CredSSP encryption oracle remediation.

For more information, visit https://go.microsoft.com/fwlink/?linkid=866660

An authentication error occurred. The required function is not supported. This may be due to CredSSP encryption oracle remediation.

This is all rubbish translation, bullshit.

In fact, the thing is this:

Remote Desktop uses the Credential Security Support Provider protocol (CredSSP), which is vulnerable in unpatched versions.

Microsoft addressed this issue in a patch on March 13, 2018, but did not enforce the new protocol by default, because once it is enforced, a server and client that do not match cannot connect. So users did not notice anything.

On May 8, 2018, Microsoft tightened the client policy slightly in a further patch, so an mstsc login now fails with the error above and users notice.

Furthermore

This Microsoft update comes with a setting that determines whether the previous connection or the patched connection is used. The problem affects both the server and the client, so the setting can be configured on both.

For the server side

If this value is 0, the client must have patched CredSSP.

If this value is 1, the client is allowed to have unpatched CredSSP.

If this value is 2, the client is allowed to have unpatched CredSSP. (same as 1)

On May 8, 2018, Microsoft changed this default value to 1.

For the client side

If this value is 0, the server must have patched CredSSP. (same as 1)

If this value is 1, the server must have patched CredSSP.

If this value is 2, the server is allowed to have unpatched CredSSP.

On May 8, 2018, Microsoft changed this default value to 1.

In other words:

0: both the server side and the client side require patched CredSSP.

1: the server side places no requirement on the client side, but the client side requires the server side to have patched CredSSP.

2: both the server side and the client side may have unpatched CredSSP.

What should I do?

Change this value as required; for example, if you are not ready to patch everything, change it to 2.

Method 1: on the server and the client, run gpedit.msc and go to "Computer Configuration" -> "Administrative Templates" -> "System" -> "Credentials Delegation", where there is an "Encryption Oracle Remediation" setting; change it.

Method 2: on Windows 10 Home Edition, which has no gpedit.msc, change the registry directly:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters

Create a new DWORD (32-bit) value named AllowEncryptionOracle and set it to the appropriate value.

Note:

The key may not exist in the registry, in which case create it. On a 64-bit system, a new 64-bit value does not take effect; create a 32-bit value. Finally, a restart is needed.

Progressive solution:

On the client, download the Microsoft patch from https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2018-0886, selecting the package that matches your machine; after installation, Remote Desktop Connection can be used again.

This method follows Microsoft's own way of dealing with the vulnerability: the server and the client are both updated with the patch. Hence the name progressive solution.

Method 3 (engineer mode): system administrators, please see the following:

(the following content is taken from: http://www.cftea.com/m/c.asp?docID=8182)

With regard to this Microsoft update, there is a configuration that can be changed to determine whether to use the previous connection or the patched connection. This problem affects both the server and the client, so this configuration is configurable on both the server and the client.

[for server side]

If this value is 0, the client must have patched CredSSP.

If this value is 1, the client is allowed to have unpatched CredSSP.

If this value is 2, the client is allowed to have unpatched CredSSP. (same as 1)

On May 8, 2018, Microsoft changed this default value to 1.

[for clients]

If this value is 0, the server must have patched CredSSP. (same as 1)

If this value is 1, the server must have patched CredSSP.

If this value is 2, the server is allowed to have unpatched CredSSP.

On May 8, 2018, Microsoft changed this default value to 1.

In other words:

0: both the server side and the client side require patched CredSSP.

1: the server side places no requirement on the client side, but the client side requires the server side to have patched CredSSP.

2: both the server side and the client side may have unpatched CredSSP.

What should I do with it?

Change this value according to the requirement, for example, if you are not ready to patch it all, then change it to 2.

Method 1: run gpedit.msc on the server and the client and go to "Computer Configuration" -> "Administrative Templates" -> "System" -> "Credentials Delegation", where there is an "Encryption Oracle Remediation" setting; change it.

Method 2: on Windows 10 Home Edition, which has no gpedit.msc, change the registry directly:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters

Create a new DWORD (32-bit) value named AllowEncryptionOracle and set it to the appropriate value.

Note:

There may be no corresponding key in the registry, so create a new one.

My system is 64-bit, but a new 64-bit value did not take effect. A new 32-bit value did.

Finally, it needs to be restarted.
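
The registry method above (Method 2 in both versions of the procedure) can be scripted. The following PowerShell is an added example, not code from the original article or from the source it quotes; the function names are hypothetical, and the compatibility check simply encodes the 0/1/2 table given above.

```powershell
# Added example: audit or set the CredSSP AllowEncryptionOracle policy value.
$KeyPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Meaning of each value, as described in this article.
$Meaning = @{
    0 = 'client and server roles both require a patched peer'
    1 = 'as client: server must be patched; as server: unpatched clients accepted'
    2 = 'unpatched peers accepted in both roles (CVE-2018-0886 exposure remains)'
}

function Get-CredSspOracleSetting {
    # Returns the configured value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-CredSspPeerAllowed {
    # Applies the article's table: does a machine configured with $Value,
    # acting in $Role, accept a peer that is or is not patched?
    param(
        [ValidateSet(0, 1, 2)][int]$Value,
        [ValidateSet('Client', 'Server')][string]$Role,
        [bool]$PeerPatched
    )
    if ($PeerPatched) { return $true }               # a patched peer is always accepted
    if ($Role -eq 'Server') { return $Value -ge 1 }  # server: 1 and 2 accept unpatched clients
    return $Value -eq 2                              # client: only 2 accepts an unpatched server
}

function Set-CredSspOracleSetting {
    # Needs an elevated session. Creates the key if it is missing and writes a
    # 32-bit DWORD (a 64-bit QWORD is reported above not to take effect).
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

# Audit only: report the current state without changing anything.
$current = Get-CredSspOracleSetting
if ($null -eq $current) {
    'AllowEncryptionOracle is not set; the default of the installed updates applies.'
} else {
    "AllowEncryptionOracle = $current : $($Meaning[$current])"
}
```

Setting the value to 2 with `Set-CredSspOracleSetting -Value 2` only restores connectivity to an unpatched peer; once both ends carry the CVE-2018-0886 patch, set it back to 1 or 0 and restart.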
