Getting Oracle CredSSP RDP Error on Server 2016 1607. Server says no update is pending.

bshwjt posted this 3 weeks ago

Team,
Client & server are from different domains.
This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660
Please let me know what other stuff you need to know & how to fix this?
Thanks

bshwjt posted this 2 weeks ago

I tried that but it is not working. My laptop is in a different domain & I am trying to log in to a DC in a different domain. The remote DC & remote DA account are present in the Silo.
Thanks
On Fri, 5 Oct 2018 at 12:44, Barth, Alex <alexbarth@xxxxxxxxxxxxxxxx> wrote:

alexbarth posted this 3 weeks ago

We found that users in authentication silos could only RDP after we configured Remote Credential Guard:

https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

For your hosts/servers, you have to enable this on all systems that you’ll connect to via a registry key or group policy. See the link above for details on how to set that. Once your hosts are configured correctly, you can then manually launch the RDP client with the /remoteguard switch and connect as the logged in user with Kerberos authentication. You can configure your clients to prefer or require remote credential guard via group policy as well.

ALEX BARTH | ITS Systems - Shared Infrastructure
The University of Texas at Austin | alexbarth@xxxxxxxxxxxxxxxx | utexas.edu
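
A read-only check of the Remote Credential Guard settings described in the post above, as an added example that is not code from the poster or from Microsoft. The function name and the host name `dc01.example.test` are hypothetical; the registry values are the ones documented on the linked Remote Credential Guard page.

```powershell
# Added example (not from the thread): read-only check of the Remote Credential
# Guard settings on the local machine. Run it on the RDP host and on the client.
function Get-RemoteCredentialGuardState {
    [CmdletBinding()]
    param()

    $lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

    # Host side: DisableRestrictedAdmin = 0 lets the host accept
    # Restricted Admin and Remote Credential Guard connections.
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    $hostValue = $lsa.DisableRestrictedAdmin

    # Client side: policy "Restrict delegation of credentials to remote servers".
    # Type 2 requires Remote Credential Guard; type 3 prefers it and can fall back.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $modes = @{
        1 = 'Require Restricted Admin'
        2 = 'Require Remote Credential Guard'
        3 = 'Restrict credential delegation'
    }
    $clientMode = 'Not configured (use mstsc /remoteGuard per connection)'
    if ($policy.RestrictedRemoteAdministration -eq 1) {
        $type = $policy.RestrictedRemoteAdministrationType
        if ($null -ne $type -and $modes.ContainsKey([int]$type)) {
            $clientMode = $modes[[int]$type]
        } else {
            $clientMode = "Enabled, unrecognised type ($type)"
        }
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        HostAcceptsRcg         = ($hostValue -eq 0)
        DisableRestrictedAdmin = $hostValue
        ClientPolicyMode       = $clientMode
    }
}

Get-RemoteCredentialGuardState | Format-List

# Per-connection launch from the client; dc01.example.test is a placeholder.
# mstsc.exe /remoteGuard /v:dc01.example.test
```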

bshwjt posted this 3 weeks ago

We have an Authentication Policy & Authentication Silo in place and Silo accounts are not able to RDP. Able to log in via console with SILO accounts but can’t RDP.

SILO excluded accounts are able to RDP.
Thanks
On Thu, 4 Oct 2018 at 22:14, Susan E Bradley, CPA/CITP/CFF, GSEC <susan@xxxxxxxxxxxxxxxx> wrote:

Bitzie posted this 3 weeks ago

If you've modified the reg key and it still isn't connecting then it doesn't look to me to be the same root cause. You said this "could be". What is the exact error you are getting?

On 10/3/2018 9:45 PM, Biswajit Biswas wrote:

janegilring posted this 3 weeks ago

Did you configure the remediation settings on the client (where you are RDP'ing from) or the server?

It needs to be configured on the client.

Jan

bshwjt posted this 3 weeks ago

Those servers are clean installs.
Thanks
On Thu, 4 Oct 2018 at 10:07, Danny CS <daemonroot@xxxxxxxxxxxxxxxx> wrote:

daemonr00t posted this 3 weeks ago

Just wondering… were those systems a clean install or in-place upgraded?

Cheers,
~danny

bshwjt posted this 3 weeks ago

Thanks all. Oracle repudiation settings did not help. 
Thanks 
On Thu, 4 Oct 2018 at 03:30, Omar Droubi <omar@xxxxxxxxxxxxxxxx> wrote:

odroubi posted this 3 weeks ago

Not sure if you want to fix it or get around it.

If get around:

More info:
https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Open an MMC window, add the Group Policy snap in for the local computer, and set this:

Policy path: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
Setting name: Encryption Oracle Remediation

Enable it, and set to “Vulnerable”

Rajeev Chauhan posted this 3 weeks ago

Check client and server for TLS setting. Chrome 63 had a similar issue with the introduction of TLS 1.3.

bshwjt posted this 3 weeks ago

Done but that is not yet fixed.
On Tue, 2 Oct 2018 at 9:52 PM, <rdmclean55@xxxxxxxxxxxxxxxx> wrote:

Ray McLean posted this 3 weeks ago

Just run Windows Update, reboot and it will fix your issue

bshwjt posted this 3 weeks ago

Hello,
I am getting that error from my workstation & from servers as well while using RDP. Tried the below key but no luck. Problematic servers say no updates pending.
New-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion' -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
Regards
On Tue, 2 Oct 2018 at 11:00, Danny CS <daemonroot@xxxxxxxxxxxxxxxx> wrote:
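
The Encryption Oracle Remediation setting discussed in this thread is stored as the `AllowEncryptionOracle` DWORD, which KB4093492 documents under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters`. The read-only check below is an added example, not code from any poster; the function name is hypothetical, and it also reports a same-named value found directly under `...\CurrentVersion`, the path used in the command above.

```powershell
# Added example (not from the thread): report how CredSSP Encryption Oracle
# Remediation (CVE-2018-0886) is configured on the local machine. Read-only.
function Get-CredSspOracleSetting {
    [CmdletBinding()]
    param(
        # Location documented in KB4093492.
        [string]$DocumentedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters',
        # Location written by the command quoted in the thread.
        [string]$ThreadKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    )

    # Value names as shown in the Group Policy setting.
    $names = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    $value = (Get-ItemProperty -Path $DocumentedKey -ErrorAction SilentlyContinue).AllowEncryptionOracle
    $stray = (Get-ItemProperty -Path $ThreadKey -ErrorAction SilentlyContinue).AllowEncryptionOracle

    if ($null -eq $value) {
        $setting = 'Not configured (OS default applies)'
    } elseif ($names.ContainsKey([int]$value)) {
        $setting = $names[[int]$value]
    } else {
        $setting = "Unknown ($value)"
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        Value                     = $value
        Setting                   = $setting
        # 2 (Vulnerable) permits fallback to the unpatched CredSSP behaviour.
        InsecureFallback          = ($value -eq 2)
        # Non-null means the value was written outside the documented key.
        ValueOutsideDocumentedKey = $stray
    }
}

Get-CredSspOracleSetting | Format-List
```

Run it on the client as well as the server, and review any machine that reports `InsecureFallback` as true once its RDP peers are patched.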

daemonr00t posted this 3 weeks ago

Could be your workstation that’s triggering this… how’s the Oracle remediation reg key looking?

Regards,
~danny