Monday 12 November 2018

CredSSP encryption oracle remediation error when you try to RDP to a Windows VM in Azure

Scenario 1: Updated clients cannot communicate with non-updated servers

The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediation policy setting does not allow an insecure RDP connection to a server that does not have the CredSSP update installed.
To work around this issue, follow these steps:
  1. On the client has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane. 
  2. Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:
  1. Open a Command Prompt window as Administrator.
  2. Run the following command to add a registry value:
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2


Scenario 2: Non-updated clients cannot communicate with patched servers

If the Azure Windows VM has this update installed, and it is restricted to receiving non-updated clients, follow these steps to change the Encryption Oracle Remediation policy setting:
  1. On any Windows computer that has PowerShell installed, add the IP of the VM to the "trusted" list in the host file:
    Set-item wsman:\localhost\Client\TrustedHosts -value <IP>
  2. Go to the Azure portal, locate the VM, and then update the Network Security group to allow PowerShell ports 5985 and 5986.
  3. On the Windows computer, connect to the VM by using PowerShell:
    For HTTP:
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "<<Public IP>>" -port "5985" -Credential (Get-Credential) -SessionOption $Skip

    For HTTPS:
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "<<Public IP>>" -port "5986" -Credential (Get-Credential) -useSSL -SessionOption $Skip
  4. Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)