Tuesday 18 August 2020

How to fix RDP Authentication Error

It’s pointless to solve this problem by removing installed Windows update because you are exposing your computer to the risk of exploiting the various vulnerabilities that this update fixes. The RDP error “An authentication error has occurred” can also appear when trying to run a Remote App application.

Why is this happening? The fact is that the latest security updates (released after May 2018) are installed on your Windows 10 desktop. These updates fix a serious vulnerability in the CredSSP protocol (Credential Security Support Provider) used for authentication on RDP servers (CVE-2018-0886 – read carefully the article RDP authentication error: CredSSP Encryption Oracle Remediation). These updates are not installed on your RDP/RDS server side, and the NLA (Network Level Authentication) is enabled for remote desktop access. NLA uses CredSSP mechanisms to pre-authenticate RDP users over TLS/SSL or Kerberos. Your computer simply blocks the remote desktop connection to a server that uses the vulnerable version of CredSSP.

What can you do to fix this problem and connect to your RDP server?

The most correct way to solve the problem is to install the latest cumulative Windows security updates on a remote computer or RDS server (to which you are trying to connect via RDP);
Workaround 1. You can disable NLA (Network Level Authentication) on the RDP server side (as described below);
Workaround 2. You can re-configure your desktops by allowing them to connect to the Remote Desktop with an unsafe version of CredSSP (as described in the article at the link above). To do this, change the registry parameter AllowEncryptionOracle (use the command: REG ADD
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2) or change the local policy Encryption Oracle Remediation by setting its value to Vulnerable. This is the only way to access a remote server via RDP if you can’t log in on the server locally (via the ILO, virtual machine console or cloud provider web-interface). You can connect to a remote server in this mode and install the latest security updates. After updating the server, don’t forget to disable the policy or return the value of the registry parameter AllowEncryptionOracle to 0 (REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0).
Disable NLA for Remote Desktop in Windows

If NLA is enabled on your RDP server, this means that CredSSP is used for RDP users’ pre-authentication. You can disable Network Level Authentication in the System Properties on the Remote tab by unchecking the options “Allow connection only from computers running Remote Desktop with Network Level Authentication (recommended)” (Windows 10 /8.1 or Windows Server 2012R2/2016).

In Windows 7 (Windows Server 2008 R2), this option is called differently. On the Remote tab, select the option “Allow connections from computers running any version of Remote Desktop (less secure)“.

You can also disable Network Level Authentication (NLA) using the Local Group Policy editor – gpedit.msc (you can run the gpedit.msc in Windows 10 Home edition like this) or using the domain group policy management console – GPMC.msc. In the policy editor go to the section Computer Configuration –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Security, find and disable the policy “Require user authentication for remote connections by using Network Level Authentication“.

You also need to select the RDP Security Layer in the “Require use of specific security layer for remote (RDP) connections” policy settings.

To apply new RDP settings, you need to update the group policies on a local computer (gpupdate / force) or reboot your desktop. After that, you should successfully connect to the remote desktop.


Post a Comment