Solved: RDP authentication error “CredSSP encryption oracle remediation”

Sometimes you may face “CredSSP encryption oracle remediation” error While attempting to make an RDP connection to another Windows client you may face error

An authentication error has occurred.
The function requested is not supported

<computer name or IP> This could be due to CredSSP encryption oracle remediation

Note: CredSSP is an authentication provider that processes authentication requests for other applications. any application which depends on CredSSP for authentication may be vulnerable to this type of attack.

Why is encryption oracle remediation missing?

This error is due to a recent update  (KB4093492) to windows to resolve vulnerabilities in windows authentication. Specifically a vulnerability in the Windows subsystem, Credential Security Support Provider protocol (CredSSP). This vulnerability applies to all modern versions of Windows Operating systems and allows for a remote code execution vulnerability. However, post patching caused an issue where the patched clients were blocked from communicating with unpatched servers over RDP protocols. Let’s take a look at the Windows RDP CredSSP encryption oracle remediation error fix.

Use group policy to change the Credential Delegation at the client

Use the group policy settings changes described below to roll back the changes to the ‘Vulnerable’ state to allow RDP access.

• Press Windows + R, type gpedit.msc and ok
• On the group policy, the editor window navigate the following path
•  Computer Configuration > Administrative Templates > System > Credentials Delegation
• Double click on the policy named “Encryption Oracle Remediation”
• Here change the policy enabled,
• Then change Protection Level to Vulnerable. (see image below)

Once the change is made in the group policy editor it is put into effect immediately. No restart was required to apply the change.

Now try to reconnect the RDP client check there is no more RDP authentication error “CredSSP encryption oracle remediation”.

Tweak Windows registry editor

If you are windows home basic user, you don’t have a group policy editor option to change the Credential Delegation at the client. But don’t worry you can apply the following registry tweak to fix the Windows RDP CredSSP encryption oracle remediation error.

• Press Windows + R, type regedit and ok
• This will open Windows registry editor, navigate the following subkey
• HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Policies > System
• Right-click on System, select New > Key and name it as CredSSP.
• Now right click on CredSSP and create a new key with the name Parameters.
• In Parameters, you have to create new DWORD (32-bit) value with the name AllowEncryptionOracle.
• right-click on AllowEncryptionOracle and choose Modify
• Here change its value data to “2” and Base to “Decimal“.
• That’s all, click ok and close registry editor.

Now try connecting to other systems using RDP and you can now see the successful connection.