CredSSP RDP Error Workaround
Updated: Jun 17, 2021
You may find yourself on an engagement trying to use Remote Desktop (RDP) to connect to a server, only to get a strange "CredSSP" error that prevents the connection. This quick post explains why that happens and how to work around the error.
Basically, Credential Security Support Provider (CredSSP) is a protocol that processes authentication requests for other applications. RDP is one such application: when you use RDP to connect to another host, the RDP client takes the credentials you enter and passes them to CredSSP, which handles the authentication between you (the client) and the target (the server). It's slightly more complicated than that under the hood, but for the sake of simplicity we'll leave it at that. You can read more here.
Well, back in 2018 a remote code execution vulnerability was discovered that could allow an attacker to relay known credentials and execute code on the target system. The details of this are documented in CVE-2018-0886 that can be read about here.
All Windows systems required an update to fix this issue, and for the fix to work both the client and the server must have it applied. Every system that has internet access or has a Windows Server Update Services (WSUS) server configured probably received the fix. The catch is that not all servers or hosts are connected to the internet or have a WSUS server configured in their environment, which leaves them unpatched. This happens quite often in secure environments where all patching is done manually and only as required. So, when you land at a customer site, they haven't applied this patch for whatever reason, and you try to connect to their server via RDP, you will likely get the dreaded CredSSP error.
To get around this there are two potential tweaks you can make to your system. One involves a simple local group policy change, and the other is a little more complex and involves adding some registry keys.
WARNING!! THESE CHANGES ARE CONSIDERED INSECURE SO CHANGE THEM BACK WHEN YOU’RE FINISHED!!
The easiest way to fix this is to open the Group Policy editor, either by searching for it in the Windows start menu search box or by typing gpedit.msc into the Run prompt. Once it is open, navigate to the following entry:
Computer Configuration -> Administrative Templates -> Credential Delegation -> Encryption Oracle Remediation:
Double-click it and select Enabled from the radio options, then within the Options section set the Protection Level to "Vulnerable" as shown:
This will now allow you to connect to the server/target that hasn’t had the fixes applied.
Alternatively, if changing the GPO doesn't work or you do not have access to it for some reason, you can add a registry entry to work around the issue:
Open the Registry Editor by searching for it in the Windows menu search bar or typing "regedit" into the Run prompt, then navigate to the following:
HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> Policies -> System
Then right-click on System and create a new Key called CredSSP. Next, right-click CredSSP and create a new Key called Parameters:
Then create a new DWORD entry called "AllowEncryptionOracle":
Next, set the "Value data" to 2 and the "Base" radio option to Decimal.
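Both the Group Policy setting and the manual registry edit end up writing the same DWORD, so the whole change can be scripted from an elevated PowerShell prompt, and more importantly put back exactly as it was when the engagement is over. The following is an added example written for this post, not a script from the original author; the function names are my own, and the key path and value name are the ones given above.

```powershell
# Added example (not part of the original post): read, set and revert the
# AllowEncryptionOracle value that the steps above create by hand.
# Run from an elevated PowerShell prompt; writing under HKLM needs admin rights.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Meaning of the DWORD, matching the Protection Level radio buttons in gpedit:
#   0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable (what the post sets)
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-EncryptionOracleLevel {
    # Returns the current value, or $null when the value has never been set
    # (a host with the update installed then behaves as "Mitigated").
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-EncryptionOracleLevel {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level)
    # Create CredSSP\Parameters if it does not exist yet, then write the DWORD.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
    Write-Host ("{0} set to {1} ({2})" -f $ValueName, $Level, $Levels[$Level])
}

function Remove-EncryptionOracleOverride {
    # Deleting the value returns the host to its default behaviour (no override).
    if (Test-Path $KeyPath) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
    Write-Host "$ValueName removed; CredSSP is back to its default protection level"
}

# Usage, in order, from an elevated prompt:
#   $before = Get-EncryptionOracleLevel        # 1. record the starting state
#   Set-EncryptionOracleLevel -Level 2         # 2. allow RDP to the unpatched target
#   ...                                        #    do the work on the server/target
#   if ($null -eq $before) { Remove-EncryptionOracleOverride }   # 3. restore exactly
#   else { Set-EncryptionOracleLevel -Level $before }            #    what was there
```

Recording the starting value first matters because a hardened build may already pin the level to 0 (Force Updated Clients), and simply deleting the value afterwards would silently weaken it to the default. One caveat: if the setting was applied through gpedit rather than directly in the registry, the local policy store will rewrite the value on the next policy refresh, so in that case revert by setting the policy back to Not Configured in gpedit instead of only removing the registry value.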
Remember, both options will get you past the connection error, but they are insecure and should be reset once you have finished working on the server/target. Additionally, any host that does not have the Microsoft patch applied should be updated at the earliest opportunity so that the vulnerability this patch addresses cannot be leveraged by an attacker.