RDP on Windows 7: "This function is not supported. An authentication error occurred"

On March 13, Microsoft published a description of the vulnerability CVE-2018-0886 in the CredSSP authentication protocol, which is used, in particular, when connecting via RDP to terminal servers. Microsoft later announced that it would block connections to unpatched servers that have this vulnerability. As a result, many customers have encountered problems connecting via RDP.

Specifically, in Windows 7 you may see the error: "An authentication error occurred. The specified feature is not supported".
In Windows 10, the error is described in more detail; in particular, it says “The error may be caused by a fix to the CredSSP encryption”.


To bypass the error on the client side, many advise changing the Group Policy setting Encryption Oracle Remediation to Vulnerable:
using gpedit.msc, go to Computer Configuration / Administrative Templates / System / Credentials Delegation, select “Encryption Oracle Remediation” (localized as “Fixing the encryption oracle vulnerability”, a funny translation, of course), set “Enabled” in the settings and select “Vulnerable” (“Leave vulnerability”).


or through the registry (since, for example, Windows Home has no gpedit.msc command):

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2


BUT! There is no need to do this! By doing so you leave the vulnerability open and risk interception of your traffic and other confidential data, including passwords. The only time this might be necessary is when you have no way to connect to the remote server other than via RDP in order to install updates (although any cloud provider should offer a way to connect to the server console). Immediately after installing the updates, the policies must be returned to their original state.

If you have access to the remote server, then, as a temporary measure, you can disable the NLA (Network Level Authentication) requirement, and the server will stop using CredSSP. To do this, go to System Properties and, on the Remote Connections tab, uncheck the box “Allow connections only from computers running Remote Desktop with network-level authentication”.

But this is also the wrong approach.

The correct approach is simply to install the updates that close the CVE-2018-0886 vulnerability in CredSSP, on both the server you are connecting to and the client you are connecting from.

The list of updates for all operating systems, starting with Windows 7 and Windows Server 2008, is available at: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
Select the desired version of the operating system, download the appropriate update from the catalog, install it and reboot. After this, the error should disappear.
For example, on Windows Server 2016 the download link will be like this:

After May 8, 2018, many users of Windows operating systems encountered a problem whereby, when trying to log into another Windows computer via remote desktop (or using remoteapp), they received the following error:

An authentication error occurred.
The specified function is not supported
The error may be caused by a fix to CredSSP encryption.

In this article we will look at 3 ways to fix this error. The first method is the most correct and is what you should use if you encounter this problem. The second and third methods, although they allow you to remove the error, should be used only if it is not possible to install the patch.

Method 1: Install an update to fix CredSSP encryption

The cause of this error is the lack of a CVE-2018-0886 update on the server side or on the computer you are trying to connect to using Remote Desktop (RDP). To eliminate it, simply install this update on the computer that acts as a server. You can download the update for the required OS version using the links below:

Method 2: Disable CredSSP encryption error notification through Group Policy

If it is impossible to install updates for some reason, you can disable this error notification. To do this, on the computer that acts as a client, we carry out the following actions:

Method 3: Disable CredSSP encryption error notification by editing the registry

If your Windows edition has no group policy editor (for example, Windows 10 Home), you will have to make the necessary changes to the registry manually. To do this, on the computer that acts as a client, we carry out the following actions:

  1. Open the registry editor and go to the following path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
  2. Find the DWORD parameter named AllowEncryptionOracle and set its value to 2. If there is no such parameter, create it.
  3. Reboot the computer.

For those who don't want to mess with the registry, just run the command below in a command prompt with administrator rights:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2

After installing the May security updates (dated May 8, 2018, on Windows 7/8/10 and on the server platforms Windows Server 2008 R2 / 2012 R2 / 2016), users cannot access the remote machine via RDP and RemoteApp, and the following error appears:

Screenshot: CredSSP error window after making an RDP connection to the server from the client machine.

In early spring 2018, Microsoft released an update that prevents remote code execution through a vulnerability in the CredSSP protocol, and in May it released an update after which client machines are, by default, prohibited from connecting to remote RDP servers with a vulnerable version of the CredSSP protocol. Accordingly, if the spring updates are installed on clients but not on servers running Windows Server, we will receive an error when connecting:

"An authentication error occurred. The specified function is not supported. The error may be caused by a CredSSP fix."

Or the English version:

"This could be due to CredSSP encryption oracle remediation."

The RDP client error appears after installing the following security updates:

  • Windows 7 / Windows Server 2008 R2 - update KB4103718
  • Windows 8.1 / Windows Server 2012 R2 - update KB4103725
  • Windows 10 1803 - update KB4103721
  • Windows 10 1709 - update KB4103727
  • Windows 10 1703 - update KB4103731
  • Windows 10 1609 - update KB4103723
  • Windows Server 2016 - update KB4103723

To restore the connection, you can simply uninstall the above updates, but this will reopen the vulnerability, so the action plan to solve the problem is as follows:

  1. Temporarily remove the security notification that blocks the connection on the computer from which we connect via RDP;
  2. Connect to the server via the restored RDP connection and install the necessary security patch;
  3. Re-enable the security notification that was temporarily disabled in the first step of the action plan.

To do the first step:

  • Open the local group policy editor: Start - Run - gpedit.msc;
  • Go to the section Computer Configuration - Administrative Templates - System - Credentials Delegation;
  • Find the policy named Encryption Oracle Remediation. Set the policy to Enabled and select Vulnerable as the option in the drop-down list;

Screenshot: Enabling GPO Option - Fixing Encryption Oracle Vulnerability
  • All that remains is to update the policies on the computer (to do this, open Cmd and use the gpupdate /force command) and try to connect via RDP. When the policy is enabled, client applications that support CredSSP will be able to connect even to unpatched Remote Desktop servers.

If this is a home computer with a stripped-down edition of Windows and you do not have access to the Local Group Policy console, it does not matter: use the registry editor (Regedit). Launch it and go to the path:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters

and set the AllowEncryptionOracle parameter value to 2 (0x00000002).

Then you need to download and install the security updates suitable for your system (for your convenience I am publishing direct links to the updates for Windows Server, which I highly recommend installing):

  • Windows Server 2016 / Windows 10 1607 - KB4103723
  • Windows Server 2012 R2 / Windows 8 -

After installing update KB4103718 on my Windows 7 computer, I cannot remotely connect to a server running Windows Server 2012 R2 via RDP. After I specify the RDP server address in the mstsc.exe client window and click “Connect”, the error appears:

Remote Desktop Connection

An authentication error occurred.

The specified function is not supported.
Remote computer: computername

After I uninstalled the KB4103718 update and rebooted the computer, the RDP connection began to work fine. If I understand correctly, this is only a temporary workaround, next month a new cumulative update package will arrive and the error will return? Can you recommend anything?

Answer

You are absolutely right that solving the problem this way is pointless, because you thereby expose your computer to the risk of exploitation of various vulnerabilities that are closed by patches in this update.

You are not alone in your problem. This error can appear in any Windows or Windows Server operating system (not only Windows 7). For users of the English version of Windows 10, a similar error when trying to connect to an RDP/RDS server looks like this:

An authentication error has occurred.

The function requested is not supported.

Remote computer: computername

The RDP error “An authentication error has occurred” may also appear when trying to launch RemoteApp applications.

Why is this happening? The fact is that your computer has the latest security updates (released after May 2018), which correct a serious vulnerability in the CredSSP (Credential Security Support Provider) protocol used for authentication on RDP servers (CVE-2018-0886) (I recommend reading the article). However, on the side of the RDP / RDS server to which you connect from your computer, these updates are not installed, and the NLA (Network Level Authentication) protocol is enabled for RDP access. The NLA protocol uses CredSSP mechanisms to pre-authenticate users via TLS/SSL or Kerberos. Your computer, due to the new security settings introduced by the update you installed, simply blocks the connection to a remote computer that uses a vulnerable version of CredSSP.

What can you do to fix this error and connect to your RDP server?

  1. The most correct way to solve the problem is to install the latest Windows security updates on the computer/server you are connecting to via RDP;
  2. Temporary method 1. You can disable Network Level Authentication (NLA) on the RDP server side (described below);
  3. Temporary method 2. On the client side, you can allow connections to RDP servers with an insecure version of CredSSP, as described in the article linked above. To do this, change the registry value AllowEncryptionOracle (command REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2) or change the local policy setting Encryption Oracle Remediation (Fix encryption oracle vulnerability), setting its value to Vulnerable (Leave vulnerability).

    This is the only way to access a remote server via RDP if you do not have the ability to log into the server locally (via the iLO console, virtual machine, cloud interface, etc.). In this mode, you will be able to connect to a remote server and install security updates, thus moving to the recommended method 1. After updating the server, do not forget to disable the policy or return the key value AllowEncryptionOracle = 0: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0

Disabling NLA for RDP on Windows

If NLA is enabled on the side of the RDP server you are connecting to, this means that CredSSP is used to pre-authenticate the RDP user. You can disable Network Level Authentication in the system properties on the Remote access (Remote) tab by unchecking the “Allow connection only from computers running Remote Desktop with Network Level Authentication (recommended)” checkbox (Windows 10 / Windows 8).

In Windows 7 this option is called differently. On the Remote access tab you need to select the option "Allow connections from computers running any version of Remote Desktop (less secure)".

You can also disable Network Level Authentication (NLA) using the Local Group Policy Editor, gpedit.msc (in Windows 10 Home, the gpedit.msc policy editor can be launched), or using the domain policy management console, GPMC.msc. To do this, go to the section Computer Configuration –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Security and turn off the policy "Require user authentication for remote connections by using Network Level Authentication".

You also need to select Security Layer - RDP in the policy "Require use of specific security layer for remote (RDP) connections".

To apply the new RDP settings, you need to update the policies (gpupdate /force) or restart the computer. After this, you should successfully connect to the remote desktop server.
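
Both temporary methods above leave settings behind that must be reverted after patching. The following read-only audit is an added example, not part of the original article: run it on the client to check AllowEncryptionOracle and on the RDP server to check the two NLA values. The RDP-Tcp and Terminal Services policy registry paths and the helper names are assumptions of this example (the standard Windows locations, not given in the article).

```powershell
# Added audit example (not from the article). Read-only: it changes nothing.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing ($null to the caller) when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param($Setting, $Value, $Meaning, [bool]$NeedsRevert)
    New-Object PSObject -Property @{
        Setting = $Setting; Value = $Value; Meaning = $Meaning; NeedsRevert = $NeedsRevert
    } | Select-Object Setting, Value, Meaning, NeedsRevert
}

$credSsp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
# Assumed standard locations of the NLA settings (not given in the article):
$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$meanings = @{
    AllowEncryptionOracle = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    UserAuthentication    = @{ 0 = 'NLA not required'; 1 = 'NLA required' }
    SecurityLayer         = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
}
# The values that the temporary workarounds in the article leave behind.
$workaround = @{ AllowEncryptionOracle = 2; UserAuthentication = 0; SecurityLayer = 0 }

function Get-CredSspWorkaroundAudit {
    foreach ($setting in 'AllowEncryptionOracle', 'UserAuthentication', 'SecurityLayer') {
        if ($setting -eq 'AllowEncryptionOracle') {
            $value = Get-RegValue $credSsp $setting          # client-side setting
        } else {
            $value = Get-RegValue $tsPol $setting            # Group Policy wins if present
            if ($null -eq $value) { $value = Get-RegValue $rdpTcp $setting }
        }
        if ($null -eq $value) {
            New-Finding $setting '(absent)' 'not configured, OS default applies' $false
            continue
        }
        $text = $meanings[$setting][[int]$value]
        if (-not $text) { $text = 'unexpected value' }
        New-Finding $setting $value $text ($value -eq $workaround[$setting])
    }
}

$audit = Get-CredSspWorkaroundAudit
$audit | Format-Table -AutoSize
if ($audit | Where-Object { $_.NeedsRevert }) { 'Temporary workaround still in place: patch, then revert.' }
```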

Windows OS owners know that the developer provides mandatory support for its operating systems for a certain time. Most often this takes the form of updates that Microsoft periodically releases, which are delivered to the computer and installed there either automatically or manually.

Unfortunately, sometimes this leads to not the best consequences. Yes, such updates solve certain problems, but sometimes they create new ones.

For example, according to the observations of many users, installing the KB4103718 package causes attempts to connect to a server using RDP remote desktop to fail with a message on the screen: an error occurred during authentication - the specified function is not supported.

Naturally, this does not suit a user who is thus deprived of functionality that is necessary and very important to them. What should you do? Fix it, of course.

So, if Windows 7 RDP authentication failed, the easiest solution would be to go back to the operating system's update settings and uninstall the recently installed packages. As practice shows, this action is quite enough to get rid of the failure.

True, there are several “buts”:

  • At the next automatic update everything will come back.
  • If you prevent Windows from running this functionality, the operating system may turn out to be extremely vulnerable, since it will not be able to receive the most important protective fixes from the developers.

Therefore, you need to look for alternative solutions. Experienced users, when asked “An authentication error occurred” - how to fix it, recommend the following actions:

  1. Install all the most important, latest update packages not only on your equipment, but also on the computer and server to which the user plans to connect remotely via this protocol. This is practically the only and complete solution to this problem. All others are only temporary.
  2. You can deactivate NLA or provide access to a remote server with a so-called insecure version of CredSSP.

How can you stop using NLA? The following steps must be followed:

  1. In Control Panel, open All Control Panel Items, then System.
  2. Open the “Properties” window and go to the “Remote Access” tab.
  3. At the very bottom you can see a line that begins with the words “Allow connections only from computers...”. Uncheck the box next to it.