Problem Description
When a Remote Desktop Connection is used to log in to a Windows instance, an error is displayed.
An authentication error has occurred. The token supplied to the function is invalid.
An authentication error has occurred. The function requested is not supported.
Problem Analysis
Microsoft published a security update in March 2018. By correcting how the Credential Security Support Provider protocol (CredSSP) validates requests during authentication, this update fixes the remote code execution vulnerability in the CredSSP. Both the client and server need to install the security update, or the preceding error may occur.
Remote connection fails in the following three scenarios:
Scenario 1: The security update is installed on the server but not on the client, and the "force updated clients" policy is configured.
Scenario 2: The security update is installed on the client but not on the server, and the "force updated clients" policy is configured.
Scenario 3: The security update is installed on the client but not on the server, and the "mitigated" policy is configured.
Solution
Logging in to CVM via VNC
2. On the Instances page, find the target CVM instance and click Log in.
3. In the Standard Login | Windows Instance pop-up window, select Login via VNC.
4. In the login pop-up window, select Send remote command in the top-left corner and press Ctrl-Alt-Delete to open the system login window as shown below:
5. Enter the login password and press Enter to log in to the Windows CVM instance.
Solution 1. Install the security update (recommended)
Install the security update on the unpatched client or server. For updates for different operating systems, see CVE-2018-0886 | CredSSP remote code execution vulnerability. This solution uses Windows Server 2016 as an example.
In other operating systems, you may use the following methods to enter Windows Update: Windows Server 2012: > Control Panel > System and Security > Windows Update Windows Server 2008: Start > Control Panel > System and Security > Windows Update
Windows 10: > Settings > Update & Security Windows 7: > Control Panel > System and Security > Windows Update 1. On the desktop, click and select Settings. 2. In the Settings pop-up window, select Update & Security.
3. In Update & Security, select Windows Update and click Check for updates.
4. Click Start Installation.
5. After the installation is complete, restart the instance to finish the update.
Solution 2. Modify the policy
In a CVM instance that has the security update installed, set the Encryption Oracle Remediation policy to Vulnerable. This solution uses Windows Server 2016 as an example. Follow the steps below:
Note:
If no group policy editor is available in the Windows 10 Home operating system, you can modify the registry to edit the policy as instructed in Solution 3. Modify the registry. 1. On the desktop, click , enter "gpedit.msc", and press Enter to open Local Group Policy Editor. Note:
You can also press Win+R to open the Run window.
2. On the left sidebar, select Computer Configuration > Administrative Templates > System > Credentials Delegation and double-click Encryption Oracle Remediation.
3. In the Encryption Oracle Remediation pop-up window, select Enabled and set Protection level to Vulnerable.
4. Click OK.
Solution 3. Modify the registry
1. On the desktop, click , enter "regedit", and press Enter to open the Registry Editor. Note:
You can also press Win+R to open the Run window.
2. On the left sidebar, select Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System > CredSSP > Parameters.
Note:
If the directory path does not exist, create one manually.
3. Right-click Parameters, select New > DWORD (32-bit) value, and name the file AllowEncryptionOracle.
4. Double-click the newly created "AllowEncryptionOracle" file, set Value data to "2", and click OK.
5. Restart the instance.
References
Was this page helpful?