Fix Windows VM Issue – CredSSP Encryption Oracle Remediation

CredSSP Encryption Oracle Remediation

Credential Security Support Provider protocol (CredSSP) is an authentication provider, which handles authentication requests from other applications. A remote code execution vulnerability exists in the CredSSP. Any application that relies on CredSSP for authentication may be vulnerable to this type of attack.

If you have an application or service (such as the remote desktop connection) that uses CredSSP on the updated computer, you will face a CredSSP encryption oracle repair error.

Authentication will not work and you will receive the following error message – A verification error occurred. The requested feature is not supported. Remote computer: This may be caused by the CredSSP encryption oracle repair.

The group policy setting you need is encryption oracle remediation. It provides three levels of protection:

Mandatory client update: This is the highest level of protection because it requires the update to be applied to all clients that want to communicate with CredSSP. Therefore, do not select this option until the update is applied to all clients and servers.

Mitigation: This level prevents applications such as Remote Desktop Connection from connecting to servers that have not been updated. However, services using CredSSP will work.

Fragile: This is the lowest level of protection. It will allow you to connect to the server remotely using RDP. However, it will expose the server to attacks.

How to Fix CredSSP Encryption Oracle Remediation  

Then, let’s see how to fix the CredSSP encryption oracle remediation issue.

Case 1: The Updated Client Cannot Communicate with the Unupdated Server

To fix the “this could be due to CredSSP encryption oracle remediation” issue, you need to do the following steps.

Step 1: Run gpedit.msc on the client that has the CredSSP update installed,

Step 2: Then, navigate to the following:

Computer Configuration > Administrative Templates > System > Credentials Delegation 

Step 3: Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

Step 4: If you cannot use gpedit.msc, you can use the registry to make the same change.

Step 5: Open the Command Prompt window as Administrator. Then, run the following command to add a registry value:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Case 2: Clients that Are Not Updated Cannot Communicate with Patched Servers

If Azure Windows VM has already installed this update and is limited to receiving an updated clients, follow the steps below to fix CredSSP encryption oracle remediation.

Also see: Best Virtual Machine for Windows, Linux, and Mac Systems

Step 1: Add the IP of the VM to the trusted list in the host file on the Windows computer that has installed PowerShell.

Set-item wsman:\localhost\Client\TrustedHosts -value <IP>

Step 2: Go to the Azure portal, locate the VM, and then update the Network Security group to allow PowerShell ports 5985 and 5986.

Step 3: On the Windows computer, connect to the VM by using PowerShell:

For HTTP:

$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName “<<Public IP>>” -port “5985” -Credential (Get-Credential) -SessionOption $Skip 

For HTTPS: 

$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName “<<Public IP>>” -port “5986” -Credential (Get-Credential) -useSSL -SessionOption $Skip

Step 4: Run the following command to change the Encryption Oracle Remediation policy setting:

Set-ItemProperty -Path ‘HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters’ -name “AllowEncryptionOracle” 2 -Type DWord

Final Words

To sum up, this post has shown how to fix CredSSP encryption oracle remediation issue. If you have the same problems, try these solutions. If you have any better ideas to fix it, you can share them in the comment zone.