top of page
carpcrisexaser

Client failed to RDP to RDS server following Windows Server Patching – CredSSP updates for CVE-20: T



Although you can use any of the above mentioned methods to resolve this issue of RDP Authentication Error Function Requested Is Not Supported, I recommend that you either use Solution 1 (install latest Windows updates) or Solution 2 (using local group policy) for the resolution.I had the same issue with my network. All the above mentioned solutions worked for me on my company network. I fixed it by updating all my Windows Server installations and also the client computers. There were some environments which required not updating the server at all. I used the second method to fix RDP authentication error messages from those servers.What are your thoughts about this?


I've check the providede link and both my win 10 client and my windows servers 2019 are completly updated and their tspkg.dll are in an upper version than the one with the patch for the credssp/oracle remediation CVE.




Client failed to RDP to RDS server following Windows Server Patching – CredSSP updates for CVE-20



This error is due to the fact that on Windows Server or regular desktop versions of Windows, to which you are trying to connect via RDP, no security updates have been installed since March 2018. The fact is that back in March 2018, Microsoft released an update that closes the possibility of remote code execution using a vulnerability in the CredSSP protocol (bulletin CVE-2018-0886). In May 2018, an additional update was published, in which, by default, clients are prohibited from connecting to remote RDP servers with a vulnerable (unpatched) version of the CredSSP protocol.Thus, if you have not installed the cumulative security updates on Windows RDS servers since March of this year, and the clients (Win 10/8/7) installed the May updates, then you will get an error about Unable to connect: This could be due to CredSSP encryption oracle remediation.


After installing updates and rebooting the server, do not forget to disable the policy on the clients (or set it to Force Updated Clients), or return the value 0 to the AllowEncryptionOracle registry key. In this case, your computer will not be at risk of connecting to unprotected hosts with CredSSP and exploiting the vulnerability.


The RDP 8.0 client and server components are also available as an add-on for Windows 7 SP1. The RDP 8.0 client is also available for Windows Server 2008 R2 SP1, but the server components are not. The add-on requires the DTLS protocol to be installed as prerequisite.[22] After installing the updates, for the RDP 8.0 protocol to be enabled between Windows 7 machines, an extra configuration step is needed using the Group Policy editor.[23]


Symptoms: When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log: 09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.


Conditions: This issue occurs when the following conditions are met: -- A standard virtual server with the clientssl and serverssl profiles in use. -- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.


Symptoms: When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection. The system posts the following messages in /ts/log/bd.log: -- IO_PLUGINERR Mar 28 09:16:15.12130539websocket.c:0269101 Switching Protocols HTTP status arrived, but the websocket hanshake failed. -- IO_PLUGINERR Mar 28 09:16:15.12130539websocket.c:0270Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.


Conditions: This occurs when the following conditions are true: -- The client sends a window scaling factor greater than 0 (zero). -- The server sends a window scaling factor equal to 0 (zero). -- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).


Symptoms: When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.


Conditions: This occurs when a client-side virtual server meets all of the following conditions: -- No SSL profile is enabled. -- SSID Persistence is one of the resources (i.e., the SSID is enabled). -- TLS v1.3 traffic is negotiated between the SSL client and the back-end SSL server, with the BIG-IP device acting as a passive listener between the client and the back-end server.


Conditions: The http-transparent profile is attached to a virtual, and the following profiles are attempted to be used on the same virtual: clientssl, serverssl, oneconnect, http-security (psm).


Symptoms: Import failure when importing ASM policy with many Session Awareness Data Points. ASM logs errors similar to the following: -- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes. 2ff7e9595c


0 views0 comments

Recent Posts

See All

Comments


bottom of page