An authentication error has occurred rdp the function requested is not supported

Ответ

Вы абсолютно правы в том, что бессмысленно решать проблему удалением обновлений Windows, ведь вы тем самым подвергаете свой компьютер риску эксплуатации различных уязвимостей, которые закрывают патчи в данном обновлении.

В своей проблеме вы не одиноки. Данная ошибка может появится в любой операционной системе Windows или Windows Server (не только Windows 7). У пользователей английской версии Windows 10 при попытке подключится к RDP/RDS серверу аналогичная ошибка выглядит так:

Ошибка RDP “An authentication error has occurred” может появляться и при попытке запуска RemoteApp приложений.

Почему это происходит? Дело в том, что на вашем компьютере установлены актуальные обновления безопасности (выпущенные после мая 2018 года), в которых исправляется серьёзная уязвимость в протоколе CredSSP (Credential Security Support Provider), использующегося для аутентификации на RDP серверах (CVE-2018-0886) (рекомендую познакомится со статьей Ошибка RDP подключения: CredSSP encryption oracle remediation). При этом на стороне RDP / RDS сервера, к которому вы подключаетесь со своего компьютера, эти обновления не установлены и при этом для RDP доступа включен протокол NLA (Network Level Authentication / Проверку подлинности на уровне сети). Протокол NLA использует механизмы CredSSP для пре-аутентификация пользователей через TLS/SSL или Kerberos. Ваш компьютер из-за новых настроек безопасности, которые выставило установленное у вас обновление, просто блокирует подключение к удаленному компьютеру, который использует уязвимую версию CredSSP.

Что можно сделать для исправления эту ошибки и подключиться к вашему RDP серверу?

1. Самый правильный способ решения проблемы – установка последних кумулятивных обновлений безопасности Windows на компьютере / сервере, к которому вы подключаетесь по RDP;
2. Временный способ 1. Можно отключить проверку подлинности на уровне сети (NLA) на стороне RDP сервера (описано ниже);
3. Временный способ 2. Вы можете на стороне клиента разрешить подключение к RDP серверам с небезопасной версией CredSSP, как описано в статье по ссылке выше. Для этого нужно изменить ключ реестра AllowEncryptionOracle (команда
   REG ADD
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters /v AllowEncryptionOracle /t REG_DWORD /d 2
   ) или изменить настройки локальной политики Encryption Oracle Remediation / Исправление уязвимости шифрующего оракула), установив ее значение = Vulnerable / Оставить уязвимость).

   Это единственный способ доступа к удаленному серверу по RDP, если у вас отсусвует возможность локального входа на сервер (через консоль ILO, виртуальной машины, облачный интерфейс и т.д.). В этом режиме вы сможете подключиться к удаленному серверу и установить обновления безопасности, таким образом перейдете к рекомендуемому 1 способу. После обновления сервера не забудьте отключить политику или вернуть значение ключа AllowEncryptionOracle = 0 :
   REG ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters /v AllowEncryptionOracle /t REG_DWORD /d 0

Отключение NLA для протокола RDP в Windows

Если на стороне RDP сервера, которому вы подключаетесь, включен NLA, это означает что для преаутентификации RDP пользователя используется CredSPP. Отключить Network Level Authentication можно в свойствах системы на вкладке Удаленный доступ (Remote), сняв галку «Разрешить подключения только с компьютеров, на которых работает удаленный рабочий стол с проверкой подлинности на уровне сети / Allow connection only from computers running Remote Desktop with Network Level Authentication (recommended)» (Windows 10 / Windows 8).

В Windows 7 эта опция называется по-другому. На вкладке Удаленный доступ нужно выбрать опцию «Разрешить подключения от компьютеров с любой версией удаленного рабочего стола (опасный) / Allow connections from computers running any version of Remote Desktop (less secure)».

Также можно отключить проверку подлинности на уровне сети (NLA) с помощью редактора локальной групповой политики — gpedit.msc (в Windows 10 Home редактор политик gpedit.msc можно запустить так) или с помощью консоли управления доменными политиками – GPMC.msc. Для этого перейдите в разделе Конфигурация компьютера –> Административные шаблоны –> Компоненты Windows –> Службы удаленных рабочих столов – Узел сеансов удаленных рабочих столов –> Безопасность (Computer Configuration –> Administrative Templates –> Windows Components –> Remote Desktop Services – Remote Desktop Session Host –> Security), отключите политику Требовать проверку подлинности пользователя для удаленных подключений путем проверки подлинности на уровне сети (Require user authentication for remote connections by using Network Level Authentication).

Также нужно в политике «Требовать использования специального уровня безопасности для удаленных подключений по протоколу RDP» (Require use of specific security layer for remote (RDP) connections) выбрать уровень безопасности (Security Layer) — RDP.

Для применения новых настроек RDP нужно обновить политики (gpupdate /force) или перезагрузить компьютер. После этого вы должны успешно подключиться к удаленному рабочему столу сервера.

After the May 2018 update to Windows 10, most computers running Remote Desktop Windows functionality are facing RDP authentication error, function requested is not supported issue where they get the following error while logging in to a remote computer via RDP.

An authentication error has occurred.
The function requested is not supported

Remove computer: [computername]
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

This is due to a recent vulnerability fixed in Windows 10 and Windows 7. After installing the latest update KB4103727 for Windows 10 Version 1709 and KB4103718 for Windows 7, you will start getting this error.

If you are running Remote Desktop Protocol on your network and allow connections to your server, this error should probably fix this error immediately.

Windows uses CredSSP protocol (Credential Security Support Provider) for authenticating clients on the RDP servers.

A serious vulnerability was found in CredSSP protocol which could impact the security of both the server and the client.

To fix this issue, Microsoft introduced the Network Level Authentication (NLA) protocol which works along with CredSSP and pre-authenticates RDP client users over TLS/SSL or Kerberos.

In a situation where the server does not have the required Windows update patch, an updated client computer will refuse to connect to the non-secure server because Microsoft makes it mandatory to enable NLA for secure remote desktop connection.

4 solutions to RDP Authentication Error Function Requested Is Not Supported

Let’s go through some resolutions to this problem.

Solution 1: Install updates on the target computer

The first and most recommended solution to this issue is to update the target computer on which you are trying to connect remotely. Go to Windows Update and check for updates. Install all the updates specifically related to CVE-2018-0886.

Specifically, if the target computer is running Windows Server 2016, you should install KB4103723 and if you are using Windows Server 2012 R2, then you should install KB4103725.

A server reboot will be required after installing these updates.

If you do not want to update your computer or if it’s not in your access, then you can try the other solutions listed below.

Solution 2: Using Group Policy

1. Go to Run –> gpedit.msc to open Group Policy Editor.
2. Go to the following policy path:
   Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
3. From the right-hand pane, open Encryption Oracle Remediation.
4. Select Enabled and set the protection level to Vulnerable.
5. Go to the command prompt and run the following command:
   gpupdate /force

This will apply the group policy immediately and you will be able to use the Remote Desktop without restarting the computer.

Solution 3: Using Registry Editor

The same can be achieved through Windows Registry. This method is especially useful for Windows Home editions where there is no Group Policy Editor (although you can install gpedit.msc easily). Here are the steps:

1. Go to Run –> regedit to open Registry Editor.
2. Go to the following key:
   HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters
3. In the right-hand pane, edit the DWORD value of AllowEncryptionOracle key to 2.
4. If you can’t find the key, you will need to create it. Alternatively, you can download the following registry file, double-click to run it and it will automatically create a key and set it up for you.

     CredSSP Parameters Registry (364 bytes, 13,077 hits)

This is a simple registry file. If you don’t want to download it, just create a text file with the following contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters]
"AllowEncryptionOracle"=dword:00000002

Save the file in with .reg extension and run the file to add these values to the Windows Registry.

Solution 4: Uninstall updates from your computer

Another workaround is to uninstall the updates from your computer. If you are using Windows 10 Version 1709, you should uninstall the update KB4103727 and KB4103718 if you’re running Windows 7. Uninstalling these updates requires the computer to be restarted.

Final words

Although you can use any of the above mentioned methods to resolve this issue of RDP Authentication Error Function Requested Is Not Supported, I recommend that you either use Solution 1 (install latest Windows updates) or Solution 2 (using local group policy) for the resolution.

I had the same issue with my network. All the above mentioned solutions worked for me on my company network. I fixed it by updating all my Windows Server installations and also the client computers. There were some environments which required not updating the server at all. I used the second method to fix RDP authentication error messages from those servers.

What are your thoughts about this?

Also see:

Answer

You are absolutely right. It’s pointless to solve this problem by removing installed Windows update because you are exposing your computer to the risk of exploiting the various vulnerabilities that this update fixes. The RDP error “An authentication error has occurred” can also appear when trying to run a RemoteApp application.

Why is this happening? The fact is that the latest security updates (released after May 2018) are installed on your Windows 10 desktop. These updates fix a serious vulnerability in the CredSSP protocol (Credential Security Support Provider) used for authentication on RDP servers (CVE-2018-0886 – read carefully the article RDP authentication error: CredSSP Encryption Oracle Remediation). These updates are not installed on your RDP/RDS server side, and the NLA (Network Level Authentication) is enabled for remote desktop access. NLA uses CredSSP mechanisms to pre-authenticate RDP users over TLS/SSL or Kerberos. Your computer simply blocks the remote desktop connection to a server that uses the vulnerable version of CredSSP.

What can you do to fix this problem and connect to your RDP server?

1. The most correct way to solve the problem is to install the latest cumulative Windows security updates on a remote computer or RDS server (to which you are trying to connect via RDP);
2. Workaround 1. You can disable NLA (Network Level Authentication) on the RDP server side (as described below);
3. Workaround 2. You can re-configure your desktops by allowing them to connect to the Remote Desktop with an unsafe version of CredSSP (as described in the article at the link above). To do this, change the registry parameter AllowEncryptionOracle (use the command: REG ADD
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters /v AllowEncryptionOracle /t REG_DWORD /d 2) or change the local policy Encryption Oracle Remediation by setting its value to Vulnerable. This is the only way to access a remote server via RDP if you can’t log in on the server locally (via the ILO, virtual machine console or cloud provider web-interface). You can connect to a remote server in this mode and install the latest security updates. After updating the server, don’t forget to disable the policy or return the value of the registry parameter AllowEncryptionOracle to 0 (REG ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters /v AllowEncryptionOracle /t REG_DWORD /d 0).

Disable NLA for Remote Desktop in Windows

If NLA is enabled on your RDP server, this means that CredSSP is used for RDP users’ pre-authentication. You can disable Network Level Authentication in the System Properties on the Remote tab by unchecking the options “Allow connection only from computers running Remote Desktop with Network Level Authentication (recommended)” (Windows 10 /8.1 or Windows Server 2012R2/2016).

In Windows 7 (Windows Server 2008 R2), this option is called differently. On the Remote tab, select the option “Allow connections from computers running any version of Remote Desktop (less secure)“.

You can also disable Network Level Authentication (NLA) using the Local Group Policy editor – gpedit.msc (you can run the gpedit.msc in Windows 10 Home edition like this) or using the domain group policy management console – GPMC.msc. In the policy editor go to the section Computer Configuration –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Security, find and disable the policy “Require user authentication for remote connections by using Network Level Authentication“.

You also need to select the RDP Security Layer in the “Require use of specific security layer for remote (RDP) connections” policy settings.

To apply new RDP settings, you need to update the group policies on a local computer (gpupdate / force) or reboot your desktop. After that, you should successfully connect to the remote desktop.

14 comments

If when you try to use the Remote Desktop Connection between two Windows computers and you receive the error message – Remote Desktop Connection error, An Authentication error has occurred, The Function requested is not supported, then this post is intended to help you. In this post, we will identify some potential known causes that can trigger the error and then provide the possible solutions you can try to help remediate this issue.

When the Remote Desktop Connection authentication fails, you’ll receive the following error message;

Remote Desktop Connection

An authentication error has occurred.
The function requested is not supported.

Remote computer: Computer_Name or IP_Address
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

As you can see from the image above, the error message is caused by the CredSPP Encryption Oracle Remediation. You can fix the ‘An authentication error has occurred, This could be due to CredSSP encryption oracle remediation’ error by using Registry or Group Policy Editor.

Recently Microsoft found that a remote code execution vulnerability (CVE-2018-0886: encryption oracle attack) exists in CredSSP versions. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. So any application that depends on CredSSP for authentication was vulnerable to this type of attack.

To patch this security risk, Microsoft released a security update addressing the vulnerability by correcting how CredSSP validates requests during the authentication process. The patch updated CredSSP authentication protocol and Remote Desktop clients for all affected platforms.

After installing the update, patched clients were not able to communicate with unpatched servers. In other words, if the client computer has the security update installed but the server computer was not updated with the security update (or vice versa), the remote connection was unsuccessful and user received above-mentioned error message.

If you’re faced with Remote Desktop Connection error, An Authentication error has occurred, The Function requested is not supported error message, you can try our recommended solutions below to resolve the issue.

1. Update Windows 10 with the latest security patches
2. Modify the Encryption Oracle Remediation policy
3. Create and configure the AllowEncryptionOracle registry key

Let’s take a look at the description of the process involved in relation to each of the listed solutions.

1] Update Windows 10 with the latest security patches

In this solution, it is recommended you install the CredSSP security patch in both computers (server and client). Alternatively, you can click Start > Settings > Update & Security > Windows Update > Check for Updates to download and install the latest cumulative update.

Once both computers have the CredSSP patch installed, the An Authentication error has occurred – The Function requested is not supported error message will be resolved.

If due to some reasons, you can’t install the security update in server or client computer, you can then use solutions 2 and 3 below.

2] Modify the Encryption Oracle Remediation policy

The error message can be resolved by using the Group Policy editor to modify the Encryption Oracle Remediation policy.

Note: This method does not apply to Windows 10 Home edition because the Local Group Policy Editor is not installed by default. But you can work around this issue by adding Local Group Policy Editor to Windows 10 Home edition.

To enable the Encryption Oracle Remediation policy, do the following:

• Press Windows key + R.
• In the Run dialog box type gpedit.msc and press Enter to open Group Policy Editor.
• Inside the Local Group Policy Editor, use the left pane to navigate to the path below:

Computer Configuration > Administrative Templates > System > Credentials Delegation

• On the right pane, double-click on Encryption Oracle Remediation to edit it’s properties.
• With the Encryption Oracle Remediation policy opened, set the radio button to Enabled.
• Next, scroll down to Protection Level and change it to Vulnerable.
• Click Apply > OK to save the changes.

You can now exit the Local Group Policy Editor and restart your computer. On boot, try the RDP connection again and see if the issue is resolved.

3] Create and configure the AllowEncryptionOracle registry key

This is the equivalent of enabling the Encryption Oracle Remediation policy. You can resolve the issue by creating and configuring the following registry key:

AllowEncryptionOracle: DWORD: 2

Since this is a registry operation, it is recommended that you back up the registry or create a system restore point in case the procedure goes wrong.

Once you have taken the necessary precautionary measures, you can proceed as follows:

• Press Windows key + R.
• In the Run dialog box, type regedit and press Enter to open Registry Editor.
• Navigate or jump to the registry key path below:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem

• Right-click System, select New > Key and set its name as CredSSP.
• Next, right-click CredSSP, select New > Key and set its name as Parameters.
• Now, right-click on the blank space on the right pane and then select New > DWORD (32-bit) Value.
• Rename the value name as AllowEncryptionOracle and hit Enter.
• Double-click on the new value to edit its properties.
• Input 2 in the Value data box and press Enter to save the change.
• Exit Registry Editor and restart you PC.

You should now be able to establish the Remote Desktop Connection successfully!