Solved: freerdp will not connect to server 2008r2 after CredSSP upda... - HP Support Community

T_P_A · ‎05-01-2018

I updated Thinpro 5.2 with HP's freerdp-1.1hp13b patch for the changes to the CredSSP protocol necessary to connect to servers patched for CVE-2018-0886. After changing the thinpro registry key "requireEncryptionOracleRemediation" from '0' to '1' to enforce strict connection behavior on the client, I cannot connect to Win 7 or server 2008r2.

Win 7 and 2008r2 are both patched with Microsoft's update https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

In the regeditor - Freerdp "requireEncryptionOracleRemediation" with value set to '0' I can rdp just fine.

If I set the value to '1' (enforce), I cannot connect to a Win 7 computer or 2008r2 term server, I get a small window popup that says "Authentication Failure". I can remote to Win 10 and server 2012r2 just fine with value '1'.

I have very generic settings, the Freerdp connection settings are "Enable deprecated RDP encryption" unchecked, server IP, user/password, TLS1.2, default cert setting.

The Win7 and 2008r2 are set with Network Level Authentication checked in remote desktop settings.

Local Group Policy > "Encryption Oracle Remediation". I have tried each one of these "Vulnerable or Mitigate or Forced".

Is there something I am missing on the client or server side settings that the value '1' is looking for to connect?

Is the HP freerdp-1.1hp13b patch at fault?

Thanks

T_P_A · ‎05-29-2018

This issue has been solved by HP support with a work around and will be fixed in the next FreeRDP release to Thinpro.

>>Quote<< 5-21-18

My name is Juan Munoz, a member of HP Inc’s 2nd Level Technical Support Team and recently this case was elevated to my attention.

On non-working connections, please do the following:

1) set requireEncryptionOracleRemediation back to 0

2) set root/ConnectionType/freerdp/connections/{uuid}/ExtraArgs to

/minimum-credssp-version:5

Retest in that configuration and I expect it will work.

What this does: Setting requireEncryptionOracleRemediation enforces a minimum CredSSP version of 6, but 5 is a valid CredSSP version that has the oracle remediation fix. On our end we can adjust this so that requireEncryptionOracleRemediation registry flag does the equivalent of /minimum-credssp-version:5, but ExtraArgs is a solution that is available immediately.

>>End Quote<<

>>Quote<< 5-29-18

I have confirmed R&D will include the changes the minimum-credssp-version:5 in the next FreeRDP, so customers do not have to manually change it in ExtraArgs.

>>End Quote<<

View solution in original post

T_P_A · ‎05-29-2018

This issue has been solved by HP support with a work around and will be fixed in the next FreeRDP release to Thinpro.

>>Quote<< 5-21-18

My name is Juan Munoz, a member of HP Inc’s 2nd Level Technical Support Team and recently this case was elevated to my attention.

On non-working connections, please do the following:

1) set requireEncryptionOracleRemediation back to 0

2) set root/ConnectionType/freerdp/connections/{uuid}/ExtraArgs to

/minimum-credssp-version:5

Retest in that configuration and I expect it will work.

What this does: Setting requireEncryptionOracleRemediation enforces a minimum CredSSP version of 6, but 5 is a valid CredSSP version that has the oracle remediation fix. On our end we can adjust this so that requireEncryptionOracleRemediation registry flag does the equivalent of /minimum-credssp-version:5, but ExtraArgs is a solution that is available immediately.

>>End Quote<<

>>Quote<< 5-29-18

I have confirmed R&D will include the changes the minimum-credssp-version:5 in the next FreeRDP, so customers do not have to manually change it in ExtraArgs.

>>End Quote<<

freerdp will not connect to server 2008r2 after CredSSP update

Create an account on the HP Community to personalize your profile and ask a question