T_P_A

Solved!

freerdp will not connect to server 2008r2 after CredSSP update

t510
Linux

I updated Thinpro 5.2 with HP's freerdp-1.1hp13b patch for the changes to the CredSSP protocol necessary to connect to servers patched for CVE-2018-0886. After changing the thinpro registry key "requireEncryptionOracleRemediation" from '0' to '1' to enforce strict connection behavior on the client, I cannot connect to Win 7 or server 2008r2.

 

Win 7 and 2008r2 are both patched with Microsoft's update https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

 

In the regeditor - Freerdp "requireEncryptionOracleRemediation" with value set to '0' I can rdp just fine.

If I set the value to '1' (enforce), I cannot connect to a Win 7 computer or 2008r2 term server; I get a small window popup that says "Authentication Failure". I can remote to Win 10 and server 2012r2 just fine with value '1'.

I have very generic settings: the Freerdp connection settings are "Enable deprecated RDP encryption" unchecked, server IP, user/password, TLS1.2, default cert setting.

The Win7 and 2008r2 are set with Network Level Authentication checked in remote desktop settings.

Local Group Policy > "Encryption Oracle Remediation". I have tried each one of these "Vulnerable or Mitigate or Forced".

 

Is there something I am missing on the client or server side settings that the value '1' is looking for to connect? 

Is the HP freerdp-1.1hp13b patch at fault?

 

Thanks

 

 

Accepted Solutions
T_P_A
Author

This issue has been solved by HP support with a workaround and will be fixed in the next FreeRDP release to Thinpro.

 

>>Quote<< 5-21-18

My name is Juan Munoz, a member of HP Inc’s 2nd Level Technical Support Team and recently this case was elevated to my attention.

 

On non-working connections, please do the following:

1) set requireEncryptionOracleRemediation back to 0

2) set root/ConnectionType/freerdp/connections/{uuid}/ExtraArgs to

/minimum-credssp-version:5

 

Retest in that configuration and I expect it will work.

 

What this does: Setting requireEncryptionOracleRemediation enforces a minimum CredSSP version of 6, but 5 is a valid CredSSP version that has the oracle remediation fix. On our end we can adjust this so that the requireEncryptionOracleRemediation registry flag does the equivalent of /minimum-credssp-version:5, but ExtraArgs is a solution that is available immediately.

>>End Quote<<

 

>>Quote<< 5-29-18

I have confirmed R&D will include the minimum-credssp-version:5 changes in the next FreeRDP, so customers do not have to manually change it in ExtraArgs.

>>End Quote<<
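
The version gate described in the quoted HP reply, as an added example (not HP's or FreeRDP's code): it reads the version field from a CredSSP TSRequest and compares it with a configured minimum, showing why a peer that advertises version 5 is refused at minimum 6 and accepted at minimum 5. The TSRequest layout is assumed from MS-CSSP; the function names are hypothetical and the sample bytes are constructed.

```python
# Added illustration. Assumed layout (MS-CSSP):
#   TSRequest ::= SEQUENCE { version [0] INTEGER, negoTokens [1] ..., ... }

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end

def tsrequest_version(blob):
    """Extract the CredSSP version a peer put in its TSRequest."""
    tag, body, _ = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("TSRequest is not a SEQUENCE")
    tag, field, _ = _read_tlv(body, 0)
    if tag != 0xA0:
        raise ValueError("missing [0] version field")
    tag, value, _ = _read_tlv(field, 0)
    if tag != 0x02 or not value:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(value, "big", signed=True)

def peer_accepted(blob, minimum_version):
    """Policy check: refuse peers advertising less than the configured minimum."""
    return tsrequest_version(blob) >= minimum_version

def make_tsrequest(version):
    """Constructed sample: a TSRequest carrying only the version field."""
    integer = bytes([0x02, 0x01, version])
    field = bytes([0xA0, len(integer)]) + integer
    return bytes([0x30, len(field)]) + field

if __name__ == "__main__":
    for advertised in (4, 5, 6):       # constructed peers
        blob = make_tsrequest(advertised)
        for minimum in (6, 5):         # strict flag vs. /minimum-credssp-version:5
            verdict = "accept" if peer_accepted(blob, minimum) else "refuse"
            print(f"peer v{advertised}, minimum {minimum}: {verdict}")
```
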
