t510
Linux

I updated ThinPro 5.2 with HP's freerdp-1.1hp13b patch for the changes to the CredSSP protocol necessary to connect to servers patched for CVE-2018-0886. After changing the ThinPro registry key "requireEncryptionOracleRemediation" from '0' to '1' to enforce strict connection behavior on the client, I cannot connect to Win 7 or server 2008r2.

 

Win 7 and 2008r2 are both patched with Microsoft's update https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

 

In the regeditor - Freerdp "requireEncryptionOracleRemediation" with value set to '0' I can rdp just fine.

If I set the value to '1' (enforce), I cannot connect to a Win 7 computer or 2008r2 term server; I get a small window popup that says "Authentication Failure". I can remote to Win 10 and server 2012r2 just fine with value '1'.

I have very generic settings: the Freerdp connection settings are "Enable deprecated RDP encryption" unchecked, server IP, user/password, TLS1.2, default cert setting.

The Win7 and 2008r2 are set with Network Level Authentication checked in remote desktop settings.

Local Group Policy > "Encryption Oracle Remediation". I have tried each one of these "Vulnerable or Mitigate or Forced".

 

Is there something I am missing on the client or server side settings that the value '1' is looking for to connect? 

Is the HP freerdp-1.1hp13b patch at fault?

 

Thanks

Accepted Solution

This issue has been solved by HP support with a workaround and will be fixed in the next FreeRDP release to ThinPro.

 

>>Quote<< 5-21-18

My name is Juan Munoz, a member of HP Inc’s 2nd Level Technical Support Team and recently this case was elevated to my attention.

 

On non-working connections, please do the following:

1) set requireEncryptionOracleRemediation back to 0

2) set root/ConnectionType/freerdp/connections/{uuid}/ExtraArgs to

/minimum-credssp-version:5

 

Retest in that configuration and I expect it will work.

 

What this does: Setting requireEncryptionOracleRemediation enforces a minimum CredSSP version of 6, but 5 is a valid CredSSP version that has the oracle remediation fix. On our end we can adjust this so that the requireEncryptionOracleRemediation registry flag does the equivalent of /minimum-credssp-version:5, but ExtraArgs is a solution that is available immediately.

>>End Quote<<

 

>>Quote<< 5-29-18

I have confirmed R&D will include the changes for minimum-credssp-version:5 in the next FreeRDP, so customers do not have to manually change it in ExtraArgs.

>>End Quote<<
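
The version check described in the quoted reply, as an added example that is not HP's or FreeRDP's code: it reads the `version [0] INTEGER` field that opens a CredSSP `TSRequest` (layout per MS-CSSP) and applies a client-side minimum, showing why a floor of 6 rejects a peer that advertises 5 while a floor of 5 still rejects older peers. The function names and the sample bytes are constructed for illustration; that the failing Win 7 and 2008 R2 servers advertised version 5 is implied by the reply rather than stated in it.

```python
# Added example: parse the CredSSP TSRequest version and apply a minimum-version
# policy. Function names are hypothetical; sample messages are constructed.

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, pos, pos + length

def tsrequest_version(der):
    """Extract 'version [0] INTEGER' from TSRequest ::= SEQUENCE { ... }."""
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("TSRequest must be a SEQUENCE")
    tag, v_start, v_end = _read_tlv(der[:end], start)
    if tag != 0xA0:
        raise ValueError("first field must be [0] version")
    tag, i_start, i_end = _read_tlv(der[:v_end], v_start)
    if tag != 0x02 or i_end == i_start:
        raise ValueError("version must be a non-empty INTEGER")
    return int.from_bytes(der[i_start:i_end], "big", signed=True)

def peer_allowed(der, minimum_version):
    """True if the peer's advertised CredSSP version meets the client minimum."""
    return tsrequest_version(der) >= minimum_version

def make_tsrequest(version):
    """Constructed sample: a TSRequest carrying only the version field."""
    return bytes([0x30, 0x05, 0xA0, 0x03, 0x02, 0x01, version])

if __name__ == "__main__":
    for v in (2, 5, 6):                   # constructed peer versions
        msg = make_tsrequest(v)
        print(v, "min5:", peer_allowed(msg, 5), "min6:", peer_allowed(msg, 6))
```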
