3 min read

Failed to RDP the target VM/instance on Azure post migration?

You have received an error message “RDP to the target VM fail” Post-migration of windows server from on-premises to the cloud. However, the RDP to the target VM was failing with an error message.

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

Most Importantly, the Credential Security Support Provider protocol (CredSSP) is an authentication provider that processes authentication requests for other applications.

Especially, when one tries to establish an insecure RDP connection, the above error comes up. Therefore, to protect any attack to the server, that insecure RDP connection gets blocked by an Encryption Oracle Remediation policy setting on the server.

Meanwhile, we have to understand the above error is not only because the target VM or the server is blocking the RDP connection. But it also can be possible that the client machine itself is not updated with the latest update for CredSSP.

There are two scenarios possible:

Scenario 1: Updated clients cannot communicate with non-updated servers

The client has CredSSP update installed, and the Encryption Oracle Remediation policy setting does not allow an insecure RDP connection to a server that does not have the CredSSP update installed.

Nevertheless, to work around this issue follow these steps:

1. On the client has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane. 
2. Change the Encryption Oracle Remediation policy to Enabled
3. Change Protection Level to Vulnerable.

In fact, The same operations are performed with the registry tool.

1. Open a Command Prompt window as Administrator.
2. Run the following command to add a registry value:
   REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Scenario 2: Non-updated clients cannot communicate with patched servers

Initially, when the target VM(Server) has this update installed, it restricted from receiving non-updated clients,

Following steps change the Encryption Oracle Remediation policy setting:

1. On any Windows computer that has PowerShell installed, add the IP of the VM to the “trusted” list in the host file:
   Set-item wsman:\localhost\Client\TrustedHosts -value <IP>
2. For AWS or Azure, ensure the NSG / the Security Group to PowerShell ports 5985 and 5986.
3. On the Windows computer, connect to the VM by using PowerShell:
   For HTTP:
   $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName “<<Public IP>>” -port “5985” -Credential (Get-Credential) -SessionOption $Skip
   
   For HTTPS:
   $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName “<<Public IP>>” -port “5986” -Credential (Get-Credential) -useSSL -SessionOption $Skip
4. Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:
   Set-ItemProperty -Path ‘HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters’ -name “AllowEncryptionOracle” 2 -Type DWord

More details:

Why are we getting this: Microsoft came up with an update KB4103727 as a security update to prevent any insecure RDP connection.

As a result, the same windows update need to be there on both the client machine & on the target or server machine.

There are multiple workarounds for this issue:

Choice 1:

For instance, the update is installed by the client and not on the server (Eg: EC2 instance)

• Uninstall KB4103727 from your client machine. 
• Gain RDP access to the EC2 instance 
• Patch the instance with the latest updates first 
• Then update your client machine with the KB by running Windows Update again.

Else, there is an option to update your server on AWS, using SSM Run Command.

SSM Prerequisites:

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html

Run Command Tutorial:

https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/tutorial_run_command.html#rc-tutorial-ui

Eventually, after you configure your instance to use SSM Run Command, you can execute the Run Command document “AWS-Install Windows Updates” remotely on your instance.

Choice 2: If the KB is installed on the EC2 instance and not on the client machine

Run Windows Update on your client machine and install the latest software updates. Once the latest updates has installed on both the instance and the client machine, you can be able to RDP into the instance.

Choice 3: Disable the check altogether on the unpatched Windows machine and RDP should work normally. 

Finally, open a command prompt with Administrator privileges and run the command mentioned below:

reg add “HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters” /f /v AllowEncryptionOracle /t REG_DWORD /d 2

At last, Reboot the machine.

The solution to Failed to RDP the target VM/instance

Therefore, migrate to your preferred Cloud Platform with our Sate of Art Tools and Practices. Currently, Lia Infraservices offers you the expert’s Cloud Migration Services in India. for an Error-free Data Migration.