Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system

Assume the following scenario:

  • An in-place upgrade of the certification authority's operating system is performed.
  • After the upgrade I can no longer log in via Remote Desktop. The connection fails with the following error message:
An authentication error has occurred.
The function requested is not supported.
Remote Computer: 192.168.1.149
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660 

In German:

Authentication error.
The requested function is not supported.
Remote computer: 192.168.1.149
The cause could be a CredSSP Encryption Oracle defense.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660 

Cause and solution

The phenomenon may also occur in certain cases when authentication via NTLM is not allowed, and/or an IP address is used to connect instead of the fully qualified hostname. See the article "No remote desktop logon possible from outside the Active Directory forest".

After the in-place upgrade, the new operating system boots without recent updates in the following cases:

  • During installation, the option to download and install updates from the Internet was deselected.
  • The server does not have an Internet connection to download the updates - which should actually be the ideal state.

Usually, however, the clients with which the remote desktop connection is established are up to date with the latest patches.

In 2018 an update against the Remote Desktop vulnerability CVE-2018-0866 was released. In addition to closing the vulnerability, it also prevents a patched server from accepting connections from unpatched clients and vice versa.

A corresponding update was released for all operating system versions supported at the time. It can be installed immediately after the in-place upgrade, from the local console or via PowerShell remoting.

| Operating system       | Patch     |
|------------------------|-----------|
| Windows Server 2008 R2 | KB4103712 |
| Windows Server 2012    | KB4103726 |
| Windows Server 2012 R2 | KB4103715 |
| Windows Server 2016    | KB4093120 |
| Windows Server 2019    | KB4551853 |
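One way to check over PowerShell remoting whether the update from the table above is present on the upgraded server. This is an added example, not part of the original article; the `$Server` parameter is a placeholder for the server's fully qualified hostname, and the KB numbers are the ones listed in the table.

```powershell
param(
    [Parameter(Mandatory)]
    [string]$Server   # placeholder: FQDN of the upgraded server
)

# KB numbers from the table in this article. Ordered so that the "R2"
# names are tested before the shorter names they contain.
$KbByOs = [ordered]@{
    'Windows Server 2008 R2' = 'KB4103712'
    'Windows Server 2012 R2' = 'KB4103715'
    'Windows Server 2012'    = 'KB4103726'
    'Windows Server 2016'    = 'KB4093120'
    'Windows Server 2019'    = 'KB4551853'
}

# Collect the OS name and the installed hotfix IDs on the server itself;
# RDP is unavailable, so this goes over WinRM.
$remote = Invoke-Command -ComputerName $Server -ErrorAction Stop -ScriptBlock {
    [pscustomobject]@{
        Caption  = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        HotFixes = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    }
}

# Find the first table entry whose OS name appears in the reported caption.
$match = $KbByOs.GetEnumerator() |
    Where-Object { $remote.Caption -like "*$($_.Key)*" } |
    Select-Object -First 1

if (-not $match) {
    Write-Warning "No patch is listed in the table for '$($remote.Caption)'."
    return
}

$installed = $remote.HotFixes -contains $match.Value

[pscustomobject]@{
    Server          = $Server
    OperatingSystem = $remote.Caption
    ExpectedKB      = $match.Value
    Installed       = $installed
}

if (-not $installed) {
    # Get-HotFix lists only the KB IDs actually installed. A newer cumulative
    # update that supersedes this KB will not appear under this ID.
    Write-Warning "$($match.Value) is not listed on $Server. Check for a newer cumulative update before installing it."
}
```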

Basically, all security-relevant updates should of course be installed as quickly as possible after the in-place upgrade.
