tencent cloud

Feedback

An authentication error occurred when you tried to log in to a Windows instance remotely

Last updated: 2022-07-07 11:27:10

    Problem Description

    When a Remote Desktop Connection is used to log in to a Windows instance, an error is displayed.

    • "An authentication error has occurred. The token supplied to the function is invalid"
    • "An authentication error has occurred. The function requested is not supported"

    Problem Analysis

    Microsoft published a security update in March 2018. By correcting how the Credential Security Support Provider protocol (CredSSP) validates requests during authentication, this update fixes the remote code execution vulnerability in the CredSSP. Both the client and server need to install the security update, or the preceding error may occur.
    Remote connection fails in the following three scenarios:

    • Scenario 1: The security update is installed on the server but not on the client, and the "force updated clients" policy is configured.
    • Scenario 2: The security update is installed on the client but not on the server, and the "force updated clients" policy is configured.
    • Scenario 3: The security update is installed on the client but not on the server, and the "mitigated" policy is configured.

    Solution

    Note

    If you only update the client locally, use Solution 1. Install the security update (recommended).

    Logging in to CVM via VNC

    1. Log in to the CVM console.
    2. On the Instances page, find the target CVM instance and click Log in.
      CVM list page
    3. In the Standard Login | Windows Instance pop-up window, select Login via VNC.
    4. In the login pop-up window, select Send remote command in the top-left corner and press Ctrl-Alt-Delete to open the system login window as shown below:
    5. Enter the login password and press Enter to log in to the Windows CVM instance.

    Solution 1. Install the security update (recommended)

    Install the security update on the unpatched client or server. For updates for different operating systems, see CVE-2018-0886 | CredSSP remote code execution vulnerability. This solution uses Windows Server 2016 as an example.
    In other operating systems, you may use the following methods to enter Windows Update:

    • Windows Server 2012: > Control Panel > System and Security > Windows Update
    • Windows Server 2008: Start > Control Panel > System and Security > Windows Update
    • Windows 10: > Settings > Update & Security
    • Windows 7: > Control Panel > System and Security > Windows Update
    1. On the desktop, click and select Settings.
    2. In the Settings pop-up window, select Update & Security.
    3. In Update & Security, select Windows Update and click Check for updates.
    4. Click Start Installation.
    5. After the installation is complete, restart the instance to finish the update.

    Solution 2. Modify the policy

    In a CVM instance that has the security update installed, set the Encryption Oracle Remediation policy to Vulnerable. This solution uses Windows Server 2016 as an example. Follow the steps below:

    Note

    If no group policy editor is available in the Windows 10 Home operating system, you can modify the registry to edit the policy as instructed in Solution 3. Modify the registry.

    1. On the desktop, click , enter "gpedit.msc", and press Enter to open Local Group Policy Editor.
      Note

      You can also press Win+R to open the Run window.

    2. On the left sidebar, select Computer Configuration > Administrative Templates > System > Credentials Delegation and double-click Encryption Oracle Remediation.
    3. In the Encryption Oracle Remediation pop-up window, select Enabled and set Protection level to Vulnerable.
    4. Click OK.

    Solution 3. Modify the registry

    1. On the desktop, click , enter "regedit", and press Enter to open the Registry Editor.
      Note

      You can also press Win+R to open the Run window.

    2. On the left sidebar, select Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System > CredSSP > Parameters.
      Note

      If the directory path does not exist, create one manually.

    3. Right-click Parameters, select New > DWORD (32-bit) value, and name the file "AllowEncryptionOracle".
    4. Double-click the newly created "AllowEncryptionOracle" file, set Value data to "2", and click OK.
    5. Restart the instance.

    References

    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support