
The specified function is not supported. An authentication error has occurred

Server security and performance have always been a concern, and their importance grows every year. As a result, Microsoft moved from the original server-side authentication model to Network Level Authentication.

What is the difference between these models?
Previously, when a user connected to Terminal Services, the client created a session with the server, and the server loaded the logon screen for the user inside that session. This approach consumes server resources before the user has proven that they are legitimate, so an unauthorized user can exhaust the server's resources with repeated logon requests. A server that cannot keep up with these requests then refuses requests from legitimate users (a DoS attack).


Network Level Authentication (NLA) requires the user to enter credentials in a dialog box on the client side. By default, if the client does not support Network Level Authentication, the server refuses the connection. NLA asks the client computer to provide the user's credentials for authentication before a session is created on the server. This process is also called front authentication.



NLA was introduced in RDP 6.0 and was first supported natively in Windows Vista. Starting with RDP 6.1 it is supported by servers running Windows Server 2008 and later, and on the client side by Windows XP SP3 (where a new security provider must be enabled in the registry) and later. NLA uses the CredSSP (Credential Security Support Provider) security provider. If you use a remote desktop client for another operating system, check whether it supports NLA.


Benefits of NLA:
  • Does not require significant server resources.
  • Additional layer for protection against DoS attacks.
  • Speeds up the mediation process between client and server.
  • Extends NT "single login" technology to work with a terminal server.
Disadvantages of NLA:
  • Other security providers are not supported.
  • Not supported on client versions below Windows XP SP3 and server versions below Windows Server 2008.
  • Requires manual registry configuration on each Windows XP SP3 client.
  • Like any "single login" scheme, it is vulnerable to the theft of the "keys to the whole fortress".
  • It is not possible to use the "Require password change at next logon" feature.

If you connect to the server from Windows XP, you may receive the error: "The remote computer requires network level authentication, which this computer does not support".

This error occurs because Windows XP did not originally implement Network Level Authentication; the feature was added in later operating systems. Update KB951608 was released later; it fixes this and allows Windows XP to use Network Level Authentication.

In order for you to be able to connect to the remote desktop of the server from your computer running Windows XP, you need to install Service Pack 3 (SP3), and then do the following:

On the official Microsoft website, on the Russian-language page https://support.microsoft.com/en-us/kb/951608, download the automatic fix file. Scroll down the page a little and click the "Download" button in the "Help solve the problem" section.

An English page is also available at https://support.microsoft.com/en-us/kb/951608, where you can download this file by clicking the "Download" button in the "How to turn on CredSSP" section.

When the download is complete, run the file. After it starts, you will see the program window. In the first step, check the "I accept" box. In the second step, click the "Next" button.

When the installation is complete, you will see a window with the notification "This Microsoft Fix it has been processed". Just click "Close".

After you click "Close", the program will ask you to restart the computer for the changes to take effect. Click "Yes" to restart.

Solve the problem yourself without downloading the file

If you have administrative skills, you can make changes to your computer's registry manually without having to download a patch file.

1. Click Start, select Run, type regedit and press Enter.

After installing update KB4103718 on my Windows 7 computer, I cannot connect remotely to a Windows Server 2012 R2 server via Remote Desktop (RDP). After I specify the RDP server address in the mstsc.exe client window and click "Connect", an error appears:

Remote Desktop Connection

An authentication error has occurred.

The specified function is not supported.
Remote computer: computername

After I uninstalled update KB4103718 and restarted my computer, the RDP connection began to work normally. If I understand correctly, this is only a temporary workaround: next month a new cumulative update package will arrive and the error will return? Can you advise something?

Answer

You are absolutely right that it is pointless to solve the problem this way, because by doing so you expose your computer to the risk of exploitation of the various vulnerabilities that the patches in this update close.

You are not alone with this problem. The error can appear on any Windows or Windows Server operating system (not just Windows 7). For users of English versions of Windows 10, a similar error when connecting to an RDP/RDS server looks like this:

An authentication error has occurred.

The function requested is not supported.

remote computer:computername

The RDP error “An authentication error has occurred” can also appear when trying to launch RemoteApp applications.

Why is this happening? Your computer has current security updates installed (released after May 2018) that fix a serious vulnerability in the CredSSP (Credential Security Support Provider) protocol used for authentication on RDP servers (CVE-2018-0886) (I recommend that you read the article). At the same time, these updates are not installed on the RDP/RDS server you are connecting to, and NLA (Network Level Authentication) is enabled for RDP access. NLA uses CredSSP mechanisms to pre-authenticate users via TLS/SSL or Kerberos. Because of the new security settings introduced by the update you installed, your computer simply blocks the connection to a remote computer that uses a vulnerable version of CredSSP.

What can be done to fix this error and connect to your RDP server?

  1. The most correct way to solve the problem is to install the latest Windows security updates on the computer / server to which you are connecting via RDP;
  2. Temporary method 1. You can disable Network Level Authentication (NLA) on the RDP server side (described below);
  3. Temporary method 2. You can allow client-side connections to RDP servers with an insecure version of CredSSP, as described in the article linked above. To do this, change the AllowEncryptionOracle registry value with the command
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
    or set the local policy Encryption Oracle Remediation to Vulnerable.

    This is the only way to access a remote server via RDP if you cannot log on to the server locally (via the iLO console, virtual machine console, cloud interface, etc.). In this mode you will be able to connect to the remote server and install security updates, thus moving on to the recommended method 1. After updating the server, do not forget to disable the policy or return the AllowEncryptionOracle value to 0:
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0

Disabling NLA for RDP on Windows

If NLA is enabled on the RDP server you are connecting to, CredSSP is used to pre-authenticate the RDP user. You can disable Network Level Authentication in the system properties, on the Remote tab, by unchecking "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" (Windows 10 / Windows 8).

In Windows 7 this option has a different name. On the Remote tab, select the option "Allow connections from computers running any version of Remote Desktop (less secure)".

You can also disable Network Level Authentication (NLA) using the Local Group Policy Editor, gpedit.msc (in Windows 10 Home, the gpedit.msc policy editor can be run), or using the domain policy management console, GPMC.msc. To do this, go to Computer Configuration –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Security and disable the policy Require user authentication for remote connections by using Network Level Authentication.

In the policy Require use of specific security layer for remote (RDP) connections, you also need to select Security Layer - RDP.

To apply the new RDP settings, you need to update the policies (gpupdate /force) or restart the computer. After that, you should successfully connect to the remote desktop server.
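To find machines where one of the temporary workarounds above was left in place, the registry can be checked with a short PowerShell audit. This is an added example, not part of the original article. The CredSSP key is the one from the REG ADD command above; the UserAuthentication and SecurityLayer value names and the two locations they are read from are assumptions of this example and do not appear in the article.

```powershell
# Added example: report temporary RDP/CredSSP workarounds that are still active.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-RdpWorkaroundFindings {
    $findings = @()

    # Client side: the article sets AllowEncryptionOracle = 2 ("Vulnerable")
    # and says to return it to 0 once the server is patched.
    $credSsp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $oracle = Get-RegValue $credSsp 'AllowEncryptionOracle'
    if ($oracle -eq 2) {
        $findings += "AllowEncryptionOracle = 2 (Vulnerable) under $credSsp"
    }

    # Server side (assumed locations): group policy first, then the RDP listener.
    $locations = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    )
    foreach ($loc in $locations) {
        # UserAuthentication = 0: NLA is not required for incoming connections.
        if ((Get-RegValue $loc 'UserAuthentication') -eq 0) {
            $findings += "NLA not required (UserAuthentication = 0) under $loc"
        }
        # SecurityLayer = 0: the "Security Layer - RDP" setting from the policy above.
        if ((Get-RegValue $loc 'SecurityLayer') -eq 0) {
            $findings += "Security layer set to RDP (SecurityLayer = 0) under $loc"
        }
    }
    return $findings
}

$result = Get-RdpWorkaroundFindings
if ($result.Count -eq 0) {
    'No temporary RDP workarounds found.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on both the client and the server after the server has been updated; any finding means a workaround from this section is still active.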

Open the registry editor.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Open the Security Packages parameter and look for the word tspkg there. If it is not present, add it to the existing values.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

Open the SecurityProviders parameter and add credssp.dll to the existing providers, if it is missing.

Close the registry editor.

Now you need to reboot. If you do not, the computer will ask for a username and password, but instead of the remote desktop it will return an error.

That's all.

Administrators of Windows 2008-based servers may run into the following issue:

An RDP connection to your favorite server from a Windows XP SP3 workstation fails with the following error:

Remote Desktop is disabled.

The remote computer requires network level authentication, which this computer does not support. Ask your system administrator or technical support for help.

And although the promising Win7 threatens to eventually replace its grandmother WinXP, for another year or two the problem will be relevant.

Here is what you need to do to enable the network layer authentication mechanism:

Open the registry editor.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Open the Security Packages parameter and look for the word tspkg. If it is not present, add it to the existing values.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

Open the SecurityProviders parameter and add credssp.dll to the existing providers, if it is missing.

Close the registry editor.

Now you need to reboot. If you do not, then when you try to connect, the computer will ask for a username and password, but instead of the remote desktop it will answer the following:

Remote Desktop Connection

Authentication failed (code 0x507)

That's all.
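The manual registry steps for Windows XP SP3 described above can also be scripted. This is an added example, not code from the original article; it assumes PowerShell 2.0 is installed on the XP machine and that the script is run as an administrator. It only appends the missing entries and leaves the existing ones untouched.

```powershell
# Added example: enable the CredSSP security provider on Windows XP SP3.
$changed = $false

# Step 1: the "Security Packages" multi-string value must contain tspkg.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = @((Get-ItemProperty -Path $lsa).'Security Packages' | Where-Object { $_ })
if ($packages -notcontains 'tspkg') {
    # Keep every existing package and append the new one.
    Set-ItemProperty -Path $lsa -Name 'Security Packages' `
        -Value ([string[]]($packages + 'tspkg'))
    $changed = $true
}

# Step 2: the "SecurityProviders" comma-separated string must contain credssp.dll.
$sp = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$providers = [string](Get-ItemProperty -Path $sp).SecurityProviders
$names = @($providers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($names -notcontains 'credssp.dll') {
    Set-ItemProperty -Path $sp -Name 'SecurityProviders' `
        -Value (($names + 'credssp.dll') -join ', ')
    $changed = $true
}

if ($changed) {
    'Registry updated. Reboot the computer before connecting via RDP.'
} else {
    'tspkg and credssp.dll are already present. Nothing changed.'
}
```

Running the script a second time changes nothing, so it is safe to deploy repeatedly.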
