The specified function is not supported. An authentication error occurred

Server security and performance have always been concerns, and they become more pressing every year. Because of this, Microsoft moved from the original server-side authentication model to Network Level Authentication.

What is the difference between these models?
Previously, when connecting to Terminal Services, the user first established a session with the server, and the server then rendered a logon screen over that session so the user could enter credentials. This method consumes server resources before the user has proven their legitimacy, allowing an unauthorized user to exhaust server resources with many login requests. A server that is unable to process these requests also refuses legitimate users (a DoS attack).


Network Level Authentication (NLA) requires the user to enter credentials in a client-side dialog box. By default, if the client cannot perform the network-level authentication check, the server refuses the connection and no session is created. NLA asks the client computer for its authentication credentials before creating a session with the server. This process is also called front-end authentication.



NLA was introduced in RDP 6.0 and was initially supported on Windows Vista. Starting with RDP 6.1 it is supported on servers running Windows Server 2008 and later, and on clients running Windows XP SP3 (the new security provider must be enabled in the registry) and later. The method relies on the CredSSP (Credential Security Support Provider) security package. When using a Remote Desktop client for another operating system, check whether it supports NLA.


Advantages of NLA:
  • Does not require significant server resources.
  • Additional level for protection against DoS attacks.
  • Speeds up connection negotiation between client and server.
  • Allows the NT "single sign-on" mechanism to be extended to the terminal server.
Disadvantages of NLA:
  • Other security providers are not supported.
  • Not supported by client versions lower than Windows XP SP3 and server versions lower than Windows Server 2008.
  • Requires a manual registry change on every Windows XP SP3 client.
  • Like any “single login” scheme, it is vulnerable to the theft of “the keys to the entire fortress.”
  • There is no option to use the "Require password change at next login" feature.

Windows Server 2008 administrators may encounter the following problem:

Connecting over RDP to your favorite server from a Windows XP SP3 workstation fails with the following error:

Remote Desktop is disabled.

The remote computer requires Network Level Authentication, which this computer does not support. Contact your system administrator or technical support for assistance.

And although the promising Windows 7 threatens to eventually replace its grandmother Windows XP, the problem will stay relevant for another year or two.

Here is what you need to do to enable Network Level Authentication on the client:

Open the registry editor.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Open the Security Packages value and look for the word tspkg in it. If it is not there, add it to the existing entries.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

Open the SecurityProviders value and add credssp.dll to the existing providers if it is missing.

Close the registry editor.

Now you need to reboot. If this is not done, then when we try to connect, the computer will ask us for a username and password, but instead of the remote desktop it will respond with the following:

Remote Desktop Connection

Authentication error (code 0x507)

That's all.
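The two registry edits above can be checked and applied without hand-editing, which avoids the usual mistakes (truncating the multi-string, dropping a provider). The following PowerShell script is an added example and is not part of the original article; it assumes PowerShell 2.0 or later is installed on the XP SP3 client and that it runs in an elevated session. The function names Test-NlaProviders and Enable-NlaProviders are my own.

```powershell
# Added example (not from the original article): enable the tspkg security
# package and the credssp.dll provider on a Windows XP SP3 client, idempotently.
# Assumes PowerShell 2.0+ and an elevated (administrator) session.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$provKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

function Test-NlaProviders {
    # "Security Packages" is a REG_MULTI_SZ, so it is read as a string array.
    $packages  = [string[]](Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages'
    # "SecurityProviders" is a single comma-separated REG_SZ.
    $providers = (Get-ItemProperty -Path $provKey -Name 'SecurityProviders').SecurityProviders
    $provList  = @($providers -split '\s*,\s*' | Where-Object { $_ -ne '' })

    New-Object PSObject -Property @{
        TspkgPresent   = [bool]($packages -contains 'tspkg')
        CredSspPresent = [bool]($provList -contains 'credssp.dll')
    }
}

function Enable-NlaProviders {
    $state = Test-NlaProviders

    if (-not $state.TspkgPresent) {
        # Append to the existing list instead of overwriting it, so the other
        # packages (kerberos, msv1_0, schannel, ...) are preserved.
        $packages = [string[]](Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages'
        $packages += 'tspkg'
        Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Value $packages -Type MultiString
        Write-Host 'Added tspkg to Security Packages'
    } else {
        Write-Host 'tspkg already present in Security Packages'
    }

    if (-not $state.CredSspPresent) {
        $providers = (Get-ItemProperty -Path $provKey -Name 'SecurityProviders').SecurityProviders
        $provList  = @($providers -split '\s*,\s*' | Where-Object { $_ -ne '' })
        $provList += 'credssp.dll'
        Set-ItemProperty -Path $provKey -Name 'SecurityProviders' -Value ($provList -join ', ') -Type String
        Write-Host 'Added credssp.dll to SecurityProviders'
    } else {
        Write-Host 'credssp.dll already present in SecurityProviders'
    }
}

Enable-NlaProviders
Test-NlaProviders | Format-List
# The provider is loaded by LSA at boot: without a reboot, mstsc still prompts
# for credentials and then fails with "Authentication error (code 0x507)".
Write-Host 'Reboot the client for the change to take effect.'
```

Running Test-NlaProviders on its own is a harmless way to confirm the state of a fleet of XP SP3 clients before deciding whether the server-side NLA requirement can be kept.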

After installing update KB4103718 on my Windows 7 computer, I cannot remotely connect to a server running Windows Server 2012 R2 via RDP. After I specify the RDP server address in the mstsc.exe client window and click “Connect”, the error appears:

Remote Desktop Connection

An authentication error occurred.

The specified function is not supported.
Remote computer: computername

After I uninstalled the KB4103718 update and rebooted the computer, the RDP connection began to work fine. If I understand correctly, this is only a temporary workaround: next month a new cumulative update package will arrive and the error will return? Can you recommend anything?

Answer

You are absolutely right that solving the problem by uninstalling the update is pointless, because you thereby expose your computer to the various vulnerabilities that the patches in this update close.

You are not alone with this problem. The error may appear on any Windows or Windows Server operating system (not only Windows 7). In English versions of Windows 10, when trying to connect to an RDP/RDS server, the same error looks like this:

An authentication error has occurred.

The function requested is not supported.

Remote computer: computername

The RDP error “An authentication error has occurred” may also appear when trying to launch RemoteApp applications.

Why is this happening? Your computer has the latest security updates (released after May 2018), which fix a serious vulnerability in the CredSSP (Credential Security Support Provider) protocol used for authentication on RDP servers (CVE-2018-0886; I recommend reading the article). However, on the RDP/RDS server you are connecting to these updates are not installed, while NLA (Network Level Authentication) is enabled for RDP access. NLA uses CredSSP to pre-authenticate users over TLS/SSL or Kerberos. Because of the new security settings introduced by the update you installed, your computer simply refuses to connect to a remote computer that uses a vulnerable version of CredSSP.

What can you do to fix this error and connect to your RDP server?

  1. The most correct way to solve the problem is to install the latest Windows security updates on the computer/server you are connecting to via RDP;
  2. Temporary method 1. Disable Network Level Authentication (NLA) on the RDP server side (described below);
  3. Temporary method 2. On the client side, allow connections to RDP servers with an insecure version of CredSSP, as described in the article linked above. To do this, change the registry value AllowEncryptionOracle (command: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2) or set the local policy "Encryption Oracle Remediation" to Vulnerable.

    This is the only way to reach a remote server via RDP if you cannot log into the server locally (via an iLO console, a virtual machine console, a cloud interface, etc.). In this mode you will be able to connect to the remote server and install the security updates, thus moving to the recommended method 1. After updating the server, do not forget to disable the policy or return the value to AllowEncryptionOracle = 0: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0
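The "temporary method 2" above is easy to apply and easy to forget. The PowerShell script below is an added example, not code from the original article: it reads the client-side AllowEncryptionOracle value and reports which Encryption Oracle Remediation mode it corresponds to, so that a client left in the Vulnerable state can be found and restored to 0 once the server is patched. The function names Get-CredSspOracleMode and Set-CredSspOracleMode are my own; the value meanings (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) are those of the policy. It assumes an elevated session on the client.

```powershell
# Added example (not from the original article): audit and set the client-side
# CredSSP "Encryption Oracle Remediation" registry value described above.
# Assumes an elevated PowerShell session on the RDP client.
$credSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Meaning of the AllowEncryptionOracle DWORD (the policy's three settings).
$oracleModes = @{
    0 = 'Force Updated Clients'   # refuse unpatched servers
    1 = 'Mitigated'               # default after the May 2018 update
    2 = 'Vulnerable'              # temporary workaround from the article
}

function Get-CredSspOracleMode {
    $value = $null
    if (Test-Path $credSspKey) {
        $value = (Get-ItemProperty -Path $credSspKey -Name 'AllowEncryptionOracle' -ErrorAction SilentlyContinue).AllowEncryptionOracle
    }
    if ($null -eq $value) {
        return New-Object PSObject -Property @{ Value = $null; Mode = 'Not configured (policy default applies)' }
    }
    New-Object PSObject -Property @{ Value = [int]$value; Mode = $oracleModes[[int]$value] }
}

function Set-CredSspOracleMode {
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1, 2)][int]$Value)
    # The Parameters key does not exist until the policy or REG ADD creates it.
    if (-not (Test-Path $credSspKey)) { New-Item -Path $credSspKey -Force | Out-Null }
    Set-ItemProperty -Path $credSspKey -Name 'AllowEncryptionOracle' -Value $Value -Type DWord
    Write-Host ("AllowEncryptionOracle is now {0} ({1})" -f $Value, $oracleModes[$Value])
}

# Audit first; flag clients still carrying the workaround.
$current = Get-CredSspOracleMode
$current | Format-List
if ($current.Value -eq 2) {
    Write-Warning 'Client is in Vulnerable mode: restore 0 once the RDP server has the CredSSP update installed.'
}

# After the server has been patched (method 1 in the article), close the window again.
# The article's temporary step would be: Set-CredSspOracleMode -Value 2
Set-CredSspOracleMode -Value 0
```

Get-CredSspOracleMode is safe to run from a logon script or a remote session across all workstations; the write only has to happen on the machines the audit flags.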

Disabling NLA for RDP on Windows

If NLA is enabled on the RDP server you are connecting to, CredSSP is used to pre-authenticate the RDP user. You can disable Network Level Authentication in the system properties on the Remote tab by unchecking the "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" checkbox (Windows 10 / Windows 8).

In Windows 7 this option is named differently. On the Remote tab you need to select the option "Allow connections from computers running any version of Remote Desktop (less secure)".

You can also disable Network Level Authentication (NLA) using the Local Group Policy Editor, gpedit.msc (in Windows 10 Home, gpedit.msc is not installed by default), or using the domain Group Policy Management Console, GPMC.msc. To do this, go to Computer Configuration –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Security and disable the policy "Require user authentication for remote connections by using Network Level Authentication".

Also, in the policy "Require use of specific security layer for remote (RDP) connections", select Security Layer = RDP.

To apply the new RDP settings, you need to update the policies (gpupdate /force) or restart the computer. After this, you should successfully connect to the remote desktop server.
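The GUI checkbox and the two policies above end up in the same two settings of the RDP-Tcp listener: UserAuthentication (NLA on/off) and SecurityLayer. The PowerShell script below is an added example, not code from the original article; it reads those settings on the server, shows whether a policy value is overriding the local one, and provides a switch to turn NLA off for the duration of the workaround and back on afterwards. It assumes an elevated session on a Windows Server 2008 or later RDP host; the function names Get-RdpSecuritySettings and Set-RdpNla are my own.

```powershell
# Added example (not from the original article): audit and toggle NLA and the
# security layer on the RDP-Tcp listener of an RDP server.
# Assumes an elevated session on Windows Server 2008 or later.
$winStationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# SecurityLayer values as exposed in the "Require use of specific security layer" policy.
$securityLayers = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpSecuritySettings {
    $local = Get-ItemProperty -Path $winStationKey
    # A Group Policy value, when present, overrides the per-listener value.
    $policy = $null
    if (Test-Path $policyKey) { $policy = Get-ItemProperty -Path $policyKey }

    $nla   = $local.UserAuthentication
    $layer = $local.SecurityLayer
    $source = 'local listener setting'
    if ($policy -and $null -ne $policy.UserAuthentication) { $nla = $policy.UserAuthentication; $source = 'Group Policy' }
    if ($policy -and $null -ne $policy.SecurityLayer)      { $layer = $policy.SecurityLayer;     $source = 'Group Policy' }

    New-Object PSObject -Property @{
        NlaRequired   = ([int]$nla -eq 1)
        SecurityLayer = $securityLayers[[int]$layer]
        Source        = $source
    }
}

function Set-RdpNla {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    # Win32_TSGeneralSetting is the supported way to change the listener
    # without hand-editing the WinStations key; the change is immediate.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired([int]$Enabled) | Out-Null
    if ($Enabled) { Write-Host 'NLA required again' } else { Write-Warning 'NLA disabled: unauthenticated clients can now reach the logon screen' }
}

Get-RdpSecuritySettings | Format-List

# Workaround from the article while the server is being patched:
#   Set-RdpNla -Enabled $false
# Once the CredSSP update is installed, restore the recommended setting:
Set-RdpNla -Enabled $true
Get-RdpSecuritySettings | Format-List
```

If Source reports "Group Policy", changing the listener with Set-RdpNla will be reverted at the next policy refresh (gpupdate /force or reboot); the policy itself has to be changed in that case, as the section above describes.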
