I can't RDP to a remote Windows 2016 or Windows 2012. Why is this so ?

book

Article ID: 108652

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)

Issue/Introduction



Trying to RDP to a Windows  2012 R2 or Windows 2016 R2, it does not work. Irrespective of whether we are specifying the account at login time or if this is automatically injected by PAM

In the logs the following error is reported:

NLA login was canceled or invalid credentials were entered. Deleting the file: XXX-0000043381-20180619140837917_RDP 

However, there is no problem with session recording, the ciphers and credentials are all up to date and they look the same as in any other server where it works

What may be the problem ?

Environment

Windows 2012 R2 and Windows 2016 R2 remote devices
CA PAM 2.8.X an later

 

Resolution

This is due to the Encryption Oracle remediation policy not being defined in the remote Windows system. RDP uses CredSSP for which a vulnerability was described in CVE-2018-0886. This required patching of Windows and, in particular of CredSSP.

See https://support.microsoft.com/ca-es/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018 for further information.

Setting up the Encryption Oracle remediation policy as specified in the document mentioned will help overcome the problem. You need to choose the "Mitigated" option for allowing connection  through RDP to occur seamlessly. See the table at the end of the Microsoft document for an explanation of the different options.

Additional Information

On newer PAM releases you may see an error popup when you launch the RDP access method. This would happen automatically, if auto-logon is configured, or after providing credentials manually. The error message would be "An error occurred in NTLM handshake". The PAM client log file, logs.log, would show an error similar to the following:
2019-05-22 09:38:54 ERROR - An error occurred in NTLM handshake: com.ca.xsuite.app.rdp3.core.common.libs.org.apache.harmony.security.asn1.ASN1Exception: security.132     com.ca.xsuite.app.rdp3.client.handler.cssp.ClientNTLM [PAM Access Agent-3]