After setting the Encryption Oracle Remediation policy setting "Force Updated Clients" according to Microsoft's website (CredSSP updates for CVE-2018-0886) on several Windows systems, users are not able to log in to any of these systems through PAM. The users receive errors like the following:
2019-05-22 09:38:54 ERROR - An error occurred in NTLM handshake: com.ca.xsuite.app.rdp3.core.common.libs.org.apache.harmony.security.asn1.ASN1Exception: security.132 com.ca.xsuite.app.rdp3.client.handler.cssp.ClientNTLM [PAM Access Agent-3]
This is caused by setting the Encryption Oracle Remediation policy to "Force Updated Clients". With this setting, the built-in RDP applet will not work.
Set the Encryption Oracle Remediation policy setting to "Mitigated" for those systems where CredSSP has been deployed and a connection is required from PAM.
On a domain member, the Group Policy editor (gpedit.msc) may not show the actual setting. Run rsop.msc from a CMD window to check the Resultant Set of Policy.
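The effective setting can also be read from the registry on each target, which helps when several systems need checking. The following is an added example, not part of the original article or of PAM: the registry path, the AllowEncryptionOracle value name and its 0/1/2 meanings are taken from Microsoft's CredSSP guidance for CVE-2018-0886 rather than from this page, the function name and output columns are hypothetical, and querying remote hosts assumes PowerShell remoting is enabled.

```powershell
# Added example. Registry path and value meanings (0/1/2) follow Microsoft's CredSSP
# guidance for CVE-2018-0886; function name and output columns are hypothetical.
function Get-EncryptionOracleSetting {
    [CmdletBinding()]
    param(
        # Hosts to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $names  = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    # What this article states about the PAM built-in RDP applet for each setting.
    $applet = @{
        'Force Updated Clients' = 'Will not work (use an RDP Proxy service)'
        'Mitigated'             = 'Expected to work'
    }
    $probe = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
        # Yields nothing when the key or value is absent (policy not configured).
        (Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    }
    foreach ($name in $ComputerName) {
        $raw = $null; $setting = $null
        try {
            if ($name -eq $env:COMPUTERNAME) { $raw = & $probe }
            else { $raw = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop }
        } catch {
            $setting = "Query failed: $($_.Exception.Message)"
        }
        if (-not $setting) {
            if ($null -eq $raw) { $setting = 'Not configured' }
            elseif ($names.ContainsKey([int]$raw)) { $setting = $names[[int]$raw] }
            else { $setting = "Unexpected value ($raw)" }
        }
        $note = $applet[$setting]
        if (-not $note) { $note = 'Not covered by this article' }
        [pscustomobject]@{
            Computer            = $name
            Value               = $raw
            Setting             = $setting
            PamBuiltInRdpApplet = $note
        }
    }
}

Get-EncryptionOracleSetting | Format-Table -AutoSize
```

Pass a list of hosts with -ComputerName to find the systems whose setting would break the built-in RDP applet before users report login failures.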
If the "Force Updated Clients" registry value is required, an RDP Proxy service could be used to launch a local RDP Client on the user's desktop, such as mstsc. The PAM RDP Proxy is compatible with this setting.
Please see the following documentation page: Create an RDP Proxy Service to Access a Device.
The RDP Gateway also uses the RDP Proxy service on the PAM appliance and thus is compatible with the "Force Updated Clients" setting.