search cancel

NTLM handshake error encountered after CredSSP as described in Microsoft's CVE-2018-0866.

book

Article ID: 213538

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

This document should be used only as a guidance/example if NTLM handshake error encountered during RDP after CredSSP as described in Microsoft's CVE-2018-0866.  First refer to the existing KB article #187142 (https://knowledge.broadcom.com/external/article/187142/ca-pam-support-for-credssp.html)

Cause

Hardening of  Windows servers do not allow synchronization of the required Group Policy (as called by KB article #187142) from the Domain Controller to the Windows servers in the Domain.

 

Environment

For this specific example - The Windows Domain Controller server is a 2008 server. The Target Windows to which RDP fails is a Windows 2019 server.

Resolution

1. Set Encryption Oracle Remediation policy setting to "Mitigated"for those systems where CredSSP has been deployed and a connection is required from PAM.

https://knowledge.broadcom.com/external/article/187142/ca-pam-support-for-credssp.html. The required Policy change in above was not being achieved between 2008 Domain Controller server and Target Windows 2019 server.

2. Force the Group Policies on the new 2019 servers as there were problem syncing policies with the Domain Controller (windows Server 2008 in this case)

Note that the system was hardened with these 3 settings selected. But RC4_HMAC_SHA1 was NOT selected as part of hardening changes. Given the 3 hardening settings the Target 2019 server failed to synchronize the Group policies with the 2008 Domain Controller.

gpedit.msc  è Windows Settings è Security Options è Network security:Configure encryption types allowed for Kerberos è Ensure RC4_HMAC_MD5 is also selected.

2. Use gpupdate /force

gpupdate /force command reapplies all client policies both new and old (regardless if policies have Changed or Not). From an Administrative Command Prompt. Run “gpupdate /force” (Group Policy Update) on the Target Windows 2019 server.

Additional Information

None.

Attachments