NTLM handshake error encountered after CredSSP as described in Microsoft's CVE-2018-0866.

Article ID: 213538

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

This document should be used only as guidance or an example when an NTLM handshake error is encountered during RDP after CredSSP as described in Microsoft's CVE-2018-0866. First refer to the existing KB article #187142 (https://knowledge.broadcom.com/external/article/187142/ca-pam-support-for-credssp.html).

Environment

For this specific example, the Windows Domain Controller is a Windows Server 2008 server. The target Windows server to which RDP fails is a Windows Server 2019 server.

Cause

Hardening of the Windows servers does not allow synchronization of the required Group Policy (as called for by KB article #187142) from the Domain Controller to the Windows servers in the Domain.

Resolution

1. Set the Encryption Oracle Remediation policy setting to "Mitigated" for those systems where CredSSP has been deployed and a connection is required from PAM.

See https://knowledge.broadcom.com/external/article/187142/ca-pam-support-for-credssp.html. The policy change required in that article was not being applied between the 2008 Domain Controller and the target Windows 2019 server.

2. Force the Group Policies on the new 2019 servers, as there were problems syncing policies with the Domain Controller (Windows Server 2008 in this case).

Note that the system was hardened with these 3 settings selected, but RC4_HMAC_MD5 was NOT selected as part of the hardening changes. With only the 3 hardening settings selected, the target 2019 server failed to synchronize the Group Policies with the 2008 Domain Controller.

gpedit.msc > Windows Settings > Security Options > Network security: Configure encryption types allowed for Kerberos > Ensure RC4_HMAC_MD5 is also selected.

3. Use gpupdate /force

The gpupdate /force command reapplies all client policies, both new and old, regardless of whether the policies have changed. From an Administrative Command Prompt on the target Windows 2019 server, run "gpupdate /force" (Group Policy Update).
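As an added example that is not part of this KB article, the following PowerShell script audits, on the target Windows 2019 server, the two settings the steps above change (Encryption Oracle Remediation and the Kerberos encryption types) and can then re-apply Group Policy. The registry paths and the encryption-type bit values are the policy-backed registry values documented by Microsoft, assumed here rather than quoted from the article; run it from an elevated PowerShell prompt.

```powershell
param([switch]$ApplyGpUpdate)

# Assumed (documented) policy-backed registry locations, not paths quoted in the article.
$credSspKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$kerberosKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Step 1 check. Encryption Oracle Remediation: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
$oracle = (Get-ItemProperty -Path $credSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
if ($null -eq $oracle) {
    Write-Output 'AllowEncryptionOracle: not set (policy not defined); step 1 expects 1 = Mitigated'
} elseif ($oracle -eq 1) {
    Write-Output 'AllowEncryptionOracle: 1 (Mitigated) - matches step 1'
} else {
    Write-Output "AllowEncryptionOracle: $oracle - does not match step 1 (expected 1 = Mitigated)"
}

# Step 2 check. The Kerberos policy stores the selected encryption types as a bitmask.
$encTypeBits = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
}
$mask = (Get-ItemProperty -Path $kerberosKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $mask) {
    Write-Output 'SupportedEncryptionTypes: not set (policy not defined; OS defaults apply)'
} else {
    # Decode the bitmask into the names shown in gpedit.msc.
    $allowed = $encTypeBits.Keys | Where-Object { ($mask -band $encTypeBits[$_]) -ne 0 }
    Write-Output ('SupportedEncryptionTypes: 0x{0:X} -> {1}' -f $mask, ($allowed -join ', '))
    if (($mask -band $encTypeBits.RC4_HMAC_MD5) -eq 0) {
        Write-Output 'RC4_HMAC_MD5 is NOT selected - step 2 expects it to be selected alongside the hardening settings'
    } else {
        Write-Output 'RC4_HMAC_MD5 is selected - matches step 2'
    }
}

# Step 3. Re-apply all policies, changed or not, once the settings above have been corrected.
if ($ApplyGpUpdate) {
    gpupdate /force
}
```

Run without the switch to audit only; add -ApplyGpUpdate to perform step 3 after the policy has been corrected.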