After setting the Encryption Oracle Remediation policy setting "Force Updated Clients" according to Microsoft's website (https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea) on several Windows systems, users are not able to log in to any of these systems through PAM. The users receive errors like the following:
2019-05-22 09:38:54 ERROR - An error occurred in NTLM handshake: com.ca.xsuite.app.rdp3.core.common.libs.org.apache.harmony.security.asn1.ASN1Exception: security.132 com.ca.xsuite.app.rdp3.client.handler.cssp.ClientNTLM [PAM Access Agent-3]
Privileged Access Manager, all versions
This is due to having set "Force Updated Clients" for the Encryption Oracle Remediation policy. With this setting, the built-in RDP applet will not work.
Please note:
For PAM versions 3.4 and above, the "Force Updated Clients" registry value can be used. The built-in RDP applet will not work, but the new RDP Proxy functionality can be used with any local RDP client on the user's desktop.
Please see the following documentation/video on this: