Question
Tuesday, June 19, 2018 7:02 PM
Hello,
I hope this is the right place to post this question. I have roughly 60 servers running Hyper-V Server Core 2012 R2. From time to time I have to use Hyper-V Manager to connect to one of the machines, such as when the server loses power and shuts down. Sometimes the RODC VM will come to the boot recovery options screen, after such a shutdown, and I have no choice but to use Hyper-V Manager to connect to it.
Recently our workstations were patched against the CredSSP vulnerability, and as a workaround until we can get the servers patched, we've deployed a GPO disabling network level authentication. So, I can RDP into the Hyper-V core host using mstsc.exe, but I cannot "connect" to the VM using Hyper-V Manager.
Has anyone seen this? The only way I can "connect" to the VMs on the Hyper-V host using Hyper-V Manager is to uninstall the CredSSP patch on my Windows 10, 1803 PC.
I also don't see a way to patch the Hyper-V Core server. I tried to install the patch slated for Server 2012 R2 core and it fails to install stating that the server doesn't need this patch.
Anyway, I could use some help, if anyone has any to offer. If not, I will open a ticket with MS.
All replies (7)
Tuesday, June 19, 2018 7:05 PM | 1 vote
Hi.
If CVE-2018-0886 is mitigated on the client but not on the host then RDP will not work and it will throw this error:
An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.
The registry fix can be applied to the client until the host/server is updated.
It is all explained here.
https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
Reg file for x64
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
MCITP, MCSE. Regards, Oleg
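An added example, not part of the original reply: a PowerShell check that reports what `AllowEncryptionOracle` is set to on a machine and whether a given update is installed, so client and host can be compared before and after a change. It reads both the key path used in the .reg file above and the path documented in KB4093492 (the same key without `WOW6432Node`); the function name `Get-CredSspOracleSetting` is an assumption of this example, and the value names come from KB4093492.

```powershell
# Added example: report the CredSSP "Encryption Oracle Remediation" state of this machine.
function Get-CredSspOracleSetting {
    param(
        # KB ids to look for. KB4103721 is the client update named in this thread;
        # pass the id that applies to the machine being checked.
        [string[]]$HotFixId = @('KB4103721')
    )

    # Value meanings as listed in KB4093492.
    $levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    # First path: as documented in KB4093492. Second path: as used in the .reg file above.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    )

    foreach ($path in $paths) {
        $value = $null
        if (Test-Path -Path $path) {
            $prop  = Get-ItemProperty -Path $path -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.AllowEncryptionOracle }
        }
        $meaning = if ($null -eq $value) { 'not set' }
                   elseif ($levels.ContainsKey([int]$value)) { $levels[[int]$value] }
                   else { 'unknown value' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Item = $path; Value = $value; Meaning = $meaning }
    }

    foreach ($id in $HotFixId) {
        # Get-HotFix raises an error when the id is absent, so the error is suppressed
        # and a missing update is reported as a normal result row.
        $fix = Get-HotFix -Id $id -ErrorAction SilentlyContinue
        $meaning = if ($fix) { "installed $($fix.InstalledOn)" } else { 'not installed' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Item = $id; Value = [bool]$fix; Meaning = $meaning }
    }
}

Get-CredSspOracleSetting | Format-List
```

Run it in an elevated PowerShell session on both the client and the Hyper-V host; a value of 2 ("Vulnerable") is the setting KB4093492 describes as exposing the machine to CVE-2018-0886, so it should be reverted once both sides are updated.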
Tuesday, June 19, 2018 7:22 PM
Thank you. I'll merge this on one of the affected hosts and reply back with the results.
Wednesday, June 20, 2018 12:13 PM
I merged the registry key provided above with the Hyper-V Server Core 2012 r2 machine and restarted.
I then reinstalled KB4103721 on my Windows 10, build 1803 laptop and restarted. (this is a fresh installation of Windows 10, not an upgrade, diskpart - clean. I was on Windows 8.1 Pro earlier in the week.)
I opened Hyper-V Manager, right-click > connect on the VM
Still getting the dreaded CredSSP error:
An authentication error has occurred. The function requested is not supported. Remote computer: AMTHVS01. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.
My gut feeling, I don't think Microsoft took Hyper-V Manager and/or Hyper-V Server Core into consideration when publishing this patch.
How can I escalate this situation to Microsoft? It is crucial that I be able to use Hyper-V Manager to connect to a remote VM when it fails and boots back up into a pre-install environment or recovery environment.
Thursday, June 21, 2018 5:24 PM
Hi.
I recommend installing all updates for the server and client.
You can open a ticket with Microsoft Support.
https://support.microsoft.com/en-us
MCITP, MCSE. Regards, Oleg
Wednesday, June 27, 2018 8:41 PM | 1 vote
I just noticed the same thing. I can connect to my servers via regular RDP with no problems, but if I try to connect using the Hyper-V Manager I will get the CredSSP RDP error. I am guessing that this is because we need to patch the Hyper-V hosts.
Friday, August 24, 2018 2:09 PM | 1 vote
Anyone have a fix for this yet? Same issue
Wednesday, October 31, 2018 3:17 PM | 1 vote
Hello!
I've been trying to solve the same issue for months.
I can RDP to the virtual machines, but I'm unable to connect through Hyper-V manager. The error message I receive puts the Hosts as Computer Name, so this is where the problem exists.
What I have noticed is that the Hyper-V hosts do not install any of the updates that are waiting to be installed.
And the update that takes care of the CredSSP is listed as a recommended update.
I install updates on the host manually. The updates seem to install, but after restart they are all still in the list.
This is even if I install them all together or one by one.
The updates are confirmed for install in WSUS as well.
Did you take this further with Microsoft, and if so, what was the result?
Best Regards
Kristian
\kf\