🟠 High   ⏱ 5–30 min  Last verified: 01 April 2027
Affected versions: Windows Server 2016

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Network Level Authentication fails on Windows Server 2016 hosts after CredSSP updates with ‘An authentication error has occurred. Function requested is not supported.’, blocking RDP for admins.

Environment & Reproduction

Reproducible from clients on older or newer patch levels than the server.

Get-ItemProperty 'HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters'
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 20

Root Cause Analysis

CredSSP encryption oracle remediation mitigation level mismatch between client and server.

Quick Triage

Inspect CredSSP policy and patch level.

Get-HotFix | Where-Object {$_.HotFixID -match 'KB'} | Sort-Object InstalledOn -Descending | Select -First 10
Get-ItemProperty 'HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' -Name AllowEncryptionOracle

Step-by-Step Diagnosis

Confirm client patches and policy values.

Test-NetConnection rds01.corp.local -Port 3389
Get-WinEvent -LogName 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational' -MaxEvents 20
Illustrative mockup for windows-server-2016 — error_dialog
mstsc CredSSP error dialog — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Patch both sides to current cumulative updates and align CredSSP level to Mitigated.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

Set-ItemProperty 'HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' -Name AllowEncryptionOracle -Value 1 -Type DWord
Restart-Computer
Illustrative mockup for windows-server-2016 — terminal_or_powershell
CredSSP policy registry — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Temporarily allow vulnerable connections only when patching is blocked.

Set-ItemProperty 'HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' -Name AllowEncryptionOracle -Value 2 -Type DWord

Verification & Acceptance Criteria

RDP connects with NLA and no CredSSP errors appear.

mstsc /v:rds01.corp.local /admin
Get-WinEvent -LogName Application -ProviderName 'CredSSP' -MaxEvents 10

Rollback Plan

Set policy back to Force Updated Clients once all sides are patched.

Set-ItemProperty 'HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' -Name AllowEncryptionOracle -Value 0 -Type DWord

Prevention & Hardening

Maintain consistent patch level across RDP clients/servers and enforce CredSSP via GPO.

Get-HotFix | Sort-Object InstalledOn -Descending | Select -First 5

Linked with Credential Guard and NLA-related Kerberos issues.

Related tutorial: View the step-by-step tutorial for Windows Server 2016.

View all Windows Server 2016 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: CredSSP updates and RDP NLA.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.