Bug ID 714700: SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7

Fixed In:
14.1.0, 14.0.0, 13.1.0.8

Opened: Apr 11, 2018

Severity: 3-Major

Symptoms

To address a vulnerability in its CredSSP implementation, Microsoft released a set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces compatibility issues. The update adds a new Group Policy, 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server, might break SSO for APM's native RDP resources.

Impact

SSO for native RDP resources does not work.

Conditions

-- RDP server has https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.

Workaround

Set 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'.
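
To confirm which 'Encryption Oracle Remediation' setting an RDP server has, before or after applying the workaround, the PowerShell function below reads the registry value behind the policy. It is an added example, not part of F5's article: the function name is hypothetical, and the registry path, the value name AllowEncryptionOracle and the 0/1/2 mapping are taken from Microsoft's CredSSP update documentation, not from this page.

```powershell
# Added example (not F5 code). Reports the 'Encryption Oracle Remediation'
# setting for the local machine or for remote RDP servers.
function Get-EncryptionOracleSetting {
    [CmdletBinding()]
    param(
        # Server names to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Assumption: registry location Microsoft documents for this policy.
    $probe = {
        $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
        $item = Get-ItemProperty -Path $path -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }   # key or value absent: policy not configured
        return [int]$item.AllowEncryptionOracle
    }
    $names = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) { $raw = & $probe }
            else { $raw = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop }
        } catch {
            # Remote query failed (WinRM unreachable, access denied, ...).
            [pscustomobject]@{ ComputerName = $name; Setting = 'Query failed'; MatchesBugCondition = $null }
            continue
        }

        $setting = if ($null -eq $raw) { 'Not configured' }
                   elseif ($names.ContainsKey([int]$raw)) { $names[[int]$raw] }
                   else { "Unknown ($raw)" }

        [pscustomobject]@{
            ComputerName        = $name
            Setting             = $setting
            # True only for 'Force Updated Clients', the setting listed under Conditions.
            MatchesBugCondition = ($null -ne $raw -and [int]$raw -eq 0)
        }
    }
}

# Usage: check the local server.
Get-EncryptionOracleSetting | Format-Table -AutoSize
```

A result of 'Not configured' means no explicit policy value is present; the effective behaviour then depends on which CredSSP update level the server has installed.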

Fix Information

SSO for native RDP resources is now compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips