Bug ID 714700: SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7

Fixed In:
14.1.0, 14.0.0, 13.1.0.8

Opened: Apr 11, 2018
Severity: 3-Major

Symptoms

To address a vulnerability in their CredSSP implementation, Microsoft released a set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces compatibility issues. The update adds a new Group Policy, 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server, might break SSO for APM's native RDP resources.

Impact

SSO for native RDP resources does not work.

Conditions

-- RDP server has the https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.

Workaround

Set 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'.
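
One way to check the policy condition on an RDP server, as an added example that is not F5's or Microsoft's code: it reads the registry value that backs the 'Encryption Oracle Remediation' policy (AllowEncryptionOracle, per Microsoft's CredSSP update guidance: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable). The function name is hypothetical, and the script does not check whether the CredSSP update itself is installed.

```powershell
# Added example: report the CredSSP 'Encryption Oracle Remediation' policy on this
# RDP server and whether it matches the condition described in this bug.
# Registry path and value meanings follow Microsoft's CredSSP update guidance.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-EncryptionOracleSetting {   # hypothetical helper name
    param([string]$Path = $CredSspKey)

    $names = @{
        0 = 'Force Updated Clients'
        1 = 'Mitigated'
        2 = 'Vulnerable'
    }

    # The key or value is absent when the policy has never been configured;
    # the OS default for the installed patch level then applies.
    $item = Get-ItemProperty -Path $Path -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value               = $null
            Setting             = 'Not configured (OS default applies)'
            MatchesBugCondition = $false
        }
    }

    $value = [int]$item.AllowEncryptionOracle
    $setting = if ($names.ContainsKey($value)) { $names[$value] } else { "Unknown ($value)" }

    [pscustomobject]@{
        Value               = $value
        Setting             = $setting
        # 'Force Updated Clients' is the setting this bug lists under Conditions.
        MatchesBugCondition = ($value -eq 0)
    }
}

Get-EncryptionOracleSetting | Format-List
```

When the policy is delivered by a domain GPO, a change made directly in the registry is overwritten at the next policy refresh, so apply the workaround in the GPO itself.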

Fix Information

SSO for native RDP resources is now compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy.

Behavior Change