By Anthony Failed to connect, CredSSP required by the server is an error line returned when trying to connect remotely to a Windows machine using RDP version 6 or newer with the Rdesktop client.
Failed to connect, CredSSP required by server is an error line returned when trying to connect remotely to a Windows machine using RDP version 6 or newer with the Rdesktop client. It represents a frequent problem for Windows and Linux administrators alike.
Rdesktop client is UNIX based client software for Microsoft’s Remote Desktop Protocol. It is commonly used on ReactOS and Linux installations to connect to Windows machines running Remote Desktop Services, which often leads to the CredSSP required by server error.
Why does CredSSP required by server error happen?
All Windows clients have a credential cache used for authentication against services in a network called NTLM or Windows NT LAN Manager. RDP supports SSO (single sign-on) authentication enabling a user to log in with a single ID and password to gain access to a connected system. However, Linux clients do not support this type of authentication and they require that credentials are provided, either via a Rdesktop command line or via a login window when initiating the remote session.
Linux has Kerberos, which is an authentication mechanism for requesting access to services based on an initial login. Windows Active Directory provides a Kerberos infrastructure, enabling Linux to be configured so it authenticates against AD. This means that upon logging in to Linux, you will be authenticated for a Kerberos TGT (Ticket Granting Ticket), which is used to access other services, such as RDP. When running Rdesktop, CredSSP will check if you have Kerberos TGT to access the remote service and use that for SSO authentication against the remote RDS server. If there is no Kerberos TGT, the Rdesktop will fall back to a lower, insecure level of network connection without the requirement for network-level authentication.
How to fix CredSSP required by server error?
Three solutions are commonly mentioned, though none of them is really THE CredSSP fix, but still they can help if you stumble upon the CredSSP required by server problem:
Downgrade security on the Windows server to accept SSL/TLSv2
This is generally not a solution, but a workaround. Turning security down is never a good solution, but only a temporary fix.
- Go to Control Panel -> System
- Click on “Allow remote access to your computer”
- Click on the “Remote” tab
- Uncheck the box next to “Allow connections only from computers running Remote Desktop with Network Level Authentication”
This will allow insecure connections without NLA (network-level authentication) and you will no longer be prompted with failed connections to a Windows machine due to the CredSSP requirement.