2

I'm experiencing something very strange after deploying the May security update on our test machines. Here is the thing -

client machines: Win 7 with May security installed, CredSSP patched

server machines: Win 2008R2, unpatched

We have TWO particular AD user accounts that always fail the FIRST login while trying to RDP from a patched client to unpatched servers. The error is "Unknown Username or Password". In Event Viewer, I can find event 4625, which indicated the same failure reason with status: 0xc0000006c sub status: 0xc0000006a

After some testing and research, I figured this has something to do with the CredSSP patch released in the May security update. However, the error message doesn't match the one listed in Microsoft KB https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Somehow it doesn't match the interoperability matrix either.

The strangest part is that this is only affecting these two particular AD accounts (just regular user accounts; I can't think of anything special about these two accounts). After their first login attempt failed, they could log in successfully on the second attempt.

The other solution is to apply the security policy mentioned in the Microsoft KB (changing Encryption Oracle Remediation to Vulnerable).

I believe it is definitely caused by the May security patch, but I couldn't figure out why it's only affecting two AD accounts. I would expect the same behavior on all AD users....

1 Answer

1

KB4103712 does solve the problem. But it can't explain why particular AD accounts need to log in twice before applying the patch.