I can't RDP to a remote Windows 2016 or Windows 2012. Why is this so ?

Document ID : KB000108652
Last Modified Date : 29/01/2019
Show Technical Document Details
Trying to RDP to a Windows  2012 R2 or Windows 2016 R2, it does not work. Irrespective of whether we are specifying the account at login time or if this is automatically injected by PAM

In the logs the following error is reported:

NLA login was canceled or invalid credentials were entered. Deleting the file: XXX-0000043381-20180619140837917_RDP 

However, there is no problem with session recording, the ciphers and credentials are all up to date and they look the same as in any other server where it works

What may be the problem ?
Windows 2012 R2 and Windows 2016 R2 remote devices
CA PAM 2.8.X an later

This is due to the Encryption Oracle remediation policy not being defined in the remote Windows system. RDP uses CredSSP for which a vulnerability was described in CVE-2018-0886. This required patching of Windows and, in particular of CredSSP.

See https://support.microsoft.com/ca-es/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018 for further information.

Setting up the Encryption Oracle remediation policy as specified in the document mentioned will help overcome the problem. You need to choose the "Mitigated" option for allowing connection  through RDP to occur seamlessly. See the table at the end of the Microsoft document for an explanation of the different options.