Windows admins report AD authentication failures after installing Patch Tuesday update
Microsoft says the problem only affects domain controller servers that have received Patch Tuesday updates
Windows system admins are reporting authentication problems after installing the latest May 2022 Patch Tuesday security updates, which were released this week.
Affected systems alerted IT admins that authentication had failed owing to a mismatch in user credentials. Either the given username does not map to an existing account or the password was incorrect.
The issue affects client and server Windows platforms, as well as systems running any Windows version, even the most recent releases (Windows 11 and Windows Server 2022).
Microsoft said it was looking into complaints of authentication problems following its rollout of the May security upgrades.
According to the firm, the problem only affects domain controller servers that have received the Patch Tuesday updates.
Authentication failures should not occur if the fixes are installed on client Windows devices and Windows servers that are not domain controllers, it added.
"After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP)," Microsoft explained.
"An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller."
The issues that Windows Server administrators are presently experiencing are related to the way Microsoft addressed two 'high severity' privilege escalation bugs, CVE-2022-26931 and CVE-2022-26923.
These vulnerabilities were discovered in Windows Kerberos and Active Directory Domain Services, and they were addressed in Tuesday's round of monthly security updates.
"CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request," according to Microsoft.
"Before the May 10th, 2022, security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways," it explained.
One user in a Reddit Patch Tuesday support group said that uninstalling the KB5014001 and KB5014011 updates served as a temporary workaround.
Another popular workaround, as reported by BleepingComputer, seems to be locating the StrongCertificateBindingEnforcement registry entry and change it to 0 (zero).
However, Microsoft strongly advises against using this workaround and suggests that admins manually map certificates to a machine account in Active Directory until an official patch is released.
Microsoft addressed a total of 75 security vulnerabilities, including three zero-days, in its May 2022 Patch Tuesday update.
Among the most serious of the patched bugs is CVE-2022-26925, a zero-day with CVSS score of 8.1.
A critical RCE vulnerability addressed is CVE-2022-26937, which affects services using the Windows Network File System (NFS).
Other RCE bugs patched by Microsoft this month include flaws in Windows Graphics (CVE-2022-26927), Windows LDAP (CVE-2022-22012, CVE-2022-29130), Windows Kernel (CVE-2022-29133), Visual Studio Code (CVE-2022-30129) and Remote Procedure Call Runtime (CVE-2022-22019).
Join us at the CyberSecurity Festival 2022, taking place across 3 days in June, where we will come together to learn, collaborate and tackle the biggest technology security challenges. Find out more and register for free.