UPDATED (05/23/22): Microsoft has issued emergency out-of-band (OOB) updates to fix Active Directory (AD) authentication difficulties. The OOB Windows updates are only available through the Microsoft Update Catalog and will not be available via Windows Update. You can find more information about these updates here.
Microsoft is investigating a known problem that causes authentication failures for various Windows services after users installed Windows updates from the May 2022 Patch Tuesday. It seems some policies are failing after this month's security updates are installed, due to a mismatch in user credentials. The updates were very important, because they patched two severe issues (CVE-2022-26931 and CVE-2022-26923), with the more severe, CVE-2022-26923, allowing an attacker with access to a low-privileged account to escalate privileges to domain admin.
The problem has been discovered in relation to the domain controller's handling of certificate mapping to machine accounts, and affects client and server Windows platforms, as well as systems running any Windows version, including the most recent Windows 11 and Windows Server 2022. According to Microsoft, the known bug is only triggered when the updates are installed on domain controller servers. When installed on client Windows devices and non-domain-controller Windows Servers, the updates have no negative impact.
After installing the updates released on May 10, 2022 on domain controllers, you may see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
Devices will be in Compatibility Mode once you’ve installed the latest update. Authentication will occur as intended as long as the certificate can be strongly matched to a user. However, if the certificate is older than the user, a warning will be logged, authentication will fail, and an error will be recorded.
What You Can Do
If you’ve already installed the update:
It’s important to keep an eye out for any warnings/alerts that surface a month or so after installation. If no warnings appear, we highly advise you to turn on Full Enforcement Mode on all domain controllers that use certificate-based authentication. Full Enforcement Mode can be enabled by using the KDC registry entry.
Microsoft suggests manually mapping credentials/certificates to a machine account in Active Directory until an official update is released to fix this issue. Anything but these preferred mitigations could reduce security integrity. If the suggested mitigation does not work in your environment, check the SChannel registry key section for alternative possible mitigations here.
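The two steps above (watch for weak-mapping warnings, then switch the KDC to Full Enforcement, and manually map certificates in the meantime) as an added PowerShell example; this is not code from the article or from Microsoft. The registry value name, the mode numbers and the KDC event IDs are taken from Microsoft's KB5014754 guidance (older Server versions log different event IDs, so check that article for your version); run it in an elevated session on a domain controller.

```powershell
# Added example: audit a DC's certificate-mapping enforcement state and build a
# strong altSecurityIdentities value for the manual-mapping mitigation.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'   # 0 = Disabled, 1 = Compatibility (default), 2 = Full Enforcement

function Get-KdcEnforcementMode {
    $val = (Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    switch ($val) {
        0       { 'Disabled' }
        2       { 'FullEnforcement' }
        default { 'Compatibility' }   # an absent value means the post-update default
    }
}

function Get-WeakCertificateMappingEvents {
    param([int]$Days = 30)
    # KDC warnings per KB5014754: 39 = certificate only weakly mapped, 40 = certificate
    # predates the account (authentication fails), 41 = embedded SID does not match.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function New-StrongCertificateMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Strong mapping format: X509:<I>issuer<SR>serial, with the issuer DN in reverse
    # RDN order and the serial number in reverse byte order (hex pairs reversed).
    $issuer = $Certificate.Issuer -split ',\s*'          # naive split; escaped commas in a DN are not handled
    [array]::Reverse($issuer)
    $serialBytes = [regex]::Matches($Certificate.SerialNumber, '..') | ForEach-Object { $_.Value }
    [array]::Reverse($serialBytes)
    "X509:<I>$($issuer -join ',')<SR>$($serialBytes -join '')"
}

# Report the current mode, then decide whether Full Enforcement is safe to turn on.
"KDC mode: $(Get-KdcEnforcementMode)"
$weak = @(Get-WeakCertificateMappingEvents -Days 30)
if ($weak.Count -eq 0) {
    "No weak-mapping warnings in 30 days; Full Enforcement can be enabled with:"
    "Set-ItemProperty -Path '$KdcKey' -Name $ValueName -Value 2 -Type DWord"
} else {
    "$($weak.Count) weak-mapping warning(s) found; fix these mappings before enforcing:"
    $weak | Format-Table -AutoSize
}
```

The string returned by New-StrongCertificateMapping is what goes into the account's altSecurityIdentities attribute (for example via Set-ADUser -Add @{altSecurityIdentities = $mapping}) so the KDC treats the certificate as strongly mapped.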
If you haven’t installed the update:
It’s important to weigh the CVE risk against the chance the update is going to negatively impact your systems. If you aren’t using the listed services, then it shouldn’t be a major risk and you should patch for the other fixes. If you are using the listed services, you need to proceed with caution, test heavily, and have a rollback plan until an official update is available.