A security update from Microsoft may result in authentication failures for Windows domain controllers, according to the company. Do you run any Windows servers? We'll give you the latest update and links to a workaround.
Windows authentication failures
Microsoft is investigating a known problem that causes authentication failures for various Windows services once the updates released on the May 2022 Patch Tuesday are installed.
"After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP)," as revealed in a company report published this week.
The issue affects both client and server Windows platforms on all Windows versions, including the most recent ones (Windows 11 and Windows Server 2022).
Security updates addressing CVE-2022-26931 and CVE-2022-26923, two elevation-of-privilege vulnerabilities in Windows Kerberos and Active Directory Domain Services, are causing these ongoing service authentication problems, according to Microsoft.
The more severe of the two, CVE-2022-26923, can allow attackers with access to a low-privileged account to escalate their rights to domain admin on default Active Directory configurations.
For now, Microsoft suggests manually mapping certificates to a machine account in Active Directory until an official update is released to fix the known issue.
"If the preferred mitigation will not work in your environment, please see 'KB5014754—Certificate-based authentication changes on Windows domain controllers' for other possible mitigations in the SChannel registry key section," the company added.
"Any other mitigation except the preferred mitigations might lower or disable security hardening."
According to Microsoft, the May 2022 updates set the StrongCertificateBindingEnforcement registry key, which switches the Kerberos Key Distribution Center (KDC) enforcement mode to Compatibility mode (this should allow all authentication attempts unless the certificate is older than the user).
If the key is not present in the registry, you can also create it from scratch as a REG_DWORD value and set it to 0 to disable the strong certificate mapping check (Microsoft does not recommend this, but it is the only way to allow all users to log in).
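As an added example (not from the article or from Microsoft), the following PowerShell reports which enforcement mode the StrongCertificateBindingEnforcement value puts the KDC in, flags a controller that was set to 0, and provides a function to move it back to Compatibility mode (1); it assumes the value sits under HKLM:\SYSTEM\CurrentControlSet\Services\Kdc as documented in KB5014754.

```powershell
# Added example (not from the original article): audit the KDC certificate
# binding enforcement mode on a domain controller. Assumes the value lives
# under HKLM:\SYSTEM\CurrentControlSet\Services\Kdc (see KB5014754).
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

# Meaning of each REG_DWORD value; 0 disables the check entirely, which the
# article notes Microsoft does not recommend.
$Modes = @{
    0 = 'Disabled (no strong certificate mapping check)'
    1 = 'Compatibility mode'
    2 = 'Full Enforcement mode'
}

function Get-KdcCertBindingMode {
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the KDC falls back to its built-in default.
        return [pscustomobject]@{ Value = $null; Mode = 'Not set (KDC default applies)' }
    }
    $v = [int]$item.$ValueName
    $mode = if ($Modes.ContainsKey($v)) { $Modes[$v] } else { "Unknown value $v" }
    return [pscustomobject]@{ Value = $v; Mode = $mode }
}

# Move a DC that was set to 0 as a stopgap back to Compatibility mode (1),
# which still accepts weakly mapped certificates but restores the hardening.
function Set-KdcCertBindingCompatibility {
    if (-not (Test-Path $KdcKey)) { New-Item -Path $KdcKey -Force | Out-Null }
    Set-ItemProperty -Path $KdcKey -Name $ValueName -Value 1 -Type DWord
}

$state = Get-KdcCertBindingMode
Write-Output ("{0} = {1} -> {2}" -f $ValueName, $state.Value, $state.Mode)
if ($state.Value -eq 0) {
    Write-Warning 'Strong certificate binding is disabled on this DC; re-enable it once certificates are mapped.'
}
```

Run Set-KdcCertBindingCompatibility only after the manual certificate mappings described above are in place, otherwise the same authentication failures return.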
If you have any further questions regarding this issue or the security of the applications that you use for your business, please don't hesitate to contact our specialists.