Microsoft’s May Patch Tuesday Updates Cause Windows AD Authentication Errors

Microsoft’s May Patch Tuesday update is triggering authentication errors.

Microsoft is alerting customers that its May Patch Tuesday update is causing authentication errors and failures tied to Windows Active Directory Domain Services. In a Friday update, Microsoft said it was investigating the issue.

The warning comes amid reports of multiple services and policies failing after the security update is installed. “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect,” posted an admin to a Reddit thread on the topic.

According to Microsoft, the issue occurs after installing the updates released on May 10, 2022.

“After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” Microsoft reported.

“An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,” Microsoft added.

A domain controller is a server that responds to authentication requests and verifies users on a network; Active Directory is the directory service that stores information about objects on the network and makes that information available to users and services.

Microsoft added a note that the update will not affect client Windows devices or non-domain-controller Windows servers, and will only cause issues on servers acting as domain controllers.

“Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue. This issue only affects installation of May 10, 2022, updates installed on servers used as domain controllers,” Microsoft explains.

Authentication Failure Caused by Security Update

Microsoft released a second document explaining further details of the authentication problem caused by the security update, which addresses privilege escalation vulnerabilities in Windows Kerberos and Active Directory Domain Services.

The vulnerabilities are tracked as CVE-2022-26931 in Windows Kerberos, with a high-severity CVSS rating of 7.5, and CVE-2022-26923 (discovered by security researcher Oliver Lyak) in Microsoft’s Active Directory Domain Services, with a CVSS score of 8.8, also rated high. If left unpatched, an attacker can exploit the vulnerability to escalate privileges to those of a domain admin.

Workarounds

Microsoft advises domain administrators to manually map certificates to a user in Active Directory until an official fix is available.

“Domain administrators can manually map certificates to a user in Active Directory using the altSecurityIdentities attribute of the user’s Object,” Microsoft added.

“If the preferred mitigation will not work in your environment, please see ‘KB5014754—Certificate-based authentication changes on Windows domain controllers’ for other possible mitigations in the SChannel registry key section,” Microsoft reported.

According to Microsoft, any other mitigation method might not provide adequate security hardening.

According to Microsoft, the May 2022 update allows all authentication attempts unless the certificate is older than the user. This is because the update automatically sets the StrongCertificateBindingEnforcement registry key, “which changes the enforcement mode of the KDC to Disabled Mode, Compatibility Mode, or Full Enforcement Mode,” Microsoft explains.

One Windows admin who spoke to BleepingComputer said that the only way they were able to get some users to log in after installing the patch was to disable the StrongCertificateBindingEnforcement key by setting its value to 0.

Setting the REG_DWORD value to 0 disables the strong certificate mapping check; if the key does not exist, the admin can create it from scratch. Microsoft does not recommend this method, but the admin reported it was the only way to allow all users to log in.
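As an added example (not from the article or from Microsoft), the following PowerShell script covers both the altSecurityIdentities mapping Microsoft recommends above and the enforcement-mode key just discussed: it builds a strong X509 mapping string from an issued certificate, reads the KDC enforcement mode, and applies the mapping only when run with -Apply. The mapping format (issuer RDNs reversed, serial number with reversed byte order) and the Kdc registry path follow KB5014754; the certificate path and user name are placeholders.

```powershell
# Added example: map a certificate to an AD user with a strong
# altSecurityIdentities binding and report the KDC enforcement mode.
# Format and registry path per KB5014754; paths/names are placeholders.
param(
    [string]$CertPath = 'C:\temp\user.cer',  # placeholder: the user's issued cert
    [string]$SamAccountName = 'jdoe',        # placeholder: the AD user to map
    [switch]$Apply                           # without -Apply, only print the mapping
)
Import-Module ActiveDirectory

function New-StrongCertMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Issuer RDNs in reversed order (DC=com,DC=contoso,CN=CA). Splitting on
    # commas is fine for typical CA names; escape values that contain commas.
    $rdns = @($Cert.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','
    # Serial number with its bytes in reversed order, as KB5014754 expects.
    $pairs = @([regex]::Matches($Cert.SerialNumber, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    $serial = -join $pairs
    return "X509:<I>$issuer<SR>$serial"
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$mapping = New-StrongCertMapping -Cert $cert
Write-Host "Mapping: $mapping"

# Enforcement mode written by the May 2022 update
# (0 = Disabled, 1 = Compatibility, 2 = Full Enforcement per KB5014754).
$kdc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$mode = (Get-ItemProperty -Path $kdc -Name StrongCertificateBindingEnforcement `
    -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
Write-Host "StrongCertificateBindingEnforcement: $(if ($null -eq $mode) { 'not set' } else { $mode })"

if ($Apply) {
    # -Add appends, so any existing mappings on the user are kept.
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities |
        Select-Object -ExpandProperty altSecurityIdentities
}
```

Run it on a domain controller (or a host with the RSAT ActiveDirectory module) as a domain admin; leaving the key at 0 removes the strong mapping check, so the mapping above is the route Microsoft prefers.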

Microsoft says it is investigating the issue and that a fix should be available soon.

Microsoft also recently released 73 new patches as part of May’s monthly security update.
