Windows Authentication Problems Seen After Applying Microsoft's May Patches
Update 5/20: Microsoft now considers these authentication problems to be resolved, having released “out-of-band” updates on May 19, as described here.
Microsoft this week acknowledged possible authentication problems caused by its May security updates, which were released on Tuesday.
The authentication problems are seen only on Windows devices used as domain controllers that received the updates Microsoft released on May 10. The issue stems from how certificates get mapped to machine accounts.
Here's Microsoft's terse explanation, which can be found in a tucked-away Windows 11 "Message Center" entry that's publicly available:
After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.
Microsoft is still investigating the issue. In the meantime, the workaround is not to roll back the faulty May patches (which Microsoft does not identify). Instead, Microsoft wants affected organizations to "manually map certificates to a machine account in Active Directory" according to the instructions in this "Certificate Mapping" document.
There's an alternative approach if the manual mapping approach can't be carried out:
If the preferred mitigation will not work in your environment, please see KB5014754—Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the SChannel registry key section. Note: Any other mitigation except the preferred mitigations might lower or disable security hardening.
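An added example of the manual mapping step in PowerShell; it is not code from the article or from Microsoft. It builds the strong X509IssuerSerialNumber value in the format KB5014754 documents (issuer RDNs in reverse order, serial number in reversed byte order) and adds it to the computer object's altSecurityIdentities attribute. The thumbprint and host name are placeholders, and the ActiveDirectory module plus rights to modify the computer object are assumed.

```powershell
# Added example: write a strong certificate-to-machine-account mapping
# (KB5014754 "X509IssuerSerialNumber" form) for one domain-joined computer.
# Assumptions: ActiveDirectory module present, permission to modify the
# computer object, and the thumbprint/host name below are placeholders.

Import-Module ActiveDirectory

function Get-StrongIssuerSerialMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # KB5014754 expects the issuer DN with its RDNs reversed, e.g.
    # "DC=com,DC=contoso,CN=CONTOSO-DC-CA". Splitting on ", " assumes no RDN
    # value itself contains that sequence; compare with certutil output if unsure.
    $rdns = @($Certificate.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # The serial number goes in reversed byte order: split the hex string into
    # byte pairs, reverse the pairs, and join them again.
    $pairs = @([regex]::Matches($Certificate.SerialNumber, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    $serial = $pairs -join ''

    return "X509:<I>$issuer<SR>$serial"
}

# Machine certificate to map (placeholder thumbprint).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq 'PLACEHOLDER_THUMBPRINT'
$mapping = Get-StrongIssuerSerialMapping -Certificate $cert

# Computer account that authenticates with this certificate (placeholder name).
$computer = Get-ADComputer -Identity 'PLACEHOLDER-HOST' -Properties altSecurityIdentities

if ($computer.altSecurityIdentities -notcontains $mapping) {
    # altSecurityIdentities is multi-valued; -Add appends instead of overwriting
    # any mappings that are already present.
    Set-ADComputer -Identity $computer -Add @{ altSecurityIdentities = $mapping }
}

# Show what the domain controller will now use for this account.
(Get-ADComputer -Identity 'PLACEHOLDER-HOST' -Properties altSecurityIdentities).altSecurityIdentities
```

Because the mapping is tied to the certificate's serial number, it has to be updated whenever the machine certificate is renewed.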
The issue affects all supported Windows Server products, plus Windows Server 2008.
Signs early on that there was a problem with the May patches surfaced in this Reddit discussion thread for system administrators.
Also this week, Microsoft explained its security update validation process prior to patch releases, which gets carried out by Microsoft and its partners. It offered this explanation about its patch release processes:
Once our engineering teams develop an update, it must go through rigorous testing to better assure that the fix does not cause some unintended side effects. The fix must meet necessary quality standards before it can be released. Only after an update has passed these quality checks can it be released as part of our scheduled Update Tuesday process or for out-of-band release (outside of our normal update release process).
Microsoft can roll back patches that are found to cause problems. Organizations that applied the May patches early, however, appear to be out of luck.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.