Some May 2022 Microsoft Security Updates Are Leading to Authentication Failures.
Microsoft reported:
“After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).”
Microsoft explains that these ongoing service authentication problems are caused by the security updates addressing CVE-2022-26931 and CVE-2022-26923, two elevation-of-privilege vulnerabilities in Windows Kerberos and Active Directory Domain Services. The fix introduces a strong certificate-to-account binding check on the KDC, and certificates that cannot be strongly mapped to an account are rejected.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned (https://www.cisa.gov/uscert/ncas/current-activity/2022/05/13/cisa-temporarily-removes-cve-2022-26925-known-exploited) that applying the May updates to domain controllers risks these authentication failures, and temporarily removed CVE-2022-26925 from its Known Exploited Vulnerabilities catalog.
As CISA noted, “installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue and is still strongly encouraged.”
The workaround
As BleepingComputer reported, Windows admins are already identifying workarounds, and the most popular one seems to be locating the StrongCertificateBindingEnforcement registry value (a REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Kdc, on each domain controller) and setting it to 0 (zero).
If the value does not exist, create it as a REG_DWORD and set it to 0. This disables the strong certificate mapping check entirely; Microsoft does not recommend it, since it also removes the protection the update added, but it is the only workaround that restores logon for every affected account at once.
Until an official fix is available, Microsoft recommends the targeted alternative: manually map each affected certificate to its machine (or user) account in Active Directory by writing a strong mapping string into the altSecurityIdentities attribute of that account object, so the KDC can bind the certificate without relying on the implicit UPN/DNS-name match.
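The two workarounds above, as an added PowerShell example that is not part of the original article or of Microsoft's guidance. It assumes it is run with administrative rights on a domain controller with the RSAT ActiveDirectory module, that the affected service account is a computer object named NPS01, and that the certificate is read from a .cer file; the issuer and serial number values are constructed placeholders. The strong mapping format it builds (`X509:<I>issuer<SR>reversed-serial`) is the issuer-plus-serial form documented in Microsoft's KB5014754; the issuer DN is written in reverse RDN order and the serial number in reversed byte order.

```powershell
# Added example: apply either the blunt registry workaround or the targeted
# altSecurityIdentities mapping for a certificate that stopped authenticating.

# --- Workaround 1: disable strong certificate binding enforcement on this DC ---
# 0 = disabled (no strong mapping check), 1 = compatibility, 2 = full enforcement.
# Must be set on every domain controller; not recommended by Microsoft because
# it also removes the protection the May 2022 update introduced.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-StrongBindingMode {
    $p = Get-ItemProperty -Path $kdcKey -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not set (default after the update)' }
    return $p.StrongCertificateBindingEnforcement
}

function Disable-StrongBinding {
    # -Force overwrites the value if it already exists, creates it otherwise.
    New-ItemProperty -Path $kdcKey -Name StrongCertificateBindingEnforcement `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# --- Workaround 2: strong-map one certificate to its AD account ---
function ConvertTo-ReversedHex {
    # KB5014754 wants the serial number in reversed byte order:
    # 2B000000 ... becomes ... 0000002B when read two hex digits at a time.
    param([string]$Hex)
    $pairs = @([regex]::Matches($Hex, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    return (-join $pairs)
}

function ConvertTo-ReversedIssuer {
    # .NET prints "CN=CONTOSO-DC-CA, DC=contoso, DC=com"; the mapping string
    # wants "DC=com,DC=contoso,CN=CONTOSO-DC-CA". Naive split: a DN containing
    # an escaped comma would need proper RDN parsing instead.
    param([string]$IssuerDn)
    $rdns = @($IssuerDn -split ',\s*')
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function New-StrongMappingString {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $issuer = ConvertTo-ReversedIssuer $Cert.Issuer
    $serial = ConvertTo-ReversedHex   $Cert.SerialNumber
    return "X509:<I>$issuer<SR>$serial"
}

function Add-StrongCertificateMapping {
    param(
        [string]$ComputerName,   # sAMAccountName without the trailing $
        [string]$CerPath
    )
    Import-Module ActiveDirectory
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $mapping = New-StrongMappingString $cert
    # -Add appends; an account may carry several mappings (e.g. during renewal).
    Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }
    return $mapping
}

# Illustration of the string builder on a constructed certificate-like object,
# so the transformation can be checked without touching AD:
$fake = [pscustomobject]@{
    Issuer       = 'CN=CONTOSO-DC-CA, DC=contoso, DC=com'   # constructed
    SerialNumber = '2B000000AC110000000012'                 # constructed
}
"Issuer  -> " + (ConvertTo-ReversedIssuer $fake.Issuer)   # DC=com,DC=contoso,CN=CONTOSO-DC-CA
"Serial  -> " + (ConvertTo-ReversedHex $fake.SerialNumber) # 1200000000AC11000000002B

"Current KDC enforcement mode: " + (Get-StrongBindingMode)
# Uncomment exactly one of the following on a real DC:
# Disable-StrongBinding                                             # blunt workaround
# Add-StrongCertificateMapping -ComputerName 'NPS01' -CerPath 'C:\certs\nps01.cer'   # targeted fix
```

The targeted path is the one to prefer: it keeps enforcement on and fixes only the accounts whose certificates lack a UPN or DNS SAN the KDC can bind to. Verify the result with `Get-ADComputer NPS01 -Properties altSecurityIdentities` and then test a PEAP or EAP logon through NPS before repeating for the next affected account.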
SHMUEL H.