Warning: Windows update breaks authentication for some server admins
Microsoft probes complaints of domain controller headaches
Microsoft is warning a security update may cause authentication failures for Windows domain controllers.
"After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP)," the IT goliath said in an advisory published Wednesday.
The advisory refers to Windows update KB5013943 (released Tuesday, May 10, 2022), which followed KB5012643 (released April 25, 2022) and addresses a cause of screen flicker when starting in Safe Mode.
That April KB5012643 update was withdrawn from circulation on Wednesday, May 11, without explanation.
The latest Windows update, KB5013943, leaves unresolved issues in which some .NET Framework 3.5 apps fail to open and some apps that use Direct3D 9 with certain GPUs crash (workarounds are suggested for both cases).
The authentication difficulties should not affect client Windows devices or non-domain controller servers, according to Microsoft.
Netizens posting to /r/sysadmin on Reddit noted the occurrence of authentication failures following the application of two Microsoft patches. Identified by the vulnerability IDs CVE-2022-26931 and CVE-2022-26923, the patches were intended to resolve two "high severity" privilege escalation vulnerabilities that are described in KB5014754.
"The long and the short of it is that attackers in certain privileged positions can mint certificates that impersonate other named principals," explained Steve Syfuhs, senior software engineer on the Windows Cryptography, Identity, and Authentication team at Microsoft, in a Twitter post on Tuesday. "It's not a pants-on-fire situation because most environments already have mitigations in place that make this sort of attack difficult."
Syfuhs subsequently acknowledged that Microsoft is investigating reports of authentication problems.
"FYI we're aware of the NPS issue," he said on Wednesday. "It's not related to NPS specifically but rather with how we're distinguishing between different kinds of names in the certificates. Only a subset of folks are affected by this."
In its advisory, Microsoft offered the following workaround: "The preferred mitigation for this issue is to manually map certificates to a machine account in Active Directory."
If the preferred mitigation doesn't work, the IT behemoth suggests consulting KB5014754 for alternate strategies. At least one individual posting to /r/sysadmin reports resolving the authentication problems by manually setting the CertificateMappingMethods SChannel registry key value on the domain controller to its former default setting, 0x1F. But others who claim to have tried this say their problems persist.
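
The registry workaround above changes which certificate mapping methods Schannel accepts, so it is worth checking what a given value actually enables. The following PowerShell is an added example, not code from this article or from Microsoft; the registry path, the flag meanings and the post-update default of 0x18 are taken from KB5014754 rather than from this page, and the function names are hypothetical.

```powershell
# Added example (not from the article or Microsoft): decode CertificateMappingMethods.
# Assumption: registry path and flag meanings are as documented in KB5014754.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

$MappingFlags = @(
    [pscustomobject]@{ Bit = 0x01; Method = 'Subject/Issuer certificate mapping';    Strength = 'weak' }
    [pscustomobject]@{ Bit = 0x02; Method = 'Issuer certificate mapping';            Strength = 'weak' }
    [pscustomobject]@{ Bit = 0x04; Method = 'UPN certificate mapping';               Strength = 'weak' }
    [pscustomobject]@{ Bit = 0x08; Method = 'S4U2Self certificate mapping';          Strength = 'strong' }
    [pscustomobject]@{ Bit = 0x10; Method = 'S4U2Self explicit certificate mapping'; Strength = 'strong' }
)

# Hypothetical helper: one row per mapping method, showing whether the value enables it.
function Get-CertMappingReport {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($flag in $MappingFlags) {
        [pscustomobject]@{
            Bit      = '0x{0:X2}' -f $flag.Bit
            Method   = $flag.Method
            Strength = $flag.Strength
            Enabled  = [bool]($Value -band $flag.Bit)
        }
    }
}

# Hypothetical helper: only the weak methods that the value switches on.
function Get-WeakMappings {
    param([Parameter(Mandatory)][int]$Value)
    Get-CertMappingReport -Value $Value | Where-Object { $_.Enabled -and $_.Strength -eq 'weak' }
}

# Offline comparison: the former default named in the article (0x1F) against
# the post-update default given in KB5014754 (0x18).
foreach ($value in 0x1F, 0x18) {
    $weak = @(Get-WeakMappings -Value $value)
    '0x{0:X2}: {1} weak mapping method(s) enabled' -f $value, $weak.Count
}

# On a domain controller: report the configured value, if one has been set.
$configured = (Get-ItemProperty -Path $SchannelKey -Name CertificateMappingMethods -ErrorAction SilentlyContinue).CertificateMappingMethods
if ($null -eq $configured) {
    'CertificateMappingMethods is not set; the operating system default applies.'
} else {
    'Configured value: 0x{0:X2}' -f $configured
    Get-CertMappingReport -Value $configured | Format-Table -AutoSize
    foreach ($m in Get-WeakMappings -Value $configured) {
        Write-Warning ('Weak mapping enabled: {0}' -f $m.Method)
    }
}
```

The script only reads the registry. Running it on domain controllers where the workaround was applied gives an inventory of hosts to revisit once Microsoft ships its fix.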
"We are presently investigating and will provide an update in an upcoming release," Microsoft's advisory says. ®