Microsoft patches the patch that broke Windows authentication
May 10 update addressed serious vulns but also had problems of its own
Microsoft has released an out-of-band patch to deal with an authentication issue that was introduced in the May 10 Windows update.
Elizabeth Tyler, cyber security consultant on Microsoft's Detection and Response Team, confirmed the fix to worried administrators early this morning.
Yes, fixed and released 19 May.— Elizabeth Tyler (@MSetyler) May 20, 2022
WS 2022: KB5015013
WS, version 20H2: KB5015020
WS 2019: KB5015018
WS 2016: KB5015019
WS 2012 R2: KB5014986
WS 2012: KB5014991
WS 2008 R2 SP1: KB5014987
WS 2008 SP2: KB5014990
Multiple administrators complained last week that after installing the May 10 patch, they experienced authentication failures across several systems.
Tyler said at the time: "We know the root cause is the subject name is incorrectly used to map the cert to a machine account in AD rather than the DNSHostname in the subject alternative name on DCs that have installed 5b and we're working it."
An entry then turned up in the lengthy list of known issues for the patch in which Microsoft warned that, after installing the May 10 patch on domain controllers, there might be issues with some services.
"These services," it said, "include Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
- Start your engines: Windows 11 ready for broad deployment
- Bing! Microsoft tests search box in the middle of Windows 11 desktop
- Microsoft-backed robovans to deliver grub in London
- Warning: Windows update breaks authentication for some server admins
"An issue has been found related to how the domain controller manages the mapping of certificates to machine accounts."
As with many updates, the May 10 patch was an important one, and included fixes for "high severity" elevation-of-privilege vulnerabilities that could occur when the Kerberos Distribution Center (KDC) serviced a certificate-based authentication request.
Backing out of the update apparently resolved the problems but, as one user observed, "this is quite a critical patch but seems to break quite a key role!"
Administrators would be forgiven for feeling that patches to fix patches seem to be becoming a little too common over the years. ®