Some Windows updates might actually hurt your security

Following the rollout of its latest round of Patch Tuesday updates, Microsoft is currently investigating a known issue that is causing authentication failures for a number of Windows services.

According to BleepingComputer, the software giant began looking into these issues after Windows administrators began sharing reports of some policies failing after installing its May 2022 Patch Tuesday updates.

These admins reported that after installing updates, they started seeing the following error message: “Authentication failed due to mismatched user credentials. Either the username provided does not match an existing account or the password was incorrect.”

Although this issue affects both Windows client and server platforms, including systems running Windows 11 and Windows Server 2022, Microsoft says it is only triggered after the updates are installed on servers used as domain controllers.

In a support document, the company explained that authentication failures can occur for a number of services, including Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

Authentication failure

In a separate support document, Microsoft went into more detail regarding these service authentication issues, explaining that they are caused by security updates that address privilege escalation vulnerabilities in Windows Kerberos and Active Directory Domain Services.

The vulnerability in Microsoft’s Active Directory Domain Services (tracked as CVE-2022-26923) has a high-severity CVSS score of 8.8 and, if left unpatched, can be exploited by an attacker to elevate the privileges of an account to those of a domain administrator. Meanwhile, the vulnerability in Windows Kerberos (tracked as CVE-2022-26931) also has a high-severity CVSS score of 7.5.


To mitigate these authentication issues, Microsoft suggests that Windows administrators manually map certificates to a computer account in Active Directory. It also suggests using the Kerberos operational log to identify which domain controller is failing to log users in.

However, a Windows administrator who spoke to BleepingComputer said that the only way they could get some of their users to log in after installing the latest Patch Tuesday updates was to disable the StrongCertificateBindingEnforcement registry key by setting it to 0. This registry key is used to change the enforcement mode of the Kerberos Key Distribution Center (KDC) to compatibility mode.
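The two workarounds above (checking the KDC enforcement setting and reading the Kerberos operational log, plus the manual certificate-to-account mapping Microsoft recommends) can be carried out from one administrative script. The following PowerShell is an added example written for this page; it is not code from the article, BleepingComputer or Microsoft. The registry path and value meanings, the operational log channel name, the event IDs 39/40/41 and the `altSecurityIdentities` issuer+serial mapping format are assumptions taken from Microsoft's published guidance for this update rather than from the article, and the function names are hypothetical.

```powershell
# Added example (not from the article): audit StrongCertificateBindingEnforcement on every
# domain controller, surface Kerberos certificate-mapping failures from the KDC operational
# log, and optionally write a strong (issuer + serial) mapping for a computer account.
# Run from an elevated session on a host with the ActiveDirectory RSAT module.
# Assumptions not stated in the article: registry path, value meanings (0 = disabled,
# 1 = compatibility, 2 = full enforcement), log channel name, event IDs and mapping format
# follow Microsoft's guidance for the May 2022 change.

#Requires -Modules ActiveDirectory

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$RegName   = 'StrongCertificateBindingEnforcement'
$LogName   = 'Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational'
$EventIds  = 39, 40, 41   # no strong mapping / cert predates account / SID mismatch
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full enforcement' }

# Read the enforcement value on one DC; $null means the key is absent and the update default applies.
function Get-KdcBindingMode {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $RegPath, $RegName -ScriptBlock {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { $null } else { [int]$item.$Name }
    }
}

# Pull the certificate-binding warnings the KDC writes when a logon certificate cannot be
# strongly mapped to an account. This is the "Kerberos operational log" the article refers to.
function Get-CertBindingFailures {
    param([Parameter(Mandatory)][string]$ComputerName, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = $LogName; Id = $EventIds; StartTime = $Since
    } | Select-Object TimeCreated, Id, MachineName, Message
}

# Manual mapping (Microsoft's recommended fix): write an X509:<I>issuer<SR>serial entry into the
# computer account's altSecurityIdentities. The issuer is the reversed DN of the issuing CA and
# the serial number is written byte-reversed, which is how the KDC expects it (assumption).
function Set-StrongCertificateMapping {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$IssuerDn,     # e.g. 'DC=com,DC=contoso,CN=CONTOSO-CA' (constructed)
        [Parameter(Mandatory)][string]$SerialHex     # serial as shown in the certificate, no spaces
    )
    $pairs = @([regex]::Matches($SerialHex, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    $mapping = "X509:<I>$IssuerDn<SR>$($pairs -join '')"
    Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }
    return $mapping
}

# --- Audit every DC in the domain ---
foreach ($dc in Get-ADDomainController -Filter *) {
    $mode  = Get-KdcBindingMode -ComputerName $dc.HostName
    $label = if ($null -eq $mode) { 'not set (update default applies)' } else { $ModeNames[$mode] }
    Write-Host ("{0}: {1} = {2}" -f $dc.HostName, $RegName, $label)

    # The value 0 the article's administrator fell back to turns the new check off entirely;
    # flag it so it is not forgotten once certificates have been re-issued with strong mappings.
    if ($mode -eq 0) {
        Write-Warning "$($dc.HostName): certificate binding enforcement is disabled."
    }

    Get-CertBindingFailures -ComputerName $dc.HostName |
        Format-Table TimeCreated, Id, Message -AutoSize -Wrap
}

# Example of a manual mapping for a single machine (constructed values):
# Set-StrongCertificateMapping -ComputerName 'WS01' -IssuerDn 'DC=com,DC=contoso,CN=CONTOSO-CA' -SerialHex '1A2B3C4D'
```

The KDC operational channel is not always enabled; if `Get-CertBindingFailures` returns nothing on a DC that is known to be rejecting logons, enable the channel first with `wevtutil sl "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational" /e:true` and reproduce a failing logon. The audit deliberately reports rather than changes the registry value: lowering enforcement is the stop-gap the article describes, while the mapping function is the change that lets enforcement stay on.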

Now that Microsoft is actively investigating these issues and providing workarounds, a proper fix should arrive soon or at least in its upcoming Patch Tuesday updates in June.

Via BleepingComputer
