Microsoft May Patch Tuesday Causes AD Authentication Failures

Bitdefender Small Business

Microsoft is investigating an issue causing authentication errors for certain Windows services following its rollout of updates in this month’s Patch Tuesday.

After the latest updates, Windows system administrators reported various policy failures. Afflicted systems prompted sysadmins with the message: “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account, or the password was incorrect.”

The situation affects both client and server Windows platforms, as well as systems running various versions of Windows, including Windows Server 2022 and Windows 11, the latest releases.

Microsoft says the issue only affects servers used as domain controllers that received the Patch Tuesday monthly updates. Installing the patches on client Windows devices and Windows servers not used as domain controllers shouldn’t lead to authentication failures, it said.

“After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” a status update document reads.

According to Microsoft, security updates addressing two elevations of privilege Windows Kerberos and Active Directory Domain Services vulnerabilities triggered the authentication failures.

The May updates change the Kerberos Distribution Center to Compatibility mode by automatically setting the StrongCertificateBindingEnforcement registry key. This, in turn, allows all authentication attempts if the certificate is not older than the user.

As BleepingComputer reported, Windows admins are already identifying workarounds, and the most popular one seems to be locating the StrongCertificateBindingEnforcement registry key and setting it to 0 (zero). Microsoft strongly recommends against this and suggests system administrators map certificates manually to a machine account in Active Directory until an official patch is available.

Microsoft’s May Patch Tuesday fixes 74 security flaws, including a high-severity, actively exploited vulnerability that could “let unauthenticated attackers coerce the domain controller to authenticate to the attacker using NTLM.”