Windows update breaks authentication for some server administrators • The Register

Windows update breaks authentication for some server administrators • The Register

Microsoft warns that a security update can cause authentication errors for Windows domain controllers.

“After installing updates released on May 10, 2022 on your domain controllers, you may see authentication errors on the server or client for services like Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP),” the IT giant said in an advisory published on Wednesday.

The advisory relates to the Windows update KB5013943 (released May 10, 2022) that followed KB5012643 (released April 25, 2022) and resolves a cause of screen flickering when starting in safe mode.

April update KB5012643 was pulled from circulation on Wednesday, May 11th without explanation.

The latest Windows update KB5013943 leaves unresolved issues where some .NET Framework 3.5 apps fail to open and some apps using Direct3D 9 with certain GPUs crash (workarounds are suggested for both cases).

According to Microsoft, the authentication difficulties shouldn’t affect client Windows devices or non-domain controller servers.

Internet users post on /r/sysadmin on Reddit noticed the appearance of authentication errors after applying two Microsoft patches. The patches, identified by vulnerability IDs CVE-2022-26931 and CVE-2022-26923, were intended to address two high severity privilege escalation vulnerabilities described in KB5014754.

A selection of plasters/plasters

Admins are reporting issues with Hyper-V and domain controllers after the first patch Tuesday 2022


“The long and short of it is that attackers in certain privileged positions can create certificates impersonating other named principals,” said Steve Syfuhs, senior software engineer on the Windows Cryptography, Identity, and Authentication Team at Microsoft, in a twitter post on Tuesday. “It’s not a ‘pant on fire’ situation as most environments already have defenses in place that make this type of attack difficult.”

Syfuhs subsequently acknowledged that Microsoft is investigating reports of authentication issues.

“FYI, we’re aware of the NPS issue,” he said called On Wednesday. “It’s not specifically to do with NPS, but more to do with how we differentiate between different types of names in the certificates. It only affects a subset of people.”

In its recommendation, Microsoft offered the following workaround: “The preferred mitigation for this issue is to manually map certificates to a computer account in Active Directory.”

If the preferred mitigation doesn’t work, the IT giant suggests consulting KB5014754 for alternative strategies. At least one single booking /r/sysadmin Reports on solving the authentication problems by manually setting the CertificateMappingMethods Schannel registry key value on the domain controller to its previous default setting, 0x1F. But others who claim to have tried this say their problems remain.

“We are currently investigating and will provide an update in an upcoming release,” Microsoft said in its recommendation. ®

Leave a Reply

Your email address will not be published.