Patch Tuesday’s latest batch of upgrades is causing authentication issues.
Microsoft is looking into a known issue that causes authentication failures for a variety of Windows services.
According to BleepingComputer, Microsoft began looking into these issues after Windows administrators reported that certain rules were failing once the May 2022 Patch Tuesday updates had been applied.
These administrators reported getting the following error notice after applying the updates: “Due to a discrepancy in user credentials, authentication failed. Either the provided user name does not correspond to an existing account or the password was entered incorrectly.”
Although this problem affects both client and server Windows platforms and systems, including those running Windows 11 and Windows Server 2022, Microsoft claims that it is only triggered once updates are implemented on domain controller servers.
According to a support article, authentication failures can occur for a variety of services, including Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
Microsoft went into greater detail about these service authentication issues in a separate support page, saying that they are caused by security patches that address privilege escalation vulnerabilities in Windows Kerberos and Active Directory Domain Services.
The vulnerability in Microsoft’s Active Directory Domain Services (CVE-2022-26923) has a high severity CVSS score of 8.8 and can be exploited by an attacker to elevate an account’s capabilities to those of a domain admin if left unpatched. Meanwhile, the vulnerability in Windows Kerberos (CVE-2022-26931) has a CVSS score of 7.5, which is considered high severity.
To address these difficulties, Microsoft recommends that Windows administrators manually map certificates to a machine account in Active Directory, and use the Kerberos Operational log to determine which domain controller is failing the sign-in.
However, one Windows administrator told BleepingComputer that the only way to get some of their customers to log in after installing the newest Patch Tuesday updates was to disable the StrongCertificateBindingEnforcement registry key by setting it to 0. This registry key controls the Kerberos Key Distribution Center’s (KDC) enforcement mode for certificate-based authentication; a value of 0 moves the KDC from the default Compatibility mode to Disabled mode, switching the new check off.
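As an added example that is not part of the article and not Microsoft’s own tooling, the following PowerShell audits every domain controller for the StrongCertificateBindingEnforcement value and lists the KDC’s recent certificate-mapping warnings, so an administrator who has set the key to 0 as a stopgap can see exactly where the protection behind CVE-2022-26923 is switched off. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the domain controllers, and the value meanings and event IDs 39 to 41 that Microsoft documents in KB5014754 (the article itself does not name that KB).

```powershell
# Added example (not from the article or from Microsoft): audit domain controllers for the
# StrongCertificateBindingEnforcement setting and surface recent KDC certificate-mapping
# warnings. Assumes the RSAT ActiveDirectory module and PowerShell remoting to each DC.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$regName = 'StrongCertificateBindingEnforcement'

# Value meanings per Microsoft's KB5014754 for the May 2022 update:
# 0 = Disabled (mapping check off), 1 = Compatibility (default after the update), 2 = Full Enforcement.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full Enforcement' }

function Get-KdcEnforcementMode {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }   # key absent: the patched DC runs at the default (Compatibility)
        return [int]$item.$Name
    } -ArgumentList $regPath, $regName
}

function Get-KdcMappingWarnings {
    param([string]$ComputerName, [int]$Hours = 24)
    # The KDC logs certificate-mapping warnings to the System log under the
    # Kerberos-Key-Distribution-Center provider; IDs 39/40/41 (per KB5014754) mark
    # certificates that cannot be strongly mapped, predate the account, or carry a mismatched SID.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $value = Get-KdcEnforcementMode -ComputerName $dc
    $mode  = if ($null -eq $value) { 'Compatibility (default, key not set)' } else { $modeNames[$value] }
    $flag  = if ($value -eq 0) { '  <-- enforcement disabled; the CVE-2022-26923 mitigation is off on this DC' } else { '' }
    '{0}: {1}{2}' -f $dc, $mode, $flag

    # Accounts that will break once enforcement is turned back on show up here first.
    Get-KdcMappingWarnings -ComputerName $dc | Format-Table -AutoSize
}
```

Run it from a management host with domain-admin rights; any DC reported as Disabled should be treated as a temporary exception to re-enable once the affected certificates have been mapped, and the listed warnings are the accounts to fix before doing so.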
Now that Microsoft is actively examining these issues and developing workarounds, a genuine fix should be available soon, if not by June’s Patch Tuesday release.