Microsoft's May Patch Tuesday update is causing authentication issues and failures in Windows Activ

Ref# AL2022_29 | Date: May 17th 2022

Description

The Cybersecurity and Infrastructure Security Agency (CISA) warns that the May Windows updates should not be installed on domain controllers. CISA indicated that installing these updates may cause authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

Summary

When the update is applied on a Windows Server domain controller, the fixes for two elevation of privilege vulnerabilities in Windows Kerberos and Active Directory Domain Services (recorded as CVE-2022-26931 and CVE-2022-26923) cause service authentication difficulties. This problem only affects the May 10, 2022 updates when installed on domain controller servers. Client Windows devices and Windows Servers that are not domain controllers should continue to receive updates. Because Microsoft no longer provides separate installers for each security issue on Patch Tuesday, an administrator cannot select only one of the security fixes to install.

How it works

The updates automatically set the StrongCertificateBindingEnforcement registry key, which controls the enforcement mode of the Key Distribution Center (KDC): Disabled Mode, Compatibility Mode, or Full Enforcement Mode. In the mode the update applies, all certificate authentication attempts are allowed unless the certificate is older than the user account it is presented for.
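As an added example (not part of the CIRT alert or Microsoft's documentation), the following PowerShell snippet lets an administrator confirm which enforcement mode a domain controller is in after the May update and whether the KDC has started logging certificate mapping problems. The registry path, the meaning of the values 0/1/2 and the event IDs 39, 40 and 41 are taken from KB5014754 (referenced below); the provider name used in the event filter is an assumption to check against Event Viewer on the host.

```powershell
# Added example, not from the advisory. Run on a domain controller as an administrator.
# Registry location and value meanings as documented in KB5014754.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'StrongCertificateBindingEnforcement'

$modeNames = @{
    0 = 'Disabled Mode (no strong binding checks)'
    1 = 'Compatibility Mode (allow unless certificate predates the account)'
    2 = 'Full Enforcement Mode (strong mapping required)'
}

function Get-KdcEnforcementMode {
    $item = Get-ItemProperty -Path $kdcKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key absent: the update has not set it, so the KDC uses its built-in default.
        return 'Not set (registry value absent)'
    }
    $raw = [int]$item.$valueName
    if ($modeNames.ContainsKey($raw)) { return "$raw = $($modeNames[$raw])" }
    return "$raw = unknown value"
}

function Get-KdcMappingEvents([int]$Hours = 24) {
    # Event IDs 39/40/41 are the KDC's "weak mapping", "certificate predates account"
    # and "SID mismatch" events described in KB5014754. Provider name is an assumption.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Write-Host "KDC enforcement mode: $(Get-KdcEnforcementMode)"
$events = @(Get-KdcMappingEvents)
Write-Host "Certificate mapping events in the last 24h: $($events.Count)"
$events | Format-Table -AutoSize -Wrap
```

A non-zero count of these events after the update identifies the accounts and certificates that will fail once the KDC moves to Full Enforcement Mode, which is the population that needs an explicit strong mapping.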


Workarounds 

Microsoft suggests manually mapping certificates to the machine account in Active Directory until it provides an official update that fixes the AD authentication issues caused by applying this month's security patches.
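The manual mapping Microsoft describes is done by adding a strong mapping string to the account's altSecurityIdentities attribute. The PowerShell below is an added example (not from the advisory or from Microsoft) that builds the `X509:<I>issuer<SR>serial` form documented in KB5014754 from a certificate file and attaches it to a computer account. The certificate path `C:\certs\srv01.cer` and the account name `SRV01` are constructed placeholders; the ActiveDirectory module must be installed.

```powershell
# Added example, not from the advisory. Requires the ActiveDirectory module
# and an account allowed to write altSecurityIdentities on the target object.
Import-Module ActiveDirectory

function ConvertTo-ReversedHex([string]$Hex) {
    # KB5014754 states the <SR> field is the serial number in reversed byte order.
    $pairs = @()
    for ($i = 0; $i -lt $Hex.Length; $i += 2) { $pairs += $Hex.Substring($i, 2) }
    [array]::Reverse($pairs)
    return (-join $pairs)
}

function ConvertTo-ReversedDN([string]$DistinguishedName) {
    # The <I> field is the issuer DN with its RDNs in reversed order, comma separated.
    # Assumption: the issuer DN contains no escaped commas inside RDN values.
    $rdns = $DistinguishedName -split ',\s*'
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function New-StrongCertificateMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $issuer = ConvertTo-ReversedDN $Certificate.Issuer
    $serial = ConvertTo-ReversedHex $Certificate.SerialNumber
    return "X509:<I>$issuer<SR>$serial"
}

# Constructed inputs: replace with the real certificate file and machine account name.
$certPath    = 'C:\certs\srv01.cer'
$accountName = 'SRV01'

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$mapping = New-StrongCertificateMapping -Certificate $cert
Write-Host "Adding mapping: $mapping"

# -Add appends to the multi-valued attribute without removing existing mappings.
Set-ADComputer -Identity $accountName -Add @{ altSecurityIdentities = $mapping }

# Read back to confirm the value landed on the object.
Get-ADComputer -Identity $accountName -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

For a user account the same mapping string is written with Set-ADUser instead of Set-ADComputer. Because the mapping is tied to the issuer and serial number, it must be refreshed whenever the certificate is renewed.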


The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: AL2022_29 Microsoft's May Patch Tuesday update is causing authentication issues and failures.pdf

References   


  • Gatlan, S. (2022, May 16). CISA warns not to install May Windows updates on domain controllers. Retrieved from BleepingComputer: https://www.bleepingcomputer.com/news/security/cisa-warns-not-to-install-may-windows-updates-on-domain-controllers/

  • Microsoft. (2022, May 16). KB5014754: Certificate-based authentication changes on Windows domain controllers. Retrieved from Microsoft: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_compatmode

  • Microsoft Security Response Center. (2022, May 10). Security Update Guide. Retrieved from Microsoft: https://msrc.microsoft.com/update-guide/vulnerability

  • Tiwari, S. (2022, May 16). Microsoft's May Patch Tuesday Updates Cause Windows AD Authentication Errors. Retrieved from Threatpost: https://threatpost.com/microsofts-may-patch-tuesday-updates-cause-windows-ad-authentication-errors/179631/