Some Windows updates may actually hurt your security
Following its latest round of deployment Tuesday updates, Microsoft is currently investigating a known issue that leads to authentication failures for a number of Windows services.
According to BleepingComputerthe software giant is looking into these issues after Windows admins began sharing reports of certain policies failing after installing its May 2022 Patch Tuesday updates.
These admins reported that after installing the updates they started seeing the following error message: “Authentication failed due to a user credentials mismatch. Either the username does not provide an existing account or the password was incorrect.”
While this issue impacts client and server Windows platforms and systems including those running Windows 11 and Windows Server 2022, Microsoft says that it is only triggered after updates are installed on servers that are being used as domain controllers.
In a support document, the company explained that authentication failures may occur for a number of services including Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol ( PEAP).
Failure to authenticate
In a separate support document, Microsoft went into further detail regarding these service authentication problems by explaining that they are security updates that address privilege escalation vulnerabilities in Windows Kerberos and its Active Directory Domain Services.
The vulnerability in Microsoft’s Active Directory Domain Services (tracked as CVE-2022-26923) has a high severity CVSS score of 8.8 and if left unpatched, can be exploited by an attacker to elevate the privileges of an account to a domain admin. Meanwhile, the vulnerability in Windows Kerberos (tracked as CVE-2022-26931) also has a high severity CVSS score of 7.5.
To mitigate these authentication issues, Microsoft suggests that Windows administrators manually map certificates to a machine account in Active Directory though it also suggests using the Kerberos operating log to see which domain controller is failing to sign in.
Still though, a Windows admin that spoke to BleepingComputer said that the only way they were able to get some of their users to log in following the latest Patch Tuesday updates was by disabling the StrongCertificateBindingEnforcement registry key setting to 0. This registry key is used to change the enforcement mode. The company’s Kerberos Distribution Center (KDC) to Compatibility Mode.
Now that Microsoft is actively investigating these issues and coming up with workarounds, a proper fix should be coming soon or at least during its next Patch Tuesday updates in June.
Via BleepingComputer