Following the implementation of the latest round of Patch Tuesday updates, Microsoft is currently investigating a known issue leading to authentication errors for some Windows services.
According to BleepingComputerthe software giant began investigating these issues after Windows administrators began sharing reports of certain policies failing after installing the May 2022 Patch Tuesday updates.
These administrators reported that after installing the updates, they started seeing the following error message: “Authentication failed due to a user credential mismatch. The username provided was not assigned to an existing account or the password was incorrect.”
While this issue affects client and server Windows platforms and systems, including those running Windows 11 and Windows Server 2022, Microsoft says it only activates after updates are installed on servers used as domain controllers.
In a support document, the company explained that authentication errors can occur for a number of services, including Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP).
Do not authenticate
In a separate support document, Microsoft detailed these service authentication issues by explaining that they are caused by security updates that address privilege escalation vulnerabilities in Windows Kerberos and its Active Directory Domain Services.
Vulnerability in Microsoft Active Directory Domain Services (tracked as CVE-2022-26923) has a very severe CVSS score of 8.8 and, if not patched, could be exploited by an attacker to elevate an account’s privileges to that of a domain administrator. Meanwhile, the vulnerability in Windows Kerberos (tracked as CVE-2022-26931) also has a very severe CVSS score of 7.5.
To mitigate these authentication issues, Microsoft suggests that Windows administrators manually assign certificates to a computer account in Active Directory, although it also suggests using the Kerberos Operational log to see which domain controller is unable to log on.
But still, a Windows administrator who spoke to BleepingComputer said the only way they could get some of their users to login after installing the latest Patch Tuesday updates was to disable the StrongCertificateBindingEnforcement registry key by setting it to 0. This registry key is used to enable enforcement mode of the company’s Kerberos Distribution Center (KDC) to compatibility mode.
With Microsoft actively investigating these issues and coming up with workarounds, a proper fix should be out soon, or at least during the next Patch Tuesday updates in June.