Following the rollout of Windows newest round of Patch for Tuesday updates, Microsoft is currently looking at a known issue causing authentication failures for some of it services, as per TechRadar.
Microsoft started the investigation after Windows admins started sharing reports of some policies failing after installing May's security updates with "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect" errors, according to BleepingComputer.
The Issue Affects Windows Clients and Server
The issue affects client and server Windows platforms and systems including those running on Windows 11 and Windows Server 2022.
However, according to Microsoft, it is only triggered after updates are installed on servers being used as domain controllers.
Moreover, updates will not negatively impact when deployed on client Windows devices and non-domain controller Windows Servers.
Microsoft explained that authentication failures may be observed for a number of services including Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
"An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller," Microsoft added.
Read Also: Samsung to Allow Windows Updates Again
Failure To Authenticate is Caused by Security Updates
In a separate support document, Microsoft explained that the ongoing service authentication problems are caused by security updates addressing CVE-2022-26931 and CVE-2022-2692.
These are two elevations of privilege vulnerabilities in Windows Kerberos and Active Directory Domain Services.
CVE-2022-26923, the more severe one, has a high severity CVSS score of 8.8 and can be exploited by an attacker to elevate the privileges of an account to those of a domain admin if left unpatched.
On the other hand, the vulnerability in Windows Kerberos tracked as CVE-2022-26931 also has a high severity CVSS score of 7.5.
Microsoft suggested that Windows admins manually map certificates to a machine account in Active Directory to mitigate these authentication issues. But it also suggested using the Kerberos Operational log to see which domain controller is failing to sign in.
"Any other mitigation except the preferred mitigations might lower or disable security hardening," Microsoft said.
According to the BleepingComputer, Microsoft said that the May 2022 updates automatically set the StrongCertificateBindingEnforcement registry key, which changes the enforcement mode of the Kerberos Distribution Center (KDC) to Compatibility mode.
Unless the certificate is older than the user, this should allow all authentication attempts.
But a Windows admin told the BleepingComputer that the only way to get some of their users to log in with this update was to disable the StrongCertificateBindingEnforcement key by setting it to 0.
In addition, you have to create the key from scratch using a REG_DWORD Data Type if you don't find the key in the registry. Afterward, set it to 0 to disable the strong certificate mapping check.
Currently, Microsoft is investigating these issues and trying to come up with workarounds.
A proper fix should arrive at least during its next Patch Tuesday updates in June.
Related Article: Windows 11 Preview Update Will Break Some Apps - Here's How To Fix It
