The May 2022 Windows Updates may cause Active Directory Authentication Failures

The May 2022 updates for all supported versions of Windows Server may cause Active Directory authentication failures. Microsoft is investigating the issue. A workaround is available for organizations experiencing issues.

The situation

The Windows updates of May 10th, 2022, address several vulnerabilities on Domain Controllers, including several of the ten LDAP Remote Code Execution vulnerabilities (CVSSv3 9.8) and an zero-day LSA Spoofing vulnerability (Important, CVE-2022-26925, CVSSv3 8.1-9.8). Another vulnerability addressed in these updates is CVE-2022-26923 (discovered by security researcher Oliver Lyak and dubbed Certifried).

Microsoft has urged Active Directory admins to update Domain Controllers as soon as possible.

The updates were released for all supported Windows Server versions:

  1. KB5014010 or KB5014006 for Windows Server 2008
  2. KB5014012 or KB5013999 for Windows Server 2008 R2
  3. KB5014017 or KB5014018 for Windows Server 2012
  4. KB5014011 or KB5014001 for Windows Server 2012 R2
  5. KB5013952 for Windows Server 2016
  6. KB5013941 for Windows Server 2019
  7. KB5013944 for Windows Server 2022

However, when the May 2022 Windows updates are installed on Domain Controllers relying on certificate authentication, authentication failures may occur.

The issue

Admins are sharing reports that they are experiencing errors:

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect.

The cause

The Windows updates of May 10th, 2022, when installed on domain controllers cause these issues, as described by Microsoft in KB5014754

CVE-2022-26931 and CVE-2022-26923 address elevation of privilege (EoP)vulnerabilities that may occur when the Kerberos Distribution Center (KDC) services a certificate-based authentication request. Before the May 10th, 2022, security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between userPrincipalName and sAMAccountName attributes introduced other emulation (spoofing) vulnerabilities that Microsoft also addressed with this security update.

When an administrator installs the May 10, 2022 Windows updates, devices will be in compatibility mode for the measures:

  1. If a certificate can be strongly mapped to a user, based on the X509IssuerSerialNumber, X509SKI or X509SHA1PublicKey mappings for the altSecurityIdentities attribute, authentication will occur as expected.
  2. If a certificate can only be weakly mapped to a user, based on the X509IssuerSubject or X509SubjectOnly mappings for the altSecurityIdentities attribute, authentication will occur as expected. However, a warning will be logged unless the certificate is older than the user. If the certificate is older than the user, authentication will fail, and an error will be logged.

Microsoft updates all devices to full enforcement mode for these measures by May 9, 2023.

The workaround

The May 2022 Windows updates set the StrongCertificateBindingEnforcement registry key in HKLM\SYSTEM\CurrentControlSet\Services\Kdc, which changes the enforcement mode of the Kerberos Distribution Center (KDC) to compatibility mode. While setting this registry key manually to 0 alleviates the encountered errors, it does not address the vulnerability. Also, Microsoft removes the registry key and its functionality on February 14th, 2023.

While Microsoft is working on a solution, Active Directory admins can use a workaround by manually mapping certificates to users in Active Directory using the altSecurityIdentities attribute of the user’s object. For more information use the information in HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute on Microsoft Docs.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.