Microsoft confirms May 2022 Patch Tuesday updates cause Active Directory authentication errors
After installing the update, Windows administrators reported that authentication was failing with the error: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect".
The issue affects both client and server platforms across all supported versions of Windows, including the latest releases (Windows 11 and Windows Server 2022).
Microsoft says the error is triggered only when the updates are installed on a server acting as a domain controller. On Windows client devices, and on servers that are not domain controllers, the updates have no such negative effect.
"After installing the updates released on 5/10/2022 on your domain controller, you may see authentication errors on the server or client for services like Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP)", Microsoft shared.
Currently, Microsoft is investigating this issue and will release an update to address it in the near future.
In a separate support document, Microsoft said that the fixes for CVE-2022-26931 and CVE-2022-26923 are what caused the AD authentication problem. These are two elevation-of-privilege vulnerabilities, in Windows Kerberos and in Active Directory Domain Services respectively.
CVE-2022-26923 is a critical vulnerability that allows an attacker holding a low-privileged domain account to escalate to administrator privileges on default Active Directory configurations. The fix changes how domain controllers map certificates to accounts, which is why certificate-based authentication (for example EAP/PEAP through NPS) is what breaks.
For the time being, affected users can work around the problem by manually mapping the certificate to the machine account in Active Directory (through the account's altSecurityIdentities attribute).
The May update also adds the registry value StrongCertificateBindingEnforcement under HKLM\SYSTEM\CurrentControlSet\Services\Kdc. It controls the enforcement mode of the Kerberos Key Distribution Center (KDC) and is set to Compatibility mode, in which authentication continues to succeed unless the certificate predates the account it is being mapped to.
However, one administrator said that the only way some of their users could log in was to disable StrongCertificateBindingEnforcement by setting its value to 0.
If the value is not present in Registry Editor, you can create it manually as a REG_DWORD and set it to 0, which disables the strong certificate mapping check entirely. Microsoft does not recommend this, but for those administrators it was the only way users could sign in until a fix ships.
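As an added example (not Microsoft's code and not taken from the support documents above), the following PowerShell inspects the KDC's StrongCertificateBindingEnforcement value, lets you set it explicitly (back to Compatibility mode, or to 0 if you must), predicts which accounts will hit the "certificate older than the account" rejection, and builds the X509:<I>issuer<SR>serial strong mapping that the manual altSecurityIdentities workaround relies on. It assumes it is run as an administrator on a domain controller with the ActiveDirectory module available; the certificate path C:\temp\host01.cer and the computer account HOST01$ are placeholders.

```powershell
# Added example, not Microsoft's code. Assumes: administrator on a DC,
# ActiveDirectory module present. Paths and account names are placeholders.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

function Get-KdcStrongBindingMode {
    # Reads the current value; on an updated DC a missing value behaves like
    # Compatibility mode (1), so that is what we report when it is absent.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    $raw = if ($null -eq $item) { 1 } else { [int]$item.$ValueName }
    switch ($raw) {
        0 { 'Disabled (0): strong mapping check off - not recommended' }
        1 { 'Compatibility (1): weak mappings allowed unless the certificate predates the account' }
        2 { 'Full Enforcement (2): only strongly mapped certificates accepted' }
        default { "Unknown ($raw)" }
    }
}

function Set-KdcStrongBindingMode {
    param([ValidateSet(0, 1, 2)][int]$Mode)
    # Creates the REG_DWORD if it is missing, overwrites it otherwise.
    # 0 is the unsupported workaround from the article; 1 restores the default.
    New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $Mode -Force | Out-Null
    Get-KdcStrongBindingMode
}

function New-StrongCertificateMapping {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Strong mapping format: issuer DN in reverse RDN order, serial number in
    # reverse byte order. The comma normalisation assumes no RDN value itself
    # contains ", "; review the result for unusual issuer names.
    $flags  = [System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::Reversed
    $issuer = $Certificate.IssuerName.Decode($flags) -replace ',\s+', ','
    $hex = $Certificate.SerialNumber                        # big-endian hex string
    [string[]]$bytes = for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) }
    [array]::Reverse($bytes)
    return "X509:<I>$issuer<SR>$(-join $bytes)"
}

function Test-CertificatePredatesAccount {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # Compatibility mode rejects a weakly mapped certificate whose NotBefore is
    # earlier than the account's creation time; reproduce that comparison so the
    # failing accounts can be found before users report them.
    $acct = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties whenCreated
    if ($null -eq $acct) { throw "Account '$SamAccountName' not found" }
    return ($Certificate.NotBefore.ToUniversalTime() -lt $acct.whenCreated.ToUniversalTime())
}

function Add-ComputerCertificateMapping {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # sAMAccountName, e.g. 'HOST01$'
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Appends the strong mapping to altSecurityIdentities on the machine account.
    $mapping = New-StrongCertificateMapping -Certificate $Certificate
    Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }
    return $mapping
}

# Usage with placeholder inputs (hypothetical certificate file and account):
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\host01.cer'
Get-KdcStrongBindingMode
Test-CertificatePredatesAccount -Certificate $cert -SamAccountName 'HOST01$'
Add-ComputerCertificateMapping -ComputerName 'HOST01$' -Certificate $cert
```

The mapping function is the piece worth keeping once a fix ships: a certificate that is strongly mapped through altSecurityIdentities keeps working in Full Enforcement mode, whereas setting the registry value to 0 only postpones the problem.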
Last November, Microsoft also had to fix Windows Server authentication errors on domain controllers (DCs), in that case affecting Kerberos delegation scenarios, through emergency out-of-band updates.