Microsoft confirms May 2022 Patch Tuesday update causes AD authentication errors
After installing the update, Windows admins reported that some policies failed with the error: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect".
The issue affects client and server systems running all versions of Windows, including the latest available releases (Windows 11 and Windows Server 2022).
Microsoft says this error is only triggered after installing updates on a server used as a domain controller. Updates will have no negative impact when deployed on Windows client and server devices other than Windows Server domain controllers.
"After installing the updates released on 5/10/2022 on your domain controller, you may see authentication errors on the server or client for services like Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP)", Microsoft shared.
Currently, Microsoft is investigating this issue and will release an update to address it in the near future.
In another support document, Microsoft said that the patches for CVE-2022-26931 and CVE-2022-26923 caused the AD authentication problem. These are two elevation of privilege vulnerabilities in Windows Kerberos and Active Directory Domain Services.
CVE-2022-26923 is a critical vulnerability that allows an attacker to elevate the privileges of a low-level account to an administrator account on default Active Directory configurations.
For the time being, users can work around it by manually mapping the certificate to the machine account in Active Directory.
In the May update, Microsoft also automatically added the registry key StrongCertificateBindingEnforcement. This key switches the Kerberos Key Distribution Center (KDC) to Compatibility mode (this allows all authentication unless the certificate is older than the user account).
However, one administrator said that the only way some of their users could log in was to disable StrongCertificateBindingEnforcement by setting its value to 0.
If you don't find this key in Registry Editor, you can create it manually with the REG_DWORD data type and set it to 0. This disables the strong certificate mapping check. While this isn't a solution Microsoft recommends, it's the only way some people can sign in.
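The two workarounds above, the manual certificate-to-account mapping and the StrongCertificateBindingEnforcement value, can be handled from PowerShell on a domain controller. The script below is an added example, not code from the article or from Microsoft: it reports which enforcement mode the KDC is currently in (so an admin can see whether the value was set to 0 and left there) and builds a strong altSecurityIdentities mapping for a machine account from its certificate, which is the alternative to switching the check off. The registry path HKLM\SYSTEM\CurrentControlSet\Services\Kdc and the X509:<I>issuer<SR>reversed-serial mapping format are taken from Microsoft's KB5014754 guidance and are assumptions of this example, as are the placeholder parameters $CertPath and $ComputerName.

```powershell
# Added example (not from the article or Microsoft). Requires the ActiveDirectory
# module and a domain controller, or an account allowed to edit computer objects.

# Assumed location of the KDC value described in KB5014754.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

# Report the current enforcement mode instead of blindly writing 0.
function Get-KdcCertBindingMode {
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Mode = 'Value absent; KDC default applies' }
    }
    $v = $item.$ValueName
    $mode = switch ($v) {
        0 { 'Disabled: strong mapping check is off (not recommended by Microsoft)' }
        1 { 'Compatibility: weak mappings allowed unless the certificate predates the account' }
        2 { 'Full enforcement: a strong mapping is required' }
        default { "Unknown value $v" }
    }
    [pscustomobject]@{ Value = $v; Mode = $mode }
}

# The <SR> component is the certificate serial number with byte order reversed.
function ConvertTo-ReversedSerial([string]$Serial) {
    $hex   = $Serial -replace '[^0-9A-Fa-f]', ''
    $bytes = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($bytes)
    return (-join $bytes).ToUpper()
}

# The <I> component is the issuer DN with its RDNs in reverse order and no spaces,
# e.g. "CN=CONTOSO-CA, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=CONTOSO-CA".
# Note: splitting on ", " does not handle RDN values containing escaped commas.
function ConvertTo-MappingIssuer([string]$IssuerDn) {
    $rdns = @($IssuerDn -split ',\s*')
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

# Build the strong altSecurityIdentities string for a certificate file.
function New-StrongCertMapping([string]$CertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $issuer = ConvertTo-MappingIssuer $cert.Issuer
    $serial = ConvertTo-ReversedSerial $cert.SerialNumber
    return "X509:<I>$issuer<SR>$serial"
}

# Apply the mapping to the machine account (placeholder names; adjust for your domain).
function Add-StrongCertMapping([string]$ComputerName, [string]$CertPath) {
    $mapping = New-StrongCertMapping -CertPath $CertPath
    Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }
    return $mapping
}

# Usage (placeholders):
Get-KdcCertBindingMode | Format-List
# Add-StrongCertMapping -ComputerName 'WORKSTATION01' -CertPath 'C:\certs\workstation01.cer'
```

Run Get-KdcCertBindingMode first: if it returns 0, the strong mapping check is disabled on that DC and the value should be revisited once certificates carry strong mappings, since leaving it at 0 reintroduces the weak-mapping condition the May update was meant to close. The mapping helper lets the affected accounts authenticate under Compatibility mode without touching the registry at all.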
Last November, Microsoft also fixed Windows Server authentication errors related to Kerberos authorization scenarios affecting Domain Controllers (DCs) via emergency updates.