After the last Patch Tuesday updates, many Windows users started to have update-related complaints. According to BleepingComputer, Microsoft has reportedly begun investigating these issues that put your device and yours at risk after Windows administrators shared reports that some policies failed after installing the latest updates. Moreover, this is not the first problem brought by the updates. We shared a similar problem with you in the past days.
According to this new issue, a number of Windows services are experiencing authentication issues. In the statement, it is noted that only client and server Windows platforms and systems, including those running Windows 11 and Windows Server 2022, are affected by the current problem; Microsoft states that the issue only triggers after installing updates on servers used as domain controllers.
Windows administrators encountering ‘authentication issues’ on many services
Windows administrators encountering the issue, after installing updates “Authentication due to user credential mismatch” failed. The username provided does not match an existing account or the password is incorrect”. Microsoft, meanwhile, mentions authentication failures for a number of services, including Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). notes that it may be the subject.
In another statement, Microsoft states that these issues are caused by security updates related to privilege escalation vulnerabilities in Windows Kerberos and Active Directory Domain Services. Accordingly, if this vulnerability (CVE-2022-26923) in Active Directory Domain Services, which has a high-prevention CVVS score of 8.8, is not fixed, it means that attackers can use an account’s privileges to elevate the privileges of a domain administrator.
On the other hand, the vulnerability in Windows Kerberos (CVE-2022-26931) stands out with its CVSS score of 7.5 with a high prevention rating.
So what can you do?
Microsoft recommends that Windows administrators manually map certificates to a machine account in Active Directory to reduce these authentication issues; and recommends using the Kerberos Operational log to see which domain controller failed to log in.
In contrast, a Windows administrator reports that the only way for some users who have installed the latest updates to log in is to disable the StrongCertificateBindingEnforcement registry key by setting it to 0. This registry key is used to change the enforcement mode of the company’s Kerberos Deployment Center (KDC) to ‘Compatibility mode’.
Now that Microsoft is actively investigating these issues and providing workarounds, this means that a suitable fix may be available soon, or at least in the patch due in June.