Microsoft security patches breaking authentication

It’s been a busy few days for Microsoft: after withdrawing a non-security Windows 11 update on Monday, it issued another update for Patch Tuesday, only to find almost immediately that the newer patch has an authentication bug.

OS Build 22000.652 landed on April 25, and was “expired” without explanation on Monday. 

The only hint admins could glean from Microsoft’s announcement is that while the patch was described as a “non-security update”, users are told to “update your devices to the latest security quality update.”

When Patch Tuesday happened, diligent systems administrators got busy, and then got noisy with complaints that the update broke authentication on domain controllers.

This comment from a German forum (translated) describes what the admin sees: “Yes, I have the NPS [Network Policy Server] running here with computer certificates.

“With the KB5013941 update, authentications can no longer be carried out based on certificates (Error 16, Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.)

“After uninstalling the update, the NPS works again.”

Microsoft’s explanation in KB5013943 attributes the issue to certificate mapping.

“After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

“An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.”

Since the patch covered escalation-of-privilege vulnerabilities in Kerberos (CVE-2022-26931) and Active Directory (CVE-2022-26923), Microsoft would rather admins didn’t simply roll back the patch.

The mitigation offered by Microsoft is to “manually map certificates to a machine account in Active Directory”, with other options available in KB5014754.
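As an added illustration of that manual mapping (this is not code from the article or from Microsoft), the script below builds the strong `X509:<I>issuer<SR>serial` mapping string that KB5014754 describes, writes it to the machine account’s `altSecurityIdentities` attribute, and reads it back. It assumes the ActiveDirectory PowerShell module is present, that the client’s certificate has been exported to a `.cer` file, and that the computer name and file path are placeholders you replace.

```powershell
# Added example (not from the article or Microsoft): manually map a client
# certificate to a machine account as KB5014754 describes.
# Assumptions: ActiveDirectory module installed, run as an account allowed to
# modify the computer object; -ComputerName and -CertPath are placeholders.
param(
    [Parameter(Mandatory)][string]$ComputerName,   # e.g. NPS-CLIENT01 (placeholder)
    [Parameter(Mandatory)][string]$CertPath        # e.g. C:\temp\nps-client01.cer (placeholder)
)
Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# KB5014754 shows the issuer in reversed (DC=...,CN=...) order, while the
# certificate presents it as "CN=..., DC=..., DC=...". Reverse the RDN list.
# Caveat: a plain split on commas breaks on RDNs that contain escaped commas;
# check the issuer manually if your CA name includes one.
$rdns = [string[]]($cert.Issuer -split ',\s*')
[array]::Reverse($rdns)
$issuer = $rdns -join ','

# KB5014754 requires the serial number in reverse byte order. GetSerialNumber()
# already returns the bytes little-endian, so joining them gives that order.
$serialReversed = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''

$mapping = "X509:<I>$issuer<SR>$serialReversed"
Write-Host "Mapping to add: $mapping"

# altSecurityIdentities is multi-valued; -Add keeps any existing mappings.
Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }

# Read back and confirm the value landed on the account.
$account = Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities
if ($account.altSecurityIdentities -contains $mapping) {
    Write-Host "Verified: $ComputerName now carries the strong mapping."
} else {
    Write-Warning "Mapping not found on $ComputerName; check permissions and replication."
}
```

After the change, a client whose certificate now maps strongly should authenticate again through NPS without the update being uninstalled; if it still fails, compare the issuer string and serial order in the attribute against the certificate before looking elsewhere.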