Microsoft’s May Patch Tuesday Updates Cause Windows AD Authentication Errors

Microsoft’s May Patch Tuesday update is triggering authentication errors.

Threatpost

Microsoft is alerting customers that its May Patch Tuesday update is causing authentication errors and failures tied to Windows Active Directory Domain Services. In a Friday update, Microsoft said it was investigating the issue.

The warning comes amid shared reports of multiple services and policies failing after installing the security update. “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect,” an admin posted to a Reddit thread on the topic.

According to Microsoft, the issue occurs after installing the updates released on May 10, 2022.

“After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” Microsoft reported.

“An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,” Microsoft added.

A domain controller is a server responsible for responding to authentication requests and verifying users on a computer network, and Active Directory is a directory service that stores information about objects on a network and makes this information readily available to users.

Microsoft added a note that the update will not affect client Windows devices or non-domain controller Windows servers, and will only cause issues on servers acting as domain controllers.

“Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue. This issue only affects installation of May 10, 2022, updates installed on servers used as domain controllers,” Microsoft explains.

**Authentication Failure Caused by Security Update**

Microsoft released another document with further details on the authentication problem, which is caused by the security update addressing privilege escalation vulnerabilities in Windows Kerberos and Active Directory Domain Services.

The vulnerabilities are tracked as CVE-2022-26931 in Windows Kerberos, with a high-severity CVSS rating of 7.5, and CVE-2022-26923 (discovered by security researcher Oliver Lyak) in Microsoft’s Active Directory Domain Services, which has a CVSS score of 8.8 and is rated high. If left unpatched, an attacker can exploit the vulnerability to escalate privileges to those of a domain admin.

**Workarounds**

Microsoft advises domain administrators to manually map certificates to a user in Active Directory until the official updates are available.

“Domain administrators can manually map certificates to a user in Active Directory using the altSecurityIdentities attribute of the user’s Object,” Microsoft added.

“If the preferred mitigation will not work in your environment, please see ‘KB5014754—Certificate-based authentication changes on Windows domain controllers’ for other possible mitigations in the SChannel registry key section,” Microsoft reported.

According to Microsoft, any other mitigation method might not provide adequate security hardening.
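
The manual mapping Microsoft describes can be scripted. The following is an added example, not code from the article or from Microsoft; it builds an altSecurityIdentities value in the issuer-and-serial-number format documented in KB5014754, where the issuer's name components and the serial number's bytes are both written in reverse order. The function name, account name, issuer and serial number are hypothetical sample values.

```powershell
# Added example: build an issuer + serial number mapping string for
# altSecurityIdentities (format as documented in KB5014754).
# ConvertTo-IssuerSerialMapping is a hypothetical helper name.
function ConvertTo-IssuerSerialMapping {
    [CmdletBinding()]
    param(
        # Issuer as displayed on the certificate, e.g. 'CN=..., DC=..., DC=...'
        [Parameter(Mandatory)][string]$Issuer,
        # Serial number as displayed on the certificate (hex; spaces or colons allowed)
        [Parameter(Mandatory)][string]$SerialNumber
    )

    # Split on commas that are not backslash-escaped, then reverse the RDN order.
    $rdns = @([regex]::Split($Issuer, '(?<!\\),') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [array]::Reverse($rdns)

    # Normalise the serial and reject anything that is not whole hex bytes.
    $hex = ($SerialNumber -replace '[\s:]', '').ToUpperInvariant()
    if ($hex -notmatch '^([0-9A-F]{2})+$') {
        throw "Serial number must be an even number of hex digits: '$SerialNumber'"
    }

    # The mapping stores the serial byte-reversed relative to how it is displayed.
    $bytes = @([regex]::Matches($hex, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($bytes)

    'X509:<I>{0}<SR>{1}' -f ($rdns -join ','), (-join $bytes)
}

# Sample certificate details (constructed for illustration).
$mapping = ConvertTo-IssuerSerialMapping `
    -Issuer 'CN=CONTOSO-DC-CA, DC=contoso, DC=com' `
    -SerialNumber '2B0000000011AC0000000012'
Write-Output $mapping

# Apply only where the ActiveDirectory module is present; 'DomainUser' is a
# placeholder account. -Add keeps any mappings the object already has.
# Remove -WhatIf after reviewing the change it reports.
if (Get-Command Set-ADUser -ErrorAction SilentlyContinue) {
    Set-ADUser -Identity 'DomainUser' -Add @{ altSecurityIdentities = $mapping } -WhatIf
}
```

Issuer names with multi-valued or unusually escaped components should be checked by hand against the certificate before the mapping is written.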

According to Microsoft, the May 2022 update allows all authentication attempts unless the certificate is older than the user. This is because the updates automatically set the StrongCertificateBindingEnforcement registry key, “which changes the enforcement mode of the KDC to Disabled Mode, Compatibility Mode, or Full Enforcement Mode,” Microsoft explains.

One Windows admin who spoke to BleepingComputer said that the only way they were able to get some of their users to log in following installation of the patch was to disable the StrongCertificateBindingEnforcement key by setting its value to 0.

By setting the REG_DWORD value to 0, the admin can disable the strong certificate mapping check, and can create the key from scratch. This method is not recommended by Microsoft, but it’s the only way to allow all users to log in.

Microsoft is investigating the issues, and a proper fix should be available soon.

Microsoft also recently released 73 new patches as part of May’s monthly update of security fixes.
