Description
The Cybersecurity and Infrastructure Security Agency (CISA) warns that Windows updates for May should not be installed on domain controllers. They indicated that installing these updates may cause authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
Summary
When the update is applied on a Windows Server domain controller, the fixes for two elevation of privilege vulnerabilities in Windows Kerberos and Active Directory Domain Services (recorded as CVE-2022-26931 and CVE-2022-26923) will cause service authentication difficulties. This problem only affects the May 10, 2022, updates installed on domain controller servers. Client Windows devices and non-domain-controller Windows Servers should continue to receive updates. As Microsoft no longer provides separate installers for each security issue during Patch Tuesday, an administrator cannot select only one of the security updates to install.
How it works
The updates automatically set the StrongCertificateBindingEnforcement registry key on the domain controller. This key controls the enforcement mode of the Key Distribution Center (KDC): Disabled Mode, Compatibility Mode, or Full Enforcement Mode. In Compatibility Mode, which the update enables, all certificate-based authentication attempts are allowed unless the certificate is older than the user account it is mapped to.
Workarounds
Microsoft suggests manually mapping certificates to a machine account in Active Directory until they provide an official update to fix the AD authentication issues caused by applying this month's security patches.
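The following PowerShell is an added example, not code from the CIRT alert or from Microsoft, covering both the registry key described under "How it works" and the manual mapping workaround above. It reads the KDC enforcement mode from the registry path Microsoft documents for this setting, builds a strong certificate mapping string in Microsoft's X509IssuerSerialNumber format (issuer DN with its RDNs reversed, serial number in reverse byte order), and appends it to a computer object's altSecurityIdentities attribute. It assumes it runs on a domain controller with the RSAT ActiveDirectory module installed; the certificate issuer, serial number and computer name used in the usage lines are constructed sample values.

```powershell
# Added example (not from the CIRT alert or Microsoft). Assumes: run as an
# administrator on a domain controller with the ActiveDirectory module present.
# Registry location of the KDC enforcement setting written by the May 2022 update.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

function Get-KdcEnforcementMode {
    # Returns a human-readable name for the current KDC enforcement mode.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Not set (Compatibility Mode applies once the May 2022 update is installed)'
    }
    switch ($item.$ValueName) {
        0       { 'Disabled Mode' }
        1       { 'Compatibility Mode' }
        2       { 'Full Enforcement Mode' }
        default { "Unknown value $($item.$ValueName)" }
    }
}

function New-StrongCertificateMapping {
    # Builds the X509:<I>issuer<SR>serial string for altSecurityIdentities.
    param(
        [Parameter(Mandatory)][string]$IssuerDN,      # issuer as shown on the certificate, e.g. 'CN=CORP-CA,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$SerialNumber   # serial number as a hex string as shown on the certificate
    )
    # Issuer: RDN order is reversed relative to the certificate's display form.
    # Limitation: a plain split on ',' does not handle escaped commas inside an RDN value.
    $rdns = @(($IssuerDN -split ',') | ForEach-Object { $_.Trim() })
    [array]::Reverse($rdns)
    $reversedIssuer = $rdns -join ','

    # Serial: strip separators, pad to whole bytes, then reverse the byte order.
    $hex = $SerialNumber -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length % 2 -ne 0) { $hex = '0' + $hex }
    $bytes = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($bytes)
    $reversedSerial = ($bytes -join '').ToUpper()

    return "X509:<I>$reversedIssuer<SR>$reversedSerial"
}

function Set-ComputerCertificateMapping {
    # Appends a mapping to the computer object's altSecurityIdentities attribute.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Mapping
    )
    Import-Module ActiveDirectory
    # altSecurityIdentities is multi-valued; -Add appends instead of overwriting existing mappings.
    Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $Mapping }
    # Return the attribute so the caller can confirm the new value is present.
    (Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities).altSecurityIdentities
}

# Usage with constructed sample values (hypothetical CA, serial number and computer name).
"KDC enforcement mode: $(Get-KdcEnforcementMode)"
$mapping = New-StrongCertificateMapping -IssuerDN 'CN=CORP-CA,DC=corp,DC=example' -SerialNumber '1A2B3C4D5E6F'
"Mapping to apply: $mapping"
# Apply it to the machine account of the affected server (uncomment on a domain controller):
# Set-ComputerCertificateMapping -ComputerName 'NPS01' -Mapping $mapping
```

Read the issuer and serial number from the certificate the service presents (for example from its properties in the local certificate store) rather than typing them by hand, and check the returned altSecurityIdentities value before testing authentication again.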
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: AL2022_29 Microsoft's May Patch Tuesday update is causing authentication issues and failures.pdf
References
https://msrc.microsoft.com/update-guide/vulnerability