Microsoft has acknowledged authentication problems caused by its May security updates, released last week.
The problems appear only on Windows devices that act as domain controllers; the issue stems from how the domain controller maps certificates to accounts after the update.
After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.
Microsoft is still investigating the issue. Its interim workaround is not to roll back the faulty patches, which would also remove the month's security fixes. Instead, Microsoft wants affected organizations to "manually map certificates to a machine account in Active Directory" following the instructions in its "Certificate Mapping" document.
Microsoft offers an alternative if the manual mapping cannot be carried out:
If the preferred mitigation will not work in your environment, please see KB5014754—Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the SChannel registry key section.
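The following PowerShell is an added example, not code from the article, from KB5014754 or from Microsoft. It carries out the manual mapping described above: it builds the strong `X509:<I>issuer<SR>reversed-serial` value that KB5014754 documents for the `altSecurityIdentities` attribute, writes it to the machine account, reads it back, and only if explicitly asked applies the SChannel registry fallback from the same KB. It assumes the RSAT ActiveDirectory module is installed and that the caller supplies the certificate file path and computer name; both parameters are illustrative.

```powershell
<#
Added example, not code from the article, from KB5014754 or from Microsoft.
Builds the strong "<I>issuer<SR>reversed-serial" altSecurityIdentities mapping
that KB5014754 documents, writes it to a machine account, and (only if asked)
applies the KB's SChannel registry fallback. Needs the RSAT ActiveDirectory
module and rights to edit the computer object. $CertPath and $ComputerName are
illustrative parameters supplied by the caller.
#>
param(
    [Parameter(Mandatory)] [string] $CertPath,      # DER or PEM file of the machine's certificate
    [Parameter(Mandatory)] [string] $ComputerName,  # sAMAccountName without the trailing '$'
    [switch] $UseSchannelFallback                   # only when the mapping cannot be used
)

Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# KB5014754 wants the issuer DN with its RDNs in reverse order and no spaces
# after the commas, so CN=CONTOSO-DC-CA, DC=contoso, DC=com becomes
# DC=com,DC=contoso,CN=CONTOSO-DC-CA. Split on commas that are not
# backslash-escaped; a DN with a quoted value that contains a comma still
# needs a manual check.
$rdns = @($cert.Issuer -split '(?<!\\),\s*')
[array]::Reverse($rdns)
$issuer = $rdns -join ','

# The serial goes in reversed byte order. GetSerialNumber() already returns the
# bytes little-endian, which is the order the KB asks for, so a displayed serial
# of 2B0000000011AC0000000012 comes out as 1200000000AC11000000002B.
$serial = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''

$mapping = "X509:<I>$issuer<SR>$serial"
Write-Host "Writing mapping $mapping to $ComputerName"

# -Add keeps any mappings already on the object; use -Replace to overwrite them.
Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }

# Read the attribute back so the change is confirmed from the directory itself.
Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities

if ($UseSchannelFallback) {
    # KB5014754's SChannel fallback: CertificateMappingMethods = 0x1F restores the
    # pre-update mapping behaviour on this DC, including the weak mapping methods
    # the update stopped trusting. Treat it as temporary and remove it once a
    # fixed update is installed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    New-ItemProperty -Path $key -Name CertificateMappingMethods -PropertyType DWord -Value 0x1F -Force | Out-Null
}
```

Run it once per affected machine account, pointing `-CertPath` at that machine's certificate (exported from the relevant certificate store), and compare the value it prints against the certificate's issuer and serial before trusting it. The mapping targets one certificate on one account, which is why Microsoft prefers it; the registry switch widens what every certificate on that domain controller is allowed to map to, so keep it off unless the mapping route really is unavailable.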
The issue affects all supported Windows Server versions, plus Windows Server 2008, which only still receives Extended Security Updates.
Microsoft has described the validation process that it and its partners carry out before patches are released, and it can roll back a patch once a problem is detected. That does not help organizations that applied the May patches before the issue was found, though; they are left with the workarounds above.