Microsoft has released a fix for the certificate mapping issue, but many administrators have instead uninstalled the update to avoid operational disruption.
According to online discussions, numerous companies are experiencing problems, particularly those that installed the updates on Windows servers that also act as domain controllers (DCs) and run Active Directory Certificate Services (AD CS). Some administrators reported that Network Policy Server (NPS) policies were failing with the error "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect" (NPS event ID 6273, reason code 16).
Removing update KB5013941 (the May 2022 cumulative update for Windows Server 2022) reportedly resolved the issue. One user pointed out that in their setup, the DC and NPS roles run on different servers, and after testing the update on each, they concluded that the NPS servers can stay patched while the update may have to be rolled back on the DCs.
Steve Syfuhs, a Microsoft senior software engineer who works on Windows authentication and identity, confirmed the problem, acknowledging that it is being reported by a large number of IT administrators. "After installing the updates released on May 10, 2022 for domain controllers, authentication failures may arise on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP)," Syfuhs said, adding that "an issue has been identified with how the domain controller handles the assignment of certificates to machine accounts."
Microsoft on Tuesday patched two "high severity" privilege escalation vulnerabilities, CVE-2022-26931 (Windows Kerberos) and CVE-2022-26923 (Active Directory Domain Services), as part of its monthly security updates. Both are fixed by hardening the way domain controllers map a certificate to the account it authenticates (documented by Microsoft in KB5014754), and it is this stricter mapping, not the vulnerabilities themselves, that is breaking certificate-based logons for Windows Server administrators.
Earlier this year, a large number of Windows Server administrators opted out of Microsoft's security patches, citing several issues that caused such severe operational disruption that they preferred to remain unprotected rather than deploy the fixes.
Microsoft has published a mitigation for administrators who want to work around the certificate issue but don't want to uninstall the latest update, since that would leave them exposed to the vulnerabilities it patches. Microsoft stated that the workaround is to manually map the certificate to the machine account in Active Directory, which means writing a mapping string into the account's altSecurityIdentities attribute.
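The manual mapping workaround, as an added example that is not part of the article and not Microsoft's own script: the script below builds a strong "X509:<I>issuer<SR>serial" mapping string for a machine certificate and adds it to the computer account's altSecurityIdentities attribute with the ActiveDirectory module. It assumes RSAT is installed, that the caller can write the computer object, and that the certificate the NPS/RRAS host presents for EAP/PEAP has been exported to a .cer file; the computer name, file path and DN used in the comments are assumed examples.

```powershell
<#
Added example (not from the article or from Microsoft). Builds a strong
X509:<I>...<SR>... mapping for a machine certificate and writes it to the
computer account's altSecurityIdentities attribute.
Assumptions: ActiveDirectory module (RSAT) present, caller can write the
computer object, -CertificatePath is an exported .cer (DER or Base64).
#>
param(
    [Parameter(Mandatory)] [string] $ComputerName,     # e.g. NPS01 (assumed name)
    [Parameter(Mandatory)] [string] $CertificatePath,  # e.g. C:\temp\nps01.cer (assumed path)
    [switch] $WhatIf
)

Import-Module ActiveDirectory -ErrorAction Stop

# Reverse "CN=CONTOSO-DC-CA, DC=contoso, DC=com" into "DC=com,DC=contoso,CN=CONTOSO-DC-CA",
# the order the mapping string expects. This is a naive split on commas:
# a DN containing an escaped comma ("\,") needs a real DN parser instead.
function ConvertTo-ReversedDN {
    param([string] $Dn)
    $parts = @($Dn -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [array]::Reverse($parts)
    return ($parts -join ',')
}

# Byte-reverse the hex serial number, e.g.
# "2B0000000011AC0000000012" -> "1200000000AC11000000002B".
function ConvertTo-ReversedSerial {
    param([string] $SerialHex)
    if ($SerialHex.Length % 2) { $SerialHex = '0' + $SerialHex }
    $pairs = @(for ($i = 0; $i -lt $SerialHex.Length; $i += 2) { $SerialHex.Substring($i, 2) })
    [array]::Reverse($pairs)
    return ($pairs -join '').ToUpper()
}

# Load the certificate; resolve the path first because .NET does not use
# PowerShell's current location for relative paths.
$certFile = (Resolve-Path -Path $CertificatePath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certFile)

$mapping = 'X509:<I>{0}<SR>{1}' -f (ConvertTo-ReversedDN $cert.Issuer),
                                   (ConvertTo-ReversedSerial $cert.SerialNumber)
Write-Host "Mapping string: $mapping"

$computer = Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities
if ($computer.altSecurityIdentities -contains $mapping) {
    Write-Host "$ComputerName already carries this mapping; nothing to do."
    return
}

# -Add appends to the multi-valued attribute; any existing mapping on the
# account (for example a weak X509:<S>... subject mapping) is left in place.
Set-ADComputer -Identity $computer.DistinguishedName `
    -Add @{ altSecurityIdentities = $mapping } -WhatIf:$WhatIf

# Read the attribute back so the change can be confirmed before testing a logon.
(Get-ADComputer -Identity $computer.DistinguishedName -Properties altSecurityIdentities).altSecurityIdentities
```

Run it once with -WhatIf to see the mapping string before anything is written. Because the <SR> form binds the mapping to one serial number, it has to be redone every time that certificate is renewed; certificates issued by an updated AD CS server carry the new SID extension and do not need a manual mapping at all.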