Microsoft has released an out-of-band patch to address an authentication issue that was introduced in the Windows update on May 10th.
Elizabeth Tyler, cybersecurity consultant on Microsoft’s Detection and Response Team, confirmed the fix to concerned administrators early this morning.
Yes, corrected and released May 19th.
CU:
WS 2022: KB5015013
WS, version 20H2: KB5015020
WS 2019: KB5015018
WS 2016: KB5015019
Standalone:
WS 2012 R2: KB5014986
WS 2012: KB5014991
WS 2008 R2 SP1: KB5014987
WS 2008 SP2: KB5014990– Elizabeth Tyler (@MSetyler) May 20, 2022
Several administrators complained last week that after installing the May 10 patch, they experienced authentication errors across multiple systems.
Tyler said at that time: “We know the root cause is that the subject name is incorrectly used to associate the certificate to a machine account in AD instead of the DNSHost name in the subject’s alternate name of DCs that have installed 5b and we are working on it. “
An entry then appeared on the long list of known issues for the patch, in which Microsoft warned that after installing the May 10 patch on domain controllers, there may be issues with some services.
“These services,” it said, “include Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP).
“A problem has been found related to how the domain controller manages the association of machine account certificates.”
As with many updates, the May 10 patch was important and included fixes for “high severity” extension vulnerabilities that could occur when the Kerberos Distribution Center (KDC) serviced a certificate-based authentication request.
Backing out of the update apparently solved the issues, but as one user remarked, “this is a pretty critical patch, but it seems to break quite a key role!”
Administrators would be forgiven for feeling that patches for repairing patches seem to become a little too common over the years. ®
