CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers


The US Cybersecurity and Infrastructure Security Agency (CISA) has temporarily removed the security flaw CVE-2022-26925 from its Known Exploited Vulnerability Catalog. It has warned that IT admins should not install the May 2021 Patch Tuesday updates on Windows Servers used as domain controllers due to the risk of authentication failures.

The security advisory comes amid recent reports of several policies and services failing after installing this month’s security updates on Windows domain controllers. Last week, Microsoft confirmed that these issues are caused by the security patches released to address two “high severity” privilege escalation vulnerabilities (CVE-2022-26931 and CVE-2022-26923) in Windows Kerberos and Active Directory Domain Services.

“After installing the May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” CISA explained.

Microsoft has told CISA that the authentication problems involve how the domain controller handles the mapping of certificates to computer accounts. The company noted that the update only triggers issues on Windows servers acting as a domain controller. Microsoft therefore still advises IT admins to install the May 2020 updates on non-domain controller Windows Servers and client Windows devices.

Microsoft suggests a workaround to fix Azure AD authentication bug on domain controllers

Microsoft is actively investigating the Azure AD authentication issues, and a permanent fix should be available soon. In its advisory, the firm recommends that domain administrators manually map the certificates to a machine account in Active Directory.
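To illustrate that manual mapping, here is an added PowerShell example (not from the article or from Microsoft) that builds the strong issuer-and-serial mapping string for a machine certificate and writes it to the computer account's altSecurityIdentities attribute. It assumes the RSAT ActiveDirectory module is installed, that you run it on a domain-joined admin workstation, and that the certificate file path and computer name are supplied by you; the string format follows Microsoft's documented X509IssuerSerialNumber mapping, in which the issuer DN components and the serial number byte order are both reversed.

```powershell
# Added example: map a machine certificate to an AD computer account
# via altSecurityIdentities (strong X509:<I>issuer<SR>serial form).
param(
    [Parameter(Mandatory)] [string] $CertPath,      # assumed, e.g. C:\certs\host.cer
    [Parameter(Mandatory)] [string] $ComputerName,  # sAMAccountName without trailing $
    [switch] $Apply                                 # without -Apply, only print the mapping
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Issuer DN components must appear in reverse order (DC=... first, CN=... last).
# Note: a plain split on commas is enough for typical CA names but not for
# DNs containing escaped commas; check the output against the CA's DN.
$issuerParts = $cert.Issuer -split ',\s*'
[array]::Reverse($issuerParts)
$issuer = $issuerParts -join ','

# The serial number must be hex with byte order reversed relative to the value
# shown in the certificate viewer. GetSerialNumber() already returns the bytes
# in little-endian (reversed) order, so formatting them in sequence is correct.
$serialBytes = $cert.GetSerialNumber()
$serial = ($serialBytes | ForEach-Object { $_.ToString('X2') }) -join ''

$mapping = "X509:<I>$issuer<SR>$serial"
Write-Output "Mapping string: $mapping"

if ($Apply) {
    Import-Module ActiveDirectory
    # -Add appends to the multi-valued attribute so existing mappings are kept.
    Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }
    # Read it back so the change can be verified before clients are tested.
    Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities |
        Select-Object Name, altSecurityIdentities
}
```

Run it once without -Apply to review the generated string, then with -Apply to write it; test an NPS or RRAS logon afterwards to confirm the mapping resolves.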

However, if the workaround doesn’t work, Microsoft suggests that IT admins check out this support document for alternate mitigation strategies to resolve the issues. Let us know in the comments down below if the workarounds helped you resolve the Windows AD authentication errors in your organization.