Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication

If you updated servers running Active Directory Certificate Services and Window domain controllers responsible for certificate-based authentication with Microsoft’s May 10 Patch Tuesday update, you may need a re-do. 

The company said the original patch for CVE-2022-26931 and CVE-2022-26923 was intended to stop certificate spoofing via privilege escalation, but an unintended consequence of the fix was a rash of authentication errors. So, it rushed a new patch, available as of Thursday.

After installing the original Patch Tuesday updates, several Reddit users complained of certificate-authentication errors in r/sysadmin subreddit Patch Tuesday Megathread for May 10. 

“My [Network Policy Server] NPS policies (with certificate auth) have been failing to work since the update, stating ‘Authentication failed due to a user credentials mismatch,'” Reddit user RiceeeChrispies wrote. “Either the user name provided does not map to an existing account, or the password was incorrect.”

Microsoft added that once the update is installed, it won’t be necessary to renew client-authentication certificates. 

“Renewal is not required,” Microsoft said in its statement acknowledging the authentication errors. “The CA will ship in Compatibility Mode. If you want a strong mapping using the ObjectSID extension, you will need a new certificate.”