Windows out-of-band updates dated May 19, 2022 fail on AD DC authentication bug in NPS environments

Windows[German]Microsoft has released out-of-band updates for supported versions of Windows Server, effective May 19, 2022, to address issues caused by the May 10, 2022 security updates. This includes fixing the Active Directory authentication issue on domain controllers. However, I have since received several reports that the fix does not help, at least in certain constellations with NPS (Network Policy Server).

Out-of-band updates from May 19, 2022

The security updates released on May 10, 2022, tried to fix various vulnerabilities. However, the security updates failed on Windows Servers used as Active Directory Domain Controllers because of authentication issues there (see my blog post Windows May 2022 Updates Cause AD Authentication Failure (Server, Client)). and finally CISA has warned to install these patches (see CISA warns against installing May 2022 updates on Windows Domain Controllers). Microsoft has therefore released subsequent out-of-band updates, and listed them in the Windows Healt status Know Issues section:

as well as the subsequent standalone updates:

The purpose of these updates was also to fix a known issue that can prevent some services from authenticating machine accounts on clients or servers. This issue occurs after installing the May 10, 2022 security update on domain controllers. I had mentioned the update and other details in the blog post Windows out-of-band updates (05/19/2022) fixes AD authentication error and Store installation error.

Updates don't help with NPS

In the meantime, affected people have been installing the out-of-band updates on their Windows servers that act as Active Directory Domain Controllers. In doing so, I noticed that there was a noticeable amount of feedback that the out-of-band updates did not change the certificate error. German blog reader Andreas writes in this comment (I've translated the text):

It does not help with us.

The May update is on it and now also the KB5015018 for Windows Server 2019.
But the RADIUS clients still can't get past the NPS and into the WLAN.

Extremely annoying, there are 700 iPads in front of the NPS and they want to be let in …
The latest SSU update is also installed.

After Andreas uninstalled both updates (KB5013941 and KB5015018), all clients can connect to the RADIUS WLAN again. The problem is confirmed by MOM20xx in this comment:

I can confirm this. Notebooks still do not connect to the network with 802.1x after applying the patch. Error as before the update. None of the mentioned eventIDs 39-41 are logged. We do have eventid 39 in the logs but for mobiles that come in but have a different radius configuration.

And also here still the event source Kerberos-Key-Distribution-Center and not as described with kdcsvc under KB5014754—Certificate-based authentication changes on Windows domain controllers.

Even new certificates with the mentioned extension, where the SID is noted, are not accepted. Only if the certificate has an additional UPN, 802.1x works again. Or should the patch perhaps also be applied to the NPS server?

– without UPN in the certificate there is Auth Failure with EventID 4768 and Result Code 0x6, which means the device is not found in the KerberosDB.

Another German user confirms:In our environment (802.1x with NPS) installing KB5018018 did not fix the problem either. NPS still denied access for computers. Also in my blog here, there is this comment on the topic:

I can also confirm that KB5015018 also breaks NPS Radius EAP-TLS device authentication.

Update KB5015018 applies to Windows Server 2019, and German blog reader Stefan A. asks here, if there is anyone for whom the out-of-band update could solve the problem with NPS and computer certificates at all. So far, no administrator has come forward in this regard.

Some hints that may help

Susan Bradley postet this comment as an answer to my post at askwoody, that there's a timing that may need to be done, to bee successful (see also the following comment):

Those with a PKI need to update their CA's first. The patch adds a new OID to all templates used for authentication.

This OID is populated by the AD object SID further identifying the specific device in the cert.

Once CA's are updated and OID is present in your initial test cert to a PC, you can revoke older certs without the OID and through Auto-enrollment issue new ones.

Then it is safe to patch your DC's and authentication will continue as normal because DCs after patching will understand the new OID as an identifier.

Maybe that helps.

More insights and hints

Addendum 2: Within my German blog I received the following comment (tranlated here) to my article about the patch issue (dedicated to KB5014986 but it's also valid for other updates):

Install the patch also on the SRV with internal CA, which issues the certificates for the computers/users to connect via WLAN. I think that MS thinks here that on SRV with DC role also the CA role is installed. This is probably not true for many of us.

And another user left a comment with links to insight articles about the root cause for the patch and explanations why some things has changed. He wrote that the following two links helped him to understand the reasons why the patch makes these changes in the first place.

The second article is in German – use deepl.com to translate.

Similar articles:
Patchday: Windows 10-Updates (May 10, 2022)
Patchday: Windows 11/Server 2022-Updates (May 10, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (May 10, 2022)

Windows May 2022 Updates Cause AD Authentication Failure (Server, Client)
CISA warns against installing May 2022 updates on Windows Domain Controllers
Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update
Windows 11: Update KB5013943 results in application error 0xc0000135
MS-Patchday wrap-up: Issues with April 2022 updates
Windows Server 2022: RDS bug (RDCB role broken) caused by KB5011497, not fixed in May 2022
Windows Update KB5012599: Microsoft plans fix for install error 0x8024200B and 0x800F0831
Windows 11: Update KB5013943 results in application error 0xc0000135
Active Directory Admins: May 2022 updates may force DCs to a boot loop (AltSecID attribute set on krbtgt)
Windows out-of-band updates (05/19/2022) fixes AD authentication error and Store installation error

This entry was posted in issue, Update, Windows and tagged , , . Bookmark the permalink.

2 Responses to Windows out-of-band updates dated May 19, 2022 fail on AD DC authentication bug in NPS environments

  1. Anonymous says:

    Hi Guenni,
    I was reading up your comment (anyway I think by you) at:

    https://www.askwoody.com/forums/topic/master-patch-list-as-of-may-19-2022-out-of-band-for-server-auth-issues/#post-2448056

    where you have posted this article as a link concerning the May 19, 2022 out-of-band updates will not fix the certificate issue with AD DC when a Network Policy Server (NPS) is in use.

    FYI there is a reply posting by Susan Bradley (in case you miss it) to you that may be relevant for your readers:

    https://www.askwoody.com/forums/topic/master-patch-list-as-of-may-19-2022-out-of-band-for-server-auth-issues/#post-2448058
    ——————————————————–
    Can you post this back on that thread — There's a timing that may need to be done:

    "Those with a PKI need to update their CA's first. The patch adds a new OID to all templates used for authentication.
    This OID is populated by the AD object SID further identifying the specific device in the cert.
    Once CA's are updated and OID is present in your initial test cert to a PC, you can revoke older certs without the OID and through Auto-enrollment issue new ones.
    Then it is safe to patch your DC's and authentication will continue as normal because DCs after patching will understand the new OID as an identifier.

    If you can hold off patching your DC's until after all new certs are issued, all the better."
    ——————————————————-
    Hope this helps.

  2. Mark says:

    In my environment I have two domain controllers which are also CAs and a separate NPS server. Applying the out-of-band May 19 patch to these three servers worked in my case (WiFi authentication using client computer certificates / EAP-TLS)

Leave a Reply

Your email address will not be published. Required fields are marked *