Skip links

Microsoft patches the patch that broke Windows authentication

Microsoft has released an out-of-band patch to deal with an authentication issue that was introduced in the May 10 Windows update.

Elizabeth Tyler, cyber security consultant on Microsoft’s Detection and Response Team, confirmed the fix to worried administrators early this morning.

Multiple administrators complained last week that after installing the May 10 patch, they experienced authentication failures across several systems.

Tyler said at the time: “We know the root cause is the subject name is incorrectly used to map the cert to a machine account in AD rather than the DNSHostname in the subject alternative name on DCs that have installed 5b and we’re working it.”

An entry then turned up in the lengthy list of known issues for the patch in which Microsoft warned that, after installing the May 10 patch on domain controllers, there might be issues with some services.

“These services,” it said, “include Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

“An issue has been found related to how the domain controller manages the mapping of certificates to machine accounts.”

As with many updates, the May 10 patch was an important one, and included fixes for “high severity” elevation-of-privilege vulnerabilities that could occur when the Kerberos Distribution Center (KDC) serviced a certificate-based authentication request.

Backing out of the update apparently resolved the problems but, as one user observed, “this is quite a critical patch but seems to break quite a key role!”

Administrators would be forgiven for feeling that patches to fix patches seem to be becoming a little too common over the years. ®