Two of Microsoft's Patch Tuesday updates need a do-over after causing certificate-based authentication errors.

Dark Reading Staff, Dark Reading

May 20, 2022


If you updated servers running Active Directory Certificate Services and Windows domain controllers responsible for certificate-based authentication with Microsoft's May 10 Patch Tuesday update, you may need a redo.

The company said the original patch for CVE-2022-26931 and CVE-2022-26923 was intended to stop certificate spoofing via privilege escalation, but an unintended consequence of the fix was a rash of authentication errors. So, it rushed a new patch, available as of Thursday.

After installing the original Patch Tuesday updates, several Reddit users complained of certificate-authentication errors in the r/sysadmin subreddit's Patch Tuesday Megathread for May 10.

"My [Network Policy Server] NPS policies (with certificate auth) have been failing to work since the update, stating 'Authentication failed due to a user credentials mismatch,'" Reddit user RiceeeChrispies wrote. "Either the user name provided does not map to an existing account, or the password was incorrect."

Microsoft added that once the update is installed, it won't be necessary to renew client-authentication certificates. 

"Renewal is not required," Microsoft said in its statement acknowledging the authentication errors. "The CA will ship in Compatibility Mode. If you want a strong mapping using the ObjectSID extension, you will need a new certificate."
