An update on Microsoft’s May Patch Issues with Domain Controllers and Certificate-Based Authentication

May 19th, 2022
I wanted to update you on the Microsoft authentication issues caused by the May patches.

  1. This only potentially affects Microsoft Domain Controllers. More specifically, it only affects Domain Controllers that use certificates in any way for some form of authentication, and many authentication methods use certificates.
  2. Windows devices that are not Microsoft Domain Controllers, or that are not using certificates for authentication, are not negatively affected by the May authentication patch.
  3. Microsoft's workaround is something called Certificate Mapping.
  4. CISA has temporarily removed CVE-2022-26925 from its Known Exploited Vulnerabilities catalog because of the chaos the patch is causing on domain controllers.

Reading the Certificate Mapping documentation, it is obvious that this has to be thought through, as changes must be made to both the certificates and the Active Directory structure.

Below are three links. The first is Microsoft's official document on this issue. The second is the document on the actual patch that lists what must be done to make Certificate Mapping actually work. The third is CISA's official position on this issue.

Microsoft's Official May Patch Document

KB5014754 with Certificate Mapping Explanation

CISA Temporarily Removes CVE-2022-26925 from Known Exploited Vulnerability Catalog

If you have already installed the May patch on your Domain Controllers and use some form of certificate-based authentication (NPS, RADIUS, etc.), then you must either complete the Certificate Mapping process or uninstall KB5014754. Uninstalling ends the pain and gives you time to figure out Certificate Mapping and to see whether Microsoft provides some other form of relief for this patching/authentication conflict.
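As an added example (not code from the original post or from Microsoft's KB5014754), the following PowerShell checks a Domain Controller's StrongCertificateBindingEnforcement mode, pulls the KDC audit events that KB5014754 describes for certificates lacking a strong mapping, and builds the X509IssuerSerialNumber string that goes into a user's altSecurityIdentities attribute. It assumes it runs on a DC with the May 2022 update and the ActiveDirectory module, that issuer DNs contain no escaped commas, and that the account name and .cer path in the usage comments are placeholders.

```powershell
# Added example, not code from the original post or from Microsoft's KB5014754.
# Assumes: run on a DC with the May 2022 update, ActiveDirectory module available,
# issuer DNs without escaped commas. The account name and .cer path below are placeholders.

function Get-KdcCertificateBindingMode {
    # StrongCertificateBindingEnforcement: 0 = disabled, 1 = compatibility (audit only),
    # 2 = full enforcement. If the value is absent, the DC runs the May 2022 default (compatibility).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $v = (Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    if ($null -eq $v) { return 'Compatibility (value not set)' }
    switch ($v) { 0 { 'Disabled' } 1 { 'Compatibility' } 2 { 'Full enforcement' } default { "Unknown ($v)" } }
}

function Get-WeakCertificateMappingEvents {
    # In compatibility mode the KDC logs event 39 (valid cert but no strong mapping),
    # 40 (cert issued before the account existed) and 41 (SID mismatch) to the System log.
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function New-StrongIssuerSerialMapping {
    # Builds the X509IssuerSerialNumber form that KB5014754 lists as a strong mapping:
    #   X509:<I>reversed-issuer-DN<SR>byte-reversed-serial
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rdns = @($Certificate.Issuer -split ',\s*')      # "CN=CA, DC=contoso, DC=com"
    [array]::Reverse($rdns)                            # -> DC=com,DC=contoso,CN=CA
    $hex = $Certificate.SerialNumber                   # big-endian hex string from .NET
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)                           # altSecurityIdentities wants it byte-reversed
    return 'X509:<I>' + ($rdns -join ',') + '<SR>' + ($pairs -join '')
}

function Add-StrongCertificateMapping {
    # altSecurityIdentities is multi-valued, so append rather than overwrite existing mappings.
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $mapping = New-StrongIssuerSerialMapping -Certificate $Certificate
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    return $mapping
}

# Usage on a DC (placeholders): audit first, then map each affected user's certificate.
# Get-KdcCertificateBindingMode; Get-WeakCertificateMappingEvents | Format-Table -AutoSize
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\user.cer'
# Add-StrongCertificateMapping -SamAccountName 'jdoe' -Certificate $cert
```

Run the audit functions while the DC is still in compatibility mode; the event list tells you which accounts need a mapping before full enforcement is turned on.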

It is important to realize that Microsoft made these changes because there were real security vulnerabilities in the present Domain Controller framework. My understanding is that these changes were designed to block those vulnerabilities. Failure to patch the domain controllers functionally leaves those known vulnerabilities exposed. If you are subject to stringent regulatory patching requirements (e.g., PCI for credit cards), you may have specific guidance you must follow.

Our current thinking is that, for everything except Microsoft Domain Controllers, proceeding with a "normal" patching process for the May updates is acceptable. Refrain from all Domain Controller patching until you have a handle on this Certificate Mapping issue and/or have improved guidance from Microsoft as to what your options are.

As with any set of Microsoft patches, test them on a limited set of servers or endpoints before mass deploying across your entire network.

We have all lived through "Patch Tuesday" leading to "Dead Body" Wednesdays.

Much like last summer's "PrintNightmare" saga, I expect we will see more guidance on this troubling topic.

If you have questions, please let us know.

-Scott Quimby