Summary
- Authentication issues in Windows Server after April updates
- Logon failures for WHfB and Device Public Key Authentication
- Workaround available, Microsoft working on permanent fix for impacted Windows Server versions
Bugs in Windows aren't entirely uncommon. Recently, we covered a Windows RDP security "bug" that Microsoft has acknowledged, but refused to fix. However, things can get even more problematic if operating system issues impact organizations, where operational infrastructure is critical to business viability. Unfortunately, one such issue is plaguing enterprise customers once again, where Windows Server components have broken after recent updates.
Authentication problems in Windows Server
In its Windows release health dashboard, Microsoft has begun tracking a new bug in Windows Server installations. Customers have reported that after installing April's Patch Tuesday updates, they are facing issues with authentication processes. Redmond has further detailed this problem by noting that Domain Controllers (DCs) will experience issues while processing Kerberos logon events or authentication delegations that rely on Active Directory's (AD) msDS-KeyCredentialLink attribute for key trust.
This will cause logon failures for devices deployed in Windows Hello for Business (WHfB) and Device Public Key Authentication environments. Other systems that depend on this attribute for sign-in may also be affected. Home devices are not expected to be affected by this issue, but the following protocols on DCs are impacted:
- Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT)
- Certificate-based Service-for-User Delegation (S4U) via both Kerberos Constrained Delegation (KCD or A2D2 Delegation) and Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation)
Workaround available, permanent fix in progress
It is interesting to note that this latest issue is related to a design change that Microsoft recently made to Kerberos authentication to combat security threats. However, the change still allows IT admins to modify the behavior of this implementation through registry values, which can be managed via Group Policy (GP). You can head over to Microsoft's dedicated information page here to find out more details about the implementation, but for now, Microsoft does have a workaround.
The workaround involves setting the registry value of AllowNtAuthPolicyBypass in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc to 1 instead of 2. Microsoft has not provided a concrete timeline for a permanent patch yet, but it has requested organizations to properly assess the impact of new security measures and their compliance following the deployment of the April quality updates. It is also important to keep in mind that Windows Server 2025, 2022, 2019, and 2016 are impacted by this latest issue, and client systems are unaffected.
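Before applying the workaround, an admin will want to know how many accounts actually rely on key trust and which DCs still carry the post-update value. The following PowerShell script is an added example (not Microsoft's or the article's own code); it assumes the ActiveDirectory RSAT module, domain-admin rights, WinRM access to each DC, and a hypothetical `-ApplyWorkaround` switch that sets the value to 1 as the article describes.

```powershell
# Added example: assess key-trust exposure and audit/apply the KDC workaround on each DC.
# Assumes RSAT ActiveDirectory module, domain-admin rights and WinRM to every DC.
param([switch]$ApplyWorkaround)   # hypothetical switch; omit it to audit only

Import-Module ActiveDirectory
$kdcPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'AllowNtAuthPolicyBypass'

# 1. Impact assessment: every object whose msDS-KeyCredentialLink is populated uses
#    key trust (WHfB key-trust users, device public key auth computers) and is what
#    fails to log on against an affected DC.
$keyTrust = Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties objectClass
if (-not $keyTrust) {
    Write-Host 'No objects carry msDS-KeyCredentialLink; key-trust logons are not in use.'
}
$keyTrust | Group-Object objectClass | ForEach-Object {
    Write-Host ("{0,-8} objects with msDS-KeyCredentialLink: {1}" -f $_.Name, $_.Count)
}

# 2. Per-DC check of the KDC value. The article gives 2 as the post-update value and
#    1 as the workaround value; anything else is flagged for manual review.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $current = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        param($path, $name, $apply)
        $cur = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($apply -and $cur -ne 1) {
            Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
            $cur = (Get-ItemProperty -Path $path -Name $name).$name   # re-read to confirm
        }
        $cur
    } -ArgumentList $kdcPath, $valueName, $ApplyWorkaround.IsPresent

    $status = switch ($current) {
        1       { 'workaround value (1) set' }
        2       { 'post-update value (2); key-trust logons may fail' }
        $null   { 'value not set or DC unreachable' }
        default { "unexpected value $current; review manually" }
    }
    [pscustomobject]@{ DC = $dc.HostName; OS = $dc.OperatingSystem; Value = $current; Status = $status }
}
$report | Format-Table -AutoSize
```

Run it once without the switch to record the baseline, and again after the permanent fix ships to confirm no DC was left on the workaround value longer than intended.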
