On October 21, 2025, Microsoft issued a statement regarding a problem with NTLM/Kerberos authentication. Authentication errors occur on the affected Windows versions when SIDs are identical on multiple computers and certain updates from August or September 2025 are installed. This is a problem that can arise when cloning installation images.
The SID (Security Identifier) is a unique security identifier that Microsoft Windows assigns automatically. Its purpose is to permanently identify each system, user, and group. In my German blog, this comment contains a more extensive discussion of whether duplicate SIDs in the same network can be a problem. Duplicate SIDs in the network also play a role in this German comment. Duplicates can be prevented by running Sysprep after cloning a Windows installation. So much for the preliminary remarks; the following addresses a problem related to the Windows updates from August or September 2025.
Kerberos/NTLM authentication problems caused by SIDs
On October 21, 2025, Microsoft published a support article entitled Kerberos and NTLM authentication failures due to duplicate SIDs (via), which deals with the consequences of duplicate SIDs. The article states that devices with duplicate security IDs (SIDs) may experience errors with Kerberos and NTLM authentication. This issue occurs when the following Windows updates are installed in Windows 11 24H2 and 25H2, as well as in Windows Server 2025:
- August 29, 2025—KB5064081 (OS Build 26100.5074) Preview
- September 9, 2025—KB5065426 (OS Build 26100.6584)
On affected systems, authentication errors manifest themselves as follows:
- Users are repeatedly prompted to enter their login credentials.
- Access requests with valid login credentials fail with one of the following error messages appearing on the screen:
  - Login attempt failed
  - The machine ID does not partially match
  - The username or password is incorrect
- Shared network folders cannot be accessed via the IP address or host name.
- Remote desktop connections cannot be established, including Remote Desktop Protocol (RDP) sessions initiated via privileged access management (PAM) solutions or third-party tools.
- Failover clustering fails with the error message "Access denied."
- The Event Viewer may display one of the following errors in the Windows logs:
  - The security package reports the error SEC_E_NO_CREDENTIALS.
  - The system log contains event ID 6167 from the Local Security Authority Server Service (lsasrv.dll) with the message text: There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session.
The background is that Windows updates released on or after August 29, 2025, contain additional security measures that enforce SID checks. As soon as two devices share the same SID, NTLM and Kerberos authentication between them fails: the design change blocks the authentication handshake between such devices.
Failed authentication requests caused by these security measures can be identified by event ID 6167 from the Local Security Authority Server Service (lsasrv.dll) in the System event log.
These duplicate SIDs can occur in installations when an unsupported cloning or duplication of a Windows installation is performed without running Sysprep. SID uniqueness enabled by Sysprep is mandatory for operating system duplication on Windows 11, versions 24H2 and 25H2, as well as Windows Server 2025 after installing Windows updates from August 29, 2025 (see The Microsoft policy for disk duplication of Windows installations).
Resolving the above issue requires administrators to give the affected machines a new SID. Some of my German blog readers wrote that they used SIDCHG successfully to change the SID. IT administrators can also temporarily work around the issue by installing and configuring a special group policy that overrides the aforementioned check. To obtain this special group policy, contact Microsoft Enterprise Support.
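Before re-imaging or changing SIDs, an administrator will want to know which machines actually share a SID and which of them have already logged the blocked handshakes. The following PowerShell script is an added example for this post (it is not from Microsoft's support article or a reader comment): it reads the machine SID on each host as the account-domain part of the built-in Administrator's SID, counts event ID 6167 in the System log, and groups the hosts by SID so that duplicate sets stand out. It assumes PowerShell remoting is enabled, that the caller is a local administrator on the targets, that the hostnames in $Computers are placeholders to be replaced with your own inventory, and that the event provider name for lsasrv.dll events is 'LsaSrv'.

```powershell
# Added example (not Microsoft's or the blog's own code): find machines that share a
# machine SID and check whether they have already logged LsaSrv event ID 6167.
# Assumptions: PowerShell remoting enabled, caller is a local admin on every target,
# provider name 'LsaSrv' for lsasrv.dll events (assumed), hostnames are placeholders.

# Constructed sample host list; replace with your own inventory.
$Computers = @('pc-01.example.local', 'pc-02.example.local', 'pc-03.example.local')

$ScriptBlock = {
    # The machine SID is any local account's SID without its trailing RID.
    # The built-in Administrator (RID 500) always exists, even if renamed or disabled.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    $machineSid = $admin.SID.AccountDomainSid.Value

    # Event ID 6167 in the System log is how the new SID check reports a blocked
    # NTLM/Kerberos handshake. Get-WinEvent raises a non-terminating error when
    # nothing matches, so that case is silenced and treated as zero events.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'LsaSrv'   # assumed provider name for lsasrv.dll
        Id           = 6167
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MachineSid   = $machineSid
        Sid6167Count = @($events).Count
        LastMismatch = if ($events) {
            ($events | Sort-Object TimeCreated -Descending)[0].TimeCreated
        } else { $null }
    }
}

# Query every host; unreachable hosts produce an error but do not stop the run.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $ScriptBlock -ErrorAction Continue

# Any SID shared by more than one host is a duplicate set: after the August/September
# 2025 updates these hosts will refuse to authenticate to each other.
$duplicates = $results | Group-Object MachineSid | Where-Object { $_.Count -gt 1 }

if ($duplicates) {
    foreach ($group in $duplicates) {
        Write-Warning ("Duplicate machine SID {0} on: {1}" -f $group.Name,
            ($group.Group.ComputerName -join ', '))
    }
} else {
    Write-Host 'No duplicate machine SIDs found among the reachable hosts.'
}

# Hosts that already logged the mismatch event are the ones whose users see the
# credential prompts, SMB and RDP failures described above.
$results | Where-Object { $_.Sid6167Count -gt 0 } |
    Format-Table ComputerName, MachineSid, Sid6167Count, LastMismatch -AutoSize
```

Hosts reported in one duplicate group are the candidates for a Sysprep re-image or, as the post notes, for a SID-change tool; the event count tells you which of them are already failing in production and should be handled first.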

I can confirm that duplicated SIDs are not unique to the enterprise. I purchased two identical SKU laptops from the same vendor within a few days of one another last year, and after 24H2 a year later I experienced SMB peer-to-peer failure between them. I found that they had identical machine SIDs. Because system integrators as well as the enterprise are also not following MS best practices, this makes the problem far more widespread than enterprise customers. MS is not providing a work-around for smaller customers who have had machines bricked from ever being able to peer-to-peer network again. Creating a new user only appends the machine ID – authentication still fails. MS or the vendor need to provide everyone with a work-around. I may throw caution to the wind and try SIDCHG.
Used SIDCHGL and SMB connectivity on duplicated SID machines was restored.