Windows Server: Issues with Windows Hello and Kerberos events caused by April 2025 updates confirmed

The April 2025 security updates for Windows Server may cause problems on domain controllers, so that Kerberos event IDs 45 and 21 are logged. Microsoft has confirmed this problem and writes that logon with Windows Hello in Key Trust mode can fail. Private users are probably not affected by these problems, because they don't use domain controllers.

On April 8, 2025, Microsoft rolled out security updates for Windows clients and servers that close various vulnerabilities (mentioned in Microsoft Security Update Summary (April 8, 2025)). For Windows Server, the updates are listed in the article Patchday: Windows Server-Updates (April 8, 2025).

Hello logon problem and Kerberos events

As of May 6, 2025, Microsoft has published the support article Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events in the Windows Release Health dashboard of Windows Server 2025 (and other server versions). There Microsoft confirms problems after installation of the monthly Windows security update from April 8, 2025 (for Windows Server 2025 this is KB5055523) or later updates.

According to the support article, Active Directory Domain Controllers (DCs) may experience problems when processing Kerberos logons or delegations. These occur when the Kerberos logons or delegations use certificate-based credentials that rely on key trust via the Active Directory attribute msds-KeyCredentialLink.

According to Microsoft, this can lead to authentication problems in Windows Hello for Business (WHfB) key trust environments or in environments where Device Public Key Authentication (also known as Machine PKINIT) is used. Other products that rely on this function may be affected as well; Microsoft mentions smart card authentication products, third-party single sign-on (SSO) solutions and identity management systems in this context.

Affected protocols are Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT) and certificate-based Service-for-User Delegation (S4U) via Kerberos Constrained Delegation (KCD or A2D2 Delegation) and Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation).

This problem is related to the protection against the vulnerability described in KB5057784, Protections for CVE-2025-26647 (Kerberos Authentication), which will be closed by the security updates such as KB5057784 (for Server 2025). Subsequent updates will also cause these problems.

The background: Starting with the Windows updates released on April 8, 2025 and later, the method DCs use to validate the certificates presented for Kerberos authentication has changed. Once the April 2025 update is installed, DCs check whether the certificate chains to a root in the NTAuth store (described in KB5057784).

This behavior can be prevented by the registry value AllowNtAuthPolicyBypass in the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

If AllowNtAuthPolicyBypass is not present, the DC behaves as if the value were set to "1". When the problem occurs, one of two symptoms is observed:

  • If the registry value AllowNtAuthPolicyBypass is set to "1" on the authenticating DC, Kerberos Key Distribution Center event ID 45 is logged repeatedly in the DC's System event log, with text such as "The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store". Even when many of these events are logged, the associated logons should still succeed, and no problems other than the event log entries are observed.
  • If the registry value AllowNtAuthPolicyBypass is set to "2" on the authenticating DC, user logons fail, and Kerberos Key Distribution Center event ID 21 is logged in the DC's System event log with text such as "The client certificate for the user is not valid and resulted in a failed smartcard logon". Because the user-facing impact only occurs when AllowNtAuthPolicyBypass is set to "2", there is a workaround: to prevent the resulting logon failures, administrators should temporarily reset AllowNtAuthPolicyBypass from "2" to "1" (see the section Registry settings in KB5057784).
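The following PowerShell is an added example for this post, not code from the original article or from Microsoft's KB. It reads AllowNtAuthPolicyBypass on a DC (treating an absent value as "1", as the article states), counts the related event IDs 45 and 21 from the System log, and offers the temporary mitigation described above (moving from "2" back to "1") behind -WhatIf/-Confirm. The event provider name 'Microsoft-Windows-Kerberos-Key-Distribution-Center' is an assumption; verify it against an actual event 45 or 21 on your DC before relying on the filter.

```powershell
# Added example (not from the original post or from Microsoft): audit the KDC
# NTAuth policy setting and the related Kerberos KDC events on a domain controller.
# Run in an elevated PowerShell session on the DC itself.
# Assumption: the provider name below matches the source of events 45/21 in the
# System log on your DCs; the registry path and value name are from the article.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'
$Provider  = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'   # assumption

function Get-NtAuthBypassState {
    # Reads AllowNtAuthPolicyBypass; an absent value means the DC behaves as "1".
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Effective = 1; Mode = 'Audit (value absent, defaults to 1)' }
    }
    $v = [int]$item.$ValueName
    $mode = switch ($v) {
        1       { 'Audit: event ID 45 logged, logon still succeeds' }
        2       { 'Enforce: event ID 21 logged, logon fails' }
        default { "Unexpected value $v" }
    }
    return [pscustomobject]@{ Configured = $true; Effective = $v; Mode = $mode }
}

function Get-KdcNtAuthEvents {
    param([int]$Hours = 24)
    # Event 45: certificate valid but did not chain to a root in NTAuth (audit mode).
    # Event 21: client certificate rejected, smart card / key trust logon failed.
    $filter = @{
        LogName      = 'System'
        ProviderName = $Provider
        Id           = 45, 21
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Set-NtAuthBypassToAudit {
    # Temporary mitigation cited in the article (KB5057784, Registry settings):
    # move from "2" (enforce) back to "1" (audit). Only acts when the value is 2.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-NtAuthBypassState
    if ($state.Effective -ne 2) {
        Write-Host "No change: $ValueName is effectively $($state.Effective) ($($state.Mode))."
        return
    }
    if ($PSCmdlet.ShouldProcess("$KdcKey\$ValueName", 'Set to 1 (audit)')) {
        Set-ItemProperty -Path $KdcKey -Name $ValueName -Value 1 -Type DWord
        Write-Host "$ValueName set to 1. Watch event ID 45 to see which client certificates do not chain to NTAuth."
    }
}

# Usage (run on each DC):
$state = Get-NtAuthBypassState
"$env:COMPUTERNAME : $ValueName = $($state.Effective) ($($state.Mode))"
Get-KdcNtAuthEvents -Hours 24 | Group-Object Id | Select-Object Name, Count
# Set-NtAuthBypassToAudit -WhatIf     # preview the temporary mitigation
```

Counting event ID 45 per DC while the value is at "1" tells you which certificate chains will start failing once enforcement ("2") is enabled, which is the point of the audit mode Microsoft describes; the Set function is deliberately limited to the 2-to-1 direction the article recommends.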

Microsoft writes that it is aware of this problem. Windows Server 2025, Windows Server 2022, Windows Server 2019 and Windows Server 2016 are affected. Redmond emphasizes that it is important to them that companies can closely monitor and test compliance with the security measures using the registry values available after the Windows updates of April 8, 2025. Microsoft's developers are working on a solution and will provide an update as soon as possible. (via)

Similar articles:
Microsoft Security Update Summary (April 8, 2025)
Patchday: Windows 10/11 Updates (April 8, 2025)
Patchday: Windows Server-Updates (April 8, 2025)
Patchday: Microsoft Office Updates (April 8, 2025)

Word/Excel 2016 crashing after April 2025 update KB5002700
Outlook 2016: Calendar access blocked after April 2025 update KB5002700

Windows 10/11 and Server hardening: Timeline for 2025 and beyond
Windows: Kerberos PAC Validation Protocol in enforcement mode since April 8, 2025
