{"id":24587,"date":"2022-05-21T06:50:34","date_gmt":"2022-05-21T04:50:34","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=24587"},"modified":"2022-05-24T10:33:08","modified_gmt":"2022-05-24T08:33:08","slug":"windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/05\/21\/windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler\/","title":{"rendered":"Windows out-of-band updates dated May 19, 2022 fail on AD DC authentication bug in NPS environments"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/21\/windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Microsoft has released out-of-band updates for supported versions of Windows Server, effective May 19, 2022, to address issues caused by the May 10, 2022 security updates. This includes fixing the Active Directory authentication issue on domain controllers. However, I have since received several reports that the fix does not help, at least in certain configurations with NPS (Network Policy Server).<\/p>\n<p><!--more--><\/p>\n<h2>Out-of-band updates from May 19, 2022<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg07.met.vgwort.de\/na\/3147c98cb6ca425fa5eb1fb6c09d6169\" alt=\"\" width=\"1\" height=\"1\" \/>The security updates released on May 10, 2022, were intended to fix various vulnerabilities. 
However, the security updates failed on Windows Servers used as Active Directory Domain Controllers because of authentication issues there (see my blog post <a href=\"https:\/\/borncity.com\/win\/2022\/05\/12\/windows-mai-2022-updates-verursachen-ad-authentifizierungsfehler-server-client\/\">Windows May 2022 Updates Cause AD Authentication Failure (Server, Client)<\/a>), and finally CISA warned against installing these patches (see <a href=\"https:\/\/borncity.com\/win\/2022\/05\/17\/cisa-warnt-vor-installation-der-mai-2022-updates-auf-windows-domain-controllern\/\">CISA warns against installing May 2022 updates on Windows Domain Controllers<\/a>). Microsoft has therefore released subsequent out-of-band updates, and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/release-health\/resolved-issues-windows-11-21h2#2826msgdesc\" target=\"_blank\" rel=\"noopener\">listed them<\/a> in the Known Issues section of the Windows release health status:<\/p>\n<ul>\n<li>\u200b<a href=\"https:\/\/support.microsoft.com\/help\/5015013\" target=\"_blank\" rel=\"noopener\">KB5015013<\/a>: Windows Server 2022<\/li>\n<li>\u200b<a href=\"https:\/\/support.microsoft.com\/help\/5015020\" target=\"_blank\" rel=\"noopener\">KB5015020<\/a>: Windows Server Version 20H2<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5015018\" target=\"_blank\" rel=\"noopener\">KB5015018<\/a>: \u200bWindows Server 2019<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5015019\" target=\"_blank\" rel=\"noopener\">KB5015019<\/a>: \u200bWindows Server 2016<\/li>\n<\/ul>\n<p>as well as the subsequent standalone updates:<\/p>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5014986\" target=\"_blank\" rel=\"noopener\">KB5014986<\/a>: \u200bWindows Server 2012 R2<\/li>\n<li>\u200b<a href=\"https:\/\/support.microsoft.com\/help\/5014991\" target=\"_blank\" rel=\"noopener\">KB5014991<\/a>: Windows Server 2012<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5014987\" target=\"_blank\" 
rel=\"noopener\">KB5014987<\/a>: \u200bWindows Server 2008 R2 SP1<\/li>\n<li>\u200b<a href=\"https:\/\/support.microsoft.com\/help\/5014990\" target=\"_blank\" rel=\"noopener\">KB5014990<\/a>: Windows Server 2008 SP2<\/li>\n<\/ul>\n<p>The purpose of these updates was also to fix a known issue that can prevent some services from authenticating machine accounts on clients or servers. This issue occurs after installing the May 10, 2022 security update on domain controllers. I had mentioned the update and other details in the blog post <a href=\"https:\/\/borncity.com\/win\/2022\/05\/20\/windows-out-of-band-updates-19-5-2022-fixen-ad-authentifizierungsfehler-und-store-installationsfehler\/\">Windows out-of-band updates (05\/19\/2022) fixes AD authentication error and Store installation error<\/a>.<\/p>\n<h2>Updates don't help with NPS<\/h2>\n<p>In the meantime, affected people have been installing the out-of-band updates on their Windows servers that act as Active Directory Domain Controllers. In the process, I noticed a considerable amount of feedback that the out-of-band updates did not change the certificate error. German blog reader Andreas writes in <a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/20\/windows-out-of-band-updates-19-5-2022-fixen-ad-authentifizierungsfehler-und-store-installationsfehler\/#comment-125996\" target=\"_blank\" rel=\"noopener\">this comment<\/a> (I've translated the text):<\/p>\n<blockquote><p>It does not help with us.<\/p>\n<p>The May update is on it and now also the KB5015018 for Windows Server 2019.<br \/>\nBut the RADIUS clients still can't get past the NPS and into the WLAN.<\/p>\n<p>Extremely annoying, there are 700 iPads in front of the NPS and they want to be let in &#8230;<br \/>\nThe latest SSU update is also installed.<\/p><\/blockquote>\n<p>After Andreas uninstalled both updates (KB5013941 and KB5015018), all clients could connect to the RADIUS WLAN again. 
The problem is confirmed by MOM20xx in <a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/20\/windows-out-of-band-updates-19-5-2022-fixen-ad-authentifizierungsfehler-und-store-installationsfehler\/#comment-126010\" target=\"_blank\" rel=\"noopener\">this comment<\/a>:<\/p>\n<blockquote><p>I can confirm this. Notebooks still do not connect to the network with 802.1x after applying the patch. Error as before the update. None of the mentioned eventIDs 39-41 are logged. We do have eventid 39 in the logs but for mobiles that come in but have a different radius configuration.<\/p>\n<p>And also here still the event source Kerberos-Key-Distribution-Center and not as described with <em>kdcsvc <\/em>under <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16\" target=\"_blank\" rel=\"noopener\">KB5014754\u2014Certificate-based authentication changes on Windows domain controllers<\/a>.<\/p>\n<p>Even new certificates with the mentioned extension, where the SID is noted, are not accepted. Only if the certificate has an additional UPN, 802.1x works again. Or should the patch perhaps also be applied to the NPS server?<\/p>\n<p>&#8211; without UPN in the certificate there is Auth Failure with EventID 4768 and Result Code 0x6, which means the device is not found in the KerberosDB.<\/p><\/blockquote>\n<p>Another German user <a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/20\/windows-out-of-band-updates-19-5-2022-fixen-ad-authentifizierungsfehler-und-store-installationsfehler\/#comment-126017\" target=\"_blank\" rel=\"noopener\">confirms<\/a>: <em>In our environment (802.1x with NPS) installing KB5018018 did not fix the problem either. 
NPS still denied access for computers.<\/em> On this blog, there is also <a href=\"https:\/\/borncity.com\/win\/2022\/05\/20\/windows-out-of-band-updates-19-5-2022-fixen-ad-authentifizierungsfehler-und-store-installationsfehler\/#comment-14853\">this comment<\/a> on the topic:<\/p>\n<blockquote><p>I can also confirm that KB5015018 also breaks NPS Radius EAP-TLS device authentication.<\/p><\/blockquote>\n<p>Update <a href=\"https:\/\/support.microsoft.com\/help\/5015018\" target=\"_blank\" rel=\"noopener\">KB5015018<\/a> applies to Windows Server 2019, and German blog reader Stefan A. asks <a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/20\/windows-out-of-band-updates-19-5-2022-fixen-ad-authentifizierungsfehler-und-store-installationsfehler\/#comment-126034\" target=\"_blank\" rel=\"noopener\">here<\/a> whether there is anyone for whom the out-of-band update has solved the problem with NPS and computer certificates at all. So far, no administrator has come forward in this regard.<\/p>\n<h3>Some hints that may help<\/h3>\n<p>Susan Bradley posted <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/master-patch-list-as-of-may-19-2022-out-of-band-for-server-auth-issues\/#post-2448058\" target=\"_blank\" rel=\"noopener\">this comment<\/a> in reply to my post at AskWoody, pointing out that the updates may need to be installed in a particular order to be successful (see also the following comment):<\/p>\n<blockquote><p>Those with a PKI need to update their CA's first. 
The patch adds a new OID to all templates used for authentication.<\/p>\n<p>This OID is populated by the AD object SID further identifying the specific device in the cert.<\/p>\n<p>Once CA's are updated and OID is present in your initial test cert to a PC, you can revoke older certs without the OID and through Auto-enrollment issue new ones.<\/p>\n<p>Then it is safe to patch your DC's and authentication will continue as normal because DCs after patching will understand the new OID as an identifier.<\/p><\/blockquote>\n<p>Maybe that helps.<\/p>\n<h3>More insights and hints<\/h3>\n<p><strong>Addendum 2:<\/strong> On my German blog I received the <a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/21\/windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler\/#comment-126188\" target=\"_blank\" rel=\"noopener\">following comment<\/a> (translated here) on my article about the patch issue (it refers to KB5014986, but also applies to the other updates):<\/p>\n<blockquote><p>Install the patch also on the SRV with the internal CA, which issues the certificates for the computers\/users to connect via WLAN. I think that MS assumes here that on a SRV with the DC role the CA role is also installed. This is probably not true for many of us.<\/p><\/blockquote>\n<p>And another user left <a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/21\/windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler\/#comment-126187\" target=\"_blank\" rel=\"noopener\">a comment<\/a> with links to insight articles about the root cause for the patch and explanations of why some things have changed. 
He wrote that the following two links helped him to understand the reasons why the patch makes these changes in the first place.<\/p>\n<ul>\n<li><a href=\"https:\/\/research.ifcr.dk\/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4\" target=\"_blank\" rel=\"noopener\">Certifried: Active Directory Domain Privilege Escalation (CVE-2022\u201326923)<\/a><\/li>\n<li><a href=\"https:\/\/www.gradenegger.eu\/?p=18373\" target=\"_blank\" rel=\"noopener\">\u00c4nderungen an der Zertifikatausstellung und an der zertifikatbasierten Anmeldung am Active Directory mit dem Patch f\u00fcr Windows Server vom 10. Mai 2022 (KB5014754)<\/a><\/li>\n<\/ul>\n<p>The second article is in German &#8211; use deepl.com to translate.<\/p>\n<p><strong>Similar articles:<br \/>\n<\/strong><a href=\"https:\/\/borncity.com\/win\/2022\/05\/11\/patchday-windows-10-updates-10-mai-2022\/\">Patchday: Windows 10-Updates (May 10, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/11\/patchday-windows-11-server-2022-updates-may-10-2022\/\">Patchday: Windows 11\/Server 2022-Updates (May 10, 2022)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/11\/windows-7-server-2008r2-windows-8-1-server-2012r2-updates-may-10-2022\/\">Windows 7\/Server 2008R2; Windows 8.1\/Server 2012R2: Updates (May 10, 2022)<\/a><\/p>\n<p><a href=\"https:\/\/borncity.com\/win\/2022\/05\/12\/windows-mai-2022-updates-verursachen-ad-authentifizierungsfehler-server-client\/\">Windows May 2022 Updates Cause AD Authentication Failure (Server, Client)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/17\/cisa-warnt-vor-installation-der-mai-2022-updates-auf-windows-domain-controllern\/\">CISA warns against installing May 2022 updates on Windows Domain Controllers<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/15\/microsoft-fixt-petitpotam-ntlm-relay-schwachstelle-cve-2022-26925-mit-windows-mai-2022-update\/\">Microsoft has fixed the (PetitPotam) NTLM 
Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/11\/windows-11-update-kb5013943-erzeugt-fehler-0xc0000135\/\">Windows 11: Update KB5013943 results in application error 0xc0000135<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/04\/15\/patchday-nachlese-probleme-mit-april-2022-updates\/\">MS-Patchday wrap-up: Issues with April 2022 updates<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/12\/windows-server-2022-rds-bug-rdcb-role-broken-caused-by-kb5011497-not-fixed-in-may-2022\/\">Windows Server 2022: RDS bug (RDCB role broken) caused by KB5011497, not fixed in May 2022<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/09\/windows-update-kb5012599-fix-fr-installationsfehler-0x8024200b-und-0x800f0831-kommt\/\">Windows Update KB5012599: Microsoft plans fix for install error 0x8024200B and 0x800F0831<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/11\/windows-11-update-kb5013943-erzeugt-fehler-0xc0000135\/\">Windows 11: Update KB5013943 results in application error 0xc0000135<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/18\/active-directory-admins-mai-2022-updates-knnen-bei-dcs-zur-boot-schleife-fhren-gesetztes-altsecid-attribut-bei-krbtgt\/\">Active Directory Admins: May 2022 updates may force DCs to a boot loop (AltSecID attribute set on krbtgt)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2022\/05\/20\/windows-out-of-band-updates-19-5-2022-fixen-ad-authentifizierungsfehler-und-store-installationsfehler\/\">Windows out-of-band updates (05\/19\/2022) fixes AD authentication error and Store installation error<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft has released out-of-band updates for supported versions of Windows Server, effective May 19, 2022, to address issues caused by the May 10, 2022 security updates. 
This includes fixing the Active Directory authentication issue on domain controllers. However, I have &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/05\/21\/windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,22,2],"tags":[466,195,159],"class_list":["post-24587","post","type-post","status-publish","format-standard","hentry","category-issue","category-update","category-windows","tag-problem","tag-update","tag-windows-server"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24587","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=24587"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24587\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=24587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=24587"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=24587"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}