{"id":37973,"date":"2025-05-08T00:02:37","date_gmt":"2025-05-07T22:02:37","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=37973"},"modified":"2025-05-07T18:22:05","modified_gmt":"2025-05-07T16:22:05","slug":"windows-server-issues-with-windows-hello-issue-and-kerberos-events-caused-by-april-2025-updates-confirmed","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/05\/08\/windows-server-issues-with-windows-hello-issue-and-kerberos-events-caused-by-april-2025-updates-confirmed\/","title":{"rendered":"Windows Server: Issues with Windows Hello issue and Kerberos events caused by April 2025 updates confirmed"},"content":{"rendered":"

\"Windows\"[German<\/a>]The April 2025 security updates for Windows Server may cause problems with domain controllers so that Kerberos event IDs 45 and 21 are logged. Microsoft has confirmed this problem and writes that logging in with Windows Hello in Key Trust mode can fail. Private users are probably not affected by these problems, because they don't use Domain Controllers.<\/p>\n

<\/p>\n

\"\"On April 8, 2025, Microsoft rolled out security updates for Windows clients and servers that close various vulnerabilities (mentioned in Microsoft Security Update Summary (April 8, 2025)<\/a>). For Windows Server, the updates are listed in the article Patchday: Windows Server-Updates (April 8, 2025)<\/a>.<\/p>\n

Hello logon problem and Kerberos events<\/h2>\n

As of May 6, 2025, Microsoft has published the support article Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events<\/a> in the Windows Release Health dashboard of Windows Server 2025 (and other server versions). There Microsoft confirms problems after installation of the monthly Windows security update from April 8, 2025 (for Windows Server 2025 this is KB5055523) or later updates.<\/p>\n

Active Directory Domain Controllers (DC) may experience problems when processing Kerberos logins or delegations, it is reported. These occur when the Kerberos logins or delegations use certificate-based credentials that are based on key trust via the Active Directory field msds-KeyCredentialLink<\/em>.<\/p>\n

According to Microsoft, this can lead to authentication problems in Windows Hello for Business (WHfB) key trust environments or in environments where Device Public Key Authentication (also known as Machine PKINIT) is used. It is also possible that other products that rely on this function are also affected. Microsoft mentions smart card authentication products, third-party single sign-on (SSO) solutions and identity management systems in this context.<\/p>\n

Affected protocols are Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT) and certificate-based Service-for-User Delegation (S4U) via Kerberos Constrained Delegation (KCD or A2D2 Delegation) and Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation).<\/p>\n

This problem is related to the protection against the vulnerability described in KB5057784, Protections for CVE-2025-26647 (Kerberos Authentication)<\/a>, which will be closed by the security updates such as KB5057784 (for Server 2025). Subsequent updates will also cause these problems.<\/p>\n

The background: Starting with the Windows updates released on April 8, 2025 and later, the method used by DCs to check the certificates used for Kerberos authentication has changed. If the April 2025 update is installed, they will check if the certificates are chained to a root in the NTAuth store (described in KB5057784<\/a>).<\/p>\n

This behavior can be prevented by the registry value AllowNtAuthPolicyBypass in the key:<\/p>\n

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc<\/pre>\n
If AllowNtAuthPolicyBypass<\/em> is not present, the DC behaves as if the value was configured to \"1\". If the problem occurs, two symptoms can be observed:<\/p>\n