Critical Announcement: Windows Hello Kerberos Authentication Issues Identified
Microsoft has acknowledged a significant issue affecting Windows Hello Kerberos authentication on Active Directory Domain Controllers (AD DC). This problem has emerged following the installation of the recent April 2025 Patch Tuesday updates, specifically impacting Windows Server 2025 (KB5055523), Server 2022 (KB5055526), Server 2019 (KB5055519), and Server 2016 (KB5055521).
Details of the Authentication Failure
The updates have led to complications when processing Kerberos logons or delegations that utilize certificate-based credentials. This problem primarily manifests in systems depending on key trust via the msds-KeyCredentialLink field in Active Directory. Consequently, organizations utilizing Windows Hello for Business (WHfB) in Key Trust environments, or those with Device Public Key Authentication (Machine PKINIT), may face authentication failures.
Microsoft elaborated:
“After installing the April Windows monthly security update released April 8, 2025 (KB5055523 / KB5055526 / KB5055519 / KB5055521) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field. This can result in authentication issues in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT).”
…
The affected protocols include Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT) and Certificate-based Service-for-User Delegation (S4U), which operates through both Kerberos Constrained Delegation (KCD) and Kerberos Resource-Based Constrained Delegation (RBKCD).
Understanding the Root Cause
The disruption is attributed to a compatibility issue arising from patches addressing a network security vulnerability in Windows Kerberos, identified as CVE-2025-26647. Further details can be found in the patch notes under KB5057784. As the rollout of these patches is still in the initial deployment phase or audit mode, they are not yet fully enforced.
According to Microsoft, the problem stems from new security protocols introduced in the recent updates. Specifically, the method by which Domain Controllers validate certificates for Kerberos authentication has been modified. The updated process now requires that certificates connect to a root found in the NTAuth store, as detailed in KB5057784.
Microsoft noted:
“This issue is related to security measures described in KB5057784, Protections for CVE-2025-26647 (Kerberos Authentication). Beginning with Windows updates released April 8, 2025 and later, the method in which DCs validate certificates being used for Kerberos authentication has changed. Following this update, they will check if the certificates chain to a root in the NTAuth store, as described in KB5057784.
This behavior can be controlled by the registry value AllowNtAuthPolicyBypass in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc. If AllowNtAuthPolicyBypass does not exist, the DC defaults to behave as if the value is set to “1”. The following two symptoms have been identified:
- If the registry value AllowNtAuthPolicyBypass is configured to “1” on the authenticating Domain Controller, Kerberos-Key-Distribution-Center event ID 45 will be repeatedly logged, indicating: “The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store.” Though this event may be logged multiple times, affected logon processes remain successful without further issues.
- Conversely, if AllowNtAuthPolicyBypass is set to “2”, user logins will fail, and Kerberos-Key-Distribution-Center event ID 21 will appear in the event logs, stating: “The client certificate for the user is not valid and resulted in a failed smartcard logon.””
Current Workaround and Further Information
For organizations currently facing these authentication problems, Microsoft recommends adjusting the Registry setting by changing the value from “2” to “1” to mitigate the impact temporarily. For more detailed information about this issue, you can refer to the entry on the Microsoft Windows Health Dashboard.
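As an added example (not from Microsoft's guidance or the Neowin article), the following PowerShell reads a Domain Controller's effective AllowNtAuthPolicyBypass mode, counts the event ID 45 and 21 entries described above, and wraps the temporary mitigation in a function. It assumes an elevated session on the DC, that the KDC writes these events to the System log under the provider name Microsoft-Windows-Kerberos-Key-Distribution-Center, and that the registry value is a DWORD.

```powershell
# Added example, not Microsoft's or Neowin's code. Assumptions: elevated session on the DC,
# KDC events in the System log under 'Microsoft-Windows-Kerberos-Key-Distribution-Center',
# AllowNtAuthPolicyBypass stored as a DWORD under the Kdc service key.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'

function Get-NtAuthBypassMode {
    # Effective mode: a missing value behaves as 1 (audit), per the article.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$ValueName
}

function Get-KdcNtAuthEvents {
    param([int]$Hours = 24)
    # Event 45: certificate valid but not chained to NTAuth (logon still succeeds).
    # Event 21: client certificate rejected, key trust / smart card logon failed.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 45, 21
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

function Set-NtAuthBypassAudit {
    # Temporary mitigation from the article: move from enforcement (2) back to audit (1).
    Set-ItemProperty -Path $KdcKey -Name $ValueName -Value 1 -Type DWord
}

$mode   = Get-NtAuthBypassMode
$events = @(Get-KdcNtAuthEvents)
$audit  = @($events | Where-Object Id -eq 45)
$failed = @($events | Where-Object Id -eq 21)

Write-Host "$ValueName effective mode: $mode (1 = audit, 2 = enforce)"
Write-Host "Event 45 (valid cert, no NTAuth chain) in last 24h: $($audit.Count)"
Write-Host "Event 21 (certificate logon failed) in last 24h:   $($failed.Count)"

if ($mode -eq 2 -and $failed.Count -gt 0) {
    Write-Warning 'Enforcement is on and certificate logons are failing; consider Set-NtAuthBypassAudit.'
}
elseif ($audit.Count -gt 0) {
    # Audit mode hides the failure; the chains still need fixing before enforcement (KB5057784).
    Write-Warning 'Certificates are not chaining to the NTAuth store; remediate before enforcement.'
}
```

The script only reports by default; call Set-NtAuthBypassAudit explicitly when you decide to apply the workaround.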
For further insights and updates on this developing situation, please visit the Neowin article.