Microsoft confirmed that the April 2025 security updates are causing significant authentication problems on several Windows Server versions, including Windows Server 2016, 2019, 2022, and the latest Windows Server 2025. These issues primarily affect enterprise environments using Windows Hello for Business (WHfB) and certificate-based authentication relying on Kerberos protocols.
What’s Happening with April 2025 Windows Server Updates?
As reported by Bleeping Computer, after installing the April 8, 2025 security update (KB5055523) or subsequent patches, Active Directory Domain Controllers (DCs) may fail to process Kerberos logons or delegations that use certificate-based credentials linked via the Active Directory msDS-KeyCredentialLink attribute. This impacts environments configured with Windows Hello for Business in Key Trust mode and those using Device Public Key Authentication (Machine PKINIT).
The affected authentication protocols include:
- Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT)
- Certificate-based Service-for-User Delegation (S4U) via Kerberos Constrained Delegation (KCD) and Resource-Based Constrained Delegation (RBKCD)
These issues can also disrupt third-party single sign-on (SSO) solutions, smart card authentication, and identity management systems relying on these protocols.
Symptoms and Impact
Two main symptoms have been identified depending on a specific registry setting (AllowNtAuthPolicyBypass) on the domain controllers:
- If set to “1”: The DC logs frequent Kerberos event ID 45 warnings about client certificates that do not chain to a root in the NTAuth store. Despite the warnings, logons generally succeed with no user impact.
- If set to “2”: User logons fail outright, with Kerberos event ID 21 logged, indicating invalid client certificates causing failed smart card logons. This setting leads to authentication failures and user lockouts.
The problem is specific to enterprise environments using domain controllers for authentication; home users are unlikely to be affected.
Why Did This Happen?
The root cause stems from security enhancements introduced in the April 2025 update to address CVE-2025-26647, a critical Kerberos authentication vulnerability. The update changed how domain controllers validate certificates used in Kerberos authentication, enforcing that certificates must chain to a trusted root in the NTAuth store.
This stricter validation, while improving security, inadvertently caused compatibility issues with existing certificates and authentication flows in some enterprise setups.
Microsoft’s Response and Workarounds
Microsoft acknowledges the issue and is actively working on a fix. Meanwhile, organizations experiencing logon failures can apply a temporary workaround by changing the AllowNtAuthPolicyBypass registry value from “2” back to “1” on affected domain controllers. This adjustment prevents logon failures but may reduce the strictness of certificate validation.
Additionally, for issues specifically impacting Windows Hello login on Windows 11 and Server 2025 devices, Microsoft recommends users re-enroll their PIN or facial recognition via the sign-in options in Settings.
What Should Enterprises Do Now?
- Assess Impact: Identify if your environment uses Windows Hello for Business in Key Trust mode or Device Public Key Authentication.
- Monitor Event Logs: Look for Kerberos event IDs 21 and 45 on domain controllers to detect potential issues.
- Apply Workaround if Needed: Temporarily set AllowNtAuthPolicyBypass to “1” to avoid logon failures until Microsoft releases a permanent fix.
- Stay Updated: Regularly check Microsoft’s official Windows Server release health page for updates and patches addressing this issue.
- Plan for Patch Testing: Test future updates in a controlled environment before wide deployment to prevent unexpected authentication disruptions.
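The following PowerShell script is an added example, not code from the article or from Microsoft, that walks the first three steps above (and the symptom check from the earlier section) across every domain controller: it counts AD objects carrying msDS-KeyCredentialLink (Key Trust / Machine PKINIT users), reads the current AllowNtAuthPolicyBypass value, tallies Kerberos event IDs 21 and 45 from the last day, and only changes the value from 2 to 1 when explicitly asked and when failures are actually being logged. It assumes the value lives under the KDC service key (HKLM:\SYSTEM\CurrentControlSet\Services\Kdc) and that the events are written to the System log by the Microsoft-Windows-Kerberos-Key-Distribution-Center provider; both are assumptions drawn from Microsoft's published guidance rather than from this article, so verify them against the KB before relying on the script.

```powershell
# Added example (not the article's or Microsoft's code).
# Assumptions, to be verified against Microsoft's KB:
#  - AllowNtAuthPolicyBypass is a DWORD under the KDC service key below
#  - event IDs 21 and 45 come from the KDC provider in the System log
param(
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                    Select-Object -ExpandProperty HostName),
    [int]$LookbackHours = 24,
    [switch]$ApplyWorkaround   # opt in: set 2 -> 1 only where ID 21 failures exist
)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # assumed path
$ValueName = 'AllowNtAuthPolicyBypass'
$Provider  = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'  # assumed provider

# Step 1 - Assess impact: objects with a linked key credential are the ones
# that authenticate via Key Trust / Machine PKINIT and are exposed to the bug.
$keyLinked = @(Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' `
                            -Properties objectClass -ErrorAction SilentlyContinue)
$users     = @($keyLinked | Where-Object objectClass -eq 'user').Count
$computers = @($keyLinked | Where-Object objectClass -eq 'computer').Count
Write-Host "Objects with msDS-KeyCredentialLink: $users users, $computers computers"

# Steps 2 and 3 - per-DC registry state, event counts, optional workaround.
foreach ($dc in $DomainControllers) {
    Invoke-Command -ComputerName $dc `
        -ArgumentList $KdcKey, $ValueName, $Provider, $LookbackHours, [bool]$ApplyWorkaround `
        -ScriptBlock {
            param($key, $name, $provider, $hours, $apply)

            # Current enforcement level: 1 = audit (ID 45 warnings), 2 = enforce (ID 21 failures)
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

            # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero.
            $since  = (Get-Date).AddHours(-$hours)
            $events = @(Get-WinEvent -FilterHashtable @{
                            LogName = 'System'; ProviderName = $provider
                            Id = 21, 45;        StartTime = $since
                        } -ErrorAction SilentlyContinue)
            $id21 = @($events | Where-Object Id -eq 21).Count   # logon failures
            $id45 = @($events | Where-Object Id -eq 45).Count   # chain-to-NTAuth warnings

            # Workaround from the article: relax 2 -> 1, but only where logons are failing.
            $action = 'none'
            if ($apply -and $current -eq 2 -and $id21 -gt 0) {
                Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
                $action = 'AllowNtAuthPolicyBypass set to 1 (audit mode)'
            }

            [pscustomobject]@{
                DC                      = $env:COMPUTERNAME
                AllowNtAuthPolicyBypass = $current
                Event21_Failures        = $id21
                Event45_Warnings        = $id45
                Action                  = $action
            }
        }
}
```

Run it without -ApplyWorkaround first: a DC reporting value 2 together with a non-zero Event21_Failures count is the failure case the article describes, while value 1 with only Event45_Warnings is the audit-only case where logons still succeed. The script deliberately never lowers the value to 0 and never touches a DC that is not logging ID 21, and it does not restart the KDC service; check Microsoft's guidance on whether a restart is needed for the change to take effect. Keep the Event45 counts as your to-do list for fixing certificate chains, since the workaround only hides the enforcement, not the underlying trust gap.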
Why This Matters
Kerberos authentication is foundational to secure access in enterprise networks. Disruptions can cause widespread access issues, impacting productivity and security compliance. Windows Hello for Business adoption is growing as organizations seek passwordless authentication solutions, making this issue particularly critical.