Microsoft says the April 2025 security updates are causing authentication issues on some Windows Server 2025 domain controllers.
The list of impacted platforms includes Windows Server 2016, Windows Server 2019, Windows Server 2022, and the latest version, Windows Server 2025.
However, as the company further explained, home users are unlikely to be affected by this known issue since domain controllers are typically used for business and enterprise authentication.
“After installing the April Windows monthly security update released April 8, 2025 (KB5055523) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field,” Microsoft said in a Windows release health update.
“This can result in authentication issues in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT).”
These problems could also impact software relying on these two features for authentication, including but not limited to third-party single sign-on (SSO) solutions, identity management systems, and smart card authentication products.
Affected auth protocols include Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT) and Certificate-based Service-for-User Delegation (S4U) via Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation) or Kerberos Constrained Delegation (KCD or A2D2 Delegation).
Auth issues linked to CVE-2025-26647 security patches
According to Microsoft, these issues are linked to security measures designed to mitigate a high-severity vulnerability tracked as CVE-2025-26647, an improper input validation weakness in Windows Kerberos that can let authenticated attackers escalate privileges remotely. Kerberos superseded NTLM as the default authentication protocol for domain-connected devices on all Windows versions released since Windows 2000.
“An attacker who successfully exploited this vulnerability could be assigned much greater rights by the Key Distribution Center to the certificate than intended,” Redmond explains.
“An authenticated attacker could exploit this vulnerability by obtaining a certificate containing the target Subject Key Identifier (SKI) value from a Certificate Authority (CA). The attacker could then use this certificate to get a Ticket Granting Ticket (TGT) for the target user from the Key Distribution Center (KDC).”
As a workaround, affected customers are advised to switch the AllowNtAuthPolicyBypass registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc from “2” to “1”, as detailed in this support document.
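The following PowerShell script is an added example, not part of the article or of Microsoft's guidance: it audits the AllowNtAuthPolicyBypass value on every domain controller in the current domain and, only when run with -Apply, sets it to the workaround value 1 after exporting the Kdc key for rollback. It assumes the ActiveDirectory RSAT module is installed and that WinRM access to the DCs is available.

```powershell
# Added example: audit (and optionally apply) the AllowNtAuthPolicyBypass workaround
# on all domain controllers. Without -Apply the script only reports current values.
#Requires -Modules ActiveDirectory
param([switch]$Apply)

$KdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValName = 'AllowNtAuthPolicyBypass'

# Script block executed on each DC; the key/value names are passed in as arguments.
$remote = {
    param($Key, $Name, $Apply)
    $prop   = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $before = if ($null -ne $prop) { [int]$prop.$Name } else { $null }   # $null = value absent
    $after  = $before

    # The article describes switching the value from 2 to 1; only touch DCs not already at 1.
    if ($Apply -and $before -ne 1) {
        # Keep a rollback copy of the whole Kdc key before changing anything.
        $backup = Join-Path $env:TEMP ("Kdc-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc' $backup /y | Out-Null
        New-ItemProperty -Path $Key -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
        $after = 1
    }

    [pscustomobject]@{
        DC      = $env:COMPUTERNAME
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}

# Fan out to every DC in the domain and print one row per controller.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock $remote `
    -ArgumentList $KdcKey, $ValName, $Apply.IsPresent |
    Select-Object DC, Before, After, Changed |
    Format-Table -AutoSize
```

Run it once without -Apply to see which DCs still carry the post-update value before changing anything, and keep the exported .reg files so the value can be restored once a fixed update is installed.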
Last month, Microsoft mitigated another known issue causing authentication problems on Windows 11 and Windows Server 2025 devices using the Kerberos PKINIT security protocol when Credential Guard is enabled.
Redmond also released emergency out-of-band (OOB) updates in November 2022 to fix a bug causing Kerberos sign-in failures and other auth problems on domain controllers.
One year earlier, it addressed authentication failures related to Kerberos delegation scenarios on Windows Server and similar Kerberos auth problems impacting domain-connected devices running Windows 2000 and later.