Microsoft says the April 2025 security updates are causing authentication issues on some Windows Server 2025 domain controllers.

"After installing the April Windows monthly security update released April 8, 2025 (KB5055523) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field," Microsoft said in a Windows release health update.

Affected auth protocols include Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT) and Certificate-based Service-for-User Delegation (S4U) via Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation) or Kerberos Constrained Delegation (KCD or A2D2 Delegation).

According to Microsoft, these issues are linked to security measures designed to mitigate a high-severity vulnerability tracked as CVE-2025-26647 that can let authenticated attackers escalate privileges remotely by exploiting an improper input validation weakness in Windows Kerberos. Kerberos superseded NTLM as the new default auth protocol for domain-connected devices on all Windows versions released since Windows 2000.

Last month, Microsoft mitigated another known issue causing authentication problems on Windows 11 and Windows Server 2025 devices using the Kerberos PKINIT security protocol when Credential Guard is enabled. One year earlier, it addressed authentication failures related to Kerberos delegation scenarios on Windows Server and similar Kerberos auth problems impacting domain-connected devices running Windows 2000 and later. Redmond also released emergency out-of-band (OOB) updates in November 2022 to fix a bug causing Kerberos sign-in failures and other auth problems on domain controllers.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 07 May 2025 09:59:59 +0000