Microsoft Is Investigating Domain Controller Authentication Failures in Windows

According to the changelog of the Windows 11 Health Dashboard, authentication issues will occur on both the client and the server side after installing this month's update, KB5013943. This type of authentication problem mainly affects enterprises, especially large ones. Enterprises that do not use a domain controller server can ignore this problem.

When this update is installed on the domain controller server, it affects both the server itself and its clients. Microsoft's preliminary finding is that the mapping between certificates and accounts is handled abnormally.

Microsoft writes:

After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.

So if a user encounters the authentication failures described above, retrying is pointless: no matter how many times authentication is attempted, it will not succeed.

Affected platforms:

  • Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 1909; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Enterprise IT administrators can apply a temporary workaround. Currently, the preferred solution is to manually map the certificate to a computer account in the AD domain. If the certificate mapping still does not work, you can try to change the certificate-based authentication, but this reduces security and is not recommended.
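One way to prepare the manual mapping mentioned above, as an added example that is not from this article or from Microsoft. It assumes the mapping is stored in the account's `altSecurityIdentities` attribute in issuer-and-serial form; the function name `ConvertTo-IssuerSerialMapping`, the computer name, and the certificate values are constructed placeholders.

```powershell
# Added example. Builds an issuer + serial number mapping string for the
# altSecurityIdentities attribute of an AD computer account.
function ConvertTo-IssuerSerialMapping {
    param(
        [Parameter(Mandatory)] [string] $Issuer,       # as displayed in the certificate
        [Parameter(Mandatory)] [string] $SerialNumber  # hex string as displayed in the certificate
    )

    # The mapping lists the issuer RDNs in the reverse of the displayed order,
    # separated by commas with no spaces.
    # Assumption: no RDN value contains an escaped comma.
    $rdns = @($Issuer.Trim() -split '\s*,\s*')
    [array]::Reverse($rdns)
    $issuerReversed = $rdns -join ','

    # The serial number is written with its bytes in reverse order.
    $hex = ($SerialNumber -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -eq 0) { throw 'Serial number contains no hex digits.' }
    if ($hex.Length % 2)   { $hex = "0$hex" }           # pad to whole bytes
    $bytes = @([regex]::Matches($hex, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($bytes)

    "X509:<I>${issuerReversed}<SR>$($bytes -join '')"
}

# Constructed sample values, not taken from a real certificate.
$mapping = ConvertTo-IssuerSerialMapping `
    -Issuer 'CN=CONTOSO-DC-CA, DC=contoso, DC=com' `
    -SerialNumber '2B0000000011AC0000000012'
$mapping

# Preview the change against a placeholder computer account. This only runs
# where the ActiveDirectory module is installed; remove -WhatIf to apply it.
if (Get-Command Set-ADComputer -ErrorAction SilentlyContinue) {
    Set-ADComputer -Identity 'NPS-CLIENT01' -Add @{ altSecurityIdentities = $mapping } -WhatIf
}
```

Read the issuer and serial number from the certificate the machine actually presents, and compare the generated string with the certificate details before writing it to the account.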

Microsoft still needs more time to investigate the cause of this problem, and Microsoft may release a fix through an optional update later to solve the problem.