Microsoft has confirmed that Windows Hello Kerberos authentication is broken on Active Directory (AD) Domain Controllers (DC). The problem began after installing the April 2025 Patch Tuesday updates on Windows Server 2025 (KB5055523), Server 2022 (KB5055526), Server 2019 (KB5055519) and Server 2016 (KB5055521).
The company explains:
After installing the April Windows monthly security update released April 8, 2025 (KB5055523 / KB5055526 / KB5055519 / KB5055521) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field. This can result in authentication issues in Windows Hello for Business (WHfB) Key Trust environments or environments which have deployed Device Public Key Authentication (also known as Machine PKINIT).
…
The affected protocols are Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT), and Certificate-based Service-for-User Delegation (S4U) via both Kerberos Constrained Delegation (KCD or A2D2 Delegation) and Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation).
Microsoft adds that other products which rely on this might also be affected, including smart card authentication products, third-party single sign-on (SSO), and so on.
Microsoft has also explained what triggered the problem. The company says it is the result of a compatibility bug with the recent protections deployed for a Windows Kerberos Elevation of Privilege (network) security vulnerability. The vulnerability is tracked as CVE-2025-26647 and the patch details are available under KB5057784.
The rollout of that protection entered its initial deployment phase (audit mode) with the April update, so it is not enforced yet.
Microsoft has explained the root of the problem, and the symptoms, as follows:
This issue is related to security measures described in KB5057784, Protections for CVE-2025-26647 (Kerberos Authentication). Beginning with Windows updates released April 8, 2025 and later, the method by which DCs validate certificates being used for Kerberos authentication has changed. Following this update, they will check whether the certificate chains to a root in the NTAuth store, as described in KB5057784.
This behavior can be controlled by the registry value AllowNtAuthPolicyBypass in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc. If AllowNtAuthPolicyBypass doesn't exist, the DC will behave as if the value is configured to "1".
Two symptoms can be observed from this issue:
- When registry value AllowNtAuthPolicyBypass is set to "1" on the authenticating DC, Kerberos-Key-Distribution-Center Event ID 45 is repeatedly recorded in the DC System event log, with text similar to "The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store". Although this event may be logged excessively, please note that related logon operations are otherwise successful, and no other issues are observed outside of these event log records.
- When registry value AllowNtAuthPolicyBypass is set to "2" on the authenticating DC, user logon operations fail. Kerberos-Key-Distribution-Center Event ID 21 is recorded in the DC System event log, with text similar to "The client certificate for the user is not valid and resulted in a failed smartcard logon."
For now, the company says that the issue can be worked around by setting the aforementioned registry value to "1" instead of "2". Note that "1" only suppresses the failures: the DC still logs Event ID 45 for every affected logon until the certificates chain to a root in the NTAuth store. The issue entry is published on Microsoft's Windows release health dashboard.
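The following PowerShell is an added triage example, not code from Microsoft or from the article: run in an elevated session on a domain controller, it reports the effective AllowNtAuthPolicyBypass mode (a missing value behaves as "1", as quoted above), counts the Event ID 45 / 21 records the advisory describes, lists the NTAuth store the DC now checks against, and can apply the documented workaround of setting the value to "1". Only the registry path, value name and event IDs come from the page; the event provider name, the 24-hour window and the function names are this example's assumptions.

```powershell
# Added example (not Microsoft's or the article's code). Run elevated on each DC.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'      # path from the advisory
$ValueName = 'AllowNtAuthPolicyBypass'                           # value name from the advisory
$Provider  = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' # assumed provider name for the KDC System-log events

function Get-KdcNtAuthMode {
    # Effective mode: 1 = audit (Event 45, logons succeed), 2 = enforce (Event 21, logons fail).
    # Per KB5057784 as quoted above, an absent value is treated as 1.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Configured = $false; Effective = 1 }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Configured = $true; Effective = [int]$item.$ValueName }
}

function Get-KdcNtAuthEvents {
    param([int]$Hours = 24)   # window is an assumption; widen it on a quiet DC
    # Event 45 = certificate valid but not chained to NTAuth (audit hit).
    # Event 21 = client certificate rejected, smartcard/PKINIT logon failed (enforcement).
    $filter = @{
        LogName      = 'System'
        ProviderName = $Provider
        Id           = 45, 21
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count
}

function Set-KdcNtAuthAuditMode {
    # Workaround from the advisory: audit mode (1) instead of enforcement (2).
    if (-not (Test-Path $KdcKey)) { throw "KDC service key not found; is this a domain controller?" }
    New-ItemProperty -Path $KdcKey -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    Get-KdcNtAuthMode
}

# --- triage run ---
$mode = Get-KdcNtAuthMode
$mode | Format-List

$events = Get-KdcNtAuthEvents -Hours 24
if ($events) { $events | Format-Table -AutoSize } else { "No Event 45/21 records in the last 24h." }

if ($mode.Effective -eq 2 -and ($events | Where-Object EventId -eq 21)) {
    Write-Warning "Enforcement mode with Event 21 failures: apply the workaround with Set-KdcNtAuthAuditMode."
}
if ($mode.Effective -eq 1 -and ($events | Where-Object EventId -eq 45)) {
    Write-Warning "Audit mode is masking certificates that do not chain to NTAuth; fix the chain before moving to 2."
}

# Root-cause check: the CAs the DC now requires the certificate chain to terminate in.
certutil -enterprise -store NTAuth
```

To run it fleet-wide, wrap the script in Invoke-Command against the output of Get-ADDomainController -Filter *; the warnings tell you which DCs are silently auditing (Event 45) versus actively failing logons (Event 21). Setting the value to "1" is the advisory's workaround, not a fix: the events stop only once the issuing CA for the certificates in question is present in the NTAuth store listed at the end.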