Microsoft: April updates cause Windows Server auth issues

Microsoft has acknowledged that the April 2025 security updates are leading to authentication challenges for certain Windows Server domain controllers. The affected platforms encompass a range of versions, including Windows Server 2016, 2019, 2022, and the newly released Windows Server 2025.

However, the company reassures home users that they are unlikely to encounter these issues, as domain controllers are primarily utilized for business and enterprise authentication purposes.

In a recent Windows release health update, Microsoft elaborated on the matter: “After installing the April Windows monthly security update released April 8, 2025 (KB5055523) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field.” This situation may lead to authentication complications in Windows Hello for Business (WHfB) Key Trust environments or those employing Device Public Key Authentication (Machine PKINIT).

Furthermore, software that depends on these authentication features could also be affected. This includes various third-party single sign-on (SSO) solutions, identity management systems, and smart card authentication products. The impacted authentication protocols consist of:

  • Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT)
  • Certificate-based Service-for-User Delegation (S4U) via Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation)
  • Kerberos Constrained Delegation (KCD or A2D2 Delegation)

Auth issues linked to CVE-2025-26647 security patches

These authentication issues are tied to security measures aimed at addressing a critical vulnerability identified as CVE-2025-26647. This vulnerability could allow authenticated attackers to escalate privileges remotely by exploiting an improper input validation weakness in Windows Kerberos, which has replaced NTLM as the default authentication protocol for domain-connected devices since the release of Windows 2000.

Microsoft explains, “An attacker who successfully exploited this vulnerability could be assigned much greater rights by the Key Distribution Center to the certificate than intended.” The exploitation process involves an authenticated attacker obtaining a certificate containing the target Subject Key Identifier (SKI) value from a Certificate Authority (CA) and subsequently using it to acquire a Ticket Granting Ticket (TGT) for the target user from the Key Distribution Center (KDC).

As a temporary workaround, affected customers are advised to modify the AllowNtAuthPolicyBypass registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc from “2” to “1,” as outlined in the accompanying support document.
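As an added example that is not from the article or from Microsoft's support document, the following PowerShell script audits every domain controller in the domain for the registry value named above, reports whether the April 8, 2025 update (KB5055523) is visible on each, and applies the described 2 to 1 change only when run with -Apply. It assumes PowerShell remoting to the DCs and the RSAT ActiveDirectory module; the meaning of each value is defined in Microsoft's support document, not here.

```powershell
#Requires -Modules ActiveDirectory
# Added example (hypothetical, not Microsoft's tooling): read-only audit of the
# Kdc\AllowNtAuthPolicyBypass workaround value across all DCs; -Apply sets 2 -> 1.
param(
    [switch]$Apply   # without this switch nothing is changed
)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'
$UpdateId  = 'KB5055523'   # April 8, 2025 security update named in the article

$remote = {
    param($Key, $Name, $Kb, $DoApply)

    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    # Get-HotFix only sees this exact KB; a later cumulative update that
    # supersedes it reports a different id, so $false means "not seen", not "unpatched".
    $patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    $changed = $false
    if ($DoApply -and $current -eq 2) {
        # The article's workaround: move from enforcement value 2 to value 1.
        Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
        $changed = $true
    }

    $display = if ($null -eq $current) { 'not set' } else { $current }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        HasAprilUpdate = $patched
        BypassValue    = $display
        ChangedTo1     = $changed
    }
}

# Enumerate all DCs and run the check on each over PowerShell remoting.
$dcs = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ScriptBlock $remote `
               -ArgumentList $KdcKey, $ValueName, $UpdateId, $Apply.IsPresent `
               -ErrorAction Continue

$results | Sort-Object Computer |
    Format-Table Computer, HasAprilUpdate, BypassValue, ChangedTo1 -AutoSize
```

Run it without -Apply first to see which DCs are already at value 1 and which still sit at 2; DCs that fail to respond are reported by Invoke-Command as errors rather than rows.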

Last month, Microsoft also addressed another known issue that caused authentication problems on Windows 11 and Windows Server 2025 devices utilizing the Kerberos PKINIT security protocol when Credential Guard was enabled. Additionally, in November 2022, the company released emergency out-of-band updates to rectify a bug that resulted in Kerberos sign-in failures and other authentication issues on domain controllers.

In the previous year, Microsoft tackled authentication failures related to Kerberos delegation scenarios on Windows Server, as well as similar Kerberos authentication challenges affecting domain-connected devices running Windows 2000 and later.
