Microsoft has successfully addressed a significant authentication issue that emerged following the installation of the April 2025 security updates on Windows Server domain controllers. This problem predominantly affected enterprise environments utilizing Windows Server 2016, 2019, 2022, and the latest iteration, Windows Server 2025.
Details of the Authentication Issue
In early May, Microsoft acknowledged that the authentication challenges arose after the deployment of the April monthly security update (KB5055523), released on April 8, 2025. The company noted that Active Directory Domain Controllers (DCs) encountered difficulties in processing Kerberos logons or delegations that depend on certificate-based credentials utilizing key trust through the Active Directory msDS-KeyCredentialLink field.
This complication could lead to authentication failures in environments utilizing Windows Hello for Business (WHfB) Key Trust or those employing Device Public Key Authentication (Machine PKINIT). Additionally, software reliant on these authentication features, including identity management systems, third-party single sign-on (SSO) solutions, and smart card authentication products, may also experience disruptions.
Resolution and Recommendations
This week, Microsoft rolled out cumulative updates aimed at rectifying the authentication issues across all affected Windows releases. In a recent Windows release health update, the company emphasized the importance of installing the latest security updates, stating, “We recommend you install the latest security update for your device as it contains important improvements and issue resolutions, including this one.”
For administrators who installed the earlier updates and are still encountering issues, Microsoft advised temporarily holding off on setting the AllowNtAuthPolicyBypass registry key to a value of ‘2’ on updated DCs that service self-signed certificate-based authentication. The company directed users to the Registry Settings section of the KB5057784 support document for further guidance.
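As an added example (not code from the article or from Microsoft), the following PowerShell inventories the AllowNtAuthPolicyBypass setting across every domain controller in the domain, so an administrator can see which DCs are already set to ‘2’ before rolling out the fix and confirm the state afterwards. The registry path under the Kdc service key and the audit/enforcement reading of values 1 and 2 are my assumptions and should be confirmed against the Registry Settings section of KB5057784; the script needs the ActiveDirectory module and remoting rights on the DCs.

```powershell
# Added example (not from the article or from Microsoft): inventory the
# AllowNtAuthPolicyBypass setting on every domain controller so you can see
# which DCs are already in enforcement (2) before or after installing the fix.
# Requires the ActiveDirectory module and PowerShell remoting rights to the DCs.
#
# Assumption: the value lives under the KDC service key below; confirm the
# exact path and the meaning of each value in the KB5057784 support document.
$KdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName  = 'AllowNtAuthPolicyBypass'

# Mapping as I read KB5057784 (assumption, verify against the document):
# 1 = audit only, 2 = enforcement. Anything else is reported raw.
$ModeLabel = @{ 1 = 'Audit'; 2 = 'Enforce' }

function Get-KdcNtAuthBypassSetting {
    param(
        # Defaults to every DC in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
                                   Select-Object -ExpandProperty HostName)
    )

    # Read the value remotely; a missing value is reported as $null.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KdcKeyPath, $ValueName -ScriptBlock {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Value = if ($null -ne $item) { [int]$item.$Name } else { $null }
        }
    } | ForEach-Object {
        $v = $_.Value
        [pscustomobject]@{
            DomainController = $_.PSComputerName
            Value            = $v
            Mode             = if ($null -eq $v) { 'NotSet (KDC default applies)' }
                               elseif ($ModeLabel.ContainsKey($v)) { $ModeLabel[$v] }
                               else { "Unknown ($v), see KB5057784" }
        }
    }
}

# Report, flagging DCs already set to 2 (the value Microsoft said to hold off
# on setting until the fixed update is installed).
$results = Get-KdcNtAuthBypassSetting
$results | Sort-Object DomainController | Format-Table -AutoSize

$enforcing = @($results | Where-Object Value -eq 2)
if ($enforcing.Count -gt 0) {
    Write-Warning ("{0} DC(s) have {1}=2: {2}" -f $enforcing.Count, $ValueName,
        ($enforcing.DomainController -join ', '))
}
```

Run it from a management host with domain admin rights; the table shows each DC's raw value alongside the assumed mode label, and the warning lists any DC still in enforcement mode so it can be cross-checked against the update status of that server.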
Underlying Security Measures
These authentication issues are intricately linked to security enhancements designed to mitigate a high-severity vulnerability (CVE-2025-26647). This vulnerability could potentially allow authenticated attackers to escalate privileges remotely by exploiting an improper input validation flaw within Windows Kerberos, which has been the default authentication protocol for domain-connected devices since the release of Windows 2000.
In addition to this recent fix, Microsoft had previously addressed another authentication issue in April that affected Windows 11 and Windows Server 2025 systems using the Kerberos PKINIT security protocol when Credential Guard was enabled. Moreover, the company had to issue emergency out-of-band updates in November 2022 to resolve a bug that caused Kerberos sign-in failures and other authentication problems impacting Windows domain controllers.