Microsoft has confirmed that Kerberos authentication for Windows Hello for Business Key Trust (and Machine PKINIT) is broken on Active Directory (AD) Domain Controllers (DCs). The issue started after installing the April 2025 Patch Tuesday updates on Windows Server 2025 (KB5055523), Server 2022 (KB5055526), Server 2019 (KB5055519) and Server 2016 (KB5055521).
The company explains:
After installing the April Windows monthly security update released April 8, 2025 (KB5055523 / KB5055526 / KB5055519 / KB5055521) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msDS-KeyCredentialLink field. This can result in authentication issues in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT).
...
The affected protocols are Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT), and Certificate based Service-for-User Delegation (S4U) via both Kerberos Constrained Delegation (KCD or A2D2 Delegation) and Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation).
Microsoft adds that other products which rely on these protocols can also be affected, including smart card authentication products, third-party single sign-on (SSO), and so on.
Microsoft has also explained what triggered the issue. The company says the problem is a compatibility issue caused by the protections it shipped for a Windows Kerberos elevation-of-privilege (network) vulnerability, tracked as CVE-2025-26647; the hardening itself is documented in KB5057784.
With the April update those protections entered the initial deployment phase (audit mode), so the new check is not yet enforced by default.
Microsoft describes the root cause and the symptoms as follows:
This issue is related to security measures described in KB5057784, Protections for CVE-2025-26647 (Kerberos Authentication). Beginning with Windows updates released April 8, 2025 and later, the method in which DCs validate certificates being used for Kerberos authentication has changed. Following this update, they will check if the certificates chain to a root in the NTAuth store, as described in KB5057784.
This behavior can be controlled by the registry value AllowNtAuthPolicyBypass in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc. If AllowNtAuthPolicyBypass does not exist, the DC will behave as if the value is configured to “1”.
Two symptoms can be observed from this issue:
- When registry value AllowNtAuthPolicyBypass is set to "1" on the authenticating DC, Kerberos-Key-Distribution-Center event ID 45 is repeatedly recorded in the DC system event log, with text similar to "The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store". Although this event may be logged excessively, please note that related logon operations are otherwise successful, and no other issues are observed outside of these event log records.
- When registry value AllowNtAuthPolicyBypass is set to "2" on the authenticating DC, user logon operations fail. Kerberos-Key-Distribution-Center event ID 21 is recorded in the DC system event log, with text similar to "The client certificate for the user is not valid and resulted in a failed smartcard logon."
For now, the company says that the issue can be worked around by setting the aforementioned registry value to "1" instead of "2" on the affected DCs. Note that "1" only drops the check back to audit mode: the NTAuth validation still runs and event ID 45 keeps being logged for every affected logon, but the logons succeed. You can find the issue entry on Microsoft's Windows release health dashboard.
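The following PowerShell is an added example for this post, not code from Microsoft's KB articles or from the original author. It surveys every DC for the AllowNtAuthPolicyBypass value, reports which of the two symptoms (event ID 45 in audit mode, event ID 21 in enforced mode) each DC is logging, and applies the "set it to 1" workaround only where logons are actually failing. It assumes an elevated, domain-joined admin host with the ActiveDirectory module and PowerShell remoting to the DCs; the KDC event provider name and the function names are my own assumptions.

```powershell
# Added example for this post; not code from Microsoft or the original author.
# Assumptions: ActiveDirectory module, PS remoting to every DC, and that the KDC
# events live under the provider named below (check with Get-WinEvent -ListProvider).

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'

function Get-KdcNtAuthState {
    # One object per DC: configured value, effective mode, and how many audit (45)
    # and failure (21) KDC events it has logged in the last 24 hours.
    param([Parameter(Mandatory)][string[]]$DomainController)

    Invoke-Command -ComputerName $DomainController -ArgumentList $KdcKey, $ValueName -ScriptBlock {
        param($Key, $Name)

        $raw = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        # Per Microsoft's text: if the value is absent, the DC behaves as if it were 1.
        $effective = if ($null -eq $raw) { 1 } else { [int]$raw }
        $mode = switch ($effective) { 1 { 'Audit' } 2 { 'Enforced' } default { "Other($effective)" } }

        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'  # assumed provider name
            Id           = 45, 21
            StartTime    = (Get-Date).AddHours(-24)
        } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DC              = $env:COMPUTERNAME
            ConfiguredValue = $raw                                          # $null when the value does not exist
            EffectiveMode   = $mode
            AuditEvents45   = @($events | Where-Object Id -eq 45).Count     # cert valid but not chained to NTAuth; logon still succeeds
            FailEvents21    = @($events | Where-Object Id -eq 21).Count     # cert rejected; logon failed
        }
    }
}

function Set-KdcNtAuthAudit {
    # The workaround from the post: drop enforcement (2) back to audit (1).
    # Event ID 45 will keep being logged until the certificate chain itself is fixed.
    param([Parameter(Mandatory)][string[]]$DomainController)

    Invoke-Command -ComputerName $DomainController -ArgumentList $KdcKey, $ValueName -ScriptBlock {
        param($Key, $Name)
        Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
        "$env:COMPUTERNAME : $Name set to 1 (audit mode)"
    }
}

# Usage: survey every DC, then relax only those that are enforcing and have
# actually rejected logons (event ID 21) since the April update.
$dcs   = (Get-ADDomainController -Filter *).HostName
$state = Get-KdcNtAuthState -DomainController $dcs
$state | Format-Table DC, ConfiguredValue, EffectiveMode, AuditEvents45, FailEvents21 -AutoSize

$state | Where-Object { $_.EffectiveMode -eq 'Enforced' -and $_.FailEvents21 -gt 0 } |
    ForEach-Object { Set-KdcNtAuthAudit -DomainController $_.DC }
```

The point of surveying before changing anything is that the two symptoms call for different responses: a DC that only logs event ID 45 is still authenticating users and does not need the registry change, while one that logs event ID 21 is rejecting them. In either case the events tell you which certificates do not chain to the NTAuth store, which is the condition the new check in KB5057784 is testing, so they are the list to work through before enforcement is turned back on.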
Hope you enjoyed this news post.
Thank you for appreciating my time and effort posting news every day for many years.
News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of April): 1,811
RIP Matrix | Farewell my friend