Issue related to Patch KB5013941 issued on May 10th, 2022 


According to some admins, Network Policy Server (NPS) policies were failing and returning an error stating that ‘authentication failed due to a user credential mismatch. Either the user name provided does not map to an existing account or the password was incorrect.’


Others said their Windows Server, which was serving only the DC role and not the ACDS role, experienced the same failing NPS policies. Removing the KB5013941 update reportedly fixed the issue.


One individual reported that they run separate servers for DC and NPS in their environment. After testing the updates on each, they concluded that the NPS servers may be patchable, but the DC servers may need to have the update rolled back.


“After installing updates released May 10, 2022, on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” Microsoft said in an issues document. “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.”



Mi-Token recommends that you do not patch your DC servers until Microsoft announces a new patch without this problem.




https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#you-might-see-authentication-failures-on-the-server-or-client-for-services
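An added example (not from Mi-Token or Microsoft) for checking exposure: it lists which domain controllers have KB5013941 installed and counts, per day, the NPS rejections that carry the credential-mismatch message quoted above. The NPS host name is a placeholder, and the use of Security event ID 6273 for NPS denials is an assumption not stated on this page.

```powershell
# Added example: inventory script, not the vendor's own tooling.
# Needs the ActiveDirectory module (RSAT) and rights to query the hosts remotely.
Import-Module ActiveDirectory

$Kb        = 'KB5013941'             # update named on this page
$NpsServer = 'nps01.example.test'    # placeholder: replace with your NPS host
$Since     = Get-Date '2022-05-10'   # release date given on this page

# 1. Which domain controllers already have the update installed?
$dcReport = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Pull the full hotfix list so an unreachable host is not
        # mistaken for "update not installed".
        $fix   = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                 Where-Object HotFixID -eq $Kb
        $state = if ($fix) { 'Installed' } else { 'NotInstalled' }
    } catch {
        $fix   = $null
        $state = 'QueryFailed'
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        State            = $state
        InstalledOn      = if ($fix) { $fix.InstalledOn } else { $null }
    }
}
$dcReport | Sort-Object State, DomainController | Format-Table -AutoSize

# 2. NPS denials since the release date that carry the mismatch text.
#    Event ID 6273 (NPS denied access) is an assumption, see the lead-in.
$filter = @{ LogName = 'Security'; Id = 6273; StartTime = $Since }
$denied = Get-WinEvent -ComputerName $NpsServer -FilterHashtable $filter `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'credentials? mismatch' }

# Group by day so a jump right after a DC was patched stands out.
$denied |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Compare the day the denials begin with the InstalledOn date of each domain controller before deciding which servers to hold back or roll back.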



Bibliography:



https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931


https://www.itpro.co.uk/infrastructure/server-storage/367663/windows-admin-patch-tuesday-authentication-bug


https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/


https://www.itpro.co.uk/server-storage/microsoft-windows-server/362009/windows-server-admins-agree-to-forgo-broken-patches