KB5014991: Authentication failures occur after the May 10, 2022 update is installed on domain controllers running Windows Server 2012
Summary
This update includes improvements for the following issue:
-
Addresses a known issue that might cause authentication failures for some services on a server or client after you install the May 10, 2022 update on domain controllers. These services include Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). The issue affects how the domain controller manages the mapping of certificates to machine accounts. This issue only affects servers that are used as domain controllers and intermediary application servers which authenticate to domain controllers; it does not affect client Windows devices.
Known issues in this update
We are currently not aware of any issues that affect this update.
How to get this update
Before installing this update
Monthly rollup updates are cumulative and include security and all quality updates. If you use Monthly rollup updates, you have to install both this update and the Monthly rollup released May 10, 2022 to receive the quality updates for May 2022. If you have already installed updates released May 10, 2022, you do not have to uninstall the affected update before you install any later updates including this update.
If you use Security-only updates for Windows Server, you only have to install this update for May 2022. Security-only updates are not cumulative, and you will also have to install all previous Security-only updates to be fully up to date.
Get this update
Important Install this update on all domain controllers and intermediary application servers which authenticate to domain controllers. The intermediary application servers include Network Policy Servers (NPS), RADIUS, Certification Authority (CA), and web servers.
Release Channel |
Available |
Next Step |
Windows Update and Microsoft Update |
No |
See the other options below. |
Microsoft Update Catalog |
Yes |
To get the standalone package for this update, go to the Microsoft Update Catalog website. |
Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager |
No |
You can manually import these updates into Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manger instructions, see Import updates from the Microsoft Update Catalog. |
Note After this update is installed, if you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them. This includes the removal of the registry key (CertificateMappingMethods = 0x1F) documented in the SChannel registry key section of KB5014754. There is no action needed on the client side to resolve this authentication issue.
Prerequisites
We strongly recommend that you install the latest servicing stack update (SSU) before you apply this update. The latest SSU for Windows Server 2012 can be found in ADV990001 | Latest Servicing Stack Updates.
File information
For a list of the files that are provided in this update, download the file information for update KB5014991.
References
Learn about the standard terminology that is used to describe Microsoft software updates.