KB5014990: Authentication failures occur after the May 10, 2022 update is installed on domain controllers running Windows Server 2008 SP2
Summary
This update includes improvements for the following issue:
-
Addresses a known issue that might cause authentication failures for some services on a server or client after you install the May 10, 2022 update on domain controllers. These services include Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). The issue affects how the domain controller manages the mapping of certificates to machine accounts. This issue only affects servers that are used as domain controllers and intermediary application servers which authenticate to domain controllers; it does not affect client Windows devices.
Known issues in this update
We are currently not aware of any issues that affect this update.
How to get this update
Before installing this update
Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Customers who have purchased the Extended Security Update (ESU) for on-premises versions of this OS must follow the procedures in KB4522133 to continue receiving security updates after extended support ended on January 14, 2020. For more information about ESU and which editions are supported, see KB4497181.
Because ESU is available as a separate SKU for each of the years in which they are offered (2020, 2021, and 2022)—and because ESU can only be purchased in specific 12-month periods—you must purchase the third year of ESU coverage separately and activate a new key on each applicable device for your devices to continue receiving security updates in 2022.
If your organization did not purchase the third year of ESU coverage, you must purchase Year 1, Year 2, and Year 3 ESU for your applicable Windows Server 2008 SP2 devices before you install and activate the Year 3 MAK keys to receive updates. The steps to install, activate, and deploy ESUs are the same for first, second, and third year coverage. For more information, see Obtaining Extended Security Updates for eligible Windows devices for the Volume Licensing process and Purchasing Windows 7 ESUs as a Cloud Solution Provider for the CSP process. For embedded devices, contact your original equipment manufacturer (OEM).
For more information, see the ESU blog.
For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following article.
To view other notes and messages for Windows Server 2008 SP2, see the following update history home page.
Monthly rollup updates are cumulative and include security and all quality updates. If you use Monthly rollup updates, you have to install both this update and the Monthly rollup released May 10, 2022 to receive the quality updates for May 2022. If you have already installed updates released May 10, 2022, you do not have to uninstall the affected update before you install any later updates including this update.
If you use Security-only updates for Windows Server, you only have to install this update for May 2022. Security-only updates are not cumulative, and you will also have to install all previous Security-only updates to be fully up to date.
Get this update
Important Install this update on all domain controllers and intermediary application servers which authenticate to domain controllers. The intermediary application servers include Network Policy Servers (NPS), RADIUS, Certification Authority (CA), and web servers.
Release Channel |
Available |
Next Step |
Windows Update and Microsoft Update |
No |
See the other options below. |
Microsoft Update Catalog |
Yes |
To get the standalone package for this update, go to the Microsoft Update Catalog website. |
Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager |
No |
You can manually import these updates into Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manger instructions, see Import updates from the Microsoft Update Catalog. |
Note After this update is installed, if you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them. This includes the removal of the registry key (CertificateMappingMethods = 0x1F) documented in the SChannel registry key section of KB5014754. There is no action needed on the client side to resolve this authentication issue.
File information
For a list of the files that are provided in this update, download the file information for update KB5014990.
References
Learn about the standard terminology that is used to describe Microsoft software updates.