Original publish date: April 8, 2025
KB ID: 5057784
|
Change date |
Change description |
|
May 9, 2025 |
|
In this article
Summary
The Windows security updates released on or after April 8, 2025, contain protections for a vulnerability with Kerberos authentication. This update provides a change in behavior when the issuing authority of the certificate used for a security principal's certificate-based authentication (CBA) is trusted, but not in the NTAuth store, and a Subject Key Identifier (SKI) mapping is present in the altSecID attribute of the security principal using certificate-based authentication. To learn more about this vulnerability, please see CVE-2025-26647.
Take Action
To help protect your environment and prevent outages, we recommend the following steps:
-
UPDATE all domain controllers with a Windows update released on or after April 8, 2025.
-
MONITOR new events that will be visible on domain controllers to identify affected certificate authorities.
-
ENABLE Enforcement mode after your environment is now only using logon certificates issued by authorities that are in the NTAuth store.
altSecID attributes
The following table lists all the Alternative Security Identifiers (altSecIDs) attributes and the altSecIDs that are impacted by this change.
|
List of Certificate attributes that could be mapped to altSecIDs |
AltSecIDs that require a matching certificate to chain to the NTAuth store |
|
X509IssuerSubject X509IssuerSerialNumber X509SKI X509SHA1PublicKey X509RFC822 X509SubjectOnly X509NSubjectOnly X509PublicKeyOnly |
X509IssuerSerialNumber X509SKI X509SHA1PublicKey X509IssuerSubject X509NSubjectOnly |
Timeline of changes
April 8, 2025: Initial Deployment phase – Audit mode
The initial deployment phase (Audit mode) starts with the updates released on April 8, 2025. These updates change the behavior that detects the elevation of privilege vulnerability described in CVE-2025-26647 but does not initially enforce it.
While in Audit mode, Event ID: 45 will be logged on the domain controller when it receives a Kerberos authentication request with an unsafe certificate. The authentication request will be allowed and no client errors are expected.
To enable the change in behavior and be secure from the vulnerability, you must ensure all Windows domain controllers are updated with a Windows update release on or after April 8, 2025, and the AllowNtAuthPolicyBypass registry key setting is set to 2 to configure for Enforcement mode.
When in Enforcement mode, if the domain controller receives a Kerberos authentication request with an unsafe certificate, it will log legacy Event ID: 21 and deny the request.
To turn on the protections offered by this update, follow these steps:
-
Apply the Windows update released on or after April 8, 2025, to all domain controllers in your environment. After applying the update, the AllowNtAuthPolicyBypass registry value is set to 1 which enables the NTAuth check and the Audit log warning events.IMPORTANT If you are not ready to proceed to apply the protections offered by this update, set the registry key to 0 to temporarily disable this change. See the Registry Key Information section for more information.
-
Monitor new events that will be visible on domain controllers to identify affected certificate authorities that are not part of the NTAuth store. The Event ID you need to monitor is Event ID: 45. See the Audit Events section for more information about these events.
-
Ensure all client certificates are valid and chained to a trusted Issuing CA in the NTAuth store.
-
After all Event ID: 45 events are resolved, then you can proceed to Enforcement mode. To do this, set the AllowNtAuthPolicyBypass registry value to 2. See the Registry Key Information section for more information.Note We recommend to temporarily delay setting AllowNtAuthPolicyBypass = 2 until after applying the Windows update released after May 2025 to domain controllers which service self-signed certificate-based authentication used in multiple scenarios. This includes domain controllers which service Windows Hello for Business Key Trust and Domain-joined Device Public Key Authentication.
July 2025: Enforced by Default phase
Updates released in or after July 2025 will enforce the NTAuth Store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.
October 2025: Enforcement mode
Updates released in or after October 2025 will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are a part of NTAuth store.
Registry Settings and Event Logs
Registry Key Information
The following registry key allows for auditing vulnerable scenarios and then enforcing the change once vulnerable certificates are addressed. The registry key will not be created automatically. The behavior of the OS when the registry key is unconfigured will depend on which phase of the deployment it is in.
AllowNtAuthPolicyBypass
|
Registry Subkey |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc |
|
|
Value |
AllowNtAuthPolicyBypass |
|
|
Data Type |
REG_DWORD |
|
|
Value data |
0 |
Disables the change entirely. |
|
1 |
Performs the NTAuth check and log warning event indicating certificate that was issued by an authority that’s not part of NTAuth store (Audit mode). (Default behavior starting in the April 8, 2025 release.) |
|
|
2 |
Perform the NTAuth check and if it fails don’t allow the logon. Log normal events (existing) for an AS-REQ failure with an error code indicating the NTAuth check failed (Enforced mode). |
|
|
Comments |
The AllowNtAuthPolicyBypass registry setting should only be configured on Windows KDCs such as domain controllers that have installed the Windows updates released in or after May 2025. |
|
Audit Events
Event ID: 45 | NT Auth Store Check Audit Event
Administrators should watch for the following event added by the installation of Windows updates released on or after April 8, 2025. If it exists, it implies that a certificate was issued by an authority that is not part of the NTAuth store.
|
Event Log |
Log System |
|
Event Type |
Warning |
|
Event Source |
Kerberos-Key-Distribution-Center |
|
Event ID |
45 |
|
Event Text |
The Key Distribution Center (KDC) encountered a client certificate that was valid but not chained to a root in the NTAuth store. Support for certificates that do not chain to the NTAuth store is deprecated. Support for certificates chaining to non-NTAuth stores is deprecated and insecure. See https://go.microsoft.com/fwlink/?linkid=2300705 to learn more. User: <UserName> Certificate Subject: <Cert Subject> Certificate Issuer: <Cert Issuer> Certificate Serial Number: <Cert Serial Number> Certificate Thumbprint: < CertThumbprint> |
|
Comments |
|
Event ID: 21 | AS-REQ Failure Event
After addressing Kerberos-Key-Distribution-Center Event 45, the logging of this generic, legacy event indicates that the client certificate is still NOT trusted. This event may be logged for multiple reasons, one of which is that a valid client certificate is NOT chained to an Issuing CA in the NTAuth store.
|
Event Log |
Log System |
|
Event Type |
Warning |
|
Event Source |
Kerberos-Key-Distribution-Center |
|
Event ID |
21 |
|
Event Text |
The client certificate for the user <Domain\UserName> is not valid and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. |
|
Comments |
|
Known issue
Customers reported issues with Event ID: 45 and Event ID: 21 triggered by certificate-based authentication using self-signed certificates. To see more information, please refer to the known issue documented on Windows release health:
-
Windows Server 2025: Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events
-
Windows Server 2022: Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events
-
Windows Server 2019: Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events
-
Windows Server 2016: Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events
