Microsoft fixes Windows Server auth issues caused by April updates



Microsoft has fixed a known issue causing authentication problems on Windows Server domain controllers after installing the April 2025 security updates.

Platforms affected by these problems include Windows Server 2016, Windows Server 2019, Windows Server 2022, and the latest version, Windows Server 2025.

However, as Microsoft further explained when it acknowledged this known issue in early May, home users are unlikely to be impacted since domain controllers are typically used in enterprise authentication scenarios.

“After installing the April Windows monthly security update released April 8, 2025 (KB5055523) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field,” Microsoft said.

“This can result in authentication issues in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT).”

These issues could also affect software using these two features for authentication, including but not limited to identity management systems, third-party single sign-on (SSO) solutions, and smart card authentication products.

This week, the company released the following cumulative updates that resolve the auth issues on all impacted Windows releases:

“We recommend you install the latest security update for your device as it contains important improvements and issue resolutions, including this one,” Redmond explains in a Tuesday Windows release health update.

“If you are using an update released before this date and have this issue, you should temporarily delay setting a value of ‘2’ to registry key AllowNtAuthPolicyBypass on updated DCs servicing self-signed certificate-based authentication,” it added, referring admins to the Registry Settings section of the KB5057784 support document.
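Before touching that value, an admin wants to know which domain controllers already have it set and what update each one is on. The following audit script is an added example, not code from the article or from Microsoft; it assumes the value lives under the Kdc service key as described in KB5057784 and that the ActiveDirectory module and WinRM are available.

```powershell
# Added example (not from the article): report AllowNtAuthPolicyBypass and the
# most recent installed update on every DC in the domain, and flag DCs that are
# already in mode 2 so they can be checked against the fix KB for their OS build.
# Assumption: the value is stored under the Kdc service key per KB5057784.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList $KdcKey, $ValueName -ScriptBlock {
    param($Key, $Name)
    # Read the value; $null means the key or value is absent on this DC.
    $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    # Most recently installed update, to correlate with the cumulative update that carries the fix.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        DC                = $env:COMPUTERNAME
        AllowNtAuthBypass = $(if ($null -eq $value) { 'not set' } else { $value })
        LatestHotFix      = $latest.HotFixID
        InstalledOn       = $latest.InstalledOn
    }
}

$report | Sort-Object DC |
    Select-Object DC, AllowNtAuthBypass, LatestHotFix, InstalledOn |
    Format-Table -AutoSize

# DCs already enforcing (value 2) are the ones exposed to the Key Trust / Machine PKINIT
# logon failures if they are still on an affected April/May update.
$report | Where-Object { $_.AllowNtAuthBypass -eq 2 } | ForEach-Object {
    Write-Warning "$($_.DC): $ValueName=2; confirm the fixed cumulative update is installed"
}
```

Run it from a workstation with RSAT as a domain admin; DCs that report "not set" have not been moved to enforcement, so the workaround in the paragraph above does not apply to them yet.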

As Microsoft explained last month, these authentication issues are linked to security measures that mitigate a high-severity vulnerability (CVE-2025-26647) that can let authenticated attackers escalate privileges remotely by exploiting an improper input validation weakness in Windows Kerberos (which replaced NTLM as the default authentication protocol for domain-joined devices starting with Windows 2000).

In April, Microsoft fixed another known issue causing auth problems on Windows 11 and Windows Server 2025 systems using the Kerberos PKINIT security protocol when Credential Guard is enabled.

The company also had to release emergency out-of-band (OOB) updates in November 2022 to resolve a bug causing Kerberos sign-in failures and other auth issues affecting Windows domain controllers.

