TL;DR: Are your domain controllers failing authentication after the April 2025 security update? Microsoft confirms that KB5055523 disrupts Kerberos PKINIT on Windows Server environments, leading to issues in Key Trust setups and other third-party authentication systems. This guide explains the affected versions, the root cause linked to CVE-2025-26647, and offers a step-by-step registry workaround.
Introduction
Are your domain controllers throwing errors after installing the April 2025 security update? If you’re experiencing authentication issues on Windows Server 2016, 2019, 2022, or even the latest Windows Server 2025, you’re not alone. The update (KB5055523) has caused significant disruptions with Kerberos-based authentication, particularly affecting Windows Hello for Business (WHfB) and Device Public Key Authentication (Machine PKINIT). This post breaks down the problem, explains the underlying vulnerability, and guides you through troubleshooting these issues.
Which Windows Servers Are Affected?
Microsoft has confirmed that the following server versions can experience authentication failures due to the KB5055523 update:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
While home users typically won’t see these issues, enterprise environments relying on Active Directory domain controllers are at risk.
Why Is This Happening? Understanding the CVE-2025-26647 Vulnerability
The root of these authentication problems lies in the security measures implemented to address a high-severity vulnerability, tracked as CVE-2025-26647. This vulnerability involves improper input validation in Windows Kerberos, which could allow an authenticated attacker to escalate privileges remotely. Essentially, the hardening introduced by the KB5055523 update inadvertently breaks Kerberos PKINIT authentication, and the failures show up in scenarios such as:
- Kerberos PKINIT failures
- Certificate-based Service-for-User Delegation issues
- Problems with Resource-Based Constrained Delegation (RBKCD)
For more background on how Kerberos superseded NTLM as the default authentication protocol, see this discussion on NTLM vs Kerberos.
How to Fix Authentication Failures
Microsoft recommends a registry fix as a workaround for these authentication issues. If your environment is impacted, follow these steps:
- Open the Registry Editor: Press Win + R, type regedit, and press Enter.
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
- Locate the registry value: AllowNtAuthPolicyBypass
- Edit its value: Change the numeric value from 2 to 1
- Restart your server: For the changes to take effect, reboot the affected domain controller.
For further details, refer to Microsoft’s official registry workaround documentation here.
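The same registry change can be applied and, more importantly, reverted in a controlled way from an elevated PowerShell session on the domain controller. The script below is an added example for this post, not code from the original article or from Microsoft's workaround documentation: it reads the current AllowNtAuthPolicyBypass setting, records it to a backup file (the file path is an assumption; pick one that suits your environment) before changing it to 1 as the steps above describe, and provides a rollback function for when a permanent fix is installed.

```powershell
# Added example (not from the original post or from Microsoft): apply, verify and
# revert the AllowNtAuthPolicyBypass workaround on a domain controller, recording
# the previous value so the change can be rolled back after a permanent fix.
# Run in an elevated PowerShell session on the affected DC.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'
# Assumed backup location; choose a path that fits your change-management process.
$Backup    = Join-Path $env:ProgramData 'KdcWorkaround-backup.json'

function Get-KdcBypassSetting {
    # Returns the current DWORD, or $null when the value has never been created.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-KdcBypassWorkaround {
    param([int]$NewValue = 1)   # the post's workaround: change 2 to 1
    $current = Get-KdcBypassSetting

    # Record what was there before touching anything, so the change is reversible.
    @{ Timestamp = (Get-Date).ToString('o'); Previous = $current } |
        ConvertTo-Json | Set-Content -Path $Backup -Encoding UTF8

    if ($null -eq $current) {
        New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $NewValue | Out-Null
    } else {
        Set-ItemProperty -Path $KdcKey -Name $ValueName -Value $NewValue
    }

    $after = Get-KdcBypassSetting
    Write-Host "$ValueName changed from '$current' to '$after'. Reboot the DC for the change to take effect."
}

function Restore-KdcBypassSetting {
    # Roll back to the value saved by Set-KdcBypassWorkaround.
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    $saved = Get-Content -Path $Backup -Raw | ConvertFrom-Json

    if ($null -eq $saved.Previous) {
        # The value did not exist before the workaround, so remove it again.
        Remove-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $KdcKey -Name $ValueName -Value ([int]$saved.Previous)
    }
    Write-Host "$ValueName restored to '$(Get-KdcBypassSetting)'. Reboot the DC for the change to take effect."
}

# Usage:
#   Get-KdcBypassSetting        # inspect the current setting before changing anything
#   Set-KdcBypassWorkaround     # apply the 2 -> 1 workaround from the steps above
#   Restore-KdcBypassSetting    # revert once a permanent fix has been deployed
```

Run the script on every domain controller that serves PKINIT requests, not only the one where the failures were first noticed, and keep the backup file with your change record so the workaround is not left in place indefinitely once Microsoft ships a permanent fix.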
Third-Party Impacts: SSO, Smart Cards, and More
Beyond internal Active Directory issues, the KB5055523 update also affects third-party software environments that depend on Kerberos authentication. This includes:
- Third-party single sign-on (SSO) solutions
- Identity management systems
- Smart card authentication products
Understanding the broad impact can help your IT team prioritize testing and mitigation strategies.
Additional Context: Recent Fixes and Updates
Microsoft has previously addressed similar issues. For instance, in November 2022, emergency out-of-band updates were released to resolve Kerberos sign-in failures. More recently, Microsoft mitigated another authentication issue affecting Windows 11 and Windows Server 2025 devices when Credential Guard is enabled.
Conclusion & Call-to-Action
The April 2025 security updates, particularly KB5055523, have created a challenging scenario for enterprise environments by disrupting Kerberos authentication. Whether you are using Windows Server 2016, 2019, 2022, or 2025, it is crucial to test Microsoft’s recommended registry fix or await further emergency updates.
If you continue to face these issues, we urge IT administrators to download the official fix guide and consult additional resources for safeguarding Key Trust environments. Stay updated with the latest developments and ensure that your systems remain secure in the wake of these critical updates.
For further reading and historical context on similar issues, check out our article on Kerberos authentication fixes and explore insights on past authentication challenges with domain-connected devices.
Remember, keeping your systems secure means staying informed. Regular review of update notes and timely application of recommended workarounds is key to maintaining robust IT infrastructure.