NPS stopped working after May 2022 updates

Grt893 21 Reputation points
2022-05-12T08:31:13.247+00:00

Hello,

after installing the latest patch tuesday (May 2022) updates and restarting the servers the domain computers (Win 10) are not able to join to company's local network via ethernet or Wifi anymore. Both connection methods are using NPS with EAP and certificate based authentication.

Before installing the updates everything was working fine. This problem appeared right after installing the updates and rebooting the servers. No change in any settings regarding NPS or certificates were made before the problem started.

After installing the updates the NPS log stopped logging new events despite it seemed to be still enabled for both success and failure. I disabled and then re-enabled the logging and now it seems to log properly.

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Now the log event for every computer trying to join the company's local network seem to be this:

Event ID: 6273

Keyword: Audit Failure

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

What could be the causing this problem?

Thank you in advance!

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,587 questions
{count} votes

Accepted answer
  1. Vasyl Klyuyev 81 Reputation points
    2022-05-12T14:25:46.32+00:00

    For us the workaround was to add reg key here:
    HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\

    value: CertificateMappingMethods
    Data Type: DWORD
    Data: 0x1F

    according to
    https://support.microsoft.com/en-gb/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_certmap


15 additional answers

Sort by: Most helpful
  1. Vasyl Klyuyev 81 Reputation points
    2022-05-12T12:35:57.907+00:00

    Hello, we have the same issues after the update installation.
    All our WiFi clients stop working.

    Microsoft released some KB here https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#you-might-see-authentication-failures-on-the-server-or-client-for-services

    however it is not clear if its fully safe to do those changes across domain controllers or not

    1 person found this answer helpful.

  2. Grt893 21 Reputation points
    2022-05-12T10:05:32.547+00:00

    Some additional info:

    I found this site.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9c8e637e-d42a-479e-a703-110986281ee9/kb4025335-kills-certificate-based-computer-authentication?forum=winserverNAP

    I added the registry entry and rebooted the NPS-server. Unfortunately it didn't help and the problem still remains.

    As a workaround, create the following registry on your server: Create DWORD registry key under:
    SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\
    New_DWORD: DisableEndEntityClientCertCheck
    and set value to 0

    0 comments No comments

  3. Nick Franzen 1 Reputation point
    2022-05-12T14:05:10.713+00:00

    We are having similar issues with NPS as well. This update has also caused DHCP to fail.

    I'm thinking of uninstalling the CU.

    0 comments No comments

  4. Grt893 21 Reputation points
    2022-05-16T04:52:00.42+00:00

    Thank you for the help!

    Modifiying the registry as suggested by VasylKlyuyev seems to get authentication working again.

    That is still a temporary workaround, 'cause it uses weak certificate mapping methods - hope that Microsoft will soon provide a proper update to fix this.

    The SChannel registry key default was 0x1F and is now 0x18. If you experience authentication failures with Schannel-based server applications, we suggest that you perform a test. Add or modify the CertificateMappingMethods registry key value on the domain controller and set it to 0x1F and see if that addresses the issue. Look in the System event logs on the domain controller for any errors listed in this article for more information. Keep in mind that changing the SChannel registry key value back to the previous default (0x1F) will revert to using weak certificate mapping methods.

    Here are a couple of links related to this matter.

    0 comments No comments