Microsoft Resolves Windows Server 2025 Restart Bug Disrupting Active Directory Connectivity

Microsoft has addressed two separate issues affecting Windows Server 2025 domain controllers through its June 2025 Patch Tuesday updates, resolving Kerberos authentication failures and a post-restart firewall-profile problem that have troubled administrators since April.

The fixes ship in cumulative update KB5060842 which, besides its security content, resolves the regressions that were causing significant operational disruption in enterprise environments.

Kerberos Authentication Problems Traced

The authentication issues stemmed from security update KB5055523, released in April 2025 to address the Kerberos vulnerability CVE-2025-26647.

This update changed how domain controllers validate client certificates used for Kerberos (PKINIT) authentication: the certificate must now chain to an issuing certificate authority (CA) present in the NTAuth store, unless the KDC has been told to bypass that policy.

The change particularly impacted Windows Hello for Business (WHfB) Key Trust deployments and Device Public Key Authentication (Machine PKINIT), causing two distinct scenarios depending on registry configuration.

The behaviour is controlled by the DWORD value AllowNtAuthPolicyBypass under HKLM\SYSTEM\CurrentControlSet\Services\Kdc. When the value was unconfigured or set to 1 (Audit mode), domain controllers repeatedly logged Kerberos-Key-Distribution-Center event ID 45 ("valid certificate that did not chain to a root in the NTAuth store").

When set to 2 (Enforcement mode), authentication with self-signed certificates failed outright, generating event ID 21.

Both outcomes were false positives for these deployments: WHfB Key Trust and Machine PKINIT use self-signed certificates that legitimately never chain to a CA in the NTAuth store. Microsoft's June updates correct the handling so that these certificates no longer trigger the events.

The fix is included in KB5060842 for Windows Server 2025, along with corresponding updates for earlier server versions.
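The following PowerShell script is an added example, not code from Microsoft or from the original article. Run in an elevated session on a domain controller, it reports the current AllowNtAuthPolicyBypass setting, counts the KDC event 45/21 occurrences described above over the last seven days, and checks whether one of the June 2025 cumulative updates listed in this article is installed. The seven-day window and the output wording are my own choices.

```powershell
# Added example (not Microsoft's code): audit a DC's CVE-2025-26647 hardening state
# and look for the KDC events described in the article. Run elevated on the DC.

$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$props  = Get-ItemProperty -Path $kdcKey -Name AllowNtAuthPolicyBypass -ErrorAction SilentlyContinue
$value  = $props.AllowNtAuthPolicyBypass

if ($null -eq $value)  { $mode = 'Not configured (behaves like 1, Audit)' }
elseif ($value -eq 1)  { $mode = 'Audit' }
elseif ($value -eq 2)  { $mode = 'Enforcement' }
else                   { $mode = "Unexpected value $value" }
Write-Host "AllowNtAuthPolicyBypass = $mode"

# Event 45: certificate valid but did not chain to a CA in NTAuth (Audit warning).
# Event 21: client certificate rejected and the logon failed (Enforcement).
# The KDC writes both to the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 45, 21
    StartTime    = (Get-Date).AddDays(-7)   # arbitrary 7-day window
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Group-Object -Property Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
    # Most recent message, so the affected account or device can be identified
    $events | Sort-Object TimeCreated -Descending |
        Select-Object -First 1 -ExpandProperty Message
} else {
    Write-Host 'No KDC event 45/21 in the last 7 days.'
}

# June 2025 cumulative updates that carry the fix (one per server version).
$juneKbs   = 'KB5060842', 'KB5060526', 'KB5060531', 'KB5061010'
$installed = Get-HotFix | Where-Object { $juneKbs -contains $_.HotFixID }

if ($installed) {
    Write-Host "June 2025 fix present: $($installed.HotFixID -join ', ')"
} elseif ($value -eq 2) {
    Write-Warning 'Enforcement (2) is set but the June 2025 update is missing; self-signed WHfB Key Trust / Machine PKINIT logons will fail.'
} else {
    Write-Warning 'June 2025 update not found; event 45 noise is expected until it is installed.'
}
```

Get-HotFix reads the Win32_QuickFixEngineering class, which occasionally omits a cumulative update; if it reports nothing, confirm the OS build with `winver` or `Get-ComputerInfo` before concluding the DC is unpatched.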

Network Traffic Management Failures

A separate critical issue affected Windows Server 2025 domain controllers’ ability to manage network traffic correctly after system restarts.

After a restart, affected domain controllers failed to apply the Domain firewall profile and instead fell back to the standard (non-domain) firewall profile.

As a result, domain controllers either became unreachable on domain networks or were exposed over ports and protocols that the Domain profile would have blocked.

Applications and services running on affected domain controllers or remote devices experienced failures or became unreachable.

Microsoft provided a temporary workaround requiring administrators to restart network adapters manually using the PowerShell command:

```powershell
Restart-NetAdapter *
```

However, this workaround needed to be repeated after every reboot until the permanent fix was installed.
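The script below is an added example, not Microsoft's code or part of the original article. It turns the manual workaround into a startup check for a domain controller that has not yet received the June 2025 update: it inspects the network connection profiles, applies `Restart-NetAdapter` only when an interface did not come up as DomainAuthenticated, and re-checks afterwards. The helper function name and the 20-second settling delay are my own.

```powershell
# Added example (not Microsoft's code): after a Windows Server 2025 DC restarts,
# confirm that its connection profiles are DomainAuthenticated and apply the
# documented Restart-NetAdapter workaround only when they are not.
# Intended to run elevated as a scheduled task at startup on a pre-June-2025 DC.

function Get-NonDomainProfiles {
    # The Domain firewall profile is only in effect on interfaces whose
    # connection profile is DomainAuthenticated.
    Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
}

$before = Get-NonDomainProfiles
if (-not $before) {
    Write-Host 'All connection profiles are DomainAuthenticated; Domain firewall profile in effect.'
    return
}

Write-Warning 'Domain firewall profile was not applied on:'
$before | Format-Table InterfaceAlias, NetworkCategory, IPv4Connectivity -AutoSize

# Microsoft's workaround: bounce every adapter so the profile is re-evaluated.
# Expect a brief loss of connectivity on the DC while this runs.
Restart-NetAdapter -Name '*' -Confirm:$false
Start-Sleep -Seconds 20   # arbitrary settling time for NLA to re-classify

$after = Get-NonDomainProfiles
if ($after) {
    Write-Error 'Adapters restarted but some profiles are still not DomainAuthenticated:'
    $after | Format-Table InterfaceAlias, NetworkCategory -AutoSize
} else {
    Write-Host 'Profiles are now DomainAuthenticated. Firewall profile settings:'
    Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize
}
```

Because restarting adapters interrupts replication, LDAP and Kerberos traffic for a few seconds, schedule this only on DCs still awaiting KB5060842; once the update is installed the check should pass on every boot and the task can be removed.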

Comprehensive Resolution

The June 2025 Patch Tuesday delivered comprehensive fixes addressing both authentication and network management issues.

Microsoft released coordinated updates across multiple Windows Server versions to ensure consistent resolution:

Windows version        Update KB    Status
Windows Server 2025    KB5060842    Resolved
Windows Server 2022    KB5060526    Resolved
Windows Server 2019    KB5060531    Resolved
Windows Server 2016    KB5061010    Resolved

The June 2025 updates address 66 vulnerabilities in total, 10 of them rated Critical, including one zero-day that was already being exploited in the wild.

Microsoft strongly recommends immediate installation of these updates, emphasizing that they contain “important improvements and issue resolutions”.

For organizations that have not yet installed the June updates, Microsoft advises against setting the AllowNtAuthPolicyBypass registry value to 2 on domain controllers that handle self-signed certificate-based authentication (WHfB Key Trust, Machine PKINIT), since Enforcement mode on an unpatched DC rejects those logons.

These fixes represent crucial stability improvements for Windows Server 2025 environments, particularly those utilizing modern authentication protocols and hybrid cloud capabilities.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.