Microsoft Windows Server Updates Trigger NTLM Authentication Issues
Windows administrators, beware! Recent updates for Windows Server deployed in April 2024 have caused a stir, with reports of widespread NTLM authentication failures. This issue can significantly disrupt access to resources within organizations relying heavily on NTLM (NT LAN Manager) authentication.
NTLM: A Legacy Authentication Protocol
NTLM is a challenge-response authentication protocol that has been around for quite some time. While convenient for its simplicity, NTLM suffers from well-documented security weaknesses. It transmits credentials in a non-encrypted format, making it vulnerable to eavesdropping attacks.
Microsoft, in its push for enhanced security, has been gradually phasing out NTLM in favor of more secure alternatives like Kerberos. However, NTLM remains prevalent in many environments due to legacy applications and compatibility issues.
The list of impacted Windows versions and buggy security updates includes Windows Server 2022 (KB5036909), Windows Server 2019 (KB5036896), Windows Server 2016 (KB5036899), Windows Server 2012 R2 (KB5036960), Windows Server 2012 (KB5036969), Windows Server 2008 R2 (KB5036967), and Windows Server 2008 (KB5036932).
The April Update and Its Impact
The specific details regarding the faulty updates are still emerging. However, Microsoft has acknowledged the problem on its Windows health dashboard. The issue appears to primarily affect organizations with:
- A limited number of primary domain controllers (DCs) in their environment.
- A high volume of NTLM authentication traffic.
In such scenarios, the April updates seem to be causing excessive load on the primary DCs, leading to NTLM authentication failures for users trying to access resources.
Current Status and Recommendations
As of now, Microsoft hasn’t pinpointed the root cause of the problem. While a permanent fix is awaited, here’s what you can do:
- Monitor your environment: Closely monitor domain controller performance and user login activity to identify any NTLM authentication issues.
- Consider a rollback (if feasible): In critical environments experiencing severe disruption, rolling back the April updates on your domain controllers might be a temporary solution. However, proceed with caution, as this reintroduces potential security vulnerabilities.
- Explore alternative authentication methods: If feasible, consider migrating applications away from NTLM and towards more secure protocols like Kerberos. This is a long-term solution that strengthens your overall security posture.
- Stay informed: Keep an eye on official Microsoft channels for updates regarding the issue and the availability of a permanent fix.
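The monitoring and rollback advice above can be turned into a repeatable check that a domain administrator runs on each domain controller. The PowerShell script below is an added example written for this page, not code from the article or from Microsoft. It assumes an elevated session on an English-language domain controller (performance counter names are localized), default security auditing so that event 4776 (NTLM credential validation) is logged, and the function names Get-InstalledAffectedUpdate, Get-NtlmLoadSnapshot and Get-NtlmValidationSummary are invented for illustration. The KB numbers are the ones the article lists.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated PowerShell
# session on a domain controller. Assumptions: English counter names, default DC
# auditing (event 4776 present), and hypothetical function names chosen here.

# The security updates the article lists as affected, by OS version.
$AffectedKbs = @('KB5036909','KB5036896','KB5036899','KB5036960',
                 'KB5036969','KB5036967','KB5036932')

# 1. Is one of the April updates actually installed on this DC?
function Get-InstalledAffectedUpdate {
    Get-HotFix | Where-Object { $AffectedKbs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

# 2. Sample the counters that expose NTLM pass-through load on a DC.
#    Rising Netlogon "Semaphore Waiters" / "Semaphore Timeouts" mean the DC cannot
#    keep up with NTLM validation requests, which users see as logon failures.
function Get-NtlmLoadSnapshot {
    param([int]$SampleSeconds = 30)
    $paths = @(
        '\Security System-Wide Statistics\NTLM Authentications',      # per second
        '\Security System-Wide Statistics\Kerberos Authentications',  # per second
        '\Netlogon(_Total)\Semaphore Waiters',
        '\Netlogon(_Total)\Semaphore Timeouts',
        '\Netlogon(_Total)\Average Semaphore Hold Time'
    )
    $sample = Get-Counter -Counter $paths -SampleInterval $SampleSeconds -MaxSamples 1
    foreach ($c in $sample.CounterSamples) {
        [pscustomobject]@{ Counter = $c.Path; Value = [math]::Round($c.CookedValue, 2) }
    }
}

# 3. Summarise NTLM credential validations (event 4776) over the last N minutes:
#    overall rate, failure count, and which accounts / hosts generate the traffic.
function Get-NtlmValidationSummary {
    param([int]$Minutes = 15, [int]$Top = 10)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $filter = @{ LogName = 'Security'; Id = 4776; StartTime = $since }
    # Get-WinEvent raises an error when nothing matches; treat that as zero events.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $parsed = @(foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of relying on
        # positional Properties indexes, which differ between OS versions.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Workstation = ($data | Where-Object Name -eq 'Workstation').'#text'
            Status      = ($data | Where-Object Name -eq 'Status').'#text'   # 0x0 = success
        }
    })
    $failures = @($parsed | Where-Object { $_.Status -ne '0x0' })
    [pscustomobject]@{
        WindowMinutes      = $Minutes
        TotalValidations   = $parsed.Count
        PerMinute          = [math]::Round($parsed.Count / $Minutes, 1)
        Failures           = $failures.Count
        TopFailingAccounts = $failures | Group-Object Account | Sort-Object Count -Descending |
                                 Select-Object -First $Top Name, Count
        TopSourceHosts     = $parsed | Group-Object Workstation | Sort-Object Count -Descending |
                                 Select-Object -First $Top Name, Count
    }
}

# Run the three checks and print them.
Get-InstalledAffectedUpdate           | Format-Table -AutoSize
Get-NtlmLoadSnapshot                  | Format-Table -AutoSize
Get-NtlmValidationSummary -Minutes 15 | Format-List

# Rollback, if you accept the caveat in the article, stays a deliberate manual step:
#   wusa.exe /uninstall /kb:5036909 /norestart   (substitute the KB for your OS version)
```

Run the script a few times during a busy period: a high and rising NTLM authentications rate together with non-zero Netlogon semaphore waiters or timeouts is the DC-side signature of the overload the article describes, while TopSourceHosts tells you which systems are sending the NTLM traffic. That same host list is a starting point for the longer-term Kerberos migration; for a fuller inventory, the Group Policy setting "Network security: Restrict NTLM: Audit NTLM authentication in this domain" in audit mode records NTLM use on domain controllers in the Microsoft-Windows-NTLM/Operational log (event 8004) without blocking anything.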
Microsoft is likely prioritizing a resolution for this disruptive issue. By following these recommendations and staying informed, you can minimize the impact on your organization’s operations.