Symptoms
Recent updates to Windows Server 2019 introduced changes to the Kerberos protocol to address security vulnerabilities (the changes for CVE-2022-37967 described in KB5020805). These changes can cause SAML authentication failures, particularly where outdated certificates or configurations are still in use.
Cause
Applying the latest updates on the Windows Server 2019 Domain Controller (DC) and Certificate Authority (CA) does not by itself cause failures attributable to the Kerberos protocol changes described in KB5020805.
Older certificates (issued before the update) can still be used for authentication even when KrbtgtFullPacSignature is set to 3 (Enforced). With enforcement in place, authentication failures can occur for non-compliant devices.
Outdated clients, however, had difficulty discovering the Certificate Authority (CA) because of the DCOM security updates.
Devices in Compatibility Mode for certificate mapping can still authenticate. Enforcing strong certificate mapping validation without reissuing the certificates will cause authentication failures.
Failures surface as status 0xC000006D ("This is either due to a bad username or authentication information"). This status typically indicates an authentication failure caused by incorrect credentials or by certificate validation problems.
Resolution
1. Verify Windows Updates
Ensure your Domain Controller (DC) and Certificate Authority (CA) are fully updated:
- Open Windows Update Settings on the server.
- Confirm that the November 8, 2022 or later cumulative update is installed. KB5020805 is the guidance article for the Kerberos protocol changes (CVE-2022-37967); the changes themselves ship in the cumulative update, not as a separate package.
- If missing, download the cumulative update from Microsoft Support (Microsoft Update Catalog) and install it manually.
2. Check Kerberos PAC Signature Enforcement
Some authentication failures occur because of the PAC signature enforcement setting.
- Open the Registry Editor (regedit.exe).
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc and look for the KrbtgtFullPacSignature value (REG_DWORD).
- Set the value to 3 (Enforcement).
- If Enforcement (3) causes failures, temporarily set it to 2 (Audit Mode), review the events it produces, and only then make the change permanent.
3. Resolve Certificate Authority Discovery Issues
Outdated clients may fail to locate the Certificate Authority (CA) because of the DCOM security fixes introduced in KB5019966.
- Ensure KB5019966 is installed by checking Windows Update History.
- If missing, download and install it from Microsoft Support.
- Restart the affected client machine to apply the changes.
4. Ensure Compatibility with Certificate-Based Authentication
The Domain Controller may be enforcing the stricter certificate mapping rules introduced by KB5014754 (May 10, 2022).
- On the DC, open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.
- Check the StrongCertificateBindingEnforcement value: 1 is Compatibility Mode (authentication still succeeds, with warning events for certificates that lack a strong mapping), 2 is Full Enforcement (certificates without a strong mapping are rejected).
- If authentication fails with status 0xC000006D once enforcement is enabled, reissue the smartcard certificates so they carry the strong mapping added by the updated CA.
5. Test Authentication and Monitor Logs
- Attempt authentication with a test user account.
- Open Event Viewer (eventvwr.msc) and navigate to Windows Logs → Security. Look for failed logon events (4625) reporting status 0xC000006D and Kerberos failures (for example 4771, Kerberos pre-authentication failed) that may indicate a misconfiguration.
- On the DC, also check Windows Logs → System for Kerberos-Key-Distribution-Center events raised by the certificate mapping and PAC signature checks.
6. Reissue the smartcard certificates so they comply with the enhanced security rules.
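The steps above can be checked in one pass from an elevated PowerShell session on the DC. The script below is an added example and is not part of this article or of Microsoft's tooling. It reads the two Kdc registry values named in steps 2 and 4 (value meanings per KB5020805 and KB5014754), checks for the Server 2019 November 2022 cumulative update (KB5019966 is assumed here to be that update; a newer cumulative update that supersedes it is also acceptable), and pulls the recent events from step 5. The KDC event IDs (39-41 for certificate mapping, 42-44 for PAC signatures) are taken from those two articles and should be verified against their current versions. Nothing is modified.

```powershell
# Added example (not the article's or Microsoft's code): read-only audit of the
# settings the resolution steps inspect. Run as Administrator on the DC.

$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-KdcSetting {
    param([string]$Name, [hashtable]$Meaning, [string]$DefaultText)
    $v = (Get-ItemProperty -Path $kdcKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { "$Name : not set ($DefaultText)" }
    else { "$Name : $v ($($Meaning[[int]$v]))" }
}

# Step 1: KB5020805 and KB5014754 are guidance articles, not packages. The
# assumption here is that the November 2022 cumulative update for Server 2019
# (KB5019966) carries the changes; Get-HotFix will not list it once a later
# cumulative update has superseded it, so treat "not listed" as "go check".
$hf = Get-HotFix -Id 'KB5019966' -ErrorAction SilentlyContinue
if ($hf) { "KB5019966 installed on $($hf.InstalledOn)" }
else     { "KB5019966 not listed; confirm a newer cumulative update is installed" }

# Step 2: PAC signature enforcement (KB5020805).
Get-KdcSetting -Name 'KrbtgtFullPacSignature' `
    -Meaning @{ 0 = 'Disabled'; 1 = 'Signatures added, not verified'; 2 = 'Audit'; 3 = 'Enforcement' } `
    -DefaultText 'the default for your update level applies'

# Step 4: strong certificate mapping (KB5014754).
Get-KdcSetting -Name 'StrongCertificateBindingEnforcement' `
    -Meaning @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full Enforcement' } `
    -DefaultText 'Compatibility mode'

# Step 5a: failed logons in the last 24 hours whose status is 0xC000006D
# (Security event 4625; TargetUserName is property index 5 of that event).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xC000006D' } |
    Select-Object -First 20 TimeCreated, @{ n = 'Account'; e = { $_.Properties[5].Value } }

# Step 5b: KDC warnings from the certificate mapping (39-41) and PAC signature
# (42-44) checks, System log. IDs assumed from KB5014754 / KB5020805.
Get-WinEvent -FilterHashtable @{
        LogName = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id = 39, 40, 41, 42, 43, 44
        StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If step 5b returns certificate mapping warnings while StrongCertificateBindingEnforcement is still 1, those are the accounts whose certificates will start failing once you move to 2; reissue them (step 6) before changing the value.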