KB4025335 - Reg Fix

  • Question

  • We have had to apply the Registry workaround as specified here: https://support.microsoft.com/en-gb/help/4025335/windows-8-1-windows-server-2012-r2-update-kb4025335 after applying KB4025335 broke our certificate based machine auth in NPS.

    Does anyone know what this registry key does? I can't seem to find any documentation around this online and would like to know what the consequences are to leaving it set in this way.

    Monday, August 7, 2017 2:31 PM

Answers

  • In case it's helpful for anyone else, we eventually received the following from Microsoft via our account manager regarding the issue: 

    "The registry change just disables a code change that had a bug in the July update.
    There is no impact leaving this registry key in place even after a fix is released."


    • Marked as answer by AC_Ext Friday, August 18, 2017 1:54 PM
    Friday, August 18, 2017 1:54 PM

All replies

  • Hi AC_Ext,

    >>Does anyone know what this registry key does? I can't seem to find any documentation around this online and would like to know what the consequences are to leaving it set in this way.

    The issue is also under discussion. For your reference:

    KB4025335 kills certificate based computer authentication

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9c8e637e-d42a-479e-a703-110986281ee9/kb4025335-kills-certificate-based-computer-authentication?forum=winserverNAP

    Microsoft hasn't yet published a document describing this registry key that is used as the workaround.

    I suggest you open a case with Microsoft so that a more in-depth investigation can be done and you get a more satisfying explanation and solution to this issue.

    Here is the link:

    https://support.microsoft.com/en-us/gp/support-options-for-business


    In addition, I will keep watching this issue closely; if there are any related updates, I will keep you posted as soon as possible.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 8, 2017 5:49 AM
  • Hi AC_Ext

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 11, 2017 8:24 AM
  • Thanks for checking. I'm not AC_Ext, but I have the same question, and I'm sorry to say that the information provided so far--in this thread, in the linked thread, and in a support case--has not been helpful at all.

    I think several of us have the same question: is there any security risk to applying the DisableEndEntityClientCertCheck workaround from KB4034681 or KB4025335 in an environment where NPS is expected to check certificates as part of the authentication process?

    We are relying on NPS to verify that clients' certificates are valid, issued by a Certification Authority trusted by the server, unexpired, and unrevoked. In some scenarios, the client certificate is the only form of authentication that is required, so if the workaround causes NPS to incorrectly accept (for example) certificates not issued by a trusted CA, this would be a serious vulnerability.

    Friday, August 11, 2017 8:05 PM
  • >>In case it's helpful for anyone else, we eventually received the following from Microsoft via our account manager regarding the issue:

    >>"The registry change just disables a code change that had a bug in the July update.
    >>There is no impact leaving this registry key in place even after a fix is released."

    Thanks for sharing this information.

    It's consistent with my own test, in which I tried an otherwise-valid certificate signed by an untrusted CA. NPS matched the certificate to an Active Directory user, but even with the workaround, NPS still rejected the access attempt, as expected, logging Event ID 6273 ("Network Policy Server denied access to a user") in the Security event log, with Reason Code 287, "A certificate chain could not be built to a trusted root authority."

    Friday, August 18, 2017 7:49 PM
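The two questions raised in this thread (is the workaround value present, and does NPS still reject client certificates that do not chain to a trusted root) can both be answered from the NPS server itself. The script below is an added example and is not from the thread, from Microsoft, or from the KB articles. It assumes a value named DisableEndEntityClientCertCheck (the name given above); the registry key path is a placeholder that must be taken from KB4025335 or KB4034681, since the thread does not state it. It also assumes the rendered message of Security event 6273 contains "Reason Code:" and "Reason:" lines, which is what the last post quotes.

```powershell
# Added example (not the thread's or Microsoft's code): audit an NPS server after the
# DisableEndEntityClientCertCheck workaround has been applied.
#   1. Report whether the workaround value is present and what it is set to.
#   2. List Security-log denials (Event ID 6273) whose Reason Code is 287,
#      "A certificate chain could not be built to a trusted root authority",
#      i.e. evidence that NPS still rejects certificates from an untrusted CA.
param(
    # PLACEHOLDER: replace with the key path published in KB4025335 / KB4034681.
    [string]$WorkaroundKeyPath   = 'HKLM:\PLACEHOLDER\KeyPath\From\KB4025335',
    [string]$WorkaroundValueName = 'DisableEndEntityClientCertCheck',
    [int]$LookbackHours          = 24,
    [int]$ReasonCodeOfInterest   = 287
)

function Get-WorkaroundState {
    param([string]$Path, [string]$Name)
    # Distinguish "key absent" from "key present but value absent" from "value set".
    if (-not (Test-Path -Path $Path)) { return 'KeyMissing' }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }
    return "ValueSet=$($item.$Name)"
}

function Get-NpsDenialsByReasonCode {
    param([int]$Hours, [int]$ReasonCode)
    $filter = @{
        LogName   = 'Security'
        Id        = 6273                                   # NPS denied access
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the rendered message carries "Reason Code:<tabs>287" and "Reason:<tabs>text".
        if ($e.Message -notmatch 'Reason Code:\s*(\d+)') { continue }
        $code = [int]$Matches[1]
        if ($code -ne $ReasonCode) { continue }
        $reason = if ($e.Message -match 'Reason:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $user   = if ($e.Message -match 'Account Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = $user
            ReasonCode  = $code
            Reason      = $reason
        }
    }
}

# 1. Workaround state.
$state = Get-WorkaroundState -Path $WorkaroundKeyPath -Name $WorkaroundValueName
Write-Output "Workaround '$WorkaroundValueName': $state"

# 2. Untrusted-chain rejections in the lookback window. If a deliberate test with a
#    certificate from an untrusted CA produced no row here, NPS is not enforcing chain
#    validation and the workaround should be reconsidered.
$denials = @(Get-NpsDenialsByReasonCode -Hours $LookbackHours -ReasonCode $ReasonCodeOfInterest)
Write-Output "Event 6273 with Reason Code $ReasonCodeOfInterest in the last $LookbackHours h: $($denials.Count)"
$denials | Format-Table -AutoSize
```

Run it in an elevated session on the NPS server right after attempting an EAP-TLS connection with a certificate issued by a CA the server does not trust; the expected outcome, matching the test described above, is one new row with Reason Code 287 for that attempt. The same query with a different reason code is a convenient way to confirm that expiry and revocation failures are still being logged as well.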