KB5014754—Certificate-based authentication changes on Windows domain controllers
CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Key Distribution Center (KDC) is servicing a certificate-based authentication request. Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between User Principal Names (UPN) and sAMAccountName introduced other emulation (spoofing) vulnerabilities that we also address with this security update.
Microsoft has published KB5014754—Certificate-based authentication changes on Windows domain controllers for Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 Enterprise ESU, Windows Server 2008 R2 Standard ESU, Windows Server 2008 R2 Datacenter ESU, Windows Server 2008 Service Pack 2, Windows Server 2016 all editions, Windows Server version 20H2 all editions, Windows Server 2022, and Windows Server 2019.
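
The two naming conditions described above (machine names that differ only by the trailing `$`, and UPNs that conflict with another account's sAMAccountName) can be audited from a directory export. This Python audit is an added example, not Microsoft's code and not the KDC's mapping logic; the account records, their field layout and the `find_name_conflicts` helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export (hypothetical accounts, not real data).
ACCOUNTS = [
    {"dn": "CN=DC01,OU=Servers,DC=corp,DC=example", "sAMAccountName": "DC01$", "userPrincipalName": None},
    {"dn": "CN=dc01,OU=Staff,DC=corp,DC=example", "sAMAccountName": "dc01", "userPrincipalName": "dc01@corp.example"},
    {"dn": "CN=alice,OU=Staff,DC=corp,DC=example", "sAMAccountName": "alice", "userPrincipalName": "alice@corp.example"},
    {"dn": "CN=bob,OU=Staff,DC=corp,DC=example", "sAMAccountName": "bob", "userPrincipalName": "alice@lab.corp.example"},
    {"dn": "CN=WS07,OU=Servers,DC=corp,DC=example", "sAMAccountName": "WS07$", "userPrincipalName": None},
]


def norm_sam(name):
    """Case-fold and drop one trailing '$', as a comparison that ignores it would."""
    name = name.casefold()
    return name[:-1] if name.endswith("$") else name


def find_name_conflicts(accounts):
    """Return (kind, name, distinguished names) for every ambiguous name."""
    by_sam = defaultdict(list)
    for acct in accounts:
        by_sam[norm_sam(acct["sAMAccountName"])].append(acct["dn"])

    findings = []
    # 1. sAMAccountNames that are equal once the trailing '$' is ignored.
    for name, dns in by_sam.items():
        if len(dns) > 1:
            findings.append(("dollar-sign", name, tuple(sorted(dns))))
    # 2. A UPN prefix that equals a different account's sAMAccountName.
    for acct in accounts:
        upn = acct.get("userPrincipalName")
        if not upn:
            continue
        prefix = norm_sam(upn.split("@", 1)[0])
        others = sorted(dn for dn in by_sam.get(prefix, []) if dn != acct["dn"])
        if others:
            findings.append(("upn-vs-sam", prefix, (acct["dn"], *others)))
    return findings


if __name__ == "__main__":
    for kind, name, dns in find_name_conflicts(ACCOUNTS):
        print(f"{kind:12} {name:8} {' | '.join(dns)}")
```

Each finding is a pair of accounts to review by hand; the comparison is deliberately broad and reports name overlap only, not whether a certificate exists for either account.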