AuthLite Upgrade Advisory #17 (November 2025 Update breaks some 2025 DCs)
After the November 2025 Windows Update, Windows Server 2025 Domain Controllers running "Additional LSA Protection" may stop being able to track the correct client IP address for LDAP connections. This can lead to failure to permit 2FA logons and/or failure to enforce 2FA on LDAP clients, because AuthLite no longer sees the traffic as coming from an IP address that is subject to enforcement.
- Upgrade to AuthLite 2.5.29 or newer to correct this issue; a reboot is required.
- You do not need to disable LSA protection; it is a security feature that you should retain. Some bad AI advice will direct you to disable it, because AuthLite did not support it many years ago.
- As far as we can determine, this issue does not affect other DCs, but you can upgrade them, and in general DCs should be converged to run the same build whenever possible.
- This issue does not affect member servers or workstations, but it is fine to upgrade them too. It is also OK to leave them on older builds.
General advice:
- Recall that in general, DCs should be running the same or newer version compared to other domain member machines. It's a good idea to converge all DCs to the same build.
- It is permissible to run a newer version on your DCs than your domain members, and to have different members at different versions.
- To upgrade a server's AuthLite version you may simply install the newest version from the Downloads page over the existing version, then reboot servers (one at a time). All configuration and keys will be retained.
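The following PowerShell is an added example, not part of this advisory or of AuthLite's own tooling. It inventories the domain's DCs and flags the combination described above (Windows Server 2025, Additional LSA Protection enabled, AuthLite older than 2.5.29), and also reports whether the DCs are converged on one build. It assumes the ActiveDirectory RSAT module, PowerShell remoting to each DC, and that AuthLite registers an uninstall entry whose DisplayName contains "AuthLite" (an assumption; adjust the filter if your install differs).

```powershell
# Added example: find DCs that need the AuthLite 2.5.29+ upgrade and check build convergence.
$MinimumFixedVersion = [version]'2.5.29'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $MinimumFixedVersion -ScriptBlock {
        param([version]$MinFixed)
        $os = (Get-CimInstance Win32_OperatingSystem).Caption

        # Additional LSA Protection is the RunAsPPL value: 1 = enabled, 2 = enabled with UEFI lock.
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
        $ppl = [int]($lsa.RunAsPPL)

        # Installed AuthLite build, read from the uninstall registry (DisplayName match is an assumption).
        $uninstallKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
        $entry = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName -like '*AuthLite*' } | Select-Object -First 1
        $ver = $null
        if ($entry) { $ver = $entry.DisplayVersion -as [version] }

        # Only the Server 2025 + LSA Protection + pre-2.5.29 combination is the advisory's failure case.
        $needsUpgrade = ($os -like '*Server 2025*') -and ($ppl -ge 1) -and ($null -ne $ver) -and ($ver -lt $MinFixed)

        [pscustomobject]@{
            DC              = $env:COMPUTERNAME
            OS              = $os
            RunAsPPL        = $ppl
            AuthLiteVersion = $ver
            NeedsUpgrade    = $needsUpgrade
        }
    }
}

$report | Sort-Object DC | Format-Table DC, OS, RunAsPPL, AuthLiteVersion, NeedsUpgrade -AutoSize

# Convergence check: the advisory recommends all DCs run the same AuthLite build.
$builds = $report.AuthLiteVersion | Where-Object { $_ } | Sort-Object -Unique
if ($builds.Count -gt 1) {
    Write-Warning ("DCs are not converged; AuthLite builds found: " + ($builds -join ', '))
}
```

Run it from a workstation with RSAT as an account that can read the DCs' registry; a DC with NeedsUpgrade = True should get the 2.5.29+ install and a reboot, one DC at a time.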