Server 2025 Security Baseline breaks Failover Cluster

Hi PhilippZiemke,

The security baseline setting is blocking certain custom authentication packages, like CLUSAUTHMGR.DLL, which is needed by the Cluster Service. Disabling the "Allow Custom SSPs and APs" setting seems to fix it because it allows these packages to load. It’s a known issue with the security baseline, and the workaround you found is correct. If you want to keep the security baseline enabled, you might need to find a way to explicitly allow that .dll or modify the security settings to avoid blocking trusted packages like this one.

For that you’ll need to adjust the local security policy or group policy settings. One option is to modify the "LSA Protection" settings and configure it to allow trusted packages. You can also add the specific .dll file to an allowlist or change the Group Policy to enable custom authentication packages. If you're using a GPO, you can update it to permit this specific .dll. You’ll likely need to modify the “Security Options” in Group Policy or registry settings to ensure it is recognized as a trusted package. Make sure to test the changes in a controlled environment before applying them to production.

Hope it helps, Let me know how it goes.