
Authentication error in NoSpamProxy following Windows updates starting in January 2026

After installing cumulative Windows security updates starting in January 2026, some users may no longer be able to log in to the NoSpamProxy Web App. This is due to a new, mandatory Microsoft security feature and a firewall setting. We’ll show you how to resolve the issue.

30.04.2026 | Last edited: 30.04.2026

What exactly is happening?

After the update, login attempts to the NoSpamProxy Web App and via the PowerShell module fail silently. Event ID 4625 appears in the Windows Security Event Log with status code 0xC000035B, an indication of a so-called channel-binding-token conflict.

This affects all environments where a firewall, proxy, or endpoint protection solution with TLS inspection is located between the client and the NoSpamProxy server.
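To confirm that a server is hitting this failure, the Security log can be filtered for Event ID 4625 with status 0xC000035B. The following PowerShell is an added example, not code from NoSpamProxy; it assumes an elevated session on the NoSpamProxy server, and the seven-day look-back window is an arbitrary choice.

```powershell
# Added example: list failed logons (Event ID 4625) whose Status is 0xC000035B.
# Reading the Security log requires an elevated session.
$since = (Get-Date).AddDays(-7)   # look-back window (assumption, adjust as needed)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is reported as an error

$cbtFailures = foreach ($evt in $events) {
    # Flatten the <EventData> name/value pairs of the event into a hashtable.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Status is logged as a hex string; -eq compares strings case-insensitively.
    if ($data['Status'] -eq '0xC000035B') {
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Package     = $data['AuthenticationPackageName']
            Status      = $data['Status']
        }
    }
}

# Summary per source address, then the individual events, newest first.
$cbtFailures | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name
$cbtFailures | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```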

Specifically, this concerns the following cumulative updates:

  • KB5078766 (Windows Server 2022)
  • KB5073723 (Windows Server 2019)
  • KB5075904 (Windows Server 2019)

    The Cause: EPA Becomes Mandatory

    With the January 2026 updates, Microsoft has enabled Enhanced Protection for Authentication (EPA) by default in the http.sys kernel driver. EPA is a legitimate security feature that prevents attacks involving the relaying of login credentials, so-called relay attacks.

    The principle: For every HTTPS connection, the client calculates a cryptographic fingerprint (hash) from the server’s TLS certificate. This value, known as the Channel Binding Token (CBT), is embedded in the authentication request. The server calculates the same hash from its own certificate and compares the two values. If they match, the login is successful. If they do not match, the request is rejected.

    Why TLS inspection causes the problem

    TLS inspection is widely used in corporate networks: firewalls, proxies, and endpoint protection solutions decrypt connections to scan traffic for threats. In doing so, the system in question presents its own certificate to the client, rather than that of the actual server.

    This is precisely where the problem lies: the client and server calculate their channel binding tokens from different certificates. The values can never match, and authentication fails.

    The process in detail

    When TLS inspection is active, the following occurs:

    1. The client receives certificate A (firewall) and calculates CBT = Hash(Cert. A).
    2. The firewall/proxy inspects the traffic and forwards the request.
    3. The NoSpamProxy server uses its own certificate B and calculates CBT = Hash(Cert. B).
    4. Hash A and Hash B do not match. Authentication is rejected with status 0xC000035B.

    Prior to the January updates, this check was silently ignored by http.sys. The update makes validation mandatory. The option to disable it via a registry key (EnableCBT = 0 under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters) no longer works.

    The Solution: Exclude NoSpamProxy from TLS Inspection

    The recommended and secure solution is to exclude the NoSpamProxy server URL from TLS inspection on the firewall or proxy. The connection remains fully encrypted; it is simply no longer decrypted by the intermediary system.

    Complete exclusion:

    https://nsp-server-fqdn:443/*

    Minimum exclusion (Identity Service only):

    https://nsp-server-fqdn:443/api/identity-service/*

    Replace nsp-server-fqdn with the fully qualified domain name of your NoSpamProxy server, e.g. nsp.example.com.
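Whether a client still receives a substituted certificate (the certificate A versus certificate B mismatch described above) can be checked before and after the exclusion is configured. The following PowerShell is an added example, not code from NoSpamProxy; `$ServerFqdn` and `$ExpectedThumbprint` are placeholders, and the function name `Get-PresentedCertificate` is hypothetical.

```powershell
# Added example, run on an affected client. Both values are placeholders:
# the FQDN of your NoSpamProxy server and the thumbprint of the certificate
# bound on that server (read it on the server itself).
$ServerFqdn         = 'nsp.example.com'
$ExpectedThumbprint = 'REPLACE_WITH_SERVER_CERTIFICATE_THUMBPRINT'

function Get-PresentedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Dispose() }
}

$presented = Get-PresentedCertificate -HostName $ServerFqdn

# Thumbprints copied from a GUI often carry spaces or invisible characters.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]').ToUpperInvariant()

[pscustomobject]@{
    Host                = $ServerFqdn
    Subject             = $presented.Subject
    Issuer              = $presented.Issuer   # an internal inspection CA shows up here
    PresentedThumbprint = $presented.Thumbprint
    ExpectedThumbprint  = $expected
    # False: an intermediary presented its own certificate, so the client's
    # channel binding token is derived from a different certificate than the server's.
    SameCertificate     = ($presented.Thumbprint -eq $expected)
} | Format-List
```

The script opens a direct TCP connection, so it reflects transparent inspection on the network path; traffic sent through an explicitly configured proxy is not covered by this check.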

    Frequently Asked Questions

    Can I roll back the Windows Update instead?

    This is possible, but not recommended. The cumulative updates contain important security fixes. Excluding the NoSpamProxy URL from TLS inspection is the correct solution and does not compromise your security, as the connection between the client and server remains fully encrypted.

    Are all NoSpamProxy components affected?

    Only logging in to the NoSpamProxy Web App and connecting via the PowerShell module (Connect-Nsp) are affected. Email processing and gateway functions do not use Windows authentication and are not impacted.

    Are domain-joined and standalone servers equally affected?

    Yes. Channel-binding token validation operates at the TLS transport layer and is independent of Active Directory domain membership.

    What alternatives are available?

    Customers can use OpenID for authentication instead. OpenID Connect is based on neither NTLM nor Negotiate and is therefore not affected by channel binding token validation or TLS inspection.

    Will the issue be permanently resolved?

    Yes. Starting with NoSpamProxy 16.1, the Identity Service will be migrated to Basic Authentication over TLS. This method does not use channel binding tokens and is therefore permanently immune to this issue.
