Hi Dochelp,
I'm currently debugging a problem where client seem to have problems with our
MS-BKRP implementation.
I found the following:
<18> Section 3.2.4.1: The process of falling back to server-side wrapping using the BACKUPKEY_BACKUP_GUID when retrieval of the server's public key fails using the
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID is no longer available by default for the operating systems specified in [MSFT-CVE-2022-21925]. However, the fall back to server-side
wrapping can be enabled by adding a registry key designed for this purpose.
In addition, as noted earlier, Windows clients always retry failing operations once. The resulting process is as follows: The client first tries the
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID operation, and if it fails, the client performs DC (2) rediscovery and retries the same operation. If the retry fails, the client tries a
BACKUPKEY_BACKUP_GUID operation. If this fails, the client performs DC rediscovery again and retries the BACKUPKEY_BACKUP_GUID operation. If this also fails, an error is
returned to the caller.
I have two questions:
1. what is the name and value is for the registry key in order to allow the
fallback to server-side wrapping to be activated again.
2. Is your tracing tool also able to debug client side powershell scripts? My
customer
is able to trigger the problem with
ConvertFrom-SecureString/ConvertTo-SecureString
Thanks!
metze
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
