Hello Julien and Alexander,

Actually, what we need to troubleshoot this issue is to collect a TTD trace of 
the LSASS process. In order to download the tool needed to collect the trace, 
you will need a Microsoft account. These can be created free at live.com.

Please send me the Microsoft account email address you will use to download the 
tools, and I will send the link.


Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation

Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) 
Pacific Time (US and Canada)

Local country phone number found here: 
http://support.microsoft.com/globalenglish | Extension 1138300



________________________________
From: Jeff McCashland (He/him) <[email protected]>
Sent: Friday, December 27, 2024 11:30 AM
To: Julien Rische <[email protected]>; Alexander Bokovoy <[email protected]>
Cc: [email protected] <[email protected]>; Microsoft 
Support <[email protected]>
Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - 
TrackingID#2412190040009154

Hi Julien and Alexander,

Alexander mentioned ad2025.pcap and ad2025_sha1.pcap, and Julien mentioned 2 
additional unnamed captures.

Please upload any relevant traces to the link below, as we are not allowed to 
accept files by email. Also, it would help if you could specify which traces 
and frames relate to which aspects of your question; that would save time.

Also, it's not clear to me (yet) if the additional information from Julien 
modifies or answers any part of Alexander's original question.

Secure file link: 
https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjgxMTA4NjE5MTQzMTQ1NTc0QUYxMjI3NjhGMEIzNDkyRkYyNTczNEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiNjgzMzc2YjUtNjczZC00ZGVkLTlmYzUtYjRiOTUzMmJmNzE4Iiwic3IiOiIyNDEyMTkwMDQwMDA5MTU0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiYjA0NWU2MDgtMWY3MC00OTE3LTk4MTAtZjA0OGJlNGVlODI2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3MzUzMjc3NzAsImV4cCI6MTc0MzEwMzc3MCwiaWF0IjoxNzM1MzI3NzcwLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.d23KDsdUj68vCL0fEY2hpp2wjG65vYVtGh2E9Bu1mqT8YM-Q6bkewOhrHJbML0Fcr_ijDp89UMkAb0h70iCJCQojecjI8NPzgrkCm11GzScvTRcvJqyChhZ-9T731ZGSRV8wnxrrETLsuTjCo88_gAqRF3oBQdUuriBtI5z_xh-qUqrqcl-9q2nqxqhMzd3rA7Chkk5EMSRv5U1hnWhH5etJ-kUj8-HJB4eihMGPQ7NVPjCrVy04opSBf-XgkHjSsx_j_-q7EsbOR7ic3aWdEwZS5eppFpc4C4JMNpCauM4is23XWNoYwDZ9vP9CnyKPZfSMlF-5fC4k_4Q3KzcsNw&wid=683376b5-673d-4ded-9fc5-b4b9532bf718


Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation




________________________________
From: Jeff McCashland (He/him) <[email protected]>
Sent: Monday, December 23, 2024 8:29 PM
To: Julien Rische <[email protected]>
Cc: [email protected] <[email protected]>; Alexander 
Bokovoy <[email protected]>; Microsoft Support <[email protected]>
Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - 
TrackingID#2412190040009154

[Kristian to BCC]

Hi Julien,

I will investigate your question, and get back to you. I am out the next 2 days 
for holiday, back on Thursday.



Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation




________________________________
From: Kristian Smith <[email protected]>
Sent: Monday, December 23, 2024 1:31 PM
To: Julien Rische <[email protected]>; Jeff McCashland (He/him) 
<[email protected]>
Cc: [email protected] <[email protected]>; Alexander 
Bokovoy <[email protected]>; Microsoft Support <[email protected]>
Subject: RE: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - 
TrackingID#2412190040009154

[Mike to Bcc, adding Jeff]

Hi Julien,

Thanks for the information. Also, after some workload adjustments, @Jeff 
McCashland will be working on your case moving forward.

Apologies for the confusion.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]

-----Original Message-----
From: Michael Bowen <[email protected]>
Sent: Monday, December 23, 2024 10:05 AM
To: Julien Rische <[email protected]>; Kristian Smith 
<[email protected]>
Cc: Alexander Bokovoy <[email protected]>; [email protected]; 
Microsoft Support <[email protected]>
Subject: RE: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - 
TrackingID#2412190040009154

Hi Julien,

Thanks for the update. @Kristian Smith is handling your case, so I'm forwarding 
this to him to help him with your issue. Happy Holidays!

- Michael

-----Original Message-----
From: Julien Rische <[email protected]>
Sent: Monday, December 23, 2024 5:32 AM
To: Michael Bowen <[email protected]>
Cc: Alexander Bokovoy <[email protected]>; [email protected]; 
Microsoft Support <[email protected]>
Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - 
TrackingID#2412190040009154


Hello Michael,

It has come to our attention that Windows Server 2025 now has support for 
allowing and disallowing digest algorithms in PKINIT. We made some tests by 
modifying the "Computer Configuration\Policies\Administrative Templates\System\KDC\Configure hash algorithms for certificate logon" setting.

This configuration seems to take effect, because disallowing SHA-256 causes 
elliptic curve Diffie-Hellman to fail. However, allowing all SHA versions does 
not fix the problem when using finite field Diffie-Hellman.

In attachment, you will find 2 network traces showing a successful 
pre-authentication process for ECDH with curve P-256 and RSA/SHA-256 signature, 
and a failing one for FFDH with MODP group 14 (2046-bit) and RSA/SHA-256 
signature. In both cases all SHA versions are allowed in the above group policy.

--
Julien Rische


On Thu, Dec 19, 2024 at 5:33 PM Michael Bowen via cifs-protocol 
<[email protected]> wrote:
>
> [DocHelp to bcc]
>
> Hi Alexander,
>
> Thanks for your question about Windows Server 2025 and Kerberos. I've created 
> case number 2412190040009154 to track this issue, please leave the number in 
> the subject line when communicating with our team. One of our engineers will 
> contact you soon.
>
> Best regards,
> Michael Bowen
> Sr. Escalation Engineer - Microsoft® Corporation
>
> -----Original Message-----
> From: Alexander Bokovoy <[email protected]>
> Sent: Thursday, December 19, 2024 4:26 AM
> To: Interoperability Documentation Help <[email protected]>
> Cc: [email protected]
> Subject: [EXTERNAL] Windows Server 2025 PKINIT regression
>
> Hi Dochelp,
>
> I believe we are seeing a regression in how Windows Server 2025 handles 
> Kerberos PKINIT, probably due to algorithm agility rewrite.
>
> Some time ago we updated the MIT Kerberos implementation of PKINIT to use 
> sha256WithRSAEncryption in supported CMS types and removed 
> sha1WithRSAEncryption in order to be compliant with FIPS 140-3.
>
> The commit
> https://github.com/krb5/krb5/commit/cbfe46ce20f3e9265baa9c648390148c739ab830
> is part of MIT Kerberos 1.20 or later releases.
>
> This change worked well for Windows Server versions prior to Windows Server 
> 2025 release. With Windows Server 2025, the request is rejected (packet 8 
> from ad2025.pcap in attached archive):
>
> Kerberos
>     Record Mark: 106 bytes
>         0... .... .... .... .... .... .... .... = Reserved: Not set
>         .000 0000 0000 0000 0000 0000 0110 1010 = Record Length: 106
>     krb-error
>         pvno: 5
>         msg-type: krb-error (30)
>         stime: Dec 18, 2024 15:22:36.000000000 CET
>         susec: 926640
>         error-code: Unknown (79)
>         realm: WIN2025-UO83.TEST
>         sname
>             name-type: kRB5-NT-SRV-INST (2)
>             sname-string: 2 items
>                 SNameString: krbtgt
>                 SNameString: WIN2025-UO83.TEST
>
>
> We built a custom version of MIT Kerberos which adds both 
> sha256WithRSAEncryption and sha1WithRSAEncryption to the list of supported 
> CMS types and still signs with sha256WithRSAEncryption; it failed again. The 
> corresponding packet exchange can be seen in ad2025_sha1.pcap in the attached 
> archive.
>
> Both variants work against Windows Server 2019, so to us this looks like a 
> regression in Windows Server 2025 implementation.
>
> If this is not a regression and instead is an intentional change, could 
> you please make sure MS-PKCA and the other corresponding documents get updated 
> with the proper logic of the changes.
>
> --
> / Alexander Bokovoy
>
> _______________________________________________
> cifs-protocol mailing list
> [email protected]
> https://lists.samba.org/mailman/listinfo/cifs-protocol
>
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
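The KRB-ERROR Alexander quotes (packet 8 of ad2025.pcap) is shown by the dissector as "error-code: Unknown (79)". The following is an added example, not code from the thread or from MIT Kerberos: a small DER encoder/decoder that rebuilds that KRB-ERROR from the dissected fields, parses it back, and names the code from the RFC 4556 PKINIT error table (79 is KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED there). It also decodes a constructed PKINIT supportedCMSTypes list so the CMS signature algorithm OIDs a client advertises (sha256WithRSAEncryption, sha1WithRSAEncryption) can be checked by name. The stime value is constructed from the CET timestamp in the dissection; the function names and the AlgorithmIdentifier encoding without parameters are this example's own choices.

```python
"""Added example (not from the thread): encode/parse the KRB-ERROR seen in
packet 8 and name its PKINIT error code; decode PKINIT supportedCMSTypes."""

# ---- minimal DER encoding helpers ----------------------------------------
def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):                 # INTEGER, minimal two's-complement encoding
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_gstr(s):                # KerberosString = GeneralString (tag 0x1B)
    return tlv(0x1B, s.encode("ascii"))

def ctx(n, body):               # explicit context tag [n], constructed
    return tlv(0xA0 | n, body)

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

# ---- minimal DER decoding helpers ----------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def read_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

# RFC 4556 PKINIT error codes (names as used by MIT krb5).
PKINIT_ERRORS = {
    62: "KDC_ERR_CLIENT_NOT_TRUSTED", 63: "KDC_ERR_KDC_NOT_TRUSTED",
    64: "KDC_ERR_INVALID_SIG", 65: "KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED",
    70: "KDC_ERR_CANT_VERIFY_CERTIFICATE", 71: "KDC_ERR_INVALID_CERTIFICATE",
    72: "KDC_ERR_REVOKED_CERTIFICATE", 73: "KDC_ERR_REVOCATION_STATUS_UNKNOWN",
    74: "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE", 75: "KDC_ERR_CLIENT_NAME_MISMATCH",
    76: "KDC_ERR_KDC_NAME_MISMATCH", 77: "KDC_ERR_INCONSISTENT_KEY_PURPOSE",
    78: "KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED", 79: "KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED",
    80: "KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED",
    81: "KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED",
}
CMS_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def build_krb_error(error_code=79, realm="WIN2025-UO83.TEST",
                    stime="20241218142236Z", susec=926640):
    """KRB-ERROR (RFC 4120 5.9.1) with the fields of packet 8 (values
    constructed here from the dissection; stime is the CET time in UTC)."""
    sname = tlv(0x30, ctx(0, der_int(2)) +                      # kRB5-NT-SRV-INST
                      ctx(1, tlv(0x30, der_gstr("krbtgt") + der_gstr(realm))))
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30)) +
            ctx(4, tlv(0x18, stime.encode("ascii"))) + ctx(5, der_int(susec)) +
            ctx(6, der_int(error_code)) + ctx(9, der_gstr(realm)) + ctx(10, sname))
    msg = tlv(0x7E, tlv(0x30, body))            # [APPLICATION 30] SEQUENCE
    return len(msg).to_bytes(4, "big") + msg    # TCP record mark, reserved bit 0

def parse_krb_error(record):
    """Parse a TCP record carrying a KRB-ERROR into the dissection fields."""
    rec_len = int.from_bytes(record[:4], "big") & 0x7FFFFFFF
    tag, app_body, _ = read_tlv(record, 4)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR application tag")
    fields = {t & 0x1F: read_tlv(v)[1] for t, v in read_children(read_tlv(app_body)[1])}
    code = int.from_bytes(fields[6], "big", signed=True)
    name_strings = read_children(read_tlv(read_children(fields[10])[1][1])[1])
    return {"record_length": rec_len,
            "pvno": int.from_bytes(fields[0], "big"),
            "msg_type": int.from_bytes(fields[1], "big"),
            "stime": fields[4].decode("ascii"), "susec": int.from_bytes(fields[5], "big"),
            "error_code": code, "error_name": PKINIT_ERRORS.get(code, "Unknown"),
            "realm": fields[9].decode("ascii"),
            "sname": [v.decode("ascii") for _, v in name_strings]}

def build_supported_cms_types(oids):
    """PKINIT supportedCMSTypes: SEQUENCE OF AlgorithmIdentifier (parameters omitted)."""
    return tlv(0x30, b"".join(tlv(0x30, der_oid(o)) for o in oids))

def list_cms_types(der):
    """Name each advertised CMS signature algorithm by OID."""
    names = []
    for _, alg in read_children(read_tlv(der)[1]):
        oid = decode_oid(read_tlv(alg)[1])
        names.append(CMS_SIG_OIDS.get(oid, oid))
    return names

if __name__ == "__main__":
    print(parse_krb_error(build_krb_error()))
    print(list_cms_types(build_supported_cms_types(["1.2.840.113549.1.1.11"])))
```

The rebuilt record comes out at exactly 106 bytes, which matches the Record Length in the dissection and shows that the reply carried no e-text or e-data alongside the error code; the same parser can be pointed at the raw KRB-ERROR bytes exported from either capture to get the named code rather than "Unknown (79)".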
