Hi Metze,
I hope 2025 is off to a good start for you.
I've reached a point in my research on this ACCESS_DENIED issue where I need
some additional information. I can see some changes in the code that could
potentially be the culprit, but I can't be sure until I have a server-side
LSASS trace. Can you please provide me with a network trace (as you had done
before) along with an LSASS trace of the Server 2025 machine that is sending
the ACCESS_DENIED response after GetCapabilities?
Here are some instructions to gather an LSASS trace (all commands are for
PowerShell):
1. Tracing a local machine: Run all commands in an elevated PowerShell prompt
   on the machine.
   a. Download TTD.zip from the file share link below.
      i. Link: https://aka.ms/ttd/download
   b. We need to expand the archive before it can be used. You can also
      manually extract to C:\TTD.
      i. Expand-Archive -Path $env:HOMEDRIVE\$env:HOMEPATH\Downloads\TTD.zip -DestinationPath C:\TTD
   c. When ready to repro the issue, run the following commands to begin
      the trace.
      i. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
      ii. C:\TTD\TTD.exe -Attach ([int](Get-Process -NAME explorer | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\Trace_Name.run
      iii. When the following small window pops up, the trace has
           begun and you can now reproduce the issue. To end the trace, simply click
           “Tracing Off”.
   d. Once the trace operation is complete, we need to compress the .run
      file created by TTD for easy transfer.
      i. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
      ii. Note: If this fails, you may need to restart the traced
          process to unlock the trace for compression.
          1. stop-process -name lsass -force
   e. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below.
      i. Link:
https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjgxMTA4NjE5MTQzMTQ1NTc0QUYxMjI3NjhGMEIzNDkyRkYyNTczNEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiMDdlMzgxYzMtNmI2OS00MjEwLWJhMWQtM2MyOWIzYjAzZTIyIiwic3IiOiIyNDEyMTgwMDQwMDEwNjQwIiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiZWY1NTJlNDEtZDAzMi00NjU4LTk5ZWEtYmVhMjdhMDE2NDhlIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3MzU5NDE0NDIsImV4cCI6MTc0MzcxNzQ0MiwiaWF0IjoxNzM1OTQxNDQyLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.GyR4YzEDaMptCMEHDid7cgmRAjXtjI75BBWYLkekPBgjKNiZ3qonvHpqujT6H16S9PXLO60FCq8-vpY5Bvft03b7i_JYc3r9mbe89XJ3Dj6icDOTQITMnX0TBBTMHdyqqEmtqBSFm-fshwCSsO0Q-y51ciFISs7I6Yblp4QSNSJiSOefDmGN3n-G2VxkAbb89JPMMDJC9TQGlrjNILfTAMSGZtOoLMiOu4hIUtpXkaeEoz7tR5l8KtkofOFysoAPdPrqC4M--Uw8z3sz1HRbCHtyKqWalechvpnioVeGMAzqTZ1_Jl-_bgSt6011vuGss3SPa9-CUavspMc4HIdgWg&wid=07e381c3-6b69-4210-ba1d-3c29b3b03e22
Thanks for your help!
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
-----Original Message-----
From: Kristian Smith
Sent: Thursday, December 26, 2024 5:25 PM
To: Stefan Metzmacher <[email protected]>
Cc: [email protected]; Microsoft Support <[email protected]>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for -
TrackingID#2412180040010640
Hi Metze,
Your patience is appreciated while I continue to investigate your question
regarding ServerAuthenticateKerberos(). I'll share an update as soon as I have
one.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
-----Original Message-----
From: Kristian Smith
Sent: Wednesday, December 18, 2024 10:05 AM
To: Stefan Metzmacher <[email protected]>
Cc: [email protected]; Microsoft Support <[email protected]>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for -
TrackingID#2412180040010640
[Mike to Bcc]
Hi Metze,
Thanks for reaching out with your question. I'll be looking into this issue and
will be in touch as soon as I have information to share.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
-----Original Message-----
From: Michael Bowen <[email protected]>
Sent: Wednesday, December 18, 2024 9:14 AM
To: Stefan Metzmacher <[email protected]>
Cc: [email protected]; Microsoft Support <[email protected]>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for -
TrackingID#2412180040010640
[DocHelp to bcc]
Hi Stefan,
Thanks for your question about Kerberos authentication. I have created case
number 2412180040010640 to track this issue; please leave the number in the
subject line when communicating with our team. One of our engineers will
contact you soon.
Best regards,
Michael Bowen
Sr. Escalation Engineer - Microsoft® Corporation
-----Original Message-----
From: Stefan Metzmacher <[email protected]>
Sent: Wednesday, December 18, 2024 7:00 AM
To: Interoperability Documentation Help <[email protected]>
Cc: [email protected]
Subject: [EXTERNAL] ServerAuthenticateKerberos() not usable for
Hi DocHelp,
while implementing ServerAuthenticateKerberos() in Samba, I found a strange
behavior when using it for TrustedDnsDomainSecureChannel.
When I'm using it as a client the following LogonGetCapabilities() gets
ACCESS_DENIED.
For all other network visible NETLOGON_SECURE_CHANNEL_TYPE values:
WorkstationSecureChannel, ServerSecureChannel, CdcServerSecureChannel and even
TrustedDomainSecureChannel (used for downlevel NT4 trusts) it works as expected.
I'm testing with a Windows 2025 preview build, but I guess there are no related
changes compared to the final version...
I also noticed that the Windows DC doesn't try to use
ServerAuthenticateKerberos() when connecting to a DC of a trusted domain.
Is this behavior intended?
Is there a flag on the TDO object to allow it to work?
I've attached a network capture that shows the problem.
The problem happens in frames 1528-1531.
All others are just there to show it's working...
With a nightly build of Wireshark you should be able to decrypt all Kerberos
and netlogon secure channel traffic.
Thanks for any help you can provide!
metze
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol