Hello Jeff,

I uploaded the network traces to the file transfer link you provided:

[00_ad2025.pcap] Network trace of a failing pre-authentication process with RSA/SHA-256 and RSA/SHA-512 as supportedCMSTypes.
[00_ad2025_sha1.pcap] Network trace of a failing pre-authentication process with RSA/SHA-256, RSA/SHA-512, and RSA/SHA-1 as supportedCMSTypes.
[00_ad2025.keytab] All Kerberos keys in the AD domain.
[01_gp_pkinit_digest.png] Screenshot of the "Computer Configuration\Policies\Administrative Templates\System\KDC\Configure hash algorithms for certificate logon" global policy settings.
[01_pkinit_ffdh_modp14.pcap] Network trace of a failing pre-authentication process for FFDH with MODP group 14 (2046-bit) and RSA/SHA-256 signature.
[01_pkinit_ecdh_p256.pcap] Network trace for a successful pre-authentication process for ECDH with curve P-256 and RSA/SHA-256 signature.
[01_ad2025.keytab] All Kerberos keys in the AD domain.

My Microsoft account uses the present email address: [email protected]

--
Julien Rische

On Fri, Jan 3, 2025 at 9:12 PM Jeff McCashland (He/him) <[email protected]> wrote:
>
> Hello Julien and Alexander,
>
> Actually, what we need to troubleshoot this issue is to collect a TTD trace of the LSASS process. In order to download the tool needed to collect the trace, you will need a Microsoft account. These can be created free at live.com.
>
> Please send me the Microsoft account email address you will use to download the tools, and I will send the link.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
>
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
>
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> ________________________________
> From: Jeff McCashland (He/him) <[email protected]>
> Sent: Friday, December 27, 2024 11:30 AM
> To: Julien Rische <[email protected]>; Alexander Bokovoy <[email protected]>
> Cc: [email protected] <[email protected]>; Microsoft Support <[email protected]>
> Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - TrackingID#2412190040009154
>
> Hi Julien and Alexander,
>
> Alexander mentioned ad2025.pcap and ad2025_sha1.pcap, and Julien mentioned 2 additional unnamed captures.
>
> Please upload any relevant traces to the link below, as we are not allowed to accept files by email. Also, it would help if you could specify which traces and frames relate to which aspects of your question; that would save time.
>
> Also, it's not clear to me (yet) if the additional information from Julien modifies or answers any part of Alexander's original question.
>
> Secure file link:
> https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjgxMTA4NjE5MTQzMTQ1NTc0QUYxMjI3NjhGMEIzNDkyRkYyNTczNEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiNjgzMzc2YjUtNjczZC00ZGVkLTlmYzUtYjRiOTUzMmJmNzE4Iiwic3IiOiIyNDEyMTkwMDQwMDA5MTU0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiYjA0NWU2MDgtMWY3MC00OTE3LTk4MTAtZjA0OGJlNGVlODI2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3MzUzMjc3NzAsImV4cCI6MTc0MzEwMzc3MCwiaWF0IjoxNzM1MzI3NzcwLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.d23KDsdUj68vCL0fEY2hpp2wjG65vYVtGh2E9Bu1mqT8YM-Q6bkewOhrHJbML0Fcr_ijDp89UMkAb0h70iCJCQojecjI8NPzgrkCm11GzScvTRcvJqyChhZ-9T731ZGSRV8wnxrrETLsuTjCo88_gAqRF3oBQdUuriBtI5z_xh-qUqrqcl-9q2nqxqhMzd3rA7Chkk5EMSRv5U1hnWhH5etJ-kUj8-HJB4eihMGPQ7NVPjCrVy04opSBf-XgkHjSsx_j_-q7EsbOR7ic3aWdEwZS5eppFpc4C4JMNpCauM4is23XWNoYwDZ9vP9CnyKPZfSMlF-5fC4k_4Q3KzcsNw&wid=683376b5-673d-4ded-9fc5-b4b9532bf718
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
>
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
>
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> ________________________________
> From: Jeff McCashland (He/him) <[email protected]>
> Sent: Monday, December 23, 2024 8:29 PM
> To: Julien Rische <[email protected]>
> Cc: [email protected] <[email protected]>; Alexander Bokovoy <[email protected]>; Microsoft Support <[email protected]>
> Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - TrackingID#2412190040009154
>
> [Kristian to BCC]
>
> Hi Julien,
>
> I will investigate your question and get back to you. I am out the next 2 days for holiday, back on Thursday.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
>
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
>
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> ________________________________
> From: Kristian Smith <[email protected]>
> Sent: Monday, December 23, 2024 1:31 PM
> To: Julien Rische <[email protected]>; Jeff McCashland (He/him) <[email protected]>
> Cc: [email protected] <[email protected]>; Alexander Bokovoy <[email protected]>; Microsoft Support <[email protected]>
> Subject: RE: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - TrackingID#2412190040009154
>
> [Mike to Bcc, adding Jeff]
>
> Hi Julien,
>
> Thanks for the information. Also, after some workload adjustments, @Jeff McCashland will be working on your case moving forward.
>
> Apologies for the confusion.
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Email: [email protected]
>
> -----Original Message-----
> From: Michael Bowen <[email protected]>
> Sent: Monday, December 23, 2024 10:05 AM
> To: Julien Rische <[email protected]>; Kristian Smith <[email protected]>
> Cc: Alexander Bokovoy <[email protected]>; [email protected]; Microsoft Support <[email protected]>
> Subject: RE: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - TrackingID#2412190040009154
>
> Hi Julien,
>
> Thanks for the update. @Kristian Smith is handling your case, so I'm forwarding this to him to help him with your issue. Happy Holidays!
>
> - Michael
>
> -----Original Message-----
> From: Julien Rische <[email protected]>
> Sent: Monday, December 23, 2024 5:32 AM
> To: Michael Bowen <[email protected]>
> Cc: Alexander Bokovoy <[email protected]>; [email protected]; Microsoft Support <[email protected]>
> Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - TrackingID#2412190040009154
>
> Hello Michael,
>
> It has come to our attention that Windows Server 2025 now has support for allowing and disallowing digest algorithms in PKINIT. We made some tests by modifying the "Computer Configuration\Policies\Administrative Templates\System\KDC\Configure hash algorithms for certificate logon" policy.
>
> This configuration seems to take effect, because disallowing SHA-256 causes elliptic curve Diffie-Hellman to fail. However, allowing all SHA versions does not fix the problem when using finite field Diffie-Hellman.
>
> Attached, you will find 2 network traces showing a successful pre-authentication process for ECDH with curve P-256 and RSA/SHA-256 signature, and a failing one for FFDH with MODP group 14 (2046-bit) and RSA/SHA-256 signature. In both cases all SHA versions are allowed in the above group policy.
>
> --
> Julien Rische
>
> On Thu, Dec 19, 2024 at 5:33 PM Michael Bowen via cifs-protocol <[email protected]> wrote:
> >
> > [DocHelp to bcc]
> >
> > Hi Alexander,
> >
> > Thanks for your question about Windows Server 2025 and Kerberos. I've created case number 2412190040009154 to track this issue; please leave the number in the subject line when communicating with our team. One of our engineers will contact you soon.
> >
> > Best regards,
> > Michael Bowen
> > Sr. Escalation Engineer - Microsoft® Corporation
> >
> > -----Original Message-----
> > From: Alexander Bokovoy <[email protected]>
> > Sent: Thursday, December 19, 2024 4:26 AM
> > To: Interoperability Documentation Help <[email protected]>
> > Cc: [email protected]
> > Subject: [EXTERNAL] Windows Server 2025 PKINIT regression
> >
> > Hi Dochelp,
> >
> > I believe we are seeing a regression in how Windows Server 2025 handles Kerberos PKINIT, probably due to the algorithm agility rewrite.
> >
> > Some time ago we updated the MIT Kerberos implementation of PKINIT to use sha256WithRSAEncryption in supported CMS types and removed sha1WithRSAEncryption to be compliant with FIPS 140-3.
> >
> > The commit https://github.com/krb5/krb5/commit/cbfe46ce20f3e9265baa9c648390148c739ab830 is part of MIT Kerberos 1.20 or later releases.
> >
> > This change worked well for Windows Server versions prior to the Windows Server 2025 release. With Windows Server 2025, the request is rejected (packet 8 from ad2025.pcap in the attached archive):
> >
> > Kerberos
> >     Record Mark: 106 bytes
> >         0... .... .... .... .... .... .... .... = Reserved: Not set
> >         .000 0000 0000 0000 0000 0000 0110 1010 = Record Length: 106
> >     krb-error
> >         pvno: 5
> >         msg-type: krb-error (30)
> >         stime: Dec 18, 2024 15:22:36.000000000 CET
> >         susec: 926640
> >         error-code: Unknown (79)
> >         realm: WIN2025-UO83.TEST
> >         sname
> >             name-type: kRB5-NT-SRV-INST (2)
> >             sname-string: 2 items
> >                 SNameString: krbtgt
> >                 SNameString: WIN2025-UO83.TEST
> >
> > We built a custom version of MIT Kerberos which adds both sha256WithRSAEncryption and sha1WithRSAEncryption to the list of supported CMS types and still signs with sha256WithRSAEncryption; it failed again. The corresponding packet exchange can be seen in ad2025_sha1.pcap in the attached archive.
> >
> > Both variants work against Windows Server 2019, so to us this looks like a regression in the Windows Server 2025 implementation.
> >
> > If this is not a regression and instead it is an intentional change, could you please make sure MS-PKCA and other corresponding documents get updated with the proper logic of the changes.
> >
> > --
> > / Alexander Bokovoy
> >
> > _______________________________________________
> > cifs-protocol mailing list
> > [email protected]
> > https://lists.samba.org/mailman/listinfo/cifs-protocol

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
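The krb-error dump in Alexander's report is the one piece of wire data in this thread, so here is an added Python example (not code from the thread, from MIT Kerberos or from Microsoft) that rebuilds such a message from the field values shown, frames it with the 4-byte TCP record mark from RFC 4120, and parses it back with a minimal DER reader. The sample bytes are constructed, with stime expressed in UTC; all helper names are the example's own. The error-code table comes from RFC 4556 section 3.1.3, which assigns 79 to KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED, the name the dissector above could not resolve ("Unknown (79)").

```python
"""Read a Kerberos KRB-ERROR as it travels over TCP: a 4-byte record mark
(RFC 4120 section 7.2.2) followed by the DER [APPLICATION 30] message.
Sample values are CONSTRUCTED from the dump above (stime expressed in UTC)."""
import struct

# Minimal DER encoder, used only to build the constructed sample.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:                 # DER long form; the sample stays far below 64 KiB
        ln = bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content

def _int(n):              # INTEGER, two's complement, shortest form
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _gstr(s):             # GeneralString (KerberosString / Realm)
    return _tlv(0x1B, s.encode("ascii"))

def _ctx(n, inner):       # [n] EXPLICIT context tag (constructed)
    return _tlv(0xA0 | n, inner)

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

def build_krb_error(error_code, realm, sname, stime, susec):
    """KRB-ERROR carrying only the fields the dissector showed, framed for TCP."""
    body = _seq(
        _ctx(0, _int(5)),                          # pvno
        _ctx(1, _int(30)),                         # msg-type krb-error
        _ctx(4, _tlv(0x18, stime.encode())),       # stime, GeneralizedTime
        _ctx(5, _int(susec)),                      # susec
        _ctx(6, _int(error_code)),                 # error-code
        _ctx(9, _gstr(realm)),                     # realm
        _ctx(10, _seq(_ctx(0, _int(2)),            # sname, KRB5-NT-SRV-INST
                      _ctx(1, _seq(*[_gstr(s) for s in sname])))),
    )
    msg = _tlv(0x7E, body)                         # [APPLICATION 30]
    return struct.pack(">I", len(msg)) + msg       # record mark, high bit 0

# Minimal DER reader.
def _read_tlv(buf, pos):
    """Return (tag number, content, position after element); low tag numbers only."""
    tag, first = buf[pos], buf[pos + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("high tag numbers not supported")
    pos, length = pos + 2, first
    if first & 0x80:                               # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER element")
    return tag & 0x1F, content, pos + length

def _children(buf):       # iterate the elements of a SEQUENCE body
    pos = 0
    while pos < len(buf):
        tagno, content, pos = _read_tlv(buf, pos)
        yield tagno, content

def _inner(ctx_content):  # unwrap [n] EXPLICIT: content of the single inner TLV
    return _read_tlv(ctx_content, 0)[1]

# PKINIT error codes 70..81 from RFC 4556 section 3.1.3 (same values in MIT krb5.h).
PKINIT_ERRORS = dict(enumerate([
    "KDC_ERR_CANT_VERIFY_CERTIFICATE", "KDC_ERR_INVALID_CERTIFICATE",
    "KDC_ERR_REVOKED_CERTIFICATE", "KDC_ERR_REVOCATION_STATUS_UNKNOWN",
    "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE", "KDC_ERR_CLIENT_NAME_MISMATCH",
    "KDC_ERR_KDC_NAME_MISMATCH", "KDC_ERR_INCONSISTENT_KEY_PURPOSE",
    "KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED", "KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED",
    "KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED", "KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED",
], start=70))

def parse_krb_error(record):
    """Validate record mark and APPLICATION tag, return the fields as a dict."""
    (mark,) = struct.unpack(">I", record[:4])
    if mark & 0x80000000:
        raise ValueError("reserved high bit set in record mark")
    msg = record[4:4 + mark]
    if len(msg) != mark:
        raise ValueError("record shorter than its record mark claims")
    if msg[0] != 0x7E:
        raise ValueError("not a KRB-ERROR ([APPLICATION 30])")
    seq_body = _inner(_read_tlv(msg, 0)[1])        # SEQUENCE inside APPLICATION 30
    out, ints = {}, {0: "pvno", 1: "msg_type", 5: "susec", 6: "error_code"}
    for tagno, content in _children(seq_body):
        inner = _inner(content)
        if tagno in ints:
            out[ints[tagno]] = int.from_bytes(inner, "big", signed=True)
        elif tagno in (4, 9):
            out["stime" if tagno == 4 else "realm"] = inner.decode("ascii")
        elif tagno == 10:                          # sname: PrincipalName
            fields = dict(_children(inner))
            out["name_type"] = int.from_bytes(_inner(fields[0]), "big", signed=True)
            out["sname"] = [c.decode("ascii") for _, c in _children(_inner(fields[1]))]
    out["error_name"] = PKINIT_ERRORS.get(out.get("error_code"), "Unknown")
    return out

# Constructed sample mirroring packet 8 of ad2025.pcap as dumped above.
SAMPLE = build_krb_error(79, "WIN2025-UO83.TEST", ["krbtgt", "WIN2025-UO83.TEST"],
                         "20241218142236Z", 926640)
```

Calling `parse_krb_error(SAMPLE)` returns error_code 79 with its RFC 4556 name, the realm and the krbtgt service principal. The constructed message comes to exactly 106 bytes, the Record Length the dissector reported, which is consistent with the KDC having sent no e-text or e-data alongside the error. The reader rejects a record whose reserved high bit is set or whose payload is shorter than the record mark claims, which is the check a capture-analysis script should make before trusting any field.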
