Hi Jeff,
Thank you for confirming this.
Just a last question on this topic: You mentioned section 2.2.3 from
MS-PKCA[1] where PAChecksum2 is defined. However, this definition
references the KERB-ALGORITHM-IDENTIFIER type which is not defined
anywhere in Open Specifications. Is this type actually referring to
AlgorithmIdentifier from X.509-88 (or RFC5280[2])?
AlgorithmIdentifier ::= SEQUENCE {
    algorithm  OBJECT IDENTIFIER,
    parameters ANY DEFINED BY algorithm OPTIONAL
}
If so, could you list the OIDs currently accepted by Windows Server
2025 for the "algorithm" element? Are they the OIDs from RFC5754[3]?
--
Julien Rische
[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pkca/8270b791-0201-4231-9d89-e5074459be2f
[2] https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.1.2
[3] https://datatracker.ietf.org/doc/html/rfc5754#section-2
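The PKAuthenticator layout the thread below settles on (paChecksum [3] as SHA-1 over KDC-REQ-BODY, the RFC 8070 freshnessToken [4], and MS-PKCA's paChecksum2 after it) and the KDC rule quoted from MS-PKCA 2.2.3, with the ECDH exception Jeff confirmed, worked through as an added Python example that is not code from the thread or from Microsoft. It assumes EXPLICIT tagging as in the RFC 4556 module, paChecksum2 at context tag [5], an AlgorithmIdentifier with absent parameters, and the RFC 5754 hash OIDs (the open question above), and it hashes a constructed placeholder in place of a real KDC-REQ-BODY.

```python
import hashlib

# Hash OIDs from RFC 5754 section 2. Whether these are what the "algorithm"
# element of paChecksum2 carries is the thread's open question; assumed here.
OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
HASH_BY_OID = {OID_SHA1: hashlib.sha1, OID_SHA256: hashlib.sha256}
KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED = 79  # the "unknown" error code 79 from the thread


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _explicit(n, body):  # [n] context-specific, constructed (module uses EXPLICIT TAGS)
    return _der(0xA0 | n, body)

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _tlv_iter(data):
    """Yield (tag, body) for the consecutive DER elements in data."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:  # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + ln]
        i += ln

def tagged_fields(seq_content):
    """Map context tag number -> value inside its [n] wrapper, over SEQUENCE content."""
    return {tag & 0x1F: next(_tlv_iter(body))[1] for tag, body in _tlv_iter(seq_content)}

def pk_authenticator_fields(pk_auth):
    return tagged_fields(next(_tlv_iter(pk_auth))[1])

def encode_pk_authenticator(kdc_req_body, cusec, ctime, nonce,
                            freshness_token=None, checksum2_oid=None):
    """RFC 4556 PKAuthenticator, RFC 8070 freshnessToken [4], MS-PKCA paChecksum2 as [5]."""
    fields = _explicit(0, _der_int(cusec))
    fields += _explicit(1, _der(0x18, ctime.encode("ascii")))  # KerberosTime = GeneralizedTime
    fields += _explicit(2, _der_int(nonce))
    fields += _explicit(3, _der(0x04, hashlib.sha1(kdc_req_body).digest()))  # always SHA-1
    if freshness_token is not None:
        fields += _explicit(4, _der(0x04, freshness_token))
    if checksum2_oid is not None:
        digest = HASH_BY_OID[checksum2_oid](kdc_req_body).digest()
        alg_id = _der(0x30, encode_oid(checksum2_oid))  # AlgorithmIdentifier, no parameters
        pa2 = _der(0x30, _explicit(0, _der(0x04, digest)) + _explicit(1, alg_id))
        fields += _explicit(5, pa2)
    return _der(0x30, fields)

def kdc_check(pk_auth, kdc_req_body, cms_digest_oid, key_exchange):
    """KDC rule quoted from MS-PKCA 2.2.3, plus the ECDH exception confirmed in the thread.
    cms_digest_oid: digest used by the CMS signature; key_exchange: 'ffdh' or 'ecdh'."""
    fields = pk_authenticator_fields(pk_auth)
    if fields.get(3) != hashlib.sha1(kdc_req_body).digest():
        return "paChecksum mismatch"
    if 5 not in fields:  # absent: required for any digest other than SHA-1, except with ECDH
        if cms_digest_oid != OID_SHA1 and key_exchange != "ecdh":
            return KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED
        return "ok"
    pa2 = tagged_fields(fields[5])  # present: always validated, even for SHA-1
    oid = decode_oid(next(_tlv_iter(pa2[1]))[1])
    if oid not in HASH_BY_OID or pa2[0] != HASH_BY_OID[oid](kdc_req_body).digest():
        return "paChecksum2 mismatch"
    return "ok"
```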
On Tue, Jan 21, 2025 at 8:25 PM Jeff McCashland (He/him)
<[email protected]> wrote:
>
> Hi Julien,
>
> I was able to confirm in our source code that ECDH is a singular exception.
> If you're using ECDH, Windows will not check for paChecksum2, only
> paChecksum. As for what will be required in the future, I wouldn't be able to
> say.
>
> I will file a request to update the documentation and follow up. Let us know
> if you have any other questions.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
>
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00)
> Pacific Time (US and Canada)
>
> Local country phone number found here:
> http://support.microsoft.com/globalenglish | Extension 1138300
>
>
>
> ________________________________
> From: Julien Rische <[email protected]>
> Sent: Friday, January 17, 2025 3:27 AM
> To: Jeff McCashland (He/him) <[email protected]>
> Cc: Alexander Bokovoy <[email protected]>; [email protected]
> <[email protected]>; Microsoft Support <[email protected]>
> Subject: [EXTERNAL] Re: Server 2025 PKINIT regression: ECDH works for SHA2
> w/p paChecksum2 - TrackingID#2501140040014216
>
> Hi Jeff,
>
> I just re-uploaded these files from #2412190040009154, as they already
> demonstrate this behavior:
>
> [02_lsass_pkinit_ecdh_p256.zip] Compressed LSASS trace of a successful
> pre-authentication process for ECDH with curve P-256 and RSA/SHA-256
> signature.
> [02_pkinit_ecdh_p256.pcap] Network trace of a successful
> pre-authentication process for ECDH with curve P-256 and RSA/SHA-256
> signature.
> [02_ad2025.keytab] All Kerberos keys in the AD domain.
>
> --
> Julien Rische
> On Thu, Jan 16, 2025 at 8:43 PM Jeff McCashland (He/him)
> <[email protected]> wrote:
> >
> > Hi Julien,
> >
> > Please collect an LSASS TTT trace as before showing the ECDH succeeding and
> > upload it to this new link (below). Let me know if you need the tools or
> > collection instructions again.
> >
> > Upload link:
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Corporation
> >
> >
> >
> >
> >
> > ________________________________
> > From: Jeff McCashland (He/him) <[email protected]>
> > Sent: Tuesday, January 14, 2025 3:06 PM
> > To: Julien Rische <[email protected]>
> > Cc: Alexander Bokovoy <[email protected]>; [email protected]
> > <[email protected]>; Microsoft Support
> > <[email protected]>
> > Subject: Server 2025 PKINIT regression: ECDH works for SHA2 w/p paChecksum2
> > - TrackingID#2501140040014216
> >
> > Hi Julien,
> >
> > Thank you for reminding me of that outstanding question. We have created SR
> > 2501140040014216 to track the question of why ECDH with SHA2 works without
> > paChecksum2. I will dig into this and let you know what I find.
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Corporation
> >
> >
> >
> >
> > ________________________________
> > From: Julien Rische <[email protected]>
> > Sent: Tuesday, January 14, 2025 2:26 AM
> > To: Jeff McCashland (He/him) <[email protected]>
> > Cc: Alexander Bokovoy <[email protected]>; [email protected]
> > <[email protected]>; Microsoft Support
> > <[email protected]>
> > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > regression - TrackingID#2412190040009154
> >
> > Hello Jeff,
> >
> > Thank you for your answers.
> >
> > As demonstrated in one of the traces, it seems that AD accepts PKINIT
> > AS-REQ without paChecksum2 when SHA-256 is used with ECDH (contrary to
> > FFDH). Is this behavior here to stay, or will paChecksum2 be required
> > for ECDH+RSA/SHA-2 too in Windows Server 2025 eventually?
> >
> > --
> > Julien Rische
> >
> > On Mon, Jan 13, 2025 at 8:39 PM Jeff McCashland (He/him)
> > <[email protected]> wrote:
> > >
> > > Hi Alexander,
> > >
> > > Excellent observation. The paChecksum2 value follows the freshness token.
> > >
> > > typedef struct PKAuthenticator {
> > >     union {
> > >         ASN1uint16_t bit_mask;
> > >         ASN1octet_t o[1];
> > >     };
> > >     ASN1uint32_t cusec;
> > >     KERB_TIME client_time;
> > >     ASN1uint32_t nonce;
> > > #   define paChecksum_present 0x80
> > >     ASN1octetstring_t paChecksum;
> > > #   define freshnessToken_present 0x40
> > >     ASN1octetstring_t freshnessToken;
> > > #   define paChecksum2_present 0x20
> > >     PAChecksum2 paChecksum2;
> > > } PKAuthenticator;
> > >
> > > I will follow up and request any needed documentation updates.
> > >
> > > Best regards,
> > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > Corporation
> > >
> > >
> > >
> > >
> > > ________________________________
> > > From: Alexander Bokovoy <[email protected]>
> > > Sent: Monday, January 13, 2025 11:33 AM
> > > To: Jeff McCashland (He/him) <[email protected]>
> > > Cc: Julien Rische <[email protected]>; [email protected]
> > > <[email protected]>; Microsoft Support
> > > <[email protected]>
> > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > regression - TrackingID#2412190040009154
> > >
> > > Hi Jeff,
> > >
> > > On Mon, 13 Jan 2025, Jeff McCashland (He/him) wrote:
> > > > Hi Julien and Alexander,
> > > >
> > > > What I found in the trace is that the server is finding a paChecksum,
> > > > but no paChecksum2, which is required when using anything other than
> > > > SHA-1:
> > > >
> > > > [MS-PKCA] 2.2.3 PA-PK-AS-REQ
> > > > The PA-PK-AS-REQ message format is specified in [RFC4556] section
> > > > 3.2.1.<10> PKAuthenticator in [RFC4556] is extended to add the
> > > > following PAChecksum2<11>. If a checksum algorithm other than SHA-1 is
> > > > used, this message MUST be present. If this field is present, it will
> > > > always be validated even if it is SHA-1.
> > > > PAChecksum2 ::= SEQUENCE {
> > > >     checksum            [0] OCTET STRING,
> > > >     algorithmIdentifier [1] KERB-ALGORITHM-IDENTIFIER
> > > > }
> > > > <11> Section 2.2.3: The extension of PKAuthenticator in PA-PK-AS-REQ
> > > > is only applicable to Windows Server 2022, 23H2 operating system.
> > > > Windows Server 2022, 23H2 DCs will send back
> > > > TD-CMS-DIGEST-ALGORITHMS-DATA as described in [RFC8636] section 4. CMS
> > > > Digest Algorithm Agility.
> > > >
> > > > I believe the solution is to add a paChecksum2 to the PA-PK-AS-REQ. Let
> > > > me know if you have any questions.
> > >
> > > Thank you for pointing this out.
> > >
> > > There is one problem, though. RFC 8070 extends PKAuthenticator as well,
> > > by adding freshnessToken right after paChecksum:
> > > https://datatracker.ietf.org/doc/html/rfc8070#section-4
> > >
> > > PKAuthenticator ::= SEQUENCE {
> > >     cusec          [0] INTEGER (0..999999),
> > >     ctime          [1] KerberosTime,
> > >         -- cusec and ctime are used as in [RFC4120], for
> > >         -- replay prevention.
> > >     nonce          [2] INTEGER (0..4294967295),
> > >         -- Chosen randomly; this nonce does not need to
> > >         -- match with the nonce in the KDC-REQ-BODY.
> > >     paChecksum     [3] OCTET STRING OPTIONAL,
> > >         -- MUST be present.
> > >         -- Contains the SHA1 checksum, performed over
> > >         -- KDC-REQ-BODY.
> > >     ...,
> > >     freshnessToken [4] OCTET STRING OPTIONAL,
> > >         -- PA_AS_FRESHNESS padata value as received from the
> > >         -- KDC. MUST be present if sent by KDC
> > >     ...
> > > }
> > >
> > > Can you please expand on whether paChecksum2 is added after or before
> > > the freshnessToken? e.g. does paChecksum2 have index [5] or [4]?
> > >
> > > If it is indeed paChecksum2 [5], then a reference to RFC 8070 is missing
> > > in the MS-PKCA 2.2.3.
> > >
> > > I think MS-PKCA would need an update about this detail as MS-PKCA 3.1.5
> > > explicitly states:
> > >
> > > PKCA SHOULD<14> support the PKINIT Freshness Extension [RFC8070].
> > >
> > > so MS-PKCA 2.2.3 would need to refer to RFC8070, not just to RFC4556.
> > >
> > >
> > > >
> > > >
> > > > Best regards,
> > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > > Corporation
> > > >
> > > >
> > > >
> > > >
> > > > ________________________________
> > > > From: Jeff McCashland (He/him) <[email protected]>
> > > > Sent: Tuesday, January 7, 2025 1:16 PM
> > > > To: Julien Rische <[email protected]>
> > > > Cc: Alexander Bokovoy <[email protected]>; [email protected]
> > > > <[email protected]>; Microsoft Support
> > > > <[email protected]>
> > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > > regression - TrackingID#2412190040009154
> > > >
> > > > Thank you for the rapid response and for uploading the additional
> > > > traces. I will dig into these and let you know what I find.
> > > >
> > > >
> > > > Best regards,
> > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > > Corporation
> > > >
> > > >
> > > >
> > > >
> > > > ________________________________
> > > > From: Julien Rische <[email protected]>
> > > > Sent: Tuesday, January 7, 2025 11:33 AM
> > > > To: Jeff McCashland (He/him) <[email protected]>
> > > > Cc: Alexander Bokovoy <[email protected]>; [email protected]
> > > > <[email protected]>; Microsoft Support
> > > > <[email protected]>
> > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > > regression - TrackingID#2412190040009154
> > > >
> > > > Hello Jeff,
> > > >
> > > > I uploaded 5 additional files, including the LSASS traces obtained
> > > > following the procedure described in your previous message:
> > > >
> > > > [02_lsass_pkinit_ffdh_modp14.zip] Compressed LSASS trace of a failing
> > > > pre-authentication process for FFDH with MODP group 14 (2046-bit) and
> > > > RSA/SHA-256 signature.
> > > > [02_pkinit_ffdh_modp14.pcap] Network trace of a failing
> > > > pre-authentication process for FFDH with MODP group 14 (2046-bit) and
> > > > RSA/SHA-256 signature.
> > > > [02_lsass_pkinit_ecdh_p256.zip] Compressed LSASS trace of a successful
> > > > pre-authentication process for ECDH with curve P-256 and RSA/SHA-256
> > > > signature.
> > > > [02_pkinit_ecdh_p256.pcap] Network trace of a successful
> > > > pre-authentication process for ECDH with curve P-256 and RSA/SHA-256
> > > > signature.
> > > > [02_ad2025.keytab] All Kerberos keys in the AD domain.
> > > >
> > > > --
> > > > Julien Rische
> > > >
> > > > On Mon, Jan 6, 2025 at 9:03 PM Jeff McCashland (He/him)
> > > > <[email protected]> wrote:
> > > > >
> > > > > Hi Julien,
> > > > >
> > > > > Thank you for uploading the net traces and information. Please follow
> > > > > the instructions below to collect an LSASS trace of the scenario
> > > > > where you get the KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED error
> > > > > ('unknown' error code 79 from Alexander's original description).
> > > > >
> > > > > The LSASS traces can be quite large, but are highly compressible, so
> > > > > please add them to a .zip archive before uploading (file transfer
> > > > > workspace link is below). Please log into the workspace and find
> > > > > PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool
> > > > > can be staged onto the Windows server in any location (instructions
> > > > > below assume C:\TTD).
> > > > >
> > > > > To collect the needed traces:
> > > > > 1. From a PowerShell prompt, execute:
> > > > > C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
> > > > > 2. Wait for a little window to pop up in top left corner of your
> > > > > screen, titled “lsass01.run”
> > > > > 3. start a network trace using netsh or WireShark, etc.
> > > > > 4. Repro the attempted operation
> > > > > 5. Stop the network trace and save it
> > > > > 6. CAREFULLY: uncheck the checkbox next to “Tracing” in the small
> > > > > “lsass01.run” window. Do not close or exit the small window or you
> > > > > will need to reboot.
> > > > > 7. The TTTracer.exe process will generate a trace file, then print
> > > > > out the name and location of the file.
> > > > > Compress the *.run file into a .zip archive before uploading with the
> > > > > matching network trace. It is a good idea to reboot the machine at
> > > > > the next opportunity to restart the lsass process.
> > > > >
> > > > > Best regards,
> > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > > > Corporation
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ________________________________
> > > > > From: Julien Rische <[email protected]>
> > > > > Sent: Monday, January 6, 2025 2:27 AM
> > > > > To: Jeff McCashland (He/him) <[email protected]>
> > > > > Cc: Alexander Bokovoy <[email protected]>; [email protected]
> > > > > <[email protected]>; Microsoft Support
> > > > > <[email protected]>
> > > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > > > regression - TrackingID#2412190040009154
> > > > >
> > > > > Hello Jeff,
> > > > >
> > > > > I uploaded the network traces to the file transfer link you provided:
> > > > >
> > > > > [00_ad2025.pcap] Network trace of a failing pre-authentication process
> > > > > with RSA/SHA-256 and RSA/SHA-512 as supportedCMSTypes.
> > > > > [00_ad2025_sha1.pcap] Network trace of a failing pre-authentication
> > > > > process with RSA/SHA-256, RSA/SHA-512, and RSA/SHA-1 as
> > > > > supportedCMSTypes.
> > > > > [00_ad2025.keytab] All Kerberos keys in the AD domain.
> > > > >
> > > > > [01_gp_pkinit_digest.png] Screenshot of the "Computer
> > > > > Configuration\Policies\Administrative Templates\System\KDC\Configure
> > > > > hash algorithms for certificate logon" global policy settings.
> > > > > [01_pkinit_ffdh_modp14.pcap] Network trace of a failing
> > > > > pre-authentication process for FFDH with MODP group 14 (2046-bit) and
> > > > > RSA/SHA-256 signature.
> > > > > [01_pkinit_ecdh_p256.pcap] Network trace for a successful
> > > > > pre-authentication process for ECDH with curve P-256 and RSA/SHA-256
> > > > > signature.
> > > > > [01_ad2025.keytab] All Kerberos keys in the AD domain.
> > > > >
> > > > > My Microsoft account uses the present email address:
> > > > > [email protected]
> > > > >
> > > > > --
> > > > > Julien Rische
> > > > >
> > > > > On Fri, Jan 3, 2025 at 9:12 PM Jeff McCashland (He/him)
> > > > > <[email protected]> wrote:
> > > > > >
> > > > > > Hello Julien and Alexander,
> > > > > >
> > > > > > Actually, what we need to troubleshoot this issue is to collect a
> > > > > > TTD trace of the LSASS process. In order to download the tool
> > > > > > needed to collect the trace, you will need a Microsoft account.
> > > > > > These can be created free at live.com.
> > > > > >
> > > > > > Please send me the Microsoft account email address you will use to
> > > > > > download the tools, and I will send the link.
> > > > > >
> > > > > > Best regards,
> > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > > > > Corporation
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ________________________________
> > > > > > From: Jeff McCashland (He/him) <[email protected]>
> > > > > > Sent: Friday, December 27, 2024 11:30 AM
> > > > > > To: Julien Rische <[email protected]>; Alexander Bokovoy
> > > > > > <[email protected]>
> > > > > > Cc: [email protected] <[email protected]>;
> > > > > > Microsoft Support <[email protected]>
> > > > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > > > > regression - TrackingID#2412190040009154
> > > > > >
> > > > > > Hi Julien and Alexander,
> > > > > >
> > > > > > Alexander mentioned ad2025.pcap and ad2025_sha1.pcap, and Julien
> > > > > > mentioned 2 additional unnamed captures.
> > > > > >
> > > > > > Please upload any relevant traces to the link below, as we are not
> > > > > > allowed to accept files by email. Also, it would help if you could
> > > > > > specify which traces and frames relate to which aspects of your
> > > > > > question, that would save time.
> > > > > >
> > > > > > Also, it's not clear to me (yet), if the additional information
> > > > > > from Julien modifies or answers any part of Alexander's original
> > > > > > question.
> > > > > >
> > > > > > Secure file link:
> > > > > >
> > > > > > Best regards,
> > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > > > > Corporation
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ________________________________
> > > > > > From: Jeff McCashland (He/him) <[email protected]>
> > > > > > Sent: Monday, December 23, 2024 8:29 PM
> > > > > > To: Julien Rische <[email protected]>
> > > > > > Cc: [email protected] <[email protected]>;
> > > > > > Alexander Bokovoy <[email protected]>; Microsoft Support
> > > > > > <[email protected]>
> > > > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > > > > regression - TrackingID#2412190040009154
> > > > > >
> > > > > > [Kristian to BCC]
> > > > > >
> > > > > > Hi Julien,
> > > > > >
> > > > > > I will investigate your question, and get back to you. I am out the
> > > > > > next 2 days for holiday, back on Thursday.
> > > > > >
> > > > > >
> > > > > > Best regards,
> > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > > > > Corporation
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ________________________________
> > > > > > From: Kristian Smith <[email protected]>
> > > > > > Sent: Monday, December 23, 2024 1:31 PM
> > > > > > To: Julien Rische <[email protected]>; Jeff McCashland (He/him)
> > > > > > <[email protected]>
> > > > > > Cc: [email protected] <[email protected]>;
> > > > > > Alexander Bokovoy <[email protected]>; Microsoft Support
> > > > > > <[email protected]>
> > > > > > Subject: RE: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > > > > regression - TrackingID#2412190040009154
> > > > > >
> > > > > > [Mike to Bcc, adding Jeff]
> > > > > > Hi Julien,
> > > > > >
> > > > > > Thanks for the information. Also, after some workload adjustments,
> > > > > > @Jeff McCashland will be working on your case moving forward.
> > > > > >
> > > > > > Apologies for the confusion.
> > > > > >
> > > > > > Regards,
> > > > > > Kristian Smith
> > > > > > Support Escalation Engineer | Microsoft® Corporation
> > > > > > Email: [email protected]
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Michael Bowen <[email protected]>
> > > > > > Sent: Monday, December 23, 2024 10:05 AM
> > > > > > To: Julien Rische <[email protected]>; Kristian Smith
> > > > > > <[email protected]>
> > > > > > Cc: Alexander Bokovoy <[email protected]>;
> > > > > > [email protected]; Microsoft Support
> > > > > > <[email protected]>
> > > > > > Subject: RE: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > > > > regression - TrackingID#2412190040009154
> > > > > >
> > > > > > Hi Julien,
> > > > > >
> > > > > > Thanks for the update. @Kristian Smith is handling your case, so
> > > > > > I'm forwarding this to him to help him with your issue. Happy
> > > > > > Holidays!
> > > > > >
> > > > > > - Michael
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Julien Rische <[email protected]>
> > > > > > Sent: Monday, December 23, 2024 5:32 AM
> > > > > > To: Michael Bowen <[email protected]>
> > > > > > Cc: Alexander Bokovoy <[email protected]>;
> > > > > > [email protected]; Microsoft Support
> > > > > > <[email protected]>
> > > > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT
> > > > > > regression - TrackingID#2412190040009154
> > > > > >
> > > > > >
> > > > > > Hello Michael,
> > > > > >
> > > > > > It has come to our attention that Windows Server 2025 now has
> > > > > > support for allowing and disallowing digest algorithms in PKINIT.
> > > > > > We made some tests by modifying the "Computer
> > > > > > Configuration\Policies\Administrative
> > > > > > Templates\System\KDC\Configure hash algorithms for certificate
> > > > > > logon".
> > > > > >
> > > > > > This configuration seems to take effect, because disallowing
> > > > > > SHA-256 causes elliptic curve Diffie-Hellman to fail. However,
> > > > > > allowing all SHA versions does not fix the problem when using
> > > > > > finite field Diffie-Hellman.
> > > > > >
> > > > > > In the attachment, you will find 2 network traces showing a successful
> > > > > > pre-authentication process for ECDH with curve P-256 and
> > > > > > RSA/SHA-256 signature, and a failing one for FFDH with MODP group
> > > > > > 14 (2046-bit) and RSA/SHA-256 signature. In both cases all SHA
> > > > > > versions are allowed in the above group policy.
> > > > > >
> > > > > > --
> > > > > > Julien Rische
> > > > > >
> > > > > >
> > > > > > On Thu, Dec 19, 2024 at 5:33 PM Michael Bowen via cifs-protocol
> > > > > > <[email protected]> wrote:
> > > > > > >
> > > > > > > [DocHelp to bcc]
> > > > > > >
> > > > > > > Hi Alexander,
> > > > > > >
> > > > > > > Thanks for your question about Windows Server 2025 and Kerberos.
> > > > > > > I've created case number 2412190040009154 to track this issue,
> > > > > > > please leave the number in the subject line when communicating
> > > > > > > with our team. One of our engineers will contact you soon.
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Michael Bowen
> > > > > > > Sr. Escalation Engineer - Microsoft® Corporation
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Alexander Bokovoy <[email protected]>
> > > > > > > Sent: Thursday, December 19, 2024 4:26 AM
> > > > > > > To: Interoperability Documentation Help <[email protected]>
> > > > > > > Cc: [email protected]
> > > > > > > Subject: [EXTERNAL] Windows Server 2025 PKINIT regression
> > > > > > >
> > > > > > >
> > > > > > > Hi Dochelp,
> > > > > > >
> > > > > > > I believe we are seeing a regression in how Windows Server 2025
> > > > > > > handles Kerberos PKINIT, probably due to the algorithm agility
> > > > > > > rewrite.
> > > > > > >
> > > > > > > Some time ago we updated the MIT Kerberos implementation of
> > > > > > > PKINIT to use sha256WithRSAEncryption in supported CMS types and
> > > > > > > removed sha1WithRSAEncryption to be compliant with FIPS
> > > > > > > 140-3.
> > > > > > >
> > > > > > > The commit
> > > > > > > https://github.com/krb5/krb5/commit/cbfe46ce20f3e9265baa9c648390148c739ab830
> > > > > > > is part of MIT Kerberos 1.20 or later releases.
> > > > > > >
> > > > > > > This change worked well for Windows Server versions prior to
> > > > > > > Windows Server 2025 release. With Windows Server 2025, the
> > > > > > > request is rejected (packet 8 from ad2025.pcap in attached
> > > > > > > archive):
> > > > > > >
> > > > > > > Kerberos
> > > > > > >     Record Mark: 106 bytes
> > > > > > >         0... .... .... .... .... .... .... .... = Reserved: Not set
> > > > > > >         .000 0000 0000 0000 0000 0000 0110 1010 = Record Length: 106
> > > > > > >     krb-error
> > > > > > >         pvno: 5
> > > > > > >         msg-type: krb-error (30)
> > > > > > >         stime: Dec 18, 2024 15:22:36.000000000 CET
> > > > > > >         susec: 926640
> > > > > > >         error-code: Unknown (79)
> > > > > > >         realm: WIN2025-UO83.TEST
> > > > > > >         sname
> > > > > > >             name-type: kRB5-NT-SRV-INST (2)
> > > > > > >             sname-string: 2 items
> > > > > > >                 SNameString: krbtgt
> > > > > > >                 SNameString: WIN2025-UO83.TEST
> > > > > > >
> > > > > > >
> > > > > > > We built a custom version of MIT Kerberos which adds both
> > > > > > > sha256WithRSAEncryption and sha1WithRSAEncryption to the list of
> > > > > > > supported CMS types and still signs with
> > > > > > > sha256WithRSAEncryption; it failed again. The corresponding
> > > > > > > packet exchange can be seen in ad2025_sha1.pcap in the attached
> > > > > > > archive.
> > > > > > >
> > > > > > > Both variants work against Windows Server 2019, so to us this
> > > > > > > looks like a regression in the Windows Server 2025 implementation.
> > > > > > >
> > > > > > > If this is not a regression and instead it is an intentional
> > > > > > > change, could you please make sure MS-PKCA and the other
> > > > > > > corresponding documents get updated with the proper logic of the
> > > > > > > changes?
> > > > > > >
> > > > > > > --
> > > > > > > / Alexander Bokovoy
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > cifs-protocol mailing list
> > > > > > > [email protected]
> > > > > > > https://lists.samba.org/mailman/listinfo/cifs-protocol
> > > > > > >
> > > > >
> > > >
> > >
> > >
> > > --
> > > / Alexander Bokovoy
> >
>
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol