Hi Metze, Thanks again for your patience. The engineering team has confirmed that you found a bug. ServerAuthenticateKerberos() should indeed be called here, but there is an issue in the Server 2025 implementation that causes fallback to ServerAuthenticate3 before hitting the wire. They are working on root cause.
Thank you for you work in finding this bug and please let me know if you have any additional concerns on this issue. Regards, Kristian Smith Support Escalation Engineer | Microsoft® Corporation Email: [email protected] -----Original Message----- From: Kristian Smith Sent: Thursday, February 6, 2025 9:30 AM To: Stefan Metzmacher <[email protected]> Cc: [email protected]; Microsoft Support <[email protected]> Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093 Hi Metze, In working with the developers of these Netlogon functions, it appears the use of ServerAuthenticate3() versus ServerAuthenticateKerberos() in trust creation is likely a bug in Server 2025. They are currently investigating and I'll let you know once this is confirmed. It appears to me that, since MS-NRPC leaves the choice of which authentication function up to the implementer, there aren't any changes needed to the doc in this case. Please let me know if you disagree. Regards, Kristian Smith Support Escalation Engineer | Microsoft® Corporation Email: [email protected] -----Original Message----- From: Stefan Metzmacher <[email protected]> Sent: Monday, January 27, 2025 10:49 AM To: Kristian Smith <[email protected]> Cc: [email protected]; Microsoft Support <[email protected]> Subject: Re: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093 Hi Kristian, > Just a quick update on the question about ServerAuthenticateKerberos() > between trusted domains. I was able to create a Server 2025 to Server 2025 > 2-way forest trust and confirmed that it's authenticating with > NetrServerAuthenticate3() rather than ServerAuthenticateKerberos(). I'm > still, however, discussing this with the PG and I'll continue to send > periodic updates until I have a concrete answer as to what doc changes need > to be made. Thanks! metze _______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
