[DocHelp to Bcc]

Hi Andreas,

Thanks for reaching out with your Certificate Auto-enrollment question. I've 
created case 2507010040006964 to track the issue. I will research this and be 
in touch soon.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft(r) Corporation
Email: [email protected]

-----Original Message-----
From: Andreas Schneider <[email protected]>
Sent: Tuesday, July 1, 2025 12:38 AM
To: Interoperability Documentation Help <[email protected]>; cifs-protocol 
<[email protected]>
Subject: [EXTERNAL] Certificate Auto Enrollment (CEP/CES) and Windows 2025

Hi Dochelp,

I'm trying to get CEP/CES (Certificate Auto Enrollment) with Samba working 
against Windows 2025. This was working fine against earlier versions of Windows 
but I can't get Kerberos authentication working against CEP/CES configured on 
Windows Server 2025.

I've followed the How-to guides at

https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/

to setup the Certificate services. I distilled out a set of reproducible steps 
using Powershell commands. I set up an AD DC and a domain member for the 
Certification Authority and its services.

You can find them here:

https://hackmd.io/@asn/SkHk8rXBz


If I try to get the certificate templates on Linux using our cepces client 
implementation, I'm always getting:


requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url:
https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_Kerberos/service.svc/CEP


Looking at the ticket cache, we have the correct ticket:


Default principal: [email protected]

Valid starting     Expires            Service principal
07/01/25 09:12:23  07/01/25 19:12:23  krbtgt/[email protected]
        renew until 07/08/25 09:12:23
07/01/25 09:12:23  07/01/25 19:12:23  HTTP/win-ca01.mars.milkyway.site@
        renew until 07/08/25 09:12:23
        Ticket server: HTTP/[email protected]



But it looks like the IIS server doesn't accept the Kerberos ticket; the
IIS logs show:

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-01 07:11:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-01 07:11:16 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 243
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 2
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 14
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 0
2025-07-01 07:16:18 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 0
2025-07-01 07:17:42 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 0


I'm not able to figure out why the IIS server doesn't allow authentication
with the ticket. I didn't find any advanced logging that I could enable
here to figure out why it doesn't want to accept the ticket.


Could you help me find out what the issue is?


I can create a TTrace if that helps!


Thank you very much.


Best regards


        Andreas


--
Andreas Schneider                      [email protected]
Samba Team                             http://www.samba.org/
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
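The IIS log quoted in Andreas's message is easier to triage once the sc-substatus and sc-win32-status columns are decoded: IIS logs the win32 value as an unsigned decimal, so SSPI HRESULTs are only recognisable once shown in hex. The following is an added example, not code from the thread or from Samba/cepces; it parses the W3C #Fields header and decodes the two 401 variants in the excerpt, with the sample lines taken from the report (re-joined after mail wrapping) and the sub-status and winerror.h names taken from Microsoft's public documentation.

```python
"""Triage helper for IIS W3C extended logs: decode 401 sub-status and win32 status."""

# Constructed sample: the #Fields header and two of the 401 lines from the report,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-01 07:11:16 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 243
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 14
"""

# Documented IIS HTTP 401 sub-status codes.
SUBSTATUS_401 = {1: "Logon failed", 2: "Logon failed due to server configuration",
                 3: "Unauthorized due to ACL on resource"}

# sc-win32-status is logged as unsigned decimal; SSPI SEC_E_* HRESULTs from
# winerror.h are only recognisable once shown in hex.
WIN32_NAMES = {0x00000005: "ERROR_ACCESS_DENIED",
               0x8009030C: "SEC_E_LOGON_DENIED",
               0x80090346: "SEC_E_BAD_BINDINGS (SSPI channel bindings incorrect)"}

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def decode_auth_failure(rec):
    """Readable explanation for an IIS 401 record; None for other statuses."""
    if rec.get("sc-status") != "401":
        return None
    sub, win32 = int(rec["sc-substatus"]), int(rec["sc-win32-status"])
    return {
        "when": f'{rec["date"]} {rec["time"]}',
        "client": rec["c-ip"],
        "substatus": f'401.{sub} {SUBSTATUS_401.get(sub, "unknown")}',
        "win32_hex": f"0x{win32:08X}",
        "win32_name": WIN32_NAMES.get(win32, "unknown"),
    }

def triage(text):
    """All 401 records of a log, decoded, so repeated failures can be grouped."""
    return [d for d in map(decode_auth_failure, parse_w3c(text)) if d]
```

Run triage(SAMPLE_LOG) to see both failure modes side by side; feeding it the complete log file separates the 401.2/0x5 lines (server-side auth configuration) from the 401.1/0x80090346 lines (the SSPI token itself was rejected).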



_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol