On Monday, 7 July 2025 22:41:30 CEST Kristian Smith wrote:
> Hi Andreas,
Hi Kristian,
> In order to best troubleshoot this issue, it does appear that a TT Trace
> will be the best option. I've created the following steps to gather an
> lsass trace from our modern OS versions. Please gather a simultaneous
> network trace, if possible, as well.
I've uploaded the Time Trace. The correct file is:
NEW_CEP_Kerberos_Traces_10-Jul-2025.zip
I've uploaded two zip files, ignore the other one. The trace is from the
Windows Server hosting the CA.
The network trace won't show you much, as it is an encrypted https connection.
However below is the trace from the cepces application. If you search for:
send:
you can see the raw data the http client sends. And
reply:
is what we get back from the IIS server. In between we talk to the DC's KDC to
get the TGS for the http server.
Best regards
Andreas
root@fedora2:~# KRB5_TRACE=/dev/stderr CERTMONGER_OPERATION=GET-SUPPORTED-TEMPLATES /usr/bin/python3 /usr/libexec/certmonger/cepces-submit --server=win-ca01.mars.milkyway.site --auth=Kerberos
2025-07-10 10:15:01,837 cepces.config.Configuration:DEBUG:Initializing
application configuration.
2025-07-10 10:15:01,838 cepces.config.Configuration:DEBUG:Reading: /etc/
cepces/cepces.conf
2025-07-10 10:15:01,839
cepces.auth.KerberosAuthenticationHandler<0x7f561eed6120>:DEBUG:Initializing
cepces.auth.KerberosAuthenticationHandler<0x7f561eed6120>.
2025-07-10 10:15:01,839
cepces.soap.auth.TransportKerberosAuthentication<0x7f561eed6270>:DEBUG:Initializing
cepces.soap.auth.TransportKerberosAuthentication<0x7f561eed6270>.
2025-07-10 10:15:01,839
cepces.krb5.core.Context<0x7f561eed63c0>:DEBUG:Initializing
cepces.krb5.core.Context<0x7f561eed63c0>.
2025-07-10 10:15:01,839 cepces.krb5.core.Context<0x7f561eed63c0>:DEBUG:Handle
<cepces.krb5.types.LP__krb5_context object at 0x7f561f5a0cd0>
2025-07-10 10:15:01,841
cepces.krb5.core.Principal<0x7f561eed6510>:DEBUG:Initializing
cepces.krb5.core.Principal<0x7f561eed6510>.
2025-07-10 10:15:01,841
cepces.krb5.core.Principal<0x7f561eed6510>:DEBUG:Handle
<cepces.krb5.types.LP_krb5_principal_data object at 0x7f561ee86bd0>
2025-07-10 10:15:01,841
cepces.krb5.core.PrincipalName<0x7f561eed6660>:DEBUG:Initializing
cepces.krb5.core.PrincipalName<0x7f561eed6660>.
2025-07-10 10:15:01,841
cepces.krb5.core.PrincipalName<0x7f561eed6660>:DEBUG:Handle None
[5238] 1752135301.845200: Matching [email protected] in collection
with result: -1765328243/Can't find client principal
[email protected] in cache collection
[5238] 1752135301.845201: Getting initial credentials for
[email protected]
[5238] 1752135301.845202: Found entries for [email protected] in
keytab: aes256-cts, aes128-cts, rc4-hmac
[5238] 1752135301.845204: Sending unauthenticated request
[5238] 1752135301.845205: Sending request (216 bytes) to MARS.MILKYWAY.SITE
[5238] 1752135301.845206: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135301.845207: No URI records found
[5238] 1752135301.845208: Sending DNS SRV query for
_kerberos._udp.MARS.MILKYWAY.SITE.
[5238] 1752135301.845209: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135301.845210: Sending DNS SRV query for
_kerberos._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135301.845211: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135301.845212: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135301.845213: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135301.845214: Initiating TCP connection to stream 192.168.56.20:88
[5238] 1752135301.845215: Sending TCP request to stream 192.168.56.20:88
[5238] 1752135301.845216: Received answer (355 bytes) from stream
192.168.56.20:88
[5238] 1752135301.845217: Terminating TCP connection to stream
192.168.56.20:88
[5238] 1752135301.845218: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135301.845219: No URI records found
[5238] 1752135301.845220: Sending DNS SRV query for _kerberos-
master._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135301.845221: No SRV records found
[5238] 1752135301.845222: Response was not from primary KDC
[5238] 1752135301.845223: Received error from KDC: -1765328359/Additional pre-
authentication required
[5238] 1752135301.845226: Preauthenticating using KDC method data
[5238] 1752135301.845227: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-
AS-REP_OLD (15), PA-ETYPE-INFO2 (19), 111, PA-ENC-TIMESTAMP (2)
[5238] 1752135301.845228: Selected etype info: etype aes256-cts, salt
"MARS.MILKYWAY.SITEhostfedora2.mars.milkyway.site", params ""
[5238] 1752135301.845229: PKINIT client has no configured identity; giving up
[5238] 1752135301.845230: PKINIT client has no configured identity; giving up
[5238] 1752135301.845231: Preauth module pkinit (16) (real) returned: 22/
Invalid argument
[5238] 1752135301.845232: Retrieving [email protected] from FILE:/
etc/samba/cepces.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[5238] 1752135301.845233: AS key obtained for encrypted timestamp: aes256-cts/
ED29
[5238] 1752135301.845235: Encrypted timestamp (for 1752135302.470440): plain
301AA011180F32303235303731303038313530325AA1050203072DA8, encrypted
C95DCE093B998740D238A843E550675FEC62300F20A
39652F6FB07E0CF8747F021CBAD11CA86888BA6CE3BC9B78D194F046A037D0DA2C016
[5238] 1752135301.845236: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[5238] 1752135301.845237: Produced preauth for next request: PA-ENC-TIMESTAMP
(2)
[5238] 1752135301.845238: Sending request (296 bytes) to MARS.MILKYWAY.SITE
[5238] 1752135301.845239: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135301.845240: No URI records found
[5238] 1752135301.845241: Sending DNS SRV query for
_kerberos._udp.MARS.MILKYWAY.SITE.
[5238] 1752135301.845242: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135301.845243: Sending DNS SRV query for
_kerberos._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135301.845244: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135301.845245: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135301.845246: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135301.845247: Initiating TCP connection to stream 192.168.56.20:88
[5238] 1752135301.845248: Sending TCP request to stream 192.168.56.20:88
[5238] 1752135301.845249: Received answer (1699 bytes) from stream
192.168.56.20:88
[5238] 1752135301.845250: Terminating TCP connection to stream
192.168.56.20:88
[5238] 1752135301.845251: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135301.845252: No URI records found
[5238] 1752135301.845253: Sending DNS SRV query for _kerberos-
master._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135301.845254: No SRV records found
[5238] 1752135301.845255: Response was not from primary KDC
[5238] 1752135301.845256: Processing preauth types: PA-ETYPE-INFO2 (19)
[5238] 1752135301.845257: Selected etype info: etype aes256-cts, salt
"MARS.MILKYWAY.SITEhostfedora2.mars.milkyway.site", params ""
[5238] 1752135301.845258: Produced preauth for next request: (empty)
[5238] 1752135301.845259: AS key determined by preauth: aes256-cts/ED29
[5238] 1752135301.845260: Decrypted AS reply; session key is: aes256-cts/673E
[5238] 1752135301.845261: FAST negotiation: unavailable
[5238] 1752135301.845262: Resolving unique ccache of type MEMORY
[5238] 1752135301.845263: Initializing MEMORY:6s2qkd4 with default princ
[email protected]
[5238] 1752135301.845264: Storing config in MEMORY:6s2qkd4 for krbtgt/
[email protected]: pa_type: 2
[5238] 1752135301.845265: Storing [email protected] ->
krb5_ccache_conf_data/pa_type/krbtgt\/
MARS.MILKYWAY.SITE\@MARS.MILKYWAY.SITE@X-CACHECONF: in MEMORY:6s2qkd4
[5238] 1752135301.845266: Storing [email protected] -> krbtgt/
[email protected] in MEMORY:6s2qkd4
[5238] 1752135301.845267: Moving ccache MEMORY:6s2qkd4 to MEMORY:cepces
[5238] 1752135301.845268: Destroying ccache MEMORY:6s2qkd4
[5238] 1752135301.845269: Storing config in MEMORY:cepces for : refresh_time:
1752153302
[5238] 1752135301.845270: Storing [email protected] ->
krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:cepces
2025-07-10 10:15:01,920
cepces.config.Configuration<0x7f561eed6510>:DEBUG:Initializing
cepces.config.Configuration<0x7f561eed6510>.
2025-07-10 10:15:01,920 cepces.core.Service<0x7f561eed6120>:DEBUG:Initializing
cepces.core.Service<0x7f561eed6120>.
2025-07-10 10:15:01,920
cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:Initializing
cepces.xcep.service.Service<0x7f561eed6660>.
2025-07-10 10:15:01,920
cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:Initializing service
(endpoint: https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_Kerberos/
service.svc/CEP,
auth: TransportKerberosAuthentication<0x7f561eed6270>)
2025-07-10 10:15:01,920
cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:Preparing message
urn:uuid:1cf411f9-79c8-4c59-8219-19a21e52a6bf to
https://win-ca01.mars.milkyway.site/ADPolicyPro
vider_CEP_Kerberos/service.svc/CEP with payload: b'<ns0:GetPolicies
xmlns:ns0="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"
xmlns:xsi="http://www.w3.org/2001/XMLSchem
a-instance"><ns0:client><ns0:lastUpdate xsi:nil="true" /
><ns0:preferredLanguage xsi:nil="true" /></
ns0:client><ns0:requestFilter><ns0:policyOIDs xsi:nil="true" /
><ns0:clientVersion xsi:nil
="true" /><ns0:serverVersion xsi:nil="true" /></ns0:requestFilter></
ns0:GetPolicies>'
2025-07-10 10:15:01,921
cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:Sending message:
2025-07-10 10:15:01,921 cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:
-endpoint: https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_Kerberos/
service.svc/CEP
2025-07-10 10:15:01,921 cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:
-headers: {'Content-Type': 'application/soap+xml; charset=utf-8'}
2025-07-10 10:15:01,921 cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:
-verify: True
2025-07-10 10:15:01,921 cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:
-auth: TransportKerberosAuthentication<0x7f561eed6270>
2025-07-10 10:15:01,921 cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:
-data: b'<ns0:Envelope xmlns:ns0="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns1="http://www.w3.org/2005/08/a
ddressing" xmlns:ns2="http://schemas.microsoft.com/windows/pki/2009/01/
enrollmentpolicy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ns0:Header><ns1:Action
ns0:mustUnderstand="1
">http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/
GetPolicies</
ns1:Action><ns1:MessageID>urn:uuid:1cf411f9-79c8-4c59-8219-19a21e52a6bf</
ns1:MessageID><ns1:To ns0:
mustUnderstand="1">https://win-ca01.mars.milkyway.site/
ADPolicyProvider_CEP_Kerberos/service.svc/CEP</ns1:To></
ns0:Header><ns0:Body><ns2:GetPolicies><ns2:client><ns2:lastUpdate xsi:nil="tr
ue" /><ns2:preferredLanguage xsi:nil="true" /></
ns2:client><ns2:requestFilter><ns2:policyOIDs xsi:nil="true" /
><ns2:clientVersion xsi:nil="true" /><ns2:serverVersion xsi:nil="true" /></ns2
:requestFilter></ns2:GetPolicies></ns0:Body></ns0:Envelope>'
2025-07-10 10:15:01,921 cepces.xcep.service.Service<0x7f561eed6660>:DEBUG:
-data after post-processing: b'<ns0:Envelope xmlns:ns0="http://www.w3.org/
2003/05/soap-envelope" xmlns:ns1="http:
//www.w3.org/2005/08/addressing" xmlns:ns2="http://schemas.microsoft.com/
windows/pki/2009/01/enrollmentpolicy" xmlns:xsi="http://www.w3.org/2001/
XMLSchema-instance"><ns0:Header><ns1:Action
ns0:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/
enrollmentpolicy/IPolicy/GetPolicies</
ns1:Action><ns1:MessageID>urn:uuid:1cf411f9-79c8-4c59-8219-19a21e52a6bf</ns1:
MessageID><ns1:To ns0:mustUnderstand="1">https://win-ca01.mars.milkyway.site/
ADPolicyProvider_CEP_Kerberos/service.svc/CEP</ns1:To></
ns0:Header><ns0:Body><ns2:GetPolicies><ns2:client><ns2:
lastUpdate xsi:nil="true" /><ns2:preferredLanguage xsi:nil="true" /></
ns2:client><ns2:requestFilter><ns2:policyOIDs xsi:nil="true" /
><ns2:clientVersion xsi:nil="true" /><ns2:serverVersion
xsi:nil="true" /></ns2:requestFilter></ns2:GetPolicies></ns0:Body></
ns0:Envelope>'
send: b'POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP HTTP/1.1\r\nHost:
win-ca01.mars.milkyway.site\r\nUser-Agent: python-requests/2.32.3\r\nAccept-
Encoding: gzip, deflate\r\nAccept:
*/*\r\nConnection: keep-alive\r\nContent-Type: application/soap+xml;
charset=utf-8\r\nContent-Length: 915\r\n\r\n'
send: b'<ns0:Envelope xmlns:ns0="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns1="http://www.w3.org/2005/08/addressing" xmlns:ns2="http://
schemas.microsoft.com/windows/pki/2009/01/enrol
lmentpolicy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ns0:Header><ns1:Action
ns0:mustUnderstand="1">http://
schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/
GetPolicies</
ns1:Action><ns1:MessageID>urn:uuid:1cf411f9-79c8-4c59-8219-19a21e52a6bf</
ns1:MessageID><ns1:To
ns0:mustUnderstand="1">https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_
Kerberos/service.svc/CEP</ns1:To></
ns0:Header><ns0:Body><ns2:GetPolicies><ns2:client><ns2:lastUpdate
xsi:nil="true" /><ns2:preferredLanguage xsi:nil="true" /></
ns2:client><ns2:requestFilte
r><ns2:policyOIDs xsi:nil="true" /><ns2:clientVersion xsi:nil="true" /
><ns2:serverVersion xsi:nil="true" /></ns2:requestFilter></ns2:GetPolicies></
ns0:Body></ns0:Envelope>'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Type: text/html
header: Server: Microsoft-IIS/10.0
header: WWW-Authenticate: Negotiate
header: X-Powered-By: ASP.NET
header: Date: Thu, 10 Jul 2025 08:15:03 GMT
header: Content-Length: 1293
[5238] 1752135303.664698: ccselect module realm chose cache MEMORY:cepces with
client principal [email protected] for server principal HTTP/win-
[email protected]
WAY.SITE
[5238] 1752135303.664699: Getting credentials [email protected] ->
HTTP/win-ca01.mars.milkyway.site@ using ccache MEMORY:cepces
[5238] 1752135303.664700: Retrieving [email protected] ->
krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:cepces with result:
-1765328243/Matching credential not found
[5238] 1752135303.664701: Retrieving [email protected] -> HTTP/win-
ca01.mars.milkyway.site@ from MEMORY:cepces with result: -1765328243/Matching
credential not found
[5238] 1752135303.664702: Retrying [email protected] -> HTTP/win-
[email protected] with result: -1765328243/Matching
credential not found
[5238] 1752135303.664703: Server has referral realm; starting with HTTP/win-
[email protected]
[5238] 1752135303.664704: Retrieving [email protected] -> krbtgt/
[email protected] from MEMORY:cepces with result: 0/
Success
[5238] 1752135303.664705: Starting with TGT for client realm:
[email protected] -> krbtgt/[email protected]
[5238] 1752135303.664706: Requesting tickets for HTTP/win-
[email protected], referrals on
[5238] 1752135303.664707: Generated subkey for TGS request: aes256-cts/C464
[5238] 1752135303.664708: etypes requested in TGS request: aes256-sha2,
aes128-sha2, aes256-cts, aes128-cts, camellia256-cts, camellia128-cts, rc4-
hmac
[5238] 1752135303.664710: Encoding request body and padata into FAST request
[5238] 1752135303.664711: Sending request (1857 bytes) to MARS.MILKYWAY.SITE
[5238] 1752135303.664712: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135303.664713: No URI records found
[5238] 1752135303.664714: Sending DNS SRV query for
_kerberos._udp.MARS.MILKYWAY.SITE.
[5238] 1752135303.664715: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135303.664716: Sending DNS SRV query for
_kerberos._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135303.664717: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135303.664718: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135303.664719: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135303.664720: Initiating TCP connection to stream 192.168.56.20:88
[5238] 1752135303.664721: Sending TCP request to stream 192.168.56.20:88
[5238] 1752135303.664722: Received answer (1818 bytes) from stream
192.168.56.20:88
[5238] 1752135303.664723: Terminating TCP connection to stream
192.168.56.20:88
[5238] 1752135303.664724: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135303.664725: No URI records found
[5238] 1752135303.664726: Sending DNS SRV query for _kerberos-
master._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135303.664727: No SRV records found
[5238] 1752135303.664728: Response was not from primary KDC
[5238] 1752135303.664729: Decoding FAST response
[5238] 1752135303.664730: FAST reply key: aes256-cts/9FBA
[5238] 1752135303.664731: TGS reply is for [email protected] ->
HTTP/[email protected] with session key aes256-
cts/63D6
[5238] 1752135303.664732: TGS request result: 0/Success
[5238] 1752135303.664733: Received creds for desired service HTTP/win-
[email protected]
[5238] 1752135303.664734: Storing [email protected] -> HTTP/win-
ca01.mars.milkyway.site@ in MEMORY:cepces
[5238] 1752135303.664735: Retrieving [email protected] -> krbtgt/
[email protected] from MEMORY:cepces with result: 0/
Success
[5238] 1752135303.664736: Get cred via TGT krbtgt/
[email protected] after requesting krbtgt/
[email protected] (canonicalize off)
[5238] 1752135303.664737: Generated subkey for TGS request: aes256-cts/6AFC
[5238] 1752135303.664738: etypes requested in TGS request: aes256-cts
[5238] 1752135303.664740: Encoding request body and padata into FAST request
[5238] 1752135303.664741: Sending request (1841 bytes) to MARS.MILKYWAY.SITE
[5238] 1752135303.664742: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135303.664743: No URI records found
[5238] 1752135303.664744: Sending DNS SRV query for
_kerberos._udp.MARS.MILKYWAY.SITE.
[5238] 1752135303.664745: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135303.664746: Sending DNS SRV query for
_kerberos._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135303.664747: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135303.664748: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135303.664749: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135303.664750: Initiating TCP connection to stream 192.168.56.20:88
[5238] 1752135303.664751: Sending TCP request to stream 192.168.56.20:88
[5238] 1752135303.664752: Received answer (1790 bytes) from stream
192.168.56.20:88
[5238] 1752135303.664753: Terminating TCP connection to stream
192.168.56.20:88
[5238] 1752135303.664754: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135303.664755: No URI records found
[5238] 1752135303.664756: Sending DNS SRV query for _kerberos-
master._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135303.664757: No SRV records found
[5238] 1752135303.664758: Response was not from primary KDC
[5238] 1752135303.664759: Decoding FAST response
[5238] 1752135303.664760: FAST reply key: aes256-cts/9124
[5238] 1752135303.664761: TGS reply is for [email protected] ->
krbtgt/[email protected] with session key aes256-cts/9C95
[5238] 1752135303.664762: Got cred; 0/Success
[5238] 1752135303.664764: Creating authenticator for
[email protected] -> HTTP/win-ca01.mars.milkyway.site@, seqnum
49976059, subkey aes256-cts/42F9, session key aes256-cts/63D6
send: b'POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP HTTP/1.1\r\nHost:
win-ca01.mars.milkyway.site\r\nUser-Agent: python-requests/2.32.3\r\nAccept-
Encoding: gzip, deflate\r\nAccept:
*/*\r\nConnection: keep-alive\r\nContent-Type: application/soap+xml;
charset=utf-8\r\nContent-Length: 915\r\nAuthorization: Negotiate [base64 SPNEGO token omitted]\r\n\r\n'
send: b'<ns0:Envelope xmlns:ns0="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns1="http://www.w3.org/2005/08/addressing" xmlns:ns2="http://
schemas.microsoft.com/windows/pki/2009/01/enrol
lmentpolicy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ns0:Header><ns1:Action
ns0:mustUnderstand="1">http://
schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/
GetPolicies</
ns1:Action><ns1:MessageID>urn:uuid:1cf411f9-79c8-4c59-8219-19a21e52a6bf</
ns1:MessageID><ns1:To
ns0:mustUnderstand="1">https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_
Kerberos/service.svc/CEP</ns1:To></
ns0:Header><ns0:Body><ns2:GetPolicies><ns2:client><ns2:lastUpdate
xsi:nil="true" /><ns2:preferredLanguage xsi:nil="true" /></
ns2:client><ns2:requestFilte
r><ns2:policyOIDs xsi:nil="true" /><ns2:clientVersion xsi:nil="true" /
><ns2:serverVersion xsi:nil="true" /></ns2:requestFilter></ns2:GetPolicies></
ns0:Body></ns0:Envelope>'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Type: text/html
header: Server: Microsoft-IIS/10.0
header: WWW-Authenticate: Negotiate
header: X-Powered-By: ASP.NET
header: Date: Thu, 10 Jul 2025 08:15:03 GMT
header: Content-Length: 1293
[5238] 1752135304.589112: ccselect module realm chose cache MEMORY:cepces with
client principal [email protected] for server principal HTTP/win-
[email protected]
WAY.SITE
[5238] 1752135304.589113: Getting credentials [email protected] ->
HTTP/win-ca01.mars.milkyway.site@ using ccache MEMORY:cepces
[5238] 1752135304.589114: Retrieving [email protected] ->
krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:cepces with result:
-1765328243/Matching credential not found
[5238] 1752135304.589115: Retrieving [email protected] -> HTTP/win-
ca01.mars.milkyway.site@ from MEMORY:cepces with result: 0/Success
[5238] 1752135304.589116: Retrieving [email protected] -> krbtgt/
[email protected] from MEMORY:cepces with result: 0/
Success
[5238] 1752135304.589117: Get cred via TGT krbtgt/
[email protected] after requesting krbtgt/
[email protected] (canonicalize off)
[5238] 1752135304.589118: Generated subkey for TGS request: aes256-cts/5A5E
[5238] 1752135304.589119: etypes requested in TGS request: aes256-cts
[5238] 1752135304.589121: Encoding request body and padata into FAST request
[5238] 1752135304.589122: Sending request (1841 bytes) to MARS.MILKYWAY.SITE
[5238] 1752135304.589123: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135304.589124: No URI records found
[5238] 1752135304.589125: Sending DNS SRV query for
_kerberos._udp.MARS.MILKYWAY.SITE.
[5238] 1752135304.589126: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135304.589127: Sending DNS SRV query for
_kerberos._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135304.589128: SRV answer: 0 100 88 "win-dc02.mars.milkyway.site."
[5238] 1752135304.589129: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135304.589130: Resolving hostname win-dc02.mars.milkyway.site.
[5238] 1752135304.589131: Initiating TCP connection to stream 192.168.56.20:88
[5238] 1752135304.589132: Sending TCP request to stream 192.168.56.20:88
[5238] 1752135304.589133: Received answer (1790 bytes) from stream
192.168.56.20:88
[5238] 1752135304.589134: Terminating TCP connection to stream
192.168.56.20:88
[5238] 1752135304.589135: Sending DNS URI query for
_kerberos.MARS.MILKYWAY.SITE.
[5238] 1752135304.589136: No URI records found
[5238] 1752135304.589137: Sending DNS SRV query for _kerberos-
master._tcp.MARS.MILKYWAY.SITE.
[5238] 1752135304.589138: No SRV records found
[5238] 1752135304.589139: Response was not from primary KDC
[5238] 1752135304.589140: Decoding FAST response
[5238] 1752135304.589141: FAST reply key: aes256-cts/F31E
[5238] 1752135304.589142: TGS reply is for [email protected] ->
krbtgt/[email protected] with session key aes256-cts/41F3
[5238] 1752135304.589143: Got cred; 0/Success
[5238] 1752135304.589145: Creating authenticator for
[email protected] -> HTTP/win-ca01.mars.milkyway.site@, seqnum
257564344, subkey aes256-cts/1BF1, session key aes256-cts/63D6
send: b'POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP HTTP/1.1\r\nHost:
win-ca01.mars.milkyway.site\r\nUser-Agent: python-requests/2.32.3\r\nAccept-
Encoding: gzip, deflate\r\nAccept:
*/*\r\nConnection: keep-alive\r\nContent-Type: application/soap+xml;
charset=utf-8\r\nContent-Length: 915\r\nAuthorization: Negotiate [base64 SPNEGO token omitted]\r\n\r\n'
send: b'<ns0:Envelope xmlns:ns0="http://www.w3.org/2003/05/soap-envelope"
    xmlns:ns1="http://www.w3.org/2005/08/addressing"
    xmlns:ns2="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ns0:Header>
    <ns1:Action ns0:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies</ns1:Action>
    <ns1:MessageID>urn:uuid:1cf411f9-79c8-4c59-8219-19a21e52a6bf</ns1:MessageID>
    <ns1:To ns0:mustUnderstand="1">https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_Kerberos/service.svc/CEP</ns1:To>
  </ns0:Header>
  <ns0:Body>
    <ns2:GetPolicies>
      <ns2:client>
        <ns2:lastUpdate xsi:nil="true" />
        <ns2:preferredLanguage xsi:nil="true" />
      </ns2:client>
      <ns2:requestFilter>
        <ns2:policyOIDs xsi:nil="true" />
        <ns2:clientVersion xsi:nil="true" />
        <ns2:serverVersion xsi:nil="true" />
      </ns2:requestFilter>
    </ns2:GetPolicies>
  </ns0:Body>
</ns0:Envelope>'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Type: text/html
header: Server: Microsoft-IIS/10.0
header: WWW-Authenticate: Negotiate
header: X-Powered-By: ASP.NET
header: Date: Thu, 10 Jul 2025 08:15:03 GMT
header: Content-Length: 1293
2025-07-10 10:15:04,604 __main__:ERROR:Traceback (most recent call last):
  File "/usr/libexec/certmonger/cepces-submit", line 70, in main
    service = Service(config)
  File "/usr/lib/python3.13/site-packages/cepces/core.py", line 90, in __init__
    self._policies = self._xcep.get_policies()
                     ~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/site-packages/cepces/xcep/service.py", line 52, in get_policies
    response = self.send(envelope)
  File "/usr/lib/python3.13/site-packages/cepces/soap/service.py", line 93, in send
    req.raise_for_status()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
> I have added the text-based
> instructions below for collecting the TT Trace and attached a formatted
> version as a docx to the email. These instructions are rather new, so
> please let me know if you encounter any difficulties.
>
> Lsass Tracing on Windows 11 and Server 2025
>
> 1. Download and run the TTD.appinstaller from our website using the
>    following link. Note: An End-User License Agreement (EULA) will appear
>    in a command window that you will need to approve.
>    a. Link: https://aka.ms/ttd/download
>
> 2. We need to run lsass.exe as a non-protected process and disable Shadow
>    Stacks so that we can run the trace. Run the following commands in an
>    administrator-elevated PowerShell instance, then restart the machine.
>    Warning: This should not be done on a machine exposed to the Internet.
>    a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
>    b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
>
> 3. When ready to repro the issue, run the following commands to create a
>    destination folder and begin the trace. Run the following commands in
>    an elevated PowerShell instance.
>    a. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>    b. TTD -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\lsass.run
>    c. When the following small window pops up, the trace has begun and you
>       can now reproduce the issue. To end the trace, simply click
>       "Tracing Off".
>       i. <image_found_in_attachment>
>
> 4. Once the trace operation is complete, we need to compress the .run file
>    created by TTD for easy transfer. Run the following command in an
>    elevated PowerShell instance.
>    a. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
>
> 5. Now we must undo the security changes made prior to taking the trace.
>    Run the following commands in an elevated PowerShell instance, then
>    restart the machine. After reboot, you are safe to reconnect the
>    computer to the Internet.
>    a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
>    b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
>
> 6. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
>    a. Link:
>
> Thanks for your help!
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Email: [email protected]
>
> -----Original Message-----
> From: Kristian Smith
> Sent: Tuesday, July 1, 2025 8:45 AM
> To: Andreas Schneider <[email protected]>
> Cc: cifs-protocol <[email protected]>; Microsoft Support <[email protected]>
> Subject: RE: [EXTERNAL] Certificate Auto Enrollment (CEP/CES) and Windows 2025 - TrackingID#2507010040006964
>
> [DocHelp to Bcc]
>
> Hi Andreas,
>
> Thanks for reaching out with your Certificate Auto-enrollment question. I've
> created case 2507010040006964 to track the issue. I will research this and
> be in touch soon.
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Email: [email protected]
>
> -----Original Message-----
> From: Andreas Schneider <[email protected]>
> Sent: Tuesday, July 1, 2025 12:38 AM
> To: Interoperability Documentation Help <[email protected]>; cifs-protocol <[email protected]>
> Subject: [EXTERNAL] Certificate Auto Enrollment (CEP/CES) and Windows 2025
>
> Hi Dochelp,
>
> I'm trying to get CEP/CES (Certificate Auto Enrollment) with Samba working
> against Windows 2025. This was working fine against earlier versions of
> Windows but I can't get Kerberos authentication working against CEP/CES
> configured on Windows Server 2025.
>
> I've followed the How-to guides at
>
> https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/
>
> to setup the Certificate services. I distilled out a set of reproducible
> steps using Powershell commands. I set up an AD DC and a domain member for
> the Certification Authority and its services.
>
> You can find them here:
>
> https://hackmd.io/@asn/SkHk8rXBz
>
>
> If I try to get the certificate templates on Linux using our cepces client
> implementation, I'm always getting:
>
>
> requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url:
> https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
>
>
> Looking at the ticket cache, we have the correct ticket:
>
>
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 07/01/25 09:12:23    07/01/25 19:12:23    krbtgt/[email protected]
>         renew until 07/08/25 09:12:23
> 07/01/25 09:12:23    07/01/25 19:12:23    HTTP/win-ca01.mars.milkyway.site@
>         renew until 07/08/25 09:12:23
>         Ticket server: HTTP/[email protected]
>
>
>
> But it looks like the IIS server doesn't accept the Kerberos ticket, the
> IIS logs show:
>
> #Software: Microsoft Internet Information Services 10.0
> #Version: 1.0
> #Date: 2025-07-01 07:11:16
> #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
> 2025-07-01 07:11:16 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 243
> 2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 2
> 2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 14
> 2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 0
> 2025-07-01 07:16:18 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 0
> 2025-07-01 07:17:42 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 0
>
>
> I'm not able to figure out why the IIS server doesn't allow authenticating
> with the ticket. I didn't find any advanced logging that I could enable
> here to figure out why it doesn't want to accept the ticket.
>
>
> Could you help trying to find out what the issue is?
>
>
> I can create a TTrace if that helps!
>
>
> Thank you very much.
>
>
> Best regards
>
>
> Andreas
>
>
> --
> Andreas Schneider [email protected]
> Samba Team http://www.samba.org/
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
--
Andreas Schneider [email protected]
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
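The IIS log quoted in the thread already carries the SSPI failure code in its sc-win32-status column. The following is an added example, not cepces or Microsoft code and not something the thread states: it parses the W3C log by its #Fields header and decodes sc-substatus and sc-win32-status (as a Win32 error or an HRESULT) using constants from the Windows SDK; the sample lines are constructed from the log above.

```python
"""Decode IIS 401 entries for a Negotiate/Kerberos-protected endpoint.

Added example for this thread (not cepces or Microsoft code). The W3C
#Fields line drives the parser, so column order does not matter. IIS
writes '+' for spaces inside fields such as cs(User-Agent), so a plain
whitespace split is safe.
"""
from typing import Dict, Iterator, List

# Windows SDK / IIS constants; small sc-win32-status values are Win32 errors,
# large ones are HRESULTs from the security package (SEC_E_*).
IIS_401_SUBSTATUS = {1: "Logon failed",
                     2: "Logon failed due to server configuration",
                     3: "Unauthorized due to ACL on resource"}
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED"}
SSPI_HRESULTS = {0x80090308: "SEC_E_INVALID_TOKEN",
                 0x8009030C: "SEC_E_LOGON_DENIED",
                 0x80090346: "SEC_E_BAD_BINDINGS"}  # channel bindings rejected

# Constructed from the IIS log quoted in the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-01 07:11:16 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 243
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 14
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the last #Fields line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            yield dict(zip(fields, values))


def decode_win32(code: int) -> str:
    """Name a sc-win32-status value; unknown HRESULTs are shown in hex."""
    if code in WIN32_ERRORS:
        return WIN32_ERRORS[code]
    return SSPI_HRESULTS.get(code, f"unknown 0x{code:08X}")


def explain_auth_failures(text: str) -> List[str]:
    """One readable line per 401 entry: IIS sub-status plus decoded SSPI code."""
    out = []
    for e in parse_w3c(text):
        if e["sc-status"] != "401":
            continue
        sub, win32 = int(e["sc-substatus"]), int(e["sc-win32-status"])
        out.append(f"{e['date']} {e['time']} {e['c-ip']} {e['cs-uri-stem']}: "
                   f"401.{sub} ({IIS_401_SUBSTATUS.get(sub, '?')}), "
                   f"win32={win32} ({decode_win32(win32)})")
    return out


if __name__ == "__main__":
    print("\n".join(explain_auth_failures(SAMPLE_LOG)))
```

A 401.2 with win32 status 5 is the initial challenge before any token was sent; the 401.1 entries carry the code the security package returned when it rejected the token, which is the value worth correlating with the lsass trace.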
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol