[Jeff to Bcc] Hi Jennifer,
>From the code, the most likely reason you’re seeing this error is because >Server 2025 is rejecting the chosen hashing algorithm. Please visit the >following link to see the security baseline updates for Server 2025: Windows Server 2025, security baseline | Microsoft Community Hub<https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733> If you scroll down to “Configure hash algorithms for certificate logon”, you’ll see what I think is applicable to this scenario. There are 2 group policies that may help in testing: Computer Configuration->Administrative Templates->System->KDC->Configure hash algorithms for certificate logon Computer Configuration->Administrative Templates->System->Kerberos->Configure hash algorithms for certificate logon These should allow you to explicitly allow certain hashing algorithms. If this does not work, let me know and I’ll send the instructions to gather an LSASS trace to look a bit deeper into your scenario. Regards, Kristian Smith Support Escalation Engineer | Microsoft(r) Corporation Email: [email protected]<mailto:[email protected]> From: Jeff McCashland (He/him) <[email protected]> Sent: Friday, August 22, 2025 6:43 AM To: Jennifer Sutton <[email protected]>; [email protected] Cc: Microsoft Support <[email protected]> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919 Hi Jennifer, Thank you for your question. We have created SR 2508220040003919 to track this issue. One of our engineers will respond soon to assist. Best regards, Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300 ________________________________ From: Jennifer Sutton <[email protected]<mailto:[email protected]>> Sent: Thursday, August 21, 2025 10:10 PM To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>; Interoperability Documentation Help <[email protected]<mailto:[email protected]>> Subject: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED Hi dochelp, I’m performing tests against Windows Server 2025 and finding that PK‐INIT requests always receive the response KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. The same requests made to Windows Server 2019 succeed. Could you help me find out why I’m getting this error? Cheers, Jennifer (she/her)
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
