Hi Kristian,
I’ve captured traces and uploaded them to the secure file share.
Cheers,
Jennifer (she/her)
On 27/08/25 5:17 am, Kristian Smith wrote:
Hi Jennifer,
Thanks for giving that a try. Here are the instructions for gathering and
uploading an Lsass trace:
Lsass Tracing
1. Download and run the TTD.appinstaller from our website using the
following link. Note: An End-User License Agreement (EULA) will appear in a
command window that you will need to approve.
a. Link: https://aka.ms/ttd/download
2. We need to run lsass.exe as a non-protected process and disable Shadow
Stacks so that we can run the trace. Run the following commands in an
administrator-elevated PowerShell instance, then restart the machine. Warning:
This should not be done on a machine exposed to the Internet.
a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name
"RunAsPPL" -Value 0
b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v
"UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
3. When ready to repro the issue, run the following commands to create a
destination folder and begin the trace. Run the following commands in an
elevated PowerShell instance.
a. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
b. TTD -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property
ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format
"dd-MMM-yyyy")\lsass.run
c. When the small window pops up, the trace has begun and you can
now reproduce the issue. To end the trace, simply click “Tracing Off”.
4. Once the trace operation is complete, we need to compress the .run file
created by TTD for easy transfer. Run the following command in an elevated
PowerShell instance.
a. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\
-DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
b. Note: If this fails, you may need to restart the traced process
to unlock the trace for compression. Using the following command, Lsass will
restart automatically.
1. stop-process -name lsass -force
5. Now we must undo the security changes made prior to taking the trace.
Run the following commands in an elevated PowerShell instance, then restart the
machine. After reboot, you are safe to reconnect the computer to the Internet.
a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name
"RunAsPPL" -Value 1
b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v
"UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
6. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
a. Link:
https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjUwNjQwRTE0NEREODg5MzE5NzYzRTBFNjM5RjMzNjdFQUNDNzlBRDAiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiOGQ5OTI3ZGUtNGJhYi00ZGEzLWI0NDgtNWNlNjUyZTdkMGNkIiwic3IiOiIyNTA4MjIwMDQwMDAzOTE5Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiZjc0NmQyNWQtZmY3MS00MjU1LWEyMmUtY2Y4MmE4Y2RmNDJiIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3NTYyMjgxMzUsImV4cCI6MTc2NDAwNDEzNCwiaWF0IjoxNzU2MjI4MTM1LCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.A3gXawCQqeLZ7evd_LpSmkexJY53FfxDjTlKHYk8A7Kan-vQwCGg6UA4KWFXqFx_QNMrX3JtdLVmboAFp_dZiGJ0l0YhVPYGqqyg4Ojb1l115bmPeF0DUaUoHabHnseTMi2opBWtKMsFg4VhLRbuo0aAi0gAP8aT6Rf8XO8KY54B1j5cKuFj98o32y9YGvB9EUUxW3F7JYNWtWtDNoFD_GCg83k41lNqX_23XtmpV_nec74qPa4zZWxxkvnt0j0B9sqX4ImqAIahaN_T8m68LIjijR8i_c4Oc5hcUVf7WVpkiGrzGHy7nMxoW0ZGIPrjPrsbAiRFZvyMjan2GXUwVQ&wid=8d9927de-4bab-4da3-b448-5ce652e7d0cd
Please let me know if you have any questions or issues with the process
outlined above. Thanks for your time.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
-----Original Message-----
From: Jennifer Sutton <[email protected]>
Sent: Sunday, August 24, 2025 4:34 PM
To: Kristian Smith <[email protected]>
Cc: Microsoft Support <[email protected]>; [email protected]
Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
Hi Kristian,
I enabled the two group policies and set all of the algorithms to ‘supported’,
but I still get the same KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error code.
Cheers,
Jennifer (she/her)
On 23/08/25 4:44 am, Kristian Smith wrote:
[Jeff to Bcc]
Hi Jennifer,
From the code, the most likely reason you’re seeing this error is
because Server 2025 is rejecting the chosen hashing algorithm. Please
visit the following link to see the security baseline updates for
Server
2025:
Windows Server 2025, security baseline | Microsoft Community Hub
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftec
hcommunity.microsoft.com%2Fblog%2Fmicrosoft-security-baselines%2F&data
=05%7C02%7Ckristian.smith%40microsoft.com%7Cdffe00b00b7d45ba347d08dde3
66c665%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638916752765123651
%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsI
lAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Jt7
TY3EL6hF%2FAiChKPpfLu27s1HQBLSCoFxay8of5HE%3D&reserved=0
windows-server-2025-security-baseline/4358733>
If you scroll down to “Configure hash algorithms for certificate
logon”, you’ll see what I think is applicable to this scenario. There
are 2 group policies that may help in testing:
Computer Configuration->Administrative
Templates->System->KDC->Configure hash algorithms for certificate
logon
Computer Configuration->Administrative Templates->System->Kerberos-
Configure hash algorithms for certificate logon
These should allow you to explicitly allow certain hashing algorithms.
If this does not work, let me know and I’ll send the instructions to
gather an LSASS trace to look a bit deeper into your scenario.
*Regards,*
*Kristian Smith*
Support Escalation Engineer | Microsoft® Corporation
*Email*: [email protected]
<mailto:[email protected]>
*From:*Jeff McCashland (He/him) <[email protected]>
*Sent:* Friday, August 22, 2025 6:43 AM
*To:* Jennifer Sutton <[email protected]>;
[email protected]
*Cc:* Microsoft Support <[email protected]>
*Subject:* Re: [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
TrackingID#2508220040003919
Hi Jennifer,
Thank you for your question. We have created SR 2508220040003919 to
track this issue. One of our engineers will respond soon to assist.
Best regards,*
/Jeff M/**/^c /**/Cashland (He/him) /**| Senior Escalation Engineer |
Microsoft Corporation*
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
(UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here:
_https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupp
ort.microsoft.com%2F&data=05%7C02%7Ckristian.smith%40microsoft.com%7Cd
ffe00b00b7d45ba347d08dde366c665%7C72f988bf86f141af91ab2d7cd011db47%7C1
%7C0%7C638916752765137051%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRy
dWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%
3D%7C0%7C%7C%7C&sdata=FK7r2TWrlUzjdeiPQ4rDZDAh4CPDSOCJtsl6Z28Hvrk%3D&r
eserved=0 globalenglish
<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupp
ort.microsoft.com%2Fglobalenglish&data=05%7C02%7Ckristian.smith%40micr
osoft.com%7Cdffe00b00b7d45ba347d08dde366c665%7C72f988bf86f141af91ab2d7
cd011db47%7C1%7C0%7C638916752765146291%7CUnknown%7CTWFpbGZsb3d8eyJFbXB
0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsI
ldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Y2BYZ16uGk6ZzUpN4oiZnIEx9n4vgrMZml6
B26IALaM%3D&reserved=0>_ | Extension
1138300
----------------------------------------------------------------------
--
*From:* Jennifer Sutton <[email protected] <mailto:[email protected]>>
*Sent:* Thursday, August 21, 2025 10:10 PM
*To:* [email protected] <mailto:cifs-
[email protected]> <[email protected] <mailto:cifs-
[email protected]>>; Interoperability Documentation Help
<[email protected] <mailto:[email protected]>>
*Subject:* [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED
Hi dochelp,
I’m performing tests against Windows Server 2025 and finding that
PK‐INIT requests always receive the response
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. The same requests made to
Windows Server 2019 succeed. Could you help me find out why I’m
getting this error?
Cheers,
Jennifer (she/her)
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
