Hi Jennifer,

I inspected the trace you sent. It appears that when Windows Server 2025 receives the AS ticket, it's expecting one of the following algorithm identifiers:

sha512NoSign 2.16.840.1.101.3.4.2.3
sha384NoSign 2.16.840.1.101.3.4.2.2
sha256NoSign 2.16.840.1.101.3.4.2.1
sha1NoSign 1.3.14.3.2.26

but it received:

sha1RSA 1.2.840.113549.1.1.5

If you change the algorithm ID to 1.3.14.3.2.26, I believe it should work.

Please let me know if you have additional questions or concerns.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]

-----Original Message-----
From: Kristian Smith
Sent: Wednesday, August 27, 2025 3:45 PM
To: Jennifer Sutton <[email protected]>
Cc: Microsoft Support <[email protected]>; [email protected]
Subject: RE: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919

Hi Jennifer,

Thanks for uploading the trace. I wanted to let you know that I'll be out of the office until the 2nd of September, so I'll inspect it when I return. If this is an urgently blocking issue, or you have other questions, please reach out to [email protected] during my absence.

Thanks for your patience.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]

-----Original Message-----
From: Jennifer Sutton <[email protected]>
Sent: Tuesday, August 26, 2025 7:31 PM
To: Kristian Smith <[email protected]>
Cc: Microsoft Support <[email protected]>; [email protected]
Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919

Hi Kristian,

I’ve captured traces and uploaded them to the secure file share.

Cheers,
Jennifer (she/her)

On 27/08/25 5:17 am, Kristian Smith wrote:
> Hi Jennifer,
>
> Thanks for giving that a try. Here are the instructions for gathering and
> uploading an Lsass trace:
>
> Lsass Tracing
> 1. Download and run the TTD.appinstaller from our website using the
> following link. Note: An End-User License Agreement (EULA) will appear in a
> command window that you will need to approve.
>     a. Link: https://aka.ms/ttd/download
> 2. We need to run lsass.exe as a non-protected process and disable Shadow
> Stacks so that we can run the trace. Run the following commands in an
> administrator-elevated PowerShell instance, then restart the machine.
> Warning: This should not be done on a machine exposed to the Internet.
>     a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
>     b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
> 3. When ready to repro the issue, run the following commands to create a
> destination folder and begin the trace. Run the following commands in an
> elevated PowerShell instance.
>     a. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>     b. TTD -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\lsass.run
>     c. When the small window pops up, the trace has begun and you can
> now reproduce the issue. To end the trace, simply click “Tracing Off”.
> 4. Once the trace operation is complete, we need to compress the .run file
> created by TTD for easy transfer. Run the following command in an elevated
> PowerShell instance.
>     a. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
>     b. Note: If this fails, you may need to restart the traced process
> to unlock the trace for compression. Using the following command, Lsass will
> restart automatically.
>         1. stop-process -name lsass -force
> 5. Now we must undo the security changes made prior to taking the trace.
> Run the following commands in an elevated PowerShell instance, then restart
> the machine. After reboot, you are safe to reconnect the computer to the
> Internet.
>     a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
>     b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
> 6. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
>     a. Link: https://support.microsoft.com/files
>
> Please let me know if you have any questions or issues with the process
> outlined above. Thanks for your time.
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Email: [email protected]
>
> -----Original Message-----
> From: Jennifer Sutton <[email protected]>
> Sent: Sunday, August 24, 2025 4:34 PM
> To: Kristian Smith <[email protected]>
> Cc: Microsoft Support <[email protected]>; [email protected]
> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
>
> Hi Kristian,
>
> I enabled the two group policies and set all of the algorithms to
> ‘supported’, but I still get the same
> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error code.
>
> Cheers,
> Jennifer (she/her)
>
> On 23/08/25 4:44 am, Kristian Smith wrote:
>> [Jeff to Bcc]
>>
>> Hi Jennifer,
>>
>> From the code, the most likely reason you’re seeing this error is
>> because Server 2025 is rejecting the chosen hashing algorithm. Please
>> visit the following link to see the security baseline updates for
>> Server 2025:
>>
>> Windows Server 2025, security baseline | Microsoft Community Hub
>> <https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733>
>>
>> If you scroll down to “Configure hash algorithms for certificate
>> logon”, you’ll see what I think is applicable to this scenario. There
>> are 2 group policies that may help in testing:
>>
>> Computer Configuration->Administrative Templates->System->KDC->Configure hash algorithms for certificate logon
>>
>> Computer Configuration->Administrative Templates->System->Kerberos->Configure hash algorithms for certificate logon
>>
>> These should allow you to explicitly allow certain hashing algorithms.
>> If this does not work, let me know and I’ll send the instructions to
>> gather an LSASS trace to look a bit deeper into your scenario.
>>
>> Regards,
>>
>> Kristian Smith
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> Email: [email protected]
>>
>> From: Jeff McCashland (He/him) <[email protected]>
>> Sent: Friday, August 22, 2025 6:43 AM
>> To: Jennifer Sutton <[email protected]>; [email protected]
>> Cc: Microsoft Support <[email protected]>
>> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
>>
>> Hi Jennifer,
>>
>> Thank you for your question. We have created SR 2508220040003919 to
>> track this issue. One of our engineers will respond soon to assist.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
>>
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>> (UTC-08:00) Pacific Time (US and Canada)
>>
>> Local country phone number found here:
>> http://support.microsoft.com/globalenglish | Extension 1138300
>>
>> ------------------------------------------------------------------------
>>
>> From: Jennifer Sutton <[email protected]>
>> Sent: Thursday, August 21, 2025 10:10 PM
>> To: [email protected] <[email protected]>; Interoperability Documentation Help <[email protected]>
>> Subject: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED
>>
>> Hi dochelp,
>>
>> I’m performing tests against Windows Server 2025 and finding that
>> PK‐INIT requests always receive the response
>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. The same requests made to
>> Windows Server 2019 succeed. Could you help me find out why I’m
>> getting this error?
>>
>> Cheers,
>> Jennifer (she/her)
>>
>
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
