Hi Kristian,
Sorry I missed your earlier mail. I’ve captured new traces and uploaded
them to the secure share.
Cheers,
Jennifer (she/her)
On 23/09/25 12:54 pm, Kristian Smith wrote:
Hi Jennifer,
I sent a request for new traces last week, but I'm thinking it got stuck in a
spam filter on one end or the other. From the last traces you provided, it
seemed like the Server 2025 was looking for SHA-2 encryptions, maybe we need to
see if it's looking for PAChecksum2 as well. Can you please follow these [same]
instructions to upload a new lsass trace to this new secure share link below?
Lsass Tracing
1. Download and run the TTD.appinstaller from our website using the
following link. Note: An End-User License Agreement (EULA) will appear in a
command window that you will need to approve.
a. Link: https://aka.ms/ttd/download
2. We need to run lsass.exe as a non-protected process and disable Shadow
Stacks so that we can run the trace. Run the following commands in an
administrator-elevated PowerShell instance, then restart the machine. Warning:
This should not be done on a machine exposed to the Internet.
a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
3. When ready to repro the issue, run the following commands to create a
destination folder and begin the trace. Run the following commands in an
elevated PowerShell instance.
a. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
b. TTD -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\lsass.run
c. When the small window pops up, the trace has begun and you can
now reproduce the issue. To end the trace, simply click “Tracing Off”.
4. Once the trace operation is complete, we need to compress the .run file
created by TTD for easy transfer. Run the following command in an elevated
PowerShell instance.
a. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
b. Note: If this fails, you may need to restart the traced
process to unlock the trace for compression. Using the following command, Lsass
will restart automatically.
1. stop-process -name lsass -force
5. Now we must undo the security changes made prior to taking the trace.
Run the following commands in an elevated PowerShell instance, then restart the
machine. After reboot, you are safe to reconnect the computer to the Internet.
a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
6. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
a. Link:
https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjJBNzk1QUQxMDNDQTM4OEZENEQzREQxQTZERkU4QTE2RDkyMkNDQkMiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiNTNlOWVjNDEtYmI5ZC00Y2UzLWJjMzMtM2ZmODkwMDZkOWRmIiwic3IiOiIyNTA5MTIwMDQwMDA4MTY0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiZmUyNjdhMWQtOWE1Zi00MmIwLWI1MGYtNmUxY2JmOWYyZGIxIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3NTgxNTQ3NjAsImV4cCI6MTc2NTkzMDc2MCwiaWF0IjoxNzU4MTU0NzYwLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.Ad9E8Z3TJDY4k_yuZ7rp5xBlQaae1ZsyJkQTxuiCbSwo2AL7stTcqSqqCD7BSHMWSSSJHblzMtHfKJ6PGFUgHUJLsYGBQ8kPuo9aXJbNMoa2VqbfhQKrUZxxwL8UV1MsDG8PQ-WykR9SOK3a1UxbSFpRFBlbUv9Nx--Bvf-p7FrC2PjCujEp9KuN5UayfN8lIMEyQq2u9yyTXt30JbpGhGJz8ysVQA4tkWF--9TDDLyGaWWXSkNaTtTOwWKjM_UMlw_EpmrqNtpBuoMLr66UXR0iMJStnTLqy8cuHG6IeDyUo3VD7hxrTHjoO_qxmsQj7a9Z3VP2tGq1rWKVXCtc7w&wid=53e9ec41-bb9d-4ce3-bc33-3ff89006d9df
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
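A check to run in an elevated PowerShell after step 5 and the reboot, confirming that the two settings the tracing procedure weakens are back at their protected values. This is an added example, not part of the support instructions above; it reads only the two registry values the steps set (it does not inspect the live lsass process), and treats RunAsPPL = 1 or 2 as protected.

```powershell
# Added example (not from the thread): verify LSA protection and user-mode
# shadow stacks were re-enabled after an lsass TTD trace.
function Test-LsassHardeningRestored {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $kernel = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'

    # A missing value means "not explicitly configured"; surface it rather than assume.
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $cetOff   = (Get-ItemProperty -Path $kernel -Name UserShadowStacksForceDisabled `
                    -ErrorAction SilentlyContinue).UserShadowStacksForceDisabled

    # RunAsPPL 1 = protected, 2 = protected with UEFI lock; 0 or absent = what step 2 left behind.
    $pplOk = $runAsPpl -in 1, 2
    # Step 2 set UserShadowStacksForceDisabled=1; step 5 sets it back to 0. Absent is also fine.
    $cetOk = ($null -eq $cetOff) -or ($cetOff -eq 0)

    [pscustomobject]@{
        RunAsPPL                      = $runAsPpl
        UserShadowStacksForceDisabled = $cetOff
        PplRestored                   = $pplOk
        ShadowStacksRestored          = $cetOk
        Restored                      = ($pplOk -and $cetOk)
    }
}

$state = Test-LsassHardeningRestored
$state | Format-List
if (-not $state.Restored) {
    Write-Warning 'LSASS hardening is not fully restored; repeat step 5 and reboot before reconnecting to the Internet.'
}
```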
-----Original Message-----
From: Jennifer Sutton <[email protected]>
Sent: Sunday, September 21, 2025 4:29 PM
To: Kristian Smith <[email protected]>
Cc: Microsoft Support <[email protected]>; [email protected]
Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
Hi Kristian,
I wondered if you could offer any pointers as to why Windows might be refusing
my requests? I would greatly appreciate any advice.
Cheers,
Jennifer (she/her)
On 12/09/25 2:03 pm, Jennifer Sutton wrote:
Hi Kristian,
Apologies for the delayed reply. I followed your advice and made sure
that the SignedData digest algorithm was sha1NoSign, but the response
I get from Windows is the error code KDC_ERR_GENERIC. I would
appreciate any help as to why Windows is refusing my requests.
Cheers,
Jennifer (she/her)
On 9/09/25 3:49 am, Kristian Smith wrote:
Hi Jennifer,
I'm reaching out to see if you had any additional questions regarding
this error you received. You likely saw that Julien provided some
valuable information on August 28th. The following document section
discusses the inclusion of PAChecksum2 along with the expected OID's
discussed in my prior email.
---------------------------------------------------------------------------------------------
MS-PKCA 2.2.3 PA-PK-AS-REQ
PKAuthenticator in [RFC4556] is extended to add the following PAChecksum2. If SHA-1 is disabled as a checksum algorithm PAChecksum2 SHOULD be present; if this field is present, it will always be validated even if it is SHA-1.<11>
---------------------------------------------------------------------------------------------
<11> Section 2.2.3: The extension of PKAuthenticator in PA-PK-AS-REQ applies to Windows Server 2022, 23H2 operating system and later versions. Windows Server 2022, 23H2 and later DCs will send back TD-CMS-DIGEST-ALGORITHMS-DATA as described in [RFC8636] section 4, CMS Digest Algorithm Agility.
On supported versions of Windows, PAChecksum2 is validated if any one of the following conditions is true:
1. The field is present
2. If an EC algorithm is not allowed and the signedAuthPack algorithm is not SHA-1
3. SHA-1 is disabled
---------------------------------------------------------------------------------------------
Please let me know if you still have any blocking issues or concerns
with accuracy of the open specs. If I don't hear back from you by
Wednesday, I'll assume that you were able to resolve the issue and
I'll archive the case.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
-----Original Message-----
From: Kristian Smith
Sent: Sunday, August 31, 2025 7:15 AM
To: 'Jennifer Sutton' <[email protected]>
Cc: Microsoft Support <[email protected]>; 'cifs-
[email protected]' <[email protected]>
Subject: RE: [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
TrackingID#2508220040003919
Hi Jennifer,
I inspected the trace you sent. It appears that when Windows Server
2025 receives the AS ticket, it's expecting one of the following
algorithm identifiers:
sha512NoSign 2.16.840.1.101.3.4.2.3
sha384NoSign 2.16.840.1.101.3.4.2.2
sha256NoSign 2.16.840.1.101.3.4.2.1
sha1NoSign 1.3.14.3.2.26
but it received:
sha1RSA 1.2.840.113549.1.1.5
If you change the algorithm ID to 1.3.14.3.2.26, I believe it should
work. Please let me know if you have additional questions or concerns.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
-----Original Message-----
From: Kristian Smith
Sent: Wednesday, August 27, 2025 3:45 PM
To: Jennifer Sutton <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-
[email protected]
Subject: RE: [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
TrackingID#2508220040003919
Hi Jennifer,
Thanks for uploading the trace. I wanted to let you know that I'll be
out of the office until the 2nd of September, so I'll inspect it when
I return. If this is an urgently blocking issue, or you have other
questions, please reach out to [email protected] during my absence.
Thanks for your patience.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
-----Original Message-----
From: Jennifer Sutton <[email protected]>
Sent: Tuesday, August 26, 2025 7:31 PM
To: Kristian Smith <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-
[email protected]
Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
TrackingID#2508220040003919
Hi Kristian,
I’ve captured traces and uploaded them to the secure file share.
Cheers,
Jennifer (she/her)
On 27/08/25 5:17 am, Kristian Smith wrote:
Hi Jennifer,
Thanks for giving that a try. Here are the instructions for
gathering and uploading an Lsass trace:
Lsass Tracing
1. Download and run the TTD.appinstaller from our website using the following link. Note: An End-User License Agreement (EULA) will appear in a command window that you will need to approve.
a. Link: https://aka.ms/ttd/download
2. We need to run lsass.exe as a non-protected process and disable Shadow Stacks so that we can run the trace. Run the following commands in an administrator-elevated PowerShell instance, then restart the machine. Warning: This should not be done on a machine exposed to the Internet.
a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
3. When ready to repro the issue, run the following commands to create a destination folder and begin the trace. Run the following commands in an elevated PowerShell instance.
a. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
b. TTD -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\lsass.run
c. When the small window pops up, the trace has begun and you can now reproduce the issue. To end the trace, simply click “Tracing Off”.
4. Once the trace operation is complete, we need to compress the .run file created by TTD for easy transfer. Run the following command in an elevated PowerShell instance.
a. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
b. Note: If this fails, you may need to restart the traced process to unlock the trace for compression. Using the following command, Lsass will restart automatically.
1. stop-process -name lsass -force
5. Now we must undo the security changes made prior to taking the trace. Run the following commands in an elevated PowerShell instance, then restart the machine. After reboot, you are safe to reconnect the computer to the Internet.
a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
6. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
a. Link: https://support.microsoft.com/files?workspace=… (workspace token omitted)
Please let me know if you have any questions or issues with the
process outlined above. Thanks for your time.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
-----Original Message-----
From: Jennifer Sutton <[email protected]>
Sent: Sunday, August 24, 2025 4:34 PM
To: Kristian Smith <[email protected]>
Cc: Microsoft Support <[email protected]>;
[email protected]
Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
TrackingID#2508220040003919
Hi Kristian,
I enabled the two group policies and set all of the algorithms to
‘supported’, but I still get the same
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error code.
Cheers,
Jennifer (she/her)
On 23/08/25 4:44 am, Kristian Smith wrote:
[Jeff to Bcc]
Hi Jennifer,
From the code, the most likely reason you’re seeing this error
is because Server 2025 is rejecting the chosen hashing algorithm.
Please visit the following link to see the security baseline updates for Server 2025:
Windows Server 2025, security baseline | Microsoft Community Hub <https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733>
If you scroll down to “Configure hash algorithms for certificate
logon”, you’ll see what I think is applicable to this scenario.
There are 2 group policies that may help in testing:
Computer Configuration->Administrative Templates->System->KDC->Configure hash algorithms for certificate logon
Computer Configuration->Administrative Templates->System->Kerberos->Configure hash algorithms for certificate logon
These should allow you to explicitly allow certain hashing algorithms.
If this does not work, let me know and I’ll send the instructions
to gather an LSASS trace to look a bit deeper into your scenario.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]
From: Jeff McCashland (He/him) <[email protected]>
Sent: Friday, August 22, 2025 6:43 AM
To: Jennifer Sutton <[email protected]>; [email protected]
Cc: Microsoft Support <[email protected]>
Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
Hi Jennifer,
Thank you for your question. We have created SR 2508220040003919 to
track this issue. One of our engineers will respond soon to assist.
Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
------------------------------------------------------------------------
From: Jennifer Sutton <[email protected]>
Sent: Thursday, August 21, 2025 10:10 PM
To: [email protected]; Interoperability Documentation Help <[email protected]>
Subject: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED
Hi dochelp,
I’m performing tests against Windows Server 2025 and finding that
PK‐INIT requests always receive the response
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. The same requests made
to Windows Server 2019 succeed. Could you help me find out why I’m
getting this error?
Cheers,
Jennifer (she/her)
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol