Thanks, Jennifer. I'll pass this info along to the PG and let you know if we 
need anything else.

Regards,
Kristian Smith
Escalation Engineer | Microsoft® Corporation
Email:
[email protected]
-----Original Message-----
From: Jennifer Sutton <[email protected]>
Sent: Sunday, November 2, 2025 5:39 PM
To: Kristian Smith <[email protected]>
Cc: Microsoft Support <[email protected]>; [email protected]
Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_GENERIC - 
TrackingID#2509120040008164

Hi Kristian,

For the ‘DigestAlgorithmIdentifier’ field I entered id-sha1
(1.3.14.3.2.26) and for the ‘SignatureAlgorithmIdentifier’ field I entered 
sha1WithRSAEncryption (1.2.840.113549.1.1.5).

The signedAttrs field contains the OID for MessageDigest, and the signature 
field contains the signedAttrs signed with the client’s private key.

Let me know if you need any more information.

Cheers,
Jennifer (she/her)

On 1/11/25 11:28 am, Kristian Smith wrote:
> Hi Jennifer,
>
> The engineering team has requested some additional information. They're 
> interested in understanding how you built your SignerInfo in the SignedData 
> CMS structure attached to the SignedAuthPack.
>
> Most specifically, they'd like to know what you entered in the 
> DigestAlgorithmIdentifier and SignatureAlgorithmIdentifier fields.
>
> Thanks!
>
> Regards,
> Kristian Smith
> Escalation Engineer | Microsoft® Corporation
> Email:
> [email protected]
>
> -----Original Message-----
> From: Jennifer Sutton <[email protected]>
> Sent: Wednesday, October 22, 2025 6:54 PM
> To: Kristian Smith <[email protected]>
> Cc: Microsoft Support <[email protected]>;
> [email protected]
> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_GENERIC -
> TrackingID#2509120040008164
>
> Thank you, Kristian!
>
> Cheers,
> Jennifer (she/her)
>
> On 23/10/25 1:58 pm, Kristian Smith wrote:
>> Hi Jennifer,
>>
>> Sorry for the lack of responses lately. It looks to be an issue with the 
>> type of checksum algorithm used, but I'm still not certain if it's an issue 
>> on our end. I reached out to the engineering team early last week with my 
>> analysis and some questions. I bumped the thread with them on Monday and 
>> they informed me that they're looking into it. I'm currently awaiting their 
>> response.
>>
>> Regards,
>> Kristian Smith
>> Escalation Engineer | Microsoft® Corporation
>> Email: [email protected]
>>
>> -----Original Message-----
>> From: Jennifer Sutton <[email protected]>
>> Sent: Wednesday, October 22, 2025 5:07 PM
>> To: Kristian Smith <[email protected]>
>> Cc: Microsoft Support <[email protected]>;
>> [email protected]
>> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_GENERIC -
>> TrackingID#2509120040008164
>>
>> Hi Kristian,
>>
>> Any news on this ticket? :)
>>
>> Cheers,
>> Jennifer (she/her)
>>
>> On 3/10/25 6:57 pm, Kristian Smith wrote:
>>> Hi Jennifer,
>>>
>>> I was able to locate where KDC_ERR_GENERIC is arising in the trace you 
>>> provided. It surfaces because there is no signature provided. Obviously if 
>>> you're using a no-sign algorithm, there would not be a signature, so I'm 
>>> still investigating the rationale. I'll keep you posted as I learn more.
>>>
>>> Thanks for your patience.
>>>
>>> Regards,
>>> Kristian Smith
>>> Support Escalation Engineer | Microsoft® Corporation
>>> Email: [email protected]
>>>
>>> -----Original Message-----
>>> From: Kristian Smith
>>> Sent: Tuesday, September 23, 2025 6:12 PM
>>> To: Jennifer Sutton <[email protected]>
>>> Cc: Microsoft Support <[email protected]>;
>>> [email protected]
>>> Subject: RE: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_GENERIC -
>>> TrackingID#2509120040008164
>>>
>>> Not a problem; thanks for your efforts. I'll inspect the trace and let you 
>>> know what I find.
>>>
>>> Regards,
>>> Kristian Smith
>>> Support Escalation Engineer | Microsoft® Corporation
>>> Email: [email protected]
>>>
>>> -----Original Message-----
>>> From: Jennifer Sutton <[email protected]>
>>> Sent: Tuesday, September 23, 2025 6:08 PM
>>> To: Kristian Smith <[email protected]>
>>> Cc: Microsoft Support <[email protected]>;
>>> [email protected]
>>> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_GENERIC -
>>> TrackingID#2509120040008164
>>>
>>> Hi Kristian,
>>>
>>> Sorry I missed your earlier mail. I’ve captured new traces and uploaded 
>>> them to the secure share.
>>>
>>> Cheers,
>>> Jennifer (she/her)
>>>
>>> On 23/09/25 12:54 pm, Kristian Smith wrote:
>>>> Hi Jennifer,
>>>>
>>>> I sent a request for new traces last week, but I'm thinking it got stuck 
>>>> in a spam filter on one end or the other. From the last traces you 
>>>> provided, it seemed like the Server 2025 was looking for SHA-2 
>>>> encryptions, maybe we need to see if it's looking for PAChecksum2 as well. 
>>>> Can you please follow these [same] instructions to upload a new lsass 
>>>> trace to this new secure share link below?
>>>>
>>>> Lsass Tracing
>>>> 1.      Download and run the TTD.appinstaller from our website using the 
>>>> following link. Note: An End-User License Agreement (EULA) will appear in 
>>>> a command window that you will need to approve.
>>>>             a.      Link: https://aka.ms/ttd/download
>>>> 2.      We need to run lsass.exe as a non-protected process and disable 
>>>> Shadow Stacks so that we can run the trace. Run the following commands in 
>>>> an administrator-elevated PowerShell instance, then restart the machine. 
>>>> Warning: This should not be done on a machine exposed to the Internet.
>>>>             a.      Set-ItemProperty -Path 
>>>> "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
>>>>             b.      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session 
>>>> Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
>>>> 3.      When ready to repro the issue, run the following commands to 
>>>> create a destination folder and begin the trace. Run the following 
>>>> commands in an elevated PowerShell instance.
>>>>             a.      mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>>>>             b.      TTD -Attach ([int](Get-Process -NAME lsass | 
>>>> Format-Wide -Property 
>>>> ID).formatEntryInfo.formatPropertyField.propertyValue) -out 
>>>> C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\lsass.run
>>>>             c.      When the small window pops up, the trace has begun and 
>>>> you can now reproduce the issue. To end the trace, simply click “Tracing 
>>>> Off”.
>>>> 4.      Once the trace operation is complete, we need to compress the .run 
>>>> file created by TTD for easy transfer. Run the following command in an 
>>>> elevated PowerShell instance.
>>>>             a.      Compress-Archive -Path C:\Traces_$(Get-Date -format 
>>>> "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format 
>>>> "dd-MMM-yyyy").zip
>>>>             b.      Note: If this fails, you may need to restart the 
>>>> traced process to unlock the trace for compression. Using the following 
>>>> command, Lsass will restart automatically.
>>>>                     1.      stop-process -name lsass -force
>>>> 5.      Now we must undo the security changes made prior to taking the 
>>>> trace. Run the following commands in an elevated PowerShell instance, then 
>>>> restart the machine. After reboot, you are safe to reconnect the computer 
>>>> to the Internet.
>>>>             a.      Set-ItemProperty -Path 
>>>> "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
>>>>             b.      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session 
>>>> Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
>>>> 6.      Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link 
>>>> below
>>>>
>>>> Regards,
>>>> Kristian Smith
>>>> Support Escalation Engineer | Microsoft® Corporation
>>>> Email: [email protected]
>>>>
>>>> -----Original Message-----
>>>> From: Jennifer Sutton <[email protected]>
>>>> Sent: Sunday, September 21, 2025 4:29 PM
>>>> To: Kristian Smith <[email protected]>
>>>> Cc: Microsoft Support <[email protected]>;
>>>> [email protected]
>>>> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and
>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
>>>> TrackingID#2508220040003919
>>>>
>>>> Hi Kristian,
>>>>
>>>> I wondered if you could offer any pointers as to why Windows might be 
>>>> refusing my requests? I would greatly appreciate any advice.
>>>>
>>>> Cheers,
>>>> Jennifer (she/her)
>>>>
>>>> On 12/09/25 2:03 pm, Jennifer Sutton wrote:
>>>>> Hi Kristian,
>>>>>
>>>>> Apologies for the delayed reply. I followed your advice and made
>>>>> sure that the SignedData digest algorithm was sha1NoSign, but the
>>>>> response I get from Windows is the error code KDC_ERR_GENERIC. I
>>>>> would appreciate any help as to why Windows is refusing my requests.
>>>>>
>>>>> Cheers,
>>>>> Jennifer (she/her)
>>>>>
>>>>> On 9/09/25 3:49 am, Kristian Smith wrote:
>>>>>> Hi Jennifer,
>>>>>>
>>>>>> I'm reaching out to see if you had any additional questions
>>>>>> regarding this error you received. You likely saw that Julien
>>>>>> provided some valuable information on August 28th. The following
>>>>>> document section discusses the inclusion of PAChecksum2 along
>>>>>> with the expected OID's discussed in my prior email.
>>>>>>
>>>>>> ----------------------------------------------------------------
>>>>>> MS-PKCA 2.2.3 PA-PK-AS-REQ
>>>>>>
>>>>>> PKAuthenticator in [RFC4556] is extended to add the following
>>>>>> PAChecksum2. If SHA-1 is disabled as a checksum algorithm
>>>>>> PAChecksum2 SHOULD be present; if this field is present, it will
>>>>>> always be validated even if it is SHA-1.<11>
>>>>>> ----------------------------------------------------------------
>>>>>> <11> Section 2.2.3: The extension of PKAuthenticator in
>>>>>> PA-PK-AS-REQ applies to Windows Server 2022, 23H2 operating
>>>>>> system and later versions. Windows Server 2022, 23H2 and later
>>>>>> DCs will send back TD-CMS-DIGEST-ALGORITHMS-DATA as described in
>>>>>> [RFC8636] section 4, CMS Digest Algorithm Agility.
>>>>>> On supported versions of Windows, PAChecksum2 is validated if any
>>>>>> one of the following conditions is
>>>>>> true:
>>>>>>              1. The field is present
>>>>>>              2. If an EC algorithm is not allowed and the
>>>>>> signedAuthPack algorithm is not SHA-1
>>>>>>              3. SHA-1 is disabled
>>>>>> ----------------------------------------------------------------
>>>>>>
>>>>>> Please let me know if you still have any blocking issues or
>>>>>> concerns with accuracy of the open specs. If I don't hear back
>>>>>> from you by Wednesday, I'll assume that you were able to resolve
>>>>>> the issue and I'll archive the case.
>>>>>>
>>>>>> Regards,
>>>>>> Kristian Smith
>>>>>> Support Escalation Engineer | Microsoft® Corporation
>>>>>> Email: [email protected]
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Kristian Smith
>>>>>> Sent: Sunday, August 31, 2025 7:15 AM
>>>>>> To: 'Jennifer Sutton' <[email protected]>
>>>>>> Cc: Microsoft Support <[email protected]>; 'cifs-
>>>>>> [email protected]' <[email protected]>
>>>>>> Subject: RE: [EXTERNAL] [MS-KILE] PK‐INIT and
>>>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
>>>>>> TrackingID#2508220040003919
>>>>>>
>>>>>> Hi Jennifer,
>>>>>>
>>>>>> I inspected the trace you sent. It appears that when Windows
>>>>>> Server 2025 receives the AS ticket, it's expecting one of the
>>>>>> following algorithm identifiers:
>>>>>>
>>>>>> sha512NoSign  2.16.840.1.101.3.4.2.3
>>>>>> sha384NoSign  2.16.840.1.101.3.4.2.2
>>>>>> sha256NoSign  2.16.840.1.101.3.4.2.1
>>>>>> sha1NoSign    1.3.14.3.2.26
>>>>>>
>>>>>> but it received:
>>>>>> sha1RSA  1.2.840.113549.1.1.5
>>>>>>
>>>>>> If you change the algorithm ID to 1.3.14.3.2.26, I believe it
>>>>>> should work. Please let me know if you have additional questions or 
>>>>>> concerns.
>>>>>>
>>>>>> Regards,
>>>>>> Kristian Smith
>>>>>> Support Escalation Engineer | Microsoft® Corporation
>>>>>> Email: [email protected]
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Kristian Smith
>>>>>> Sent: Wednesday, August 27, 2025 3:45 PM
>>>>>> To: Jennifer Sutton <[email protected]>
>>>>>> Cc: Microsoft Support <[email protected]>; cifs-
>>>>>> [email protected]
>>>>>> Subject: RE: [EXTERNAL] [MS-KILE] PK‐INIT and
>>>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
>>>>>> TrackingID#2508220040003919
>>>>>>
>>>>>> Hi Jennifer,
>>>>>>
>>>>>> Thanks for uploading the trace. I wanted to let you know that
>>>>>> I'll be out of the office until the 2nd of September, so I'll
>>>>>> inspect it when I return. If this is an urgently blocking issue,
>>>>>> or you have other questions, please reach out to [email protected] 
>>>>>> during my absence.
>>>>>>
>>>>>> Thanks for your patience.
>>>>>>
>>>>>> Regards,
>>>>>> Kristian Smith
>>>>>> Support Escalation Engineer | Microsoft® Corporation
>>>>>> Email: [email protected]
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jennifer Sutton <[email protected]>
>>>>>> Sent: Tuesday, August 26, 2025 7:31 PM
>>>>>> To: Kristian Smith <[email protected]>
>>>>>> Cc: Microsoft Support <[email protected]>; cifs-
>>>>>> [email protected]
>>>>>> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and
>>>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
>>>>>> TrackingID#2508220040003919
>>>>>>
>>>>>> Hi Kristian,
>>>>>>
>>>>>> I’ve captured traces and uploaded them to the secure file share.
>>>>>>
>>>>>> Cheers,
>>>>>> Jennifer (she/her)
>>>>>>
>>>>>> On 27/08/25 5:17 am, Kristian Smith wrote:
>>>>>>> Hi Jennifer,
>>>>>>>
>>>>>>> Thanks for giving that a try. Here are the instructions for
>>>>>>> gathering and uploading an Lsass trace:
>>>>>>>
>>>>>>> Lsass Tracing
>>>>>>> 1.    Download and run the TTD.appinstaller from our website using
>>>>>>> the following link. Note: An End-User License Agreement (EULA)
>>>>>>> will appear in a command window that you will need to approve.
>>>>>>>            a.      Link: https://aka.ms/ttd/download
>>>>>>> 2.    We need to run lsass.exe as a non-protected process and
>>>>>>> disable Shadow Stacks so that we can run the trace. Run the
>>>>>>> following commands in an administrator-elevated PowerShell
>>>>>>> instance, then restart the machine. Warning: This should not be
>>>>>>> done on a machine exposed to the Internet.
>>>>>>>            a.      Set-ItemProperty -Path
>>>>>>> "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
>>>>>>>            b.      reg add
>>>>>>> "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v
>>>>>>> "UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
>>>>>>> 3.    When ready to repro the issue, run the following commands to
>>>>>>> create a destination folder and begin the trace. Run the
>>>>>>> following commands in an elevated PowerShell instance.
>>>>>>>            a.      mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>>>>>>>            b.      TTD -Attach ([int](Get-Process -NAME lsass |
>>>>>>> Format-Wide -Property
>>>>>>> ID).formatEntryInfo.formatPropertyField.propertyValue)
>>>>>>> -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\lsass.run
>>>>>>>            c.      When the small window pops up, the trace has begun
>>>>>>> and you can now reproduce the issue. To end the trace, simply
>>>>>>> click “Tracing Off”.
>>>>>>> 4.    Once the trace operation is complete, we need to compress the
>>>>>>> .run file created by TTD for easy transfer. Run the following
>>>>>>> command in an elevated PowerShell instance.
>>>>>>>            a.      Compress-Archive -Path C:\Traces_$(Get-Date -format
>>>>>>> "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format
>>>>>>> "dd-MMM-yyyy").zip
>>>>>>>            b.      Note: If this fails, you may need to restart the
>>>>>>> traced process to unlock the trace for compression. Using the
>>>>>>> following command, Lsass will restart automatically.
>>>>>>>                    1.      stop-process -name lsass -force
>>>>>>> 5.    Now we must undo the security changes made prior to taking the
>>>>>>> trace. Run the following commands in an elevated PowerShell
>>>>>>> instance, then restart the machine. After reboot, you are safe to
>>>>>>> reconnect the computer to the Internet.
>>>>>>>            a.      Set-ItemProperty -Path
>>>>>>> "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
>>>>>>>            b.      reg add
>>>>>>> "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v
>>>>>>> "UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
>>>>>>> 6.    Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share
>>>>>>> link below
>>>>>>>
>>>>>>> Please let me know if you have any questions or issues with the
>>>>>>> process outlined above. Thanks for your time.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Kristian Smith
>>>>>>> Support Escalation Engineer | Microsoft® Corporation
>>>>>>> Email: [email protected]
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jennifer Sutton <[email protected]>
>>>>>>> Sent: Sunday, August 24, 2025 4:34 PM
>>>>>>> To: Kristian Smith <[email protected]>
>>>>>>> Cc: Microsoft Support <[email protected]>;
>>>>>>> [email protected]
>>>>>>> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and
>>>>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
>>>>>>> TrackingID#2508220040003919
>>>>>>>
>>>>>>> Hi Kristian,
>>>>>>>
>>>>>>> I enabled the two group policies and set all of the algorithms
>>>>>>> to ‘supported’, but I still get the same
>>>>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error code.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Jennifer (she/her)
>>>>>>>
>>>>>>> On 23/08/25 4:44 am, Kristian Smith wrote:
>>>>>>>> [Jeff to Bcc]
>>>>>>>>
>>>>>>>> Hi Jennifer,
>>>>>>>>
>>>>>>>>        From the code, the most likely reason you’re seeing this
>>>>>>>> error is because Server 2025 is rejecting the chosen hashing algorithm.
>>>>>>>> Please visit the following link to see the security baseline
>>>>>>>> updates for Server
>>>>>>>> 2025:
>>>>>>>>
>>>>>>>> Windows Server 2025, security baseline | Microsoft Community
>>>>>>>> Hub
>>>>>>>> <https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733>
>>>>>>>>
>>>>>>>> If you scroll down to “Configure hash algorithms for
>>>>>>>> certificate logon”, you’ll see what I think is applicable to this 
>>>>>>>> scenario.
>>>>>>>> There are 2 group policies that may help in testing:
>>>>>>>>
>>>>>>>> Computer Configuration->Administrative Templates->System->KDC->
>>>>>>>> Configure hash algorithms for certificate logon
>>>>>>>>
>>>>>>>> Computer Configuration->Administrative Templates->System->
>>>>>>>> Kerberos->Configure hash algorithms for certificate logon
>>>>>>>>
>>>>>>>> These should allow you to explicitly allow certain hashing algorithms.
>>>>>>>> If this does not work, let me know and I’ll send the
>>>>>>>> instructions to gather an LSASS trace to look a bit deeper into your 
>>>>>>>> scenario.
>>>>>>>>
>>>>>>>> *Regards,*
>>>>>>>>
>>>>>>>> *Kristian Smith*
>>>>>>>>
>>>>>>>> Support Escalation Engineer | Microsoft® Corporation
>>>>>>>>
>>>>>>>> *Email*: [email protected]
>>>>>>>> <mailto:[email protected]>
>>>>>>>>
>>>>>>>> *From:*Jeff McCashland (He/him) <[email protected]>
>>>>>>>> *Sent:* Friday, August 22, 2025 6:43 AM
>>>>>>>> *To:* Jennifer Sutton <[email protected]>;
>>>>>>>> [email protected]
>>>>>>>> *Cc:* Microsoft Support <[email protected]>
>>>>>>>> *Subject:* Re: [EXTERNAL] [MS-KILE] PK‐INIT and
>>>>>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED -
>>>>>>>> TrackingID#2508220040003919
>>>>>>>>
>>>>>>>> Hi Jennifer,
>>>>>>>>
>>>>>>>> Thank you for your question. We have created SR
>>>>>>>> 2508220040003919 to track this issue. One of our engineers will 
>>>>>>>> respond soon to assist.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Jeff McCashland (He/him) | Senior Escalation Engineer |
>>>>>>>> Microsoft Corporation
>>>>>>>>
>>>>>>>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>>>>>>>> (UTC-08:00) Pacific Time (US and Canada)
>>>>>>>>
>>>>>>>> Local country phone number found here:
>>>>>>>> http://support.microsoft.com/globalenglish | Extension 1138300
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------
>>>>>>>>
>>>>>>>> *From:* Jennifer Sutton <[email protected]
>>>>>>>> <mailto:[email protected]>>
>>>>>>>> *Sent:* Thursday, August 21, 2025 10:10 PM
>>>>>>>> *To:* [email protected] <mailto:cifs-
>>>>>>>> [email protected]> <[email protected]
>>>>>>>> <mailto:cifs- [email protected]>>; Interoperability
>>>>>>>> Documentation Help <[email protected]
>>>>>>>> <mailto:[email protected]>>
>>>>>>>> *Subject:* [EXTERNAL] [MS-KILE] PK‐INIT and
>>>>>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED
>>>>>>>>
>>>>>>>> Hi dochelp,
>>>>>>>>
>>>>>>>> I’m performing tests against Windows Server 2025 and finding
>>>>>>>> that PK‐INIT requests always receive the response
>>>>>>>> KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. The same requests
>>>>>>>> made to Windows Server 2019 succeed. Could you help me find out
>>>>>>>> why I’m getting this error?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jennifer (she/her)
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
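
The SignerInfo fields discussed in this thread, as an added example that is not part of any message and is neither Samba's nor Microsoft's code: a small DER reader that reports which OID sits in digestAlgorithm and in signatureAlgorithm, and flags the two conditions the thread associates with the errors (a non-digest OID in the digest field, an empty signature). The function names and the sample SignerInfo bytes are constructed for illustration; the list of expected digest OIDs is the one quoted in the thread.

```python
# Added example with constructed data; nothing here comes from the thread's traces.
# Digest OIDs the thread reports Windows Server 2025 as expecting.
ACCEPTED_DIGEST_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}
# DER contents octets of the OIDs used in the constructed samples.
SHA1_DER = bytes.fromhex("2b0e03021a")                # 1.3.14.3.2.26
SHA1_RSA_DER = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
MSG_DIGEST_DER = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4

def tlv(tag, value):
    """DER-encode one element (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    """Turn OID contents octets into dotted-decimal text."""
    arcs, acc = [], 0
    for byte in body:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def algorithm_oid(alg_id):
    """Dotted OID from the contents of an AlgorithmIdentifier SEQUENCE."""
    kids = children(alg_id)
    if not kids or kids[0][0] != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(kids[0][1])

def build_signer_info(digest_oid, signature_oid, signature):
    """Constructed SignerInfo (RFC 5652); sid and messageDigest are placeholders."""
    alg = lambda oid: tlv(0x30, tlv(0x06, oid) + b"\x05\x00")
    sid = tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))  # empty issuer, serial 1
    attr = tlv(0x30, tlv(0x06, MSG_DIGEST_DER) + tlv(0x31, tlv(0x04, bytes(20))))
    return tlv(0x30, tlv(0x02, b"\x01") + sid + alg(digest_oid)
               + tlv(0xA0, attr) + alg(signature_oid) + tlv(0x04, signature))

def inspect_signer_info(der):
    """Report the OID in each algorithm field and flag the thread's two conditions."""
    tag, body, _ = read_tlv(der)
    fields = children(body) if tag == 0x30 else []
    if len(fields) < 5:
        raise ValueError("not a complete SignerInfo SEQUENCE")
    digest_oid = algorithm_oid(fields[2][1])  # follows version and sid
    rest = fields[3:]
    has_signed_attrs = rest[0][0] == 0xA0  # signedAttrs is [0] IMPLICIT, OPTIONAL
    if has_signed_attrs:
        rest = rest[1:]
    if len(rest) < 2 or rest[1][0] != 0x04:
        raise ValueError("signatureAlgorithm or signature missing")
    signature_oid, signature = algorithm_oid(rest[0][1]), rest[1][1]
    problems = []
    if digest_oid not in ACCEPTED_DIGEST_OIDS:
        problems.append(f"digestAlgorithm {digest_oid} is not an expected digest OID")
    if not signature:
        problems.append("signature is empty")
    return {"digest": digest_oid, "signature_algorithm": signature_oid,
            "signed_attrs": has_signed_attrs, "problems": problems}
```
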
