Hi Kacper:

I don’t support products, which means I don’t help customers configure systems. As such, please elaborate on the following as I have never done this.

3) Create new GPO with user settings, say with a mapped drive

As for mutual authentication, it is not related to integrity and privacy. Mutual authentication means that only Kerberos can be used for authentication (mutual authentication means that not only will the server authenticate the client, the client will also authenticate the server). NTLM cannot do mutual authentication. A session key is always established whether you do mutual authentication or not.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Friday, December 12, 2025 12:34 PM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Obaid,

I’ve done some additional testing. When I set RequireMutualAuthentication=0 while keeping RequireIntegrity=1 and RequirePrivacy=1, Windows does not fail the signature verification. My understanding is that mutual authentication is required to establish a session key, which is then used to enable integrity (signing) and privacy (encryption). If that’s the case, then integrity and privacy shouldn’t work when mutual authentication is disabled—correct? In other words, RequireMutualAuthentication would need to be enabled in order to use either integrity or privacy? Additionally, I tested this scenario on Windows 10 22H2, and the issue does not occur there.

To reproduce the issue:
1) Provision a Samba DC and create a new domain
3) Join a Windows 11 client to the Samba domain
2) Create a GPO, preferably using RSAT, and configure the setting "Hardened UNC paths" with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 (Computer Configuration → Administrative Templates → Network → Network Provider → Hardened UNC Paths)
3) Create new GPO with user settings, say with a mapped drive
4) Create a new user, either using RSAT or samba-tool user create, and set a known password for the user
5) Log on with that user on the Windows 11 client
6) The mapped drive does not get mapped, no group policies have been applied during logon, and the Windows event log will log an event with event ID 1058, error code 2148073478 and the description "invalid signature"
7) Running gpupdate /force manually will apply policies for both computer and user without errors

Regards,
Kacper

On Fri, 12 Dec 2025 at 16:41, Kacper <[email protected]> wrote:

Hi Obaid,

I'm using the Group Policy Management Console (GPMC) snap-in. I'm configuring hardened UNC paths for \\*\NETLOGON and \\*\SYSVOL. I've uploaded a screenshot of the GPO setting to the secure file exchange.

Regards,
Kacper

On Fri, 12 Dec 2025 at 01:32, Obaid Farooqi <[email protected]> wrote:

Hi Kacper:

How are you applying this group policy on a Samba DC? If you are doing it on a Windows DC, what is the UNC path that you are configuring in the group policy editor?

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Thursday, December 11, 2025 4:59 PM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Obaid,

If session setup responses are always signed, I would like to understand why the signature verification fails when Hardened UNC Paths are configured with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 (Computer Configuration → Administrative Templates → Network → Network Provider → Hardened UNC Paths) and why the signature verification succeeds
1) when Hardened UNC Paths are not configured (e.g. the GPO is left at its "Not configured" setting)
2) after logon, when manually refreshing group policies with gpupdate /force.

Regards,
Kacper

On Thu, Dec 11, 2025, 20:34 Obaid Farooqi <[email protected]> wrote:

Hi Kacper:

Looking at the traces, here is what’s happening:
1. Just before sending the create request for gpt.ini, the client determines that it is a 3-part SPN and therefore it needs to reauthenticate.
2. Client sends a session setup request.
3. Server (in this case the Samba DC) responds with a session setup response.
4. The session setup response is always signed. Client tries to verify the signature and that fails.

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Wednesday, December 10, 2025 4:30 AM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Obaid,

I have not been able to reproduce this problem against a Windows DC. I've uploaded the requested t.cmd traces to the secure file exchange.

Regards,
Kacper

On Tue, 9 Dec 2025 at 21:13, Obaid Farooqi <[email protected]> wrote:

Hi Kacper:

You’ll have to rename t.txt to t.cmd. Your email provider does not allow .cmd files.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Obaid Farooqi
Sent: Tuesday, December 9, 2025 2:10 PM
To: 'Kacper' <[email protected]>
Cc: Microsoft Support <[email protected]>; 'cifs-protocol' <[email protected]>
Subject: RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Kacper:

I want to reproduce this for Windows to Windows. Please let me know the exact steps and setup. Alternatively, you can collect ETW traces for me on the Windows 11 client. The script I have attached to this email does not survive reboot. So, if you can reproduce the scenario without rebooting, here are the steps.
1. Unzip and copy the file t.cmd on your Windows 11 client.
2. Log in as administrator and in a cmd (elevated), execute the following command: >t.cmd clion
3. Reproduce the scenario, which I guess will require you to log off and log in again (preferably as a different user).
4. Once you see the error in Event Viewer, repro is complete.
5. Open an elevated Cmd window and execute the following command: >t.cmd clioff
6. Upload the resulting t*.cab file to the link I provided you.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Obaid Farooqi
Sent: Monday, December 8, 2025 10:38 AM
To: 'Kacper' <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hi Kacper:

Thank you for the traces. I’ll look into them and get back to you as soon as I have anything concrete.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

From: Kacper <[email protected]>
Sent: Monday, December 8, 2025 4:20 AM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
Subject: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550

Hello Obaid,

Thank you for taking over this issue. The issue occurs between a Windows 11 client and a Samba DC. I’ve tested the same scenario against a Windows DC, and it works correctly there. My testing was done with Windows 11 (24H2, OS version 26100.7171) and Samba 4.21.10. I’ve uploaded the network trace, the event log entry, and the auth trace. Manually running gpupdate /force after the user logs on works without any issues. I would like to understand why Windows fails to apply GPOs during logon when Hardened UNC Paths are configured and the domain controller is Samba.

Regards,
Kacper
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
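An added diagnostic check, written for this archive page and not posted by anyone in the thread above: it lists the Hardened UNC Paths policy as it has been applied on a Windows 11 client, parsing each path's RequireMutualAuthentication / RequireIntegrity / RequirePrivacy flags, and then searches for the Group Policy event the thread describes (event ID 1058 carrying error code 2148073478, "invalid signature"). Two things are assumptions rather than facts stated in the thread: that the policy lands in the registry key `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths` as one value per UNC path, and that event 1058 is written to the System log by the Microsoft-Windows-GroupPolicy provider with the error code appearing in its message text.

```powershell
# Added diagnostic (not from the mailing-list thread). Run in an elevated PowerShell
# on the affected Windows 11 client.
# Assumptions (not stated in the thread): Hardened UNC Paths are applied under the
# registry key below, one value per UNC path, and event 1058 is logged to the System
# log by Microsoft-Windows-GroupPolicy with the error code visible in the message.

$hardenedPathsKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$eventIdGpoReadFailed = 1058
$errInvalidSignature  = 2148073478   # decimal value from the thread; equals 0x80090006

function Get-HardenedUncPath {
    # One object per configured UNC path, with the policy string split into flags.
    if (-not (Test-Path -Path $hardenedPathsKey)) { return @() }
    $item = Get-Item -Path $hardenedPathsKey
    foreach ($name in $item.GetValueNames()) {
        $raw   = [string]$item.GetValue($name)   # e.g. "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
        $flags = @{}
        foreach ($pair in ($raw -split ',')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = ($kv[1].Trim() -eq '1') }
        }
        [pscustomobject]@{
            Path                        = $name
            RequireMutualAuthentication = [bool]$flags['RequireMutualAuthentication']
            RequireIntegrity            = [bool]$flags['RequireIntegrity']
            RequirePrivacy              = [bool]$flags['RequirePrivacy']
            Raw                         = $raw
        }
    }
}

function Get-GpoSignatureFailure {
    # Group Policy read failures in the last $Hours hours that carry the
    # invalid-signature error code discussed in the thread.
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = $eventIdGpoReadFailed
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "$errInvalidSignature|0x80090006|invalid signature" } |
        Select-Object TimeCreated, Id, Message
}

'Hardened UNC Paths as applied on this client:'
$paths = @(Get-HardenedUncPath)
if ($paths.Count -eq 0) { '(policy key not present: Hardened UNC Paths not configured)' }
else { $paths | Format-Table -AutoSize }

"Group Policy event $eventIdGpoReadFailed entries with the invalid-signature error (last 24h):"
$hits = @(Get-GpoSignatureFailure)
if ($hits.Count -eq 0) { 'none found' } else { $hits | Format-List }
```

Comparing the first table against the second list is the quick way to correlate the two facts the thread establishes: which paths are configured with all three requirements set, and whether the client logged the 1058 / 2148073478 failure at logon. If the failure is present but a subsequent gpupdate /force succeeds, that matches the behaviour reported against the Samba DC.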
