On Wednesday, 17 December 2025 18:19:50 Central European Standard Time Michael
Bowen wrote:
> [DocHelp to bcc]
>
> Hi Andreas,
>
> Thanks for reaching out with your inquiry. I've created case
> 2512170040007357 to track this issue. One of our engineers will reach out
> to you soon.
I was able to figure out the issue. A friend pointed me in the right
direction. The Microsoft documentation describes setting up a cepces service
account for running the CA with constrained delegation.
You need to enable Kernel-mode Authentication for Kerberos in IIS.
Why is Kernel-mode Authentication Required?
The Problem: SPN and Ticket Decryption Mismatch
When a Kerberos client authenticates to IIS, it sends a service ticket
encrypted for a specific Service Principal Name (SPN). IIS must have the
correct credentials to decrypt this ticket.
Without Kernel-mode authentication:
- IIS uses the application pool identity to decrypt Kerberos tickets
- The SPN must be registered on that identity's account
- If the SPN is registered elsewhere, decryption fails
With Kernel-mode authentication:
- IIS uses the machine account (COMPUTER$) to decrypt tickets
- This works when SPNs are registered on the machine account
Best regards
Andreas
> Best regards,
> Michael Bowen
> Sr. Escalation Engineer - Microsoft(r) Corporation
>
> -----Original Message-----
> From: Andreas Schneider <[email protected]>
> Sent: Wednesday, December 17, 2025 6:46 AM
> To: Interoperability Documentation Help <[email protected]>;
> cifs-protocol <[email protected]>
> Subject: [EXTERNAL] Certificate Auto Enrollment (CES) and Windows 2025
>
> Hi Dochelp,
>
>
> I'm trying to get CEP/CES (Certificate Auto Enrollment) with Samba working
> against Windows 2025. The last time [1] I had issues with CEP and we
> debugged it and I was able to fix it.
>
> This time I'm struggling with CES trying to request a user certificate.
> Looking at the IIS logs I can see that I successfully talked to CEP, but I'm
> not able to talk to CES.
>
> 2025-12-03 15:20:33 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.5 - 401 2 5 149
> 2025-12-03 15:20:33 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 MARS\alice 192.168.56.247 python-requests/2.32.5 - 200 0 0 186
> 2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 2 5 135
> 2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 1 2148074254 5
> 2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 1 2148074254 0
>
>
> Sadly I don't see why exactly it gives Unauthorized. I'm happy to create a
> TTrace to figure out what exactly fails. That often helps to fix the
> issue :-)
>
> My setup is described here:
> https://github.com/openSUSE/cepces/blob/master/doc/TESTING_SETUP.md
>
>
> Looking forward to hearing from you.
>
> Best regards
>
> Andreas
>
> [1] https://lists.samba.org/archive/cifs-protocol/2025-July/004500.html
>
> --
> Andreas Schneider [email protected]
> Samba Team http://www.samba.org/
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
--
Andreas Schneider [email protected]
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
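As an added example that is not part of the thread, the cepces project or Microsoft's documentation, the PowerShell script below turns Andreas's explanation into a check an administrator can run on the IIS host: it reads the Windows Authentication settings of the CES application, works out which account IIS will use to decrypt Kerberos tickets (machine account in kernel mode, application pool identity otherwise), and compares that with the account that actually holds the HTTP SPN for the host. The site name "Default Web Site" is an assumption; the application path is the one from the IIS log in the thread; the WebAdministration module and setspn.exe are assumed to be present; and useAppPoolCredentials is the standard IIS attribute that lets kernel mode fall back to the pool identity, which the thread does not mention.

```powershell
# Added example (not from the thread or the cepces project): report which
# account decrypts Kerberos tickets for the CES app versus which account
# holds the HTTP SPN, so an SPN/decryption-key mismatch is visible at once.
[CmdletBinding()]
param(
    [string]$Site    = 'Default Web Site',           # assumption
    [string]$AppPath = '/MARS-ROOT-CA_CES_Kerberos',  # path from the IIS log in the thread
    [switch]$Fix                                      # opt-in: enable kernel mode
)

Import-Module WebAdministration -ErrorAction Stop

$cfgPath = "IIS:\Sites\$Site$AppPath"
$filter  = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AuthSetting([string]$Name) {
    # Boolean attributes come back wrapped in ConfigurationAttribute objects; unwrap them.
    $v = Get-WebConfigurationProperty -PSPath $cfgPath -Filter $filter -Name $Name
    if ($null -ne $v -and ($v | Get-Member -Name Value -ErrorAction SilentlyContinue)) { $v = $v.Value }
    return [bool]$v
}

$enabled        = Get-AuthSetting 'enabled'
$useKernelMode  = Get-AuthSetting 'useKernelMode'
$useAppPoolCred = Get-AuthSetting 'useAppPoolCredentials'   # standard IIS attribute, assumption here

# Identity of the application pool that serves the CES app.
$app  = Get-WebApplication -Site $Site -Name $AppPath.TrimStart('/')
$pool = Get-Item "IIS:\AppPools\$($app.applicationPool)"
$poolIdentity = if ($pool.processModel.identityType -eq 'SpecificUser') {
    $pool.processModel.userName
} else {
    "$env:COMPUTERNAME`$ (pool runs as $($pool.processModel.identityType))"
}

# Account IIS will use to decrypt the service ticket, per the explanation above.
$decryptor = if ($useKernelMode -and -not $useAppPoolCred) {
    "$env:COMPUTERNAME`$ (machine account, kernel mode)"
} else {
    "$poolIdentity (application pool identity)"
}

# Account that currently holds the SPN the client requests a ticket for.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$spn      = "HTTP/$fqdn"
$spnOwner = (& setspn.exe -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' }) -join '; '
if (-not $spnOwner) { $spnOwner = '<not registered anywhere>' }

[pscustomobject]@{
    Application           = $cfgPath
    WindowsAuthEnabled    = $enabled
    UseKernelMode         = $useKernelMode
    UseAppPoolCredentials = $useAppPoolCred
    AppPoolIdentity       = $poolIdentity
    TicketDecryptedBy     = $decryptor
    ExpectedSPN           = $spn
    SPNRegisteredOn       = $spnOwner
}

if ($Fix -and -not $useKernelMode) {
    # The change Andreas describes: let IIS decrypt tickets with the machine account.
    Set-WebConfigurationProperty -PSPath $cfgPath -Filter $filter -Name useKernelMode -Value $true
    Write-Host "useKernelMode enabled on $cfgPath; re-run without -Fix to verify."
}
```

Run it without -Fix first: if TicketDecryptedBy names the machine account but SPNRegisteredOn is a service account (or vice versa), that is the mismatch behind the 401 with status 2148074254 in the IIS log; -Fix only applies the kernel-mode switch from the thread and does not touch SPNs.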