[Mike to Bcc, +Obaid]
Hi Andreas,
Thanks for letting us know what the resolution was! We'll save this information in case anyone else encounters the same issue. As always, please let us know if you encounter any further issues with the specs.
Have a great holiday season!
Regards,
Kristian Smith
Support Escalation Engineer | Azure DevOps, Windows Protocols | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: [email protected]
Working hours: 8:00 am - 5:00 pm PST, Monday – Friday
Team Manager: Gary Ranne [email protected]
ServiceHub: https://serviceshub.microsoft.com/support/contactsupport_
In case you don't hear from me, please call your regional number here: https://support.microsoft.com/help/13948/global-customer-service-phone-numbers.
If you need assistance outside my normal working hours, please reach out to [email protected]. One of my colleagues will gladly continue working on this issue.
------------------- Original Message -------------------
From: [email protected];
Received: Fri Dec 19 2025 02:11:56 GMT-0800 (Pacific Standard Time)
To: [email protected]; [email protected];
Cc: [email protected];
Subject: Re: [EXTERNAL] Certificate Auto Enrollment (CES... - TrackingID#2512170040007357
On Wednesday, 17 December 2025 18:19:50 Central European Standard Time Michael Bowen wrote:
> [DocHelp to bcc]
>
> Hi Andreas,
>
> Thanks for reaching out with your inquiry. I've created case
> 2512170040007357 to track this issue. One of our engineers will reach out
> to you soon.
I was able to figure out the issue. A friend pointed me in the right direction.

The Microsoft documentation describes setting up a cepces service account for running the CA with constrained delegation. You need to enable Kernel-mode Authentication for Kerberos in IIS.

Why is Kernel-mode Authentication required?

The problem: SPN and ticket decryption mismatch

When a Kerberos client authenticates to IIS, it sends a service ticket encrypted for a specific Service Principal Name (SPN). IIS must have the correct credentials to decrypt this ticket.

Without Kernel-mode authentication:
- IIS uses the application pool identity to decrypt Kerberos tickets
- The SPN must be registered on that identity's account
- If the SPN is registered elsewhere, decryption fails

With Kernel-mode authentication:
- IIS uses the machine account (COMPUTER$) to decrypt tickets
- This works when SPNs are registered on the machine account

Best regards

Andreas

> Best regards,
> Michael Bowen
> Sr. Escalation Engineer - Microsoft(r) Corporation
>
> -----Original Message-----
> From: Andreas Schneider
> Sent: Wednesday, December 17, 2025 6:46 AM
> To: Interoperability Documentation Help ; cifs-protocol
> Subject: [EXTERNAL] Certificate Auto Enrollment (CES) and Windows 2025
>
> Hi Dochelp,
>
> I'm trying to get CEP/CES (Certificate Auto Enrollment) with Samba working
> against Windows 2025. The last time [1] I had issues with CEP and we
> debugged it and I was able to fix it.
>
> This time I'm struggling with CES trying to request a user certificate.
> Looking at the IIS logs I can see that I successfully talked to CEP, but I'm
> not able to talk to CES.
>
> 2025-12-03 15:20:33 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.5 - 401 2 5 149
> 2025-12-03 15:20:33 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 MARS\alice 192.168.56.247 python-requests/2.32.5 - 200 0 0 186
> 2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 2 5 135
> 2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 1 2148074254 5
> 2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 1 2148074254 0
>
> Sadly I don't see why exactly it gives Unauthorized. I'm happy to create a
> TTrace to figure out what exactly fails. That often helps to fix the
> issue :-)
>
> My setup is described here:
> https://github.com/openSUSE/cepces/blob/master/doc/TESTING_SETUP.md
>
> Looking forward to hearing from you.
>
> Best regards
>
> Andreas
>
> [1] https://lists.samba.org/archive/cifs-protocol/2025-July/004500.html
>
> --
> Andreas Schneider [email protected]
> Samba Team http://www.samba.org/
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

--
Andreas Schneider [email protected]
Samba Team http://www.samba.org/
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
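Added example, not code from the thread, from Samba/cepces or from Microsoft: a small Python triage script that reads IIS W3C log lines of the shape Andreas quoted and tells, per endpoint, whether Negotiate completed and, if not, what SSPI status IIS recorded. The five sample lines are constructed copies of the excerpt above. It assumes the IIS default W3C field selection (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status, sc-substatus, sc-win32-status, time-taken); the status-code names are the SEC_E_* constants from the SSPI header, rendered from the decimal sc-win32-status IIS writes.

```python
"""Triage IIS W3C log lines for Negotiate/Kerberos failures on CEP/CES endpoints."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample: the five lines from the thread's IIS log excerpt, one per line.
# Assumed field layout (IIS default W3C selection): date time s-ip cs-method
# cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer)
# sc-status sc-substatus sc-win32-status time-taken.
SAMPLE_LOG = """\
2025-12-03 15:20:33 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.5 - 401 2 5 149
2025-12-03 15:20:33 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 MARS\\alice 192.168.56.247 python-requests/2.32.5 - 200 0 0 186
2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 2 5 135
2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 1 2148074254 5
2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 1 2148074254 0
"""

# sc-win32-status is logged in decimal; SSPI errors are HRESULTs, so render them as
# hex before looking them up. Small subset of the SEC_E_* codes from sspi.h.
WIN32_STATUS_NAMES = {
    0x00000000: "SUCCESS",
    0x00000005: "ERROR_ACCESS_DENIED (the anonymous request that triggers the 401.2 challenge)",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}


@dataclass
class IisEntry:
    timestamp: str
    uri_stem: str
    username: str      # "-" while the request is still anonymous
    client_ip: str
    status: int        # sc-status
    substatus: int     # sc-substatus: 401.2 = challenge issued, 401.1 = logon failed
    win32_status: int  # sc-win32-status, decimal in the log


def parse_iis_line(line: str) -> Optional[IisEntry]:
    """Parse one W3C line with the layout above; None for #-directives or other shapes."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 15:
        return None
    return IisEntry(
        timestamp=f"{parts[0]} {parts[1]}",
        uri_stem=parts[4],
        username=parts[7],
        client_ip=parts[8],
        status=int(parts[11]),
        substatus=int(parts[12]),
        win32_status=int(parts[13]),
    )


def parse_iis_log(text: str) -> list[IisEntry]:
    return [e for e in map(parse_iis_line, text.splitlines()) if e is not None]


def classify_endpoints(entries: list[IisEntry]) -> dict[str, tuple[str, str]]:
    """Per URI stem: did Negotiate complete, and if not, what did the server report?"""
    verdicts: dict[str, tuple[str, str]] = {}
    for stem in sorted({e.uri_stem for e in entries}):
        seq = [e for e in entries if e.uri_stem == stem]
        done = [e for e in seq if e.status == 200 and e.username != "-"]
        if done:
            verdicts[stem] = ("authenticated", f"as {done[0].username}")
            continue
        failed = [e for e in seq if e.status == 401 and e.substatus == 1]
        if not failed:
            verdicts[stem] = ("challenge_only", "only 401.2 seen; the client never answered")
            continue
        code = failed[-1].win32_status
        name = WIN32_STATUS_NAMES.get(code, "unknown SSPI/Win32 status")
        if code == 0x8009030E:
            # The identity accepting the token held no key for the SPN in the ticket:
            # the SPN belongs to a different account than the one decrypting it.
            verdict = "no_credentials_for_spn"
        elif code == 0x8009030C:
            verdict = "logon_denied"
        else:
            verdict = "auth_failed"
        verdicts[stem] = (verdict, f"401.1 sc-win32-status=0x{code:08X} ({name})")
    return verdicts


if __name__ == "__main__":
    for stem, (verdict, detail) in classify_endpoints(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{stem}: {verdict} [{detail}]")
```

Run against the sample, CEP comes out as authenticated (401.2 challenge followed by a 200 carrying MARS\alice), while CES ends in 401.1 with sc-win32-status 2148074254, which is 0x8009030E (SEC_E_NO_CREDENTIALS): the identity that tried to accept the Kerberos token held no key for the SPN the ticket was issued to. That is the signature one would expect when the SPN is registered on one account (the machine account) while another identity (the application pool) does the decrypting, which is the mismatch Andreas describes and kernel-mode authentication resolves. Checking which account holds the SPN (setspn -L on the machine and on the service account) and whether kernel-mode authentication is enabled for the CES site is the corresponding configuration check.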
