[DocHelp to bcc] Hi Andreas, Merry Christmas and Happy New Year to you too! I've created case 2512200040000944 to track this issue, one of our engineers will contact you soon. Please note some responses may be delayed because of the holiday season. Have a wonderful holiday season!
Best regards, Michael Bowen Sr. Escalation Engineer - Microsoft(r) Corporation -----Original Message----- From: Andreas Schneider <[email protected]> Sent: Friday, December 19, 2025 11:32 PM To: Interoperability Documentation Help <[email protected]>; [email protected] Subject: [EXTERNAL] [MS-XCEP] 3.1.4.1.3.22 RequestFilter Merry Christmas Dochelp Team! This is about [MS-XCEP] 3.1.4.1.3.22 RequestFilter clientVersion: The server SHOULD only return CertificateEnrollmentPolicy objects whose bitwise AND of the <privateKeyFlags> element of the <attributes> element with 0x0F000000 is smaller than or equal to 0x0Z000000, where Z denotes the value of the clientVersion.<2> serverVersion: The server SHOULD only return the CertificateEnrollmentPolicy objects whose bitwise AND of the <privateKeyFlags> element of the <attributes> element with 0x000F0000 is smaller than or equal to 0x000Y0000, where Y denotes the value of the serverVersion.<3> Normally you should set the value for the clientVersion for what responses you're able to parse. However the values are not documented. >From a research on the web [1][2][3], we compiled the following list: 0: Legacy / unspecified: Minimal response. Often treated as 'no version negotiation' 1: Initial schema: Basic template enumeration. Only template names and OIDs are returned 2-3: Intermediate schemas: Adds more attributes (e.g., key usage, issuance requirements). Used in older Windows releases 4: Windows Server 2012: Includes richer template metadata, subject name requirements, and issuance policies 5: Windows Server 2016: Adds support for newer template flags and enrollment restrictions 6: Current schema (Windows 10/11, Server 2019/2022/2025): Full detail: template properties, issuance requirements, key usage, renewal policies, and advanced flags. This is the most complete and recommended version today The server should then check what it supports and return the information in the highest supported version number of both. However it is not documented how the server chooses the version number nor how the response looks like for the different version numbers. Could you please clarify? Merry Christmas and a happy new year! Looking forward to hear back from you next year ;-) Best regards Andreas [1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/ windows-server-2008-R2-and-2008/cc725838(v=ws.11)?redirectedfrom=MSDN [2] https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/ certificate-template-concepts [3] https://www.gradenegger.eu/en/description-of-the-generations-of-certificate-templates/ -- Andreas Schneider [email protected] Samba Team http://www.samba.org/ GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D _______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
