On Tuesday, 6 January 2026 21:48:59 Central European Standard Time Obaid 
Farooqi wrote:
> Hi Andreas:

Hi Obaid,

> Can you please send me network captures of showing the request and response
> for all seven versions? You can upload the decrypted traces to the
> following link:

I've uploaded debug logs. They include an sslkeys.log which can be used in 
Wireshark to decrypt the traffic.


## How ClientBits and ServerBits are Calculated

From the MS-XCEP specification:

```
ClientBits = (privateKeyFlags & 0x0F000000) >> 24
ServerBits = (privateKeyFlags & 0x000F0000) >> 16
```

A template is returned if:
- `ClientBits <= clientVersion` (or clientVersion is nil/0)
- `ServerBits <= serverVersion` (or serverVersion is nil/0)

## Results Matrix

Number of policies returned for each clientVersion/serverVersion combination:

```
client\server  nil    0    1    2    3    4    5    6    7    8
---------------------------------------------------------------------------
         nil    3    3    2    2    3    3    3    3    3    3
           0    3    4    2    2    3    3    4    4    4    4
           1    1    1    1    1    1    1    1    1    1    1
           2    1    1    1    1    1    1    1    1    1    1
           3    3    3    2    2    3    3    3    3    3    3
           4    3    4    2    2    3    3    4    4    4    4
           5    3    4    2    2    3    3    4    4    4    4
           6    3    4    2    2    3    3    4    4    4    4
           7    3    4    2    2    3    3    4    4    4    4
           8    3    4    2    2    3    3    4    4    4    4
```

## Key Findings

### 1. clientVersion 1 or 2 is Too Restrictive

Only returns 1 template (Machine) regardless of serverVersion. This is 
because:
- Test-Schema-v2/v3 require ClientBits >= 3
- Test-Schema-v4 requires ClientBits >= 4

### 2. serverVersion 1 or 2 Limits Results

Only returns 2 templates (Machine + Test-Schema-v2). This is because:
- Test-Schema-v3 requires ServerBits >= 3
- Test-Schema-v4 requires ServerBits >= 5

### 3. nil Behaves Like a Default Value

- `clientVersion=nil` behaves like ~3 (returns v2/v3 but not v4)
- `serverVersion=nil` behaves like ~4 (returns v3 but not v4)

This is **different** from what MS-XCEP states (nil should mean "no filter").

### 4. Version 0 Bypasses Filtering

- `clientVersion=0` combined with `serverVersion=0` or `serverVersion>=5` 
returns all 4 templates
- This suggests 0 is treated as "no version restriction"

### 5. To Get All Templates

Need **both**:
- `clientVersion >= 4` (to get Test-Schema-v4 with ClientBits=4)
- `serverVersion >= 5` (to get Test-Schema-v4 with ServerBits=5)

Or use `clientVersion=0, serverVersion=0` which bypasses filtering.

### 6. Versions 7 and 8 Behave Like 6

No additional templates returned with versions 7 or 8. The server caps at
version 6 behavior for filtering purposes.

### 7. Test-Schema-v5 Missing (Known Microsoft Bug)

Test-Schema-v5 was not returned even with the highest version values tested.

**Root Cause:** This is a known Microsoft bug in Windows Server 2016 CEP/CES 
and newer. Templates with "Windows Server 2016" compatibility settings are 
NOT returned by the CEP web service.

See: https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/cannot-select-windows-server-2016-ca-compatible-certificate-templates

**Affected:** Templates with:
- Certification Authority: Windows Server 2016
- Certificate recipient: Windows 10 / Server 2016



I hope that helps to get started. I can share my template setup and debug 
script if you're interested.


Thanks for your help.


Best regards


        Andreas


> 
> File Transfer - Case 2512200040000944
> https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6Ik
> NBRjFBNjdERDUxQjI4QzVCNjg0N0Y5NTFCQTM2QkVDNDk0MkQ4NEYiLCJ0eXAiOiJKV1QifQ.eyJ
> 3c2lkIjoiNGNmMjg3ZjEtNGI4OS00N2NlLWIxNTctZjEyNTcxNzBlZDFkIiwic3IiOiIyNTEyMjA
> wMDQwMDAwOTQ0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiMGQxYTVkZmItNDd
> hYy00NGQzLWJjZmEtMzg5NWZhMTQ1ODhkIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmU
> zOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3Njc3MzIzOTksImV4cCI6MTc3NTUwODM5OSwiaWF0Ijo
> xNzY3NzMyMzk5LCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF
> 1ZCI6Imh0dHA6Ly9zbWMifQ.YufISWWy38xpDDOgQRnepwVEMO2aLHjzgmsf7ih_2yI-UefrcUF1
> aXmOHxnKsjoxBs7fFa9hSUkpgI8tO7h3DF8_FJELgaaZPNei0pUqbsNFSu5l0sm7YEmsFzCvsKLF
> L-JhZXSdxdvZtjiu_5Idp0uD6piQ1cYA4K2Ai-rYSlnOnF7NqQ9HwDGi1yPa94she_BQkEoZJTdO
> pQcskH4NQp_Xlh6AQ19azdw5QU1ftA21fKaSuElZoRHXLMvJedzKg4LOSiJp_7uSfhasZeDK5x4h
> ZVMImXxMLqAIuoT8n0Sd-6sa4bLHafmtSUUJEzQr1VNY58rgxV6K4CDNAbTXMg&wid=4cf287f1-
> 4b89-47ce-b157-f1257170ed1d
> 
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Michael Bowen <[email protected]>
> Sent: Saturday, December 20, 2025 10:39 AM
> To: Andreas Schneider <[email protected]>; [email protected]
> Cc: Microsoft Support <[email protected]>
> Subject: RE: [EXTERNAL] [MS-XCEP] 3.1.4.1.3.22 RequestFilter -
> TrackingID#2512200040000944
> 
> [DocHelp to bcc]
> Hi Andreas,
> 
> Merry Christmas and Happy New Year to you too! I've created case
> 2512200040000944 to track this issue, one of our engineers will contact you
> soon. Please note some responses may be delayed because of the holiday
> season. Have a wonderful holiday season!
> 
> Best regards,
> Michael Bowen
> Sr. Escalation Engineer - Microsoft(r) Corporation
> 
> -----Original Message-----
> From: Andreas Schneider <[email protected]>
> Sent: Friday, December 19, 2025 11:32 PM
> To: Interoperability Documentation Help <[email protected]>;
> [email protected] Subject: [EXTERNAL] [MS-XCEP] 3.1.4.1.3.22
> RequestFilter
> 
> Merry Christmas Dochelp Team!
> 
> 
> This is about  [MS-XCEP] 3.1.4.1.3.22 RequestFilter
> 
> 
> clientVersion: The server SHOULD only return CertificateEnrollmentPolicy
> objects whose bitwise AND of the <privateKeyFlags> element of the
> <attributes> element with 0x0F000000 is smaller than or equal to
> 0x0Z000000, where Z denotes the value of the clientVersion.<2>
> 
> serverVersion: The server SHOULD only return the CertificateEnrollmentPolicy
> objects whose bitwise AND of the <privateKeyFlags> element of the
> <attributes> element with 0x000F0000 is smaller than or equal to
> 0x000Y0000, where Y denotes the value of the serverVersion.<3>
> 
> 
> Normally you should set the value for the clientVersion for what responses
> you're able to parse. However the values are not documented.
> 
> From a research on the web [1][2][3], we compiled the following list:
> 
> 0: Legacy / unspecified: Minimal response. Often treated as 'no version
> negotiation' 1: Initial schema: Basic template enumeration. Only template
> names and OIDs are returned 2-3: Intermediate schemas: Adds more attributes
> (e.g., key usage, issuance requirements). Used in older Windows releases 4:
> Windows Server 2012: Includes richer template metadata, subject name
> requirements, and issuance policies 5: Windows Server 2016: Adds support
> for newer template flags and enrollment restrictions 6: Current schema
> (Windows 10/11, Server 2019/2022/2025): Full detail: template properties,
> issuance requirements, key usage, renewal policies, and advanced flags.
> This is the most complete and recommended version today
> 
> 
> The server should then check what it supports and return the information in
> the highest supported version number of both. However it is not documented
> how the server chooses the version number nor how the response looks like
> for the different version numbers.
> 
> 
> Could you please clarify?
> 
> 
> Merry Christmas and a happy new year! Looking forward to hear back from you
> next year ;-)
> 
> 
> Best regards
> 
> 
>         Andreas
> 
> 
> [1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/
> windows-server-2008-R2-and-2008/cc725838(v=ws.11)?redirectedfrom=MSDN
> [2] https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/
> certificate-template-concepts
> [3]
> https://www.gradenegger.eu/en/description-of-the-generations-of-certificate
> -templates/
> 
> --
> Andreas Schneider                      [email protected]
> Samba Team                             http://www.samba.org/
> GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D


-- 
Andreas Schneider                      [email protected]
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D



_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
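The following is an added example and not code from the post above or from Samba. It models the RequestFilter version check quoted from MS-XCEP 3.1.4.1.3.22 in two modes: the specification's reading (a nil element means no filter, and a numeric value, 0 included, is a literal bound, which is my reading of "0x0Z000000 where Z is the clientVersion") and the behaviour the post reports (nil acting like 3 for clientVersion and 4 for serverVersion, 0 disabling the filter). The template set and its privateKeyFlags values are constructed so that the extracted ClientBits/ServerBits match the thresholds the post gives for Machine and Test-Schema-v2/v3/v4; they are not the flags of real templates. Running it prints a results matrix in the same layout as the one in the post.

```python
"""Model of the MS-XCEP RequestFilter version check (added example).

Not code from the mailing-list post or from Samba.  Encodes the field
extraction quoted from MS-XCEP 3.1.4.1.3.22 and contrasts the specification
reading of nil/0 with the behaviour reported in the post.  The template set
is constructed; real privateKeyFlags values will differ.
"""
from typing import Dict, List, Optional, Tuple

CLIENT_MASK = 0x0F000000   # ClientBits occupy bits 24..27 of privateKeyFlags
SERVER_MASK = 0x000F0000   # ServerBits occupy bits 16..19

# Values a nil element was observed to behave like (taken from the post's
# findings, not from the specification).
OBSERVED_NIL_CLIENT = 3
OBSERVED_NIL_SERVER = 4


def client_bits(private_key_flags: int) -> int:
    """ClientBits = (privateKeyFlags & 0x0F000000) >> 24."""
    return (private_key_flags & CLIENT_MASK) >> 24


def server_bits(private_key_flags: int) -> int:
    """ServerBits = (privateKeyFlags & 0x000F0000) >> 16."""
    return (private_key_flags & SERVER_MASK) >> 16


def make_flags(cbits: int, sbits: int, low: int = 0) -> int:
    """Build a privateKeyFlags value from its version nibbles (constructed helper)."""
    return (cbits << 24) | (sbits << 16) | (low & 0xFFFF)


# Constructed template set: nibble values chosen to reproduce the thresholds
# given in the post (v2/v3 need ClientBits 3, v3 needs ServerBits 3,
# v4 needs ClientBits 4 and ServerBits 5).
TEMPLATES: Dict[str, int] = {
    "Machine":        make_flags(1, 1),
    "Test-Schema-v2": make_flags(3, 1),
    "Test-Schema-v3": make_flags(3, 3),
    "Test-Schema-v4": make_flags(4, 5),
}


def _bound(requested: Optional[int], nil_default: int, observed: bool) -> Optional[int]:
    """Turn a requested version into the bound the filter applies.

    None means "no filter".  Specification reading: only a nil element
    disables the filter and 0 is a literal bound of 0.  Observed behaviour:
    nil acts like the reported default and 0 disables the filter.
    """
    if requested is None:
        return nil_default if observed else None
    if requested == 0 and observed:
        return None
    return requested


def filter_templates(templates: Dict[str, int], client_version: Optional[int],
                     server_version: Optional[int], observed: bool = False) -> List[str]:
    """Names of the templates a GetPolicies response would contain."""
    cbound = _bound(client_version, OBSERVED_NIL_CLIENT, observed)
    sbound = _bound(server_version, OBSERVED_NIL_SERVER, observed)
    kept = []
    for name, flags in templates.items():
        if cbound is not None and client_bits(flags) > cbound:
            continue
        if sbound is not None and server_bits(flags) > sbound:
            continue
        kept.append(name)
    return kept


VERSIONS: Tuple[Optional[int], ...] = (None, 0, 1, 2, 3, 4, 5, 6, 7, 8)


def results_matrix(templates: Dict[str, int],
                   observed: bool) -> Dict[Tuple[Optional[int], Optional[int]], int]:
    """Number of templates returned per (clientVersion, serverVersion) pair."""
    return {(c, s): len(filter_templates(templates, c, s, observed))
            for c in VERSIONS for s in VERSIONS}


def format_matrix(matrix: Dict[Tuple[Optional[int], Optional[int]], int]) -> str:
    """Render the matrix in the layout used in the post (nil for a missing element)."""
    def label(v: Optional[int]) -> str:
        return "nil" if v is None else str(v)
    lines = ["client\\server " + " ".join(f"{label(s):>4}" for s in VERSIONS)]
    for c in VERSIONS:
        lines.append(f"{label(c):>13} " + " ".join(f"{matrix[(c, s)]:>4}" for s in VERSIONS))
    return "\n".join(lines)


if __name__ == "__main__":
    print("Observed behaviour (nil ~ 3/4, 0 = no filter):")
    print(format_matrix(results_matrix(TEMPLATES, observed=True)))
    print("\nSpecification reading (nil = no filter, 0 literal):")
    print(format_matrix(results_matrix(TEMPLATES, observed=False)))
```

The observed mode reproduces every cell of the matrix in the post with this constructed template set, which is a useful sanity check when comparing a client implementation against a capture: if a server returns a different count for a given pair, either its templates carry other nibble values or its nil/0 handling differs from what was seen here. Note that under the literal specification reading `clientVersion=0, serverVersion=0` selects nothing from this set, whereas the post observed it returning everything.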