Hi Andreas:

Thanks for the network captures and decrypted logs. Decrypted logs are very useful. Not all network captures have a TLS handshake. The sslkeylog file requires the handshake to be able to decrypt the TLS traffic, but you included decrypted logs and that helps.

I am looking into these.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

-----Original Message-----
From: Andreas Schneider <[email protected]>
Sent: Monday, January 12, 2026 8:27 AM
To: Obaid Farooqi <[email protected]>
Cc: Microsoft Support <[email protected]>; [email protected]
Subject: Re: [EXTERNAL] [MS-XCEP] 3.1.4.1.3.22 RequestFilter - TrackingID#2512200040000944

On Tuesday, 6 January 2026 21:48:59 Central European Standard Time Obaid Farooqi wrote:
> Hi Andreas:

Hi Obaid,

> Can you please send me network captures showing the request and response
> for all seven versions? You can upload the decrypted traces to the
> following link:

I've uploaded debug logs. They include an sslkeys.log which can be used in Wireshark to decrypt the traffic.

### How ClientBits and ServerBits are Calculated

From the MS-XCEP specification:

```
ClientBits = (privateKeyFlags & 0x0F000000) >> 24
ServerBits = (privateKeyFlags & 0x000F0000) >> 16
```

A template is returned if:
- `ClientBits <= clientVersion` (or clientVersion is nil/0)
- `ServerBits <= serverVersion` (or serverVersion is nil/0)

## Results Matrix

Number of policies returned for each clientVersion/serverVersion combination:

```
client\server   nil   0   1   2   3   4   5   6   7   8
---------------------------------------------------------
nil              3    3   2   2   3   3   3   3   3   3
0                3    4   2   2   3   3   4   4   4   4
1                1    1   1   1   1   1   1   1   1   1
2                1    1   1   1   1   1   1   1   1   1
3                3    3   2   2   3   3   3   3   3   3
4                3    4   2   2   3   3   4   4   4   4
5                3    4   2   2   3   3   4   4   4   4
6                3    4   2   2   3   3   4   4   4   4
7                3    4   2   2   3   3   4   4   4   4
8                3    4   2   2   3   3   4   4   4   4
```

## Key Findings

### 1. clientVersion 1 or 2 is Too Restrictive

Only returns 1 template (Machine) regardless of serverVersion. This is because:
- Test-Schema-v2/v3 require ClientBits >= 3
- Test-Schema-v4 requires ClientBits >= 4

### 2. serverVersion 1 or 2 Limits Results

Only returns 2 templates (Machine + Test-Schema-v2). This is because:
- Test-Schema-v3 requires ServerBits >= 3
- Test-Schema-v4 requires ServerBits >= 5

### 3. nil Behaves Like a Default Value

- `clientVersion=nil` behaves like ~3 (returns v2/v3 but not v4)
- `serverVersion=nil` behaves like ~4 (returns v3 but not v4)

This is **different** from what MS-XCEP states (nil should mean "no filter").

### 4. Version 0 Bypasses Filtering

- `clientVersion=0` combined with `serverVersion=0` or `serverVersion>=5` returns all 4 templates
- This suggests 0 is treated as "no version restriction"

### 5. To Get All Templates

Need **both**:
- `clientVersion >= 4` (to get Test-Schema-v4 with ClientBits=4)
- `serverVersion >= 5` (to get Test-Schema-v4 with ServerBits=5)

Or use `clientVersion=0, serverVersion=0` which bypasses filtering.

### 6. Versions 7 and 8 Behave Like 6

No additional templates are returned with versions 7 or 8. The server caps at version 6 behavior for filtering purposes.

### 7. Test-Schema-v5 Missing (Known Microsoft Bug)

Test-Schema-v5 was not returned even with the highest version values tested.

**Root Cause:** This is a known Microsoft bug in Windows Server 2016 CEP/CES and newer. Templates with "Windows Server 2016" compatibility settings are NOT returned by the CEP web service.

See: https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/cannot-select-windows-server-2016-ca-compatible-certificate-templates

**Affected:** Templates with:
- Certification Authority: Windows Server 2016
- Certificate recipient: Windows 10 / Server 2016

I hope that helps to get started. I can share my template setup and debug script if you're interested.

Thanks for your help.
Best regards
Andreas

>
> File Transfer - Case 2512200040000944
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Michael Bowen <[email protected]>
> Sent: Saturday, December 20, 2025 10:39 AM
> To: Andreas Schneider <[email protected]>; [email protected]
> Cc: Microsoft Support <[email protected]>
> Subject: RE: [EXTERNAL] [MS-XCEP] 3.1.4.1.3.22 RequestFilter - TrackingID#2512200040000944
>
> [DocHelp to bcc]
> Hi Andreas,
>
> Merry Christmas and Happy New Year to you too! I've created case 2512200040000944 to track this issue; one of our engineers will contact you soon. Please note some responses may be delayed because of the holiday season. Have a wonderful holiday season!
>
> Best regards,
> Michael Bowen
> Sr. Escalation Engineer - Microsoft(r) Corporation
>
> -----Original Message-----
> From: Andreas Schneider <[email protected]>
> Sent: Friday, December 19, 2025 11:32 PM
> To: Interoperability Documentation Help <[email protected]>; [email protected]
> Subject: [EXTERNAL] [MS-XCEP] 3.1.4.1.3.22 RequestFilter
>
> Merry Christmas Dochelp Team!
>
> This is about [MS-XCEP] 3.1.4.1.3.22 RequestFilter
>
> clientVersion: The server SHOULD only return CertificateEnrollmentPolicy objects whose bitwise AND of the <privateKeyFlags> element of the <attributes> element with 0x0F000000 is smaller than or equal to 0x0Z000000, where Z denotes the value of the clientVersion.<2>
>
> serverVersion: The server SHOULD only return the CertificateEnrollmentPolicy objects whose bitwise AND of the <privateKeyFlags> element of the <attributes> element with 0x000F0000 is smaller than or equal to 0x000Y0000, where Y denotes the value of the serverVersion.<3>
>
> Normally you should set the value for the clientVersion for what responses you're able to parse. However, the values are not documented.
>
> From research on the web [1][2][3], we compiled the following list:
>
> 0: Legacy / unspecified: Minimal response. Often treated as 'no version negotiation'
> 1: Initial schema: Basic template enumeration. Only template names and OIDs are returned
> 2-3: Intermediate schemas: Adds more attributes (e.g., key usage, issuance requirements). Used in older Windows releases
> 4: Windows Server 2012: Includes richer template metadata, subject name requirements, and issuance policies
> 5: Windows Server 2016: Adds support for newer template flags and enrollment restrictions
> 6: Current schema (Windows 10/11, Server 2019/2022/2025): Full detail: template properties, issuance requirements, key usage, renewal policies, and advanced flags. This is the most complete and recommended version today
>
> The server should then check what it supports and return the information in the highest supported version number of both. However, it is not documented how the server chooses the version number nor what the response looks like for the different version numbers.
>
> Could you please clarify?
>
> Merry Christmas and a happy new year! Looking forward to hearing back from you next year ;-)
>
> Best regards
>
> Andreas
>
> [1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725838(v=ws.11)?redirectedfrom=MSDN
> [2] https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-template-concepts
> [3] https://www.gradenegger.eu/en/description-of-the-generations-of-certificate-templates/
>
> --
> Andreas Schneider [email protected]
> Samba Team http://www.samba.org/
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

--
Andreas Schneider [email protected]
Samba Team http://www.samba.org/
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
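As an added example (not Andreas's debug script and not Samba's or Microsoft's code), the following Python models the RequestFilter rule as summarised in Andreas's message and checks it against cells of the count matrix he posted, with `None` standing in for nil. The ClientBits/ServerBits nibbles for Test-Schema-v3 and v4 are the values reported in the thread; the nibbles for Machine and Test-Schema-v2 are assumptions chosen so that the model fits the observed counts.

```python
from typing import Dict, List, Optional, Tuple

Version = Optional[int]  # None models an absent (nil) clientVersion/serverVersion

def client_bits(private_key_flags: int) -> int:
    # ClientBits = (privateKeyFlags & 0x0F000000) >> 24, as quoted from MS-XCEP
    return (private_key_flags & 0x0F000000) >> 24

def server_bits(private_key_flags: int) -> int:
    # ServerBits = (privateKeyFlags & 0x000F0000) >> 16, as quoted from MS-XCEP
    return (private_key_flags & 0x000F0000) >> 16

def make_flags(cbits: int, sbits: int) -> int:
    """Build a privateKeyFlags value carrying only the two version nibbles."""
    return (cbits << 24) | (sbits << 16)

# Constructed templates: the Test-Schema-v3/v4 nibbles are the values the
# thread reports; the Machine and Test-Schema-v2 nibbles are assumptions
# chosen so that the model reproduces the observed counts.
TEMPLATES: Dict[str, int] = {
    "Machine": make_flags(1, 1),
    "Test-Schema-v2": make_flags(3, 1),
    "Test-Schema-v3": make_flags(3, 3),
    "Test-Schema-v4": make_flags(4, 5),
}

def request_filter(templates: Dict[str, int], client_version: Version,
                   server_version: Version) -> List[str]:
    """Filter as summarised in the thread: nil or 0 means no restriction."""
    def passes(bits: int, version: Version) -> bool:
        return not version or bits <= version

    return [name for name, flags in templates.items()
            if passes(client_bits(flags), client_version)
            and passes(server_bits(flags), server_version)]

# Cells copied from the count matrix in the thread (nil spelled None).
OBSERVED: Dict[Tuple[Version, Version], int] = {
    (None, None): 3, (None, 0): 3, (0, None): 3, (0, 0): 4,
    (1, 8): 1, (3, 2): 2, (4, 4): 3, (4, 5): 4, (8, 8): 4,
}

def mismatches(templates: Dict[str, int],
               observed: Dict[Tuple[Version, Version], int]
               ) -> Dict[Tuple[Version, Version], Tuple[int, int]]:
    """Cells where the written rule and the real server disagree: (model, seen)."""
    return {cell: (len(request_filter(templates, *cell)), seen)
            for cell, seen in observed.items()
            if len(request_filter(templates, *cell)) != seen}
```

Only the cells with a nil version come back as mismatches: the summarised rule treats nil as no filter and yields 4 templates, while the server returned 3, which is finding 3 above expressed in numbers.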
