<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Segoe UI";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:#1F4E79;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F4E79">Hi metze,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">The registry entry to restore the default behavior is:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">[HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]EnableWeakCryptography = 0x1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Note that the plan is that at some point this will go away, as will the ability to restore the default behavior.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">I have created a DTM workspace for exchanging files related to this issue (credentials and link below). Please find ‘PartnerTTDRecorder_x86_x64.zip’ on the workspace, available for download. These tools can be
 staged on the Windows client for collecting traces. The instructions below assume they were staged to C:\TTD.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p style="margin:0in"><span style="color:#1F4E79">These traces are highly compressible; please add them to a .zip archive for transferring.
</span><span style="color:#2F5496">To collect the needed traces:<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:27.0pt">
<span style="color:#2F5496">1. From a PowerShell prompt, execute: <o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in">
C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)<o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:27.0pt">
<span style="color:#2F5496">2. Wait for a little window to pop up in top left corner of your screen, titled “lsass01.run”<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:27.0pt">
<span style="color:#2F5496">3. Start a network trace using netsh or Wireshark, etc.
<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:27.0pt">
<span style="color:#2F5496">4. Repro the attempted operation<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:27.0pt">
<span style="color:#2F5496">5. Stop the network trace and save it<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:27.0pt">
<span style="color:#2F5496">6. CAREFULLY: uncheck the checkbox next to “Tracing” in the small “lsass01.run” window. Do not close or exit the small window or you will need to reboot.
<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:27.0pt">
<span style="color:#2F5496">7. The TTTracer.exe process will generate a trace file, then print out the name and location of the file.
<o:p></o:p></span></p>
<p style="margin:0in"><span style="color:#2F5496">Compress the *.run file into a .zip archive before uploading with the matching network trace. It is a good idea to reboot the machine at the next opportunity to restart the lsass process.
<o:p></o:p></span></p>
<p style="margin:0in"> <o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79">Workspace credentials and link:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Log in as: 2207200040005482_metze@dtmxfer.onmicrosoft.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">1-time: M7_h@91f<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Link: <a href="https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiZjY5NGMxMTItN2Y4OS00MzNmLWIwYmYtYjhiNjk3ZThmZjlhIiwic3IiOiIyMjA3MjAwMDQwMDA1NDgyIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiI4ZjhmOTk0NS01ZDE4LTRkYWQtOThhMS01ZWY3MjI0ODU5ZWYiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NjYyOTI0MTksIm5iZiI6MTY1ODUxNjQxOX0.p_X_ajVstNCxah482jUaWEp-gWBwVEpjlEsKdU2CwM7M5-fOms77Z34KslF76XVzv8uiSEmUWAC7tMGNjsv7WvPe8aiE_Ufp1OJZZOjFccnnoiMx4NVP32J1_CD-vSxV6GCzkbo1iF9VMysXd3cUnjgQ6Gk-x41l9HJFZ8AAHFac4aQ5JhXZOgPwr23GwB-H-OYVp91h1UsWQgpYj286biL1_HXktGgudBAJnUr1cpbB150BGCOGorEjV4N3eOdWdoVyjhcc25d1UGhR4JwpgF8PplV7VV6wXqznBrnO8-AbA7huIScacfkwH3ijxnJoz4RWNlKPwoXBDQtlcuzFPQ&wid=f694c112-7f89-433f-b0bf-b8b697e8ff9a">
https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiZjY5NGMxMTItN2Y4OS00MzNmLWIwYmYtYjhiNjk3ZThmZjlhIiwic3IiOiIyMjA3MjAwMDQwMDA1NDgyIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiI4ZjhmOTk0NS01ZDE4LTRkYWQtOThhMS01ZWY3MjI0ODU5ZWYiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NjYyOTI0MTksIm5iZiI6MTY1ODUxNjQxOX0.p_X_ajVstNCxah482jUaWEp-gWBwVEpjlEsKdU2CwM7M5-fOms77Z34KslF76XVzv8uiSEmUWAC7tMGNjsv7WvPe8aiE_Ufp1OJZZOjFccnnoiMx4NVP32J1_CD-vSxV6GCzkbo1iF9VMysXd3cUnjgQ6Gk-x41l9HJFZ8AAHFac4aQ5JhXZOgPwr23GwB-H-OYVp91h1UsWQgpYj286biL1_HXktGgudBAJnUr1cpbB150BGCOGorEjV4N3eOdWdoVyjhcc25d1UGhR4JwpgF8PplV7VV6wXqznBrnO8-AbA7huIScacfkwH3ijxnJoz4RWNlKPwoXBDQtlcuzFPQ&wid=f694c112-7f89-433f-b0bf-b8b697e8ff9a</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:blue">Best regards,</span><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy"><br>
<i>Jeff M</i></span></b><b><i><sup><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#002060">c</span></sup></i></b><b><i><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Cashland (He/him)
</span></i></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">| Senior Escalation Engineer<i> | Microsoft</i></span></b><b><span style="font-family:"Arial",sans-serif;color:navy">
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:navy">Protocol Open Specifications Team
<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue">Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">Local country phone number found here:
</span><span style="color:#2F5496"><a href="http://support.microsoft.com/globalenglish"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">http://support.microsoft.com/globalenglish</span></a></span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:blue">
 | Extension 1138300<o:p></o:p></span></p>
</div>
</div>
</div>
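<p class="MsoNormal">The following is an added example, not part of the e-mail above: a small PowerShell helper that shows, sets, or removes the EnableWeakCryptography value under the MS-BKRP provider key given in the reply. The key path, value name and the meaning of the value 1 come from the thread; the parameter names and the interpretation of any value other than 1 as "fallback disabled" are assumptions of this example. It must run from an elevated prompt. Whether lsass has to be restarted (or the machine rebooted) before the client picks the change up is not stated in the thread, so check the behavior on the test client rather than assuming it takes effect immediately.</p>

```powershell
# Added example (not from the original e-mail). Inspect, enable, or remove the
# EnableWeakCryptography override for the DPAPI/MS-BKRP provider named in the thread.
# Setting it to 1 re-enables the fallback to server-side wrapping (BACKUPKEY_BACKUP_GUID)
# that [MSFT-CVE-2022-21925] turned off, so treat it as a temporary diagnostic setting
# and remove it once the repro is captured. Requires an elevated PowerShell prompt.
[CmdletBinding()]
param(
    # Assumed parameter name for this example.
    [ValidateSet('Show', 'Enable', 'Remove')]
    [string]$Action = 'Show'
)

# Key path and value name as given in the reply above.
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$ValueName   = 'EnableWeakCryptography'

function Get-WeakCryptoOverride {
    # Returns the current DWORD value, or $null when the value is absent (the hardened default).
    $item = Get-ItemProperty -Path $ProviderKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

switch ($Action) {
    'Show' {
        $v = Get-WeakCryptoOverride
        if ($null -eq $v) {
            "$ValueName is not set: server-side wrapping fallback is disabled (hardened default)."
        } elseif ($v -eq 1) {
            "$ValueName = 1: server-side wrapping fallback is re-enabled (pre-CVE behavior)."
        } else {
            # Assumption: the thread only documents the value 1; anything else is treated as disabled.
            "$ValueName = ${v}: fallback treated as disabled (only 1 is documented as enabling it)."
        }
    }
    'Enable' {
        if (-not (Test-Path $ProviderKey)) { New-Item -Path $ProviderKey -Force | Out-Null }
        # DWORD, as the reply's "0x1" indicates.
        New-ItemProperty -Path $ProviderKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        "Set $ValueName = 1 under $ProviderKey. Capture the repro, then run with -Action Remove."
    }
    'Remove' {
        Remove-ItemProperty -Path $ProviderKey -Name $ValueName -ErrorAction SilentlyContinue
        "Removed $ValueName; hardened default restored."
    }
}
```

<p class="MsoNormal">Usage: save as Set-BkrpWeakCrypto.ps1 and run <code>.\Set-BkrpWeakCrypto.ps1 -Action Show</code> before and after the change so the trace you upload is accompanied by a record of which mode the client was in.</p>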
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Segoe UI",sans-serif;color:#212529">-----Original Message-----<br>
From: Stefan Metzmacher <a href="mailto:metze@samba.org">metze@samba.org</a> <br>
Sent: Wednesday, July 20, 2022 5:55 AM<br>
To: Interoperability Documentation Help <a href="mailto:dochelp@microsoft.com">dochelp@microsoft.com</a><br>
Cc: <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a><br>
Subject: [EXTERNAL] MSFT-CVE-2022-21925 MS-BKRP 3.2.4.1 Performing Client-Side Wrapping of Secrets<br>
<br>
Hi Dochelp,<br>
<br>
I'm currently debugging a problem where clients seem to have problems with our MS-BKRP implementation.<br>
<br>
I found the following:<br>
<br>
<18> Section 3.2.4.1: The process of falling back to server-side wrapping using the BACKUPKEY_BACKUP_GUID when retrieval of the server's public key fails using the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID is no longer available by default for the operating systems
 specified in [MSFT-CVE-2022-21925]. However, the fall back to server-side wrapping can be enabled by adding a registry key designed for this purpose.<br>
<br>
In addition, as noted earlier, Windows clients always retry failing operations once. The resulting process is as follows: The client first tries the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID operation, and if it fails, the client performs DC (2) rediscovery and retries
 the same operation. If the retry fails, the client tries a BACKUPKEY_BACKUP_GUID operation. If this fails, the client performs DC rediscovery again and retries the BACKUPKEY_BACKUP_GUID operation. If this also fails, an error is returned to the caller.<br>
<br>
I have two questions:<br>
<br>
1. What are the name and value of the registry key that allow the fallback to server-side wrapping to be activated again?<br>
<br>
2. Is your tracing tool also able to debug client-side PowerShell scripts? My customer<br>
is able to trigger the problem with ConvertFrom-SecureString/ConvertTo-SecureString<br>
<br>
Thanks!<br>
metze</span><o:p></o:p></p>
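<p class="MsoNormal">Added example, not part of either message above: a PowerShell model of the client retry order quoted from MS-BKRP 3.2.4.1 (retrieve the server public key, rediscover the DC and retry, then, only when the fallback is enabled, the BACKUPKEY_BACKUP_GUID server-side wrapping with its own rediscovery and retry). It is useful for predicting which BackuprKey calls should appear in the network trace under each registry setting. The RPC transport is simulated: the DC names, the $TryOperation/$DiscoverDc script blocks and the function name are constructed for this example, and gating the fallback on EnableWeakCryptography follows the reply's statement that the value restores the old behavior.</p>

```powershell
# Added example (not from the thread). Models the MS-BKRP client-side retry sequence
# from section 3.2.4.1 so the expected call order in a trace can be predicted.
function Invoke-BkrpClientWrap {
    param(
        # Simulated transport: receives ($Dc, $OperationGuidName) and returns $true on success.
        [Parameter(Mandatory)] [scriptblock]$TryOperation,
        # Simulated DC discovery: returns the name of the DC to use next.
        [Parameter(Mandatory)] [scriptblock]$DiscoverDc,
        # Mirrors the registry value from the reply; $false is the hardened default.
        [bool]$EnableWeakCryptography = $false
    )
    $log = New-Object System.Collections.Generic.List[string]
    # Client-side wrapping first; the server-side wrapping fallback only when re-enabled.
    $ops = @('BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID')
    if ($EnableWeakCryptography) { $ops += 'BACKUPKEY_BACKUP_GUID' }

    $dc = & $DiscoverDc
    foreach ($op in $ops) {
        # Each operation is tried once, then once more after DC rediscovery.
        foreach ($attempt in 1, 2) {
            $ok = & $TryOperation $dc $op
            $log.Add("$op against $dc -> $(if ($ok) { 'success' } else { 'failure' })")
            if ($ok) {
                return [pscustomobject]@{ Result = 'Success'; Operation = $op; Dc = $dc; Log = $log }
            }
            if ($attempt -eq 1) {
                $dc = & $DiscoverDc
                $log.Add("DC rediscovery -> $dc")
            }
        }
    }
    # Both operations (or the only permitted one) failed twice: error to the caller.
    return [pscustomobject]@{ Result = 'Error'; Operation = $null; Dc = $dc; Log = $log }
}

# Constructed scenario: retrieval of the server's public key always fails, while the
# legacy server-side wrapping would succeed. DC discovery alternates between two names.
$dcQueue = [System.Collections.Generic.Queue[string]]::new(
    [string[]]@('dc1.example.test', 'dc2.example.test', 'dc1.example.test', 'dc2.example.test', 'dc1.example.test', 'dc2.example.test'))
$discover = { $dcQueue.Dequeue() }
$try      = { param($Dc, $Op) $Op -eq 'BACKUPKEY_BACKUP_GUID' }

'--- hardened default (EnableWeakCryptography absent) ---'
$r1 = Invoke-BkrpClientWrap -TryOperation $try -DiscoverDc $discover
$r1.Log; "Result: $($r1.Result)"

'--- EnableWeakCryptography = 1 ---'
$r2 = Invoke-BkrpClientWrap -TryOperation $try -DiscoverDc $discover -EnableWeakCryptography $true
$r2.Log; "Result: $($r2.Result) via $($r2.Operation)"
```

<p class="MsoNormal">With the hardened default the model shows two BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID attempts separated by one rediscovery and then an error, which is what a client talking to a server whose public-key retrieval fails should produce in the trace; with the override set, two further BACKUPKEY_BACKUP_GUID attempts follow before the client gives up.</p>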
</div>
</body>
</html>