[cifs-protocol] GUI and AD LDAP settings required to enable FAST

Andrew Bartlett abartlet at samba.org
Tue Apr 27 09:38:54 UTC 2021

On Tue, 2021-04-27 at 10:18 +0200, Stefan Metzmacher via cifs-protocol
> I uploaded the captures here:
> https://www.samba.org/~metze/presentations/2020/SambaXP/captures/fast/
> I guess this was the one that finally worked:
> w2012r2-189-logon-FAST-administrator-w2012r2-l6.base-try-13-client-
> compound-first-kdc-enabled-compound.pcap.gz
> wireshark >= 3.3.0 should be able to decrypt and dissect everything
> using
> w2012r2-l6.base.keytab.20200422

Thanks so much metze.  

Looking at packets 133 -> 156 I think I find the issue Gary was having,
which is that it looks like the Windows KDC doesn't advertise PA-FX-
FAST in an AS-REQ PREAUTH_REQUIRED error (RFC 6113 5.4.2).  


Is my understanding correct?  Do clients just need to know out-of-band
that FAST should be used?  Is there any other easy way to tell that
FAST is configured correctly and operating?


Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the cifs-protocol mailing list