[cifs-protocol] [EXTERNAL] Re: GUI and AD LDAP settings required to enable FAST - TrackingID#2104270040006933
Jeff McCashland
jeffm at microsoft.com
Tue Apr 27 16:28:29 UTC 2021
[DocHelp to BCC, support on CC, SR ID on Subject]
Hi Andrew,
Thank you for engaging us. We have created SR 2104270040006933 to track this issue. One of our engineers will respond soon to assist.
Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback. My manager is Natesha Morrison (namorri), +1 (704) 430-4292
-----Original Message-----
From: metze <metze at samba.org>
Sent: Tuesday, April 27, 2021 3:41 AM
To: Andrew Bartlett <abartlet at samba.org>; Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; gary at samba.org
Subject: [EXTERNAL] Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST
On 27.04.21 at 11:38, Andrew Bartlett wrote:
> On Tue, 2021-04-27 at 10:18 +0200, Stefan Metzmacher via cifs-protocol
> wrote:
>>
>>
>> I uploaded the captures here:
>> https://www.samba.org/~metze/presentations/2020/SambaXP/captures/fast/
>> I guess this was the one that finally worked:
>> w2012r2-189-logon-FAST-administrator-w2012r2-l6.base-try-13-client-compound-first-kdc-enabled-compound.pcap.gz
>> wireshark >= 3.3.0 should be able to decrypt and dissect everything using
>> w2012r2-l6.base.keytab.20200422
>
> Thanks so much metze.
>
> Looking at packets 133 -> 156 I think I find the issue Gary was
> having, which is that it looks like the Windows KDC doesn't advertise
> PA-FX-FAST in an AS-REQ PREAUTH_REQUIRED error (RFC 6113 5.4.2).
>
> Dochelp,
>
> Is my understanding correct? Do clients just need to know out-of-band
> that FAST should be used? Is there any other easy way to tell that
> FAST is configured correctly and operating?
I guess the client gets it from encrypted-pa-data of frame 125, as the response to the initial AS-REQ as machine account.
This maybe together with its applied computer GPOs...
But let's see what dochelp finds...
metze