[cifs-protocol] [EXTERNAL] Re: GUI and AD LDAP settings required to enable FAST - TrackingID#2104270040006933

Jeff McCashland jeffm at microsoft.com
Tue Apr 27 16:28:29 UTC 2021

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Andrew,

Thank you for engaging us. We have created SR 2104270040006933 to track this issue. One of our engineers will respond soon to assist. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: metze <metze at samba.org> 
Sent: Tuesday, April 27, 2021 3:41 AM
To: Andrew Bartlett <abartlet at samba.org>; Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; gary at samba.org
Subject: [EXTERNAL] Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST

Am 27.04.21 um 11:38 schrieb Andrew Bartlett:
> On Tue, 2021-04-27 at 10:18 +0200, Stefan Metzmacher via cifs-protocol
> wrote:
>> I uploaded the captures here:
>> https://www.samba.org/~metze/presentations/2020/SambaXP/captures/fast
>> / I guess this was the one that finally worked:
>> w2012r2-189-logon-FAST-administrator-w2012r2-l6.base-try-13-client-
>> compound-first-kdc-enabled-compound.pcap.gz
>> wireshark >= 3.3.0 should be able to decrypt and dissect everything 
>> using
>> w2012r2-l6.base.keytab.20200422
> Thanks so much metze.  
> Looking at packets 133 -> 156 I think I find the issue Gary was 
> having, which is that it looks like the Windows KDC doesn't advertise 
> PA-FX- FAST in an AS-REQ PREAUTH_REQUIRED error (RFC 6113 5.4.2).
> Dochelp,
> Is my understanding correct?  Do clients just need to know out-of-band 
> that FAST should be used?  Is there any other easy way to tell that 
> FAST is configured correctly and operating?

I guess the client gets it from encrypted-pa-data of frame 125, as the response to the initial AS-REQ as machine account.
This maybe together with its applied computer GPO's...

But lets see what dochelp finds...


More information about the cifs-protocol mailing list