[cifs-protocol] GUI and AD LDAP settings required to enable FAST - TrackingID#2104270040006933

Obaid Farooqi obaidf at microsoft.com
Wed Apr 28 04:56:51 UTC 2021


Hi Andrew:
I'll help you with this issue and will be in touch as soon as I have an answer.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Jeff McCashland <jeffm at microsoft.com> 
Sent: Tuesday, April 27, 2021 11:28 AM
To: metze <metze at samba.org>; Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; gary at samba.org; Jeff McCashland <jeffm at microsoftsupport.com>
Subject: RE: [EXTERNAL] Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST - TrackingID#2104270040006933

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Andrew,

Thank you for engaging us. We have created SR 2104270040006933 to track this issue. One of our engineers will respond soon to assist.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300 We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: metze <metze at samba.org>
Sent: Tuesday, April 27, 2021 3:41 AM
To: Andrew Bartlett <abartlet at samba.org>; Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; gary at samba.org
Subject: [EXTERNAL] Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST

On 27.04.21 at 11:38, Andrew Bartlett wrote:
> On Tue, 2021-04-27 at 10:18 +0200, Stefan Metzmacher via cifs-protocol
> wrote:
>>
>>
>> I uploaded the captures here:
>> https://www.samba.org/~metze/presentations/2020/SambaXP/captures/fast/
>> I guess this was the one that finally worked:
>> w2012r2-189-logon-FAST-administrator-w2012r2-l6.base-try-13-client-compound-first-kdc-enabled-compound.pcap.gz
>> wireshark >= 3.3.0 should be able to decrypt and dissect everything using
>> w2012r2-l6.base.keytab.20200422
>
> Thanks so much metze.
>
> Looking at packets 133 -> 156 I think I find the issue Gary was 
> having, which is that it looks like the Windows KDC doesn't advertise
> PA-FX-FAST in an AS-REQ PREAUTH_REQUIRED error (RFC 6113 5.4.2).
>
> Dochelp,
>
> Is my understanding correct?  Do clients just need to know out-of-band 
> that FAST should be used?  Is there any other easy way to tell that 
> FAST is configured correctly and operating?

I guess the client gets it from encrypted-pa-data of frame 125, as the response to the initial AS-REQ as machine account.
This maybe together with its applied computer GPOs...

But let's see what dochelp finds...

metze
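
An added example (not part of the original thread, and not Samba or Microsoft code): a minimal check of whether the METHOD-DATA carried in the e-data of a KDC_ERR_PREAUTH_REQUIRED error lists PA-FX-FAST (padata type 136, RFC 6113), which is the advertisement discussed in the thread above. The sample byte strings are constructed rather than taken from the captures, and all function names are assumptions for illustration.

```python
PA_FX_FAST = 136  # padata type assigned by RFC 6113

def read_tlv(buf, off):
    """Return (tag, content, next_offset) for one DER TLV at buf[off:]."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[off:off + length], off + length

def padata_types(method_data):
    """List the padata-type values in a DER METHOD-DATA (SEQUENCE OF PA-DATA)."""
    tag, body, _ = read_tlv(method_data, 0)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE")
    types, off = [], 0
    while off < len(body):
        tag, pa, off = read_tlv(body, off)     # one PA-DATA SEQUENCE
        ctx, wrapped, _ = read_tlv(pa, 0)      # [1] padata-type
        itag, ival, _ = read_tlv(wrapped, 0)   # INTEGER inside the [1] tag
        if (tag, ctx, itag) != (0x30, 0xA1, 0x02):
            raise ValueError("malformed PA-DATA")
        types.append(int.from_bytes(ival, "big", signed=True))
    return types

def advertises_fast(method_data):
    """True if the KDC's preauth hint list contains PA-FX-FAST."""
    return PA_FX_FAST in padata_types(method_data)

# --- constructed sample input (not taken from the captures) ---
def _tlv(tag, body):
    assert len(body) < 0x80  # short-form lengths are enough for these samples
    return bytes([tag, len(body)]) + body

def _pa(ptype, value=b""):
    i = ptype.to_bytes(ptype.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(0x30, _tlv(0xA1, _tlv(0x02, i)) + _tlv(0xA2, _tlv(0x04, value)))

SAMPLE_NO_FAST = _tlv(0x30, _pa(19, b"\x30\x00") + _pa(2))
SAMPLE_FAST = _tlv(0x30, _pa(136) + _pa(133, b"cookie") + _pa(138) + _pa(19, b"\x30\x00"))
```

To apply it to a real trace, pass the raw e-data octets of the KRB-ERROR; a result of False only says the hint list omits type 136, not that FAST is disabled on the KDC.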
