[cifs-protocol] Windows Server 2025 PKINIT regression
Alexander Bokovoy
ab at samba.org
Thu Dec 19 12:25:50 UTC 2024
Hi Dochelp,
I believe we are seeing a regression in how Windows Server 2025 handles
Kerberos PKINIT, probably due to algorithm agility rewrite.
Some time ago we updated the MIT Kerberos implementation of PKINIT to
use sha256WithRSAEncryption in supported CMS types and removed
sha1WithRSAEncryption to be compliant with FIPS 140-3.
The commit https://github.com/krb5/krb5/commit/cbfe46ce20f3e9265baa9c648390148c739ab830
is part of MIT Kerberos 1.20 and later releases.
This change worked well for Windows Server versions prior to Windows
Server 2025 release. With Windows Server 2025, the request is rejected
(packet 8 from ad2025.pcap in attached archive):
Kerberos
    Record Mark: 106 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 0110 1010 = Record Length: 106
    krb-error
        pvno: 5
        msg-type: krb-error (30)
        stime: Dec 18, 2024 15:22:36.000000000 CET
        susec: 926640
        error-code: Unknown (79)
        realm: WIN2025-UO83.TEST
        sname
            name-type: kRB5-NT-SRV-INST (2)
            sname-string: 2 items
                SNameString: krbtgt
                SNameString: WIN2025-UO83.TEST
We built a custom version of MIT Kerberos which adds both
sha256WithRSAEncryption and sha1WithRSAEncryption to the list of
supported CMS types and still signs with sha256WithRSAEncryption; it
failed again. The corresponding packet exchange can be seen in
ad2025_sha1.pcap in the attached archive.
Both variants work against Windows Server 2019, so to us this looks like
a regression in the Windows Server 2025 implementation.
If this is not a regression and instead is an intentional change,
could you please make sure MS-PKCA and the other corresponding documents get
updated with the proper logic of the changes.
--
/ Alexander Bokovoy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pkinit-win2025.zip
Type: application/zip
Size: 27300 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20241219/1ce5bdfe/pkinit-win2025.zip>
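As an added illustration of the field the report is about (not code from the post, from MIT Kerberos or from Microsoft): the PKINIT supportedCMSTypes value in the AS-REQ pre-authentication data is a DER SEQUENCE OF AlgorithmIdentifier (RFC 4556). The small decoder below parses such a blob from a capture and reports which signature algorithms the client advertises and whether any of them (sha1WithRSAEncryption) is one a FIPS 140-3 deployment must not use. The two input blobs are constructed here to mirror the two client builds described in the mail; the OID-to-name table uses the standard PKCS#1 OIDs, and the parser handles only the definite-length encodings that appear in this structure.

```python
"""Decode a PKINIT supportedCMSTypes blob (SEQUENCE OF AlgorithmIdentifier).

Minimal DER parser written for this example; it is not MIT Kerberos code.
"""

SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"

# Standard PKCS#1 signature-algorithm OIDs.
KNOWN = {
    SHA1_RSA: "sha1WithRSAEncryption",
    SHA256_RSA: "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

# Signature algorithms a FIPS 140-3 validated module may not use for signing.
NON_FIPS = {SHA1_RSA}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OID content octets into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_supported_cms_types(der):
    """Return the dotted OIDs advertised in a supportedCMSTypes DER blob, in order."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("supportedCMSTypes must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, algid, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("each element must be an AlgorithmIdentifier SEQUENCE")
        oid_tag, oid_bytes, _ = _read_tlv(algid, 0)
        if oid_tag != 0x06:
            raise ValueError("AlgorithmIdentifier must start with an OID")
        oids.append(_decode_oid(oid_bytes))
    return oids


def summarize(der):
    """Return (algorithm names, fips_ok) for a supportedCMSTypes blob."""
    oids = decode_supported_cms_types(der)
    names = [KNOWN.get(o, o) for o in oids]
    fips_ok = not any(o in NON_FIPS for o in oids)
    return names, fips_ok


# Constructed sample input: AlgorithmIdentifier { OID, NULL } for each algorithm.
ALGID_SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")
ALGID_SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")

# List as sent by the post-commit client (SHA-256 only) and by the custom build (both).
CMS_TYPES_SHA256_ONLY = b"\x30\x0f" + ALGID_SHA256_RSA
CMS_TYPES_BOTH = b"\x30\x1e" + ALGID_SHA256_RSA + ALGID_SHA1_RSA

if __name__ == "__main__":
    for label, blob in (("sha256-only", CMS_TYPES_SHA256_ONLY), ("both", CMS_TYPES_BOTH)):
        names, fips_ok = summarize(blob)
        print(f"{label}: {', '.join(names)}; FIPS 140-3 compatible: {fips_ok}")
```

Feeding the decoder the supportedCMSTypes bytes extracted from a capture (Wireshark exports the field as a hex stream) shows at a glance which of the two client variants produced a given AS-REQ; a list that still contains sha1WithRSAEncryption is the one a FIPS-enforcing host cannot send.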