[cifs-protocol] Certificate Auto Enrollment (CES) and Windows 2025

[Andreas Schneider]

Hi Dochelp,


I'm trying to get CEP/CES (Certificate Auto Enrollment) with Samba working 
against Windows 2025. The last time [1] I had issues with CEP and we debugged 
it and I was to fix it.

This time I'm struggling with CES trying to request a user certificate. 
Looking at the IIS logs I can see that I successfully talked to CEP, but I'm 
not able to talk to CES.

2025-12-03 15:20:33 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/
service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.5 - 401 2 5 149
2025-12-03 15:20:33 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/
service.svc/CEP - 443 MARS\alice 192.168.56.247 python-requests/2.32.5 - 200 0 
0 186
2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/
service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 2 5 135
2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/
service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 1 
2148074254 5
2025-12-03 15:20:33 192.168.56.193 POST /MARS-ROOT-CA_CES_Kerberos/
service.svc/CES - 443 - 192.168.56.247 python-requests/2.32.5 - 401 1 
2148074254 0


Sadly I don't see why exactly it gives Unauthorized. I'm happy to create a 
TTrace to figure out why what exactly fails. That often helps to fix the issue 
:-)

My setup is described here:
https://github.com/openSUSE/cepces/blob/master/doc/TESTING_SETUP.md


Looking forward to hear from you.





Best regards


	Andreas



[1] https://lists.samba.org/archive/cifs-protocol/2025-July/004500.html

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D