[cifs-protocol] [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093

Kristian Smith Kristian.Smith at microsoft.com
Sat Feb 8 00:38:51 UTC 2025


Hi Metze,

Thanks again for your patience. The engineering team has confirmed that you found a bug. ServerAuthenticateKerberos() should indeed be called here, but there is an issue in the Server 2025 implementation that causes fallback to ServerAuthenticate3 before hitting the wire. They are working on root cause.

Thank you for your work in finding this bug, and please let me know if you have any additional concerns on this issue.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com

-----Original Message-----
From: Kristian Smith 
Sent: Thursday, February 6, 2025 9:30 AM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093

Hi Metze,

In working with the developers of these Netlogon functions, it appears the use of ServerAuthenticate3() versus ServerAuthenticateKerberos() in trust creation is likely a bug in Server 2025. They are currently investigating and I'll let you know once this is confirmed.

It appears to me that, since MS-NRPC leaves the choice of which authentication function up to the implementer, there aren't any changes needed to the doc in this case. Please let me know if you disagree.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com

-----Original Message-----
From: Stefan Metzmacher <metze at samba.org> 
Sent: Monday, January 27, 2025 10:49 AM
To: Kristian Smith <Kristian.Smith at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093

Hi Kristian,

> Just a quick update on the question about ServerAuthenticateKerberos() between trusted domains. I was able to create a Server 2025 to Server 2025 2-way forest trust and confirmed that it's authenticating with NetrServerAuthenticate3() rather than ServerAuthenticateKerberos(). I'm still, however, discussing this with the PG and I'll continue to send periodic updates until I have a concrete answer as to what doc changes need to be made.

Thanks!
metze

