[cifs-protocol] [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640
Kristian Smith
Kristian.Smith at microsoft.com
Fri Jan 3 22:25:00 UTC 2025
Hi Metze,
I hope 2025 is off to a good start for you.
I've reached a point in my research on this ACCESS_DENIED issue that I need some additional information. I can see some changes in the code that could potentially be the culprit, but I can't be sure until I have a server-side LSASS trace. Can you please provide me with a network trace (as you had done before) along with an LSASS trace of the Server 2025 machine that is sending the ACCESS_DENIED response after GetCapabilities?
Here are some instructions to gather an LSASS trace (all commands are for PowerShell):
1. Tracing a local machine: Run all commands in an elevated PowerShell prompt on the machine.
a. Download TTD.zip from the file share link below.
i. Link: https://aka.ms/ttd/download
b. We need to expand the archive before it can be used. You can also manually extract to C:\TTD.
i. Expand-Archive -Path $env:HOMEDRIVE\$env:HOMEPATH\Downloads\TTD.zip -DestinationPath C:\TTD
c. When ready to repro the issue, run the following commands to begin the trace.
i. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
ii. C:\TTD\TTD.exe -Attach ([int](Get-Process -NAME explorer | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\Trace_Name.run
iii. When the following small window pops up, the trace has begun and you can now reproduce the issue. To end the trace, simply click “Tracing Off”.
d. Once the trace operation is complete, we need to compress the .run file created by TTD for easy transfer.
i. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
ii. Note: If this fails, you may need to restart the traced process to unlock the trace for compression.
1. stop-process -name lsass -force
e. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
i. Link: https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjgxMTA4NjE5MTQzMTQ1NTc0QUYxMjI3NjhGMEIzNDkyRkYyNTczNEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiMDdlMzgxYzMtNmI2OS00MjEwLWJhMWQtM2MyOWIzYjAzZTIyIiwic3IiOiIyNDEyMTgwMDQwMDEwNjQwIiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiZWY1NTJlNDEtZDAzMi00NjU4LTk5ZWEtYmVhMjdhMDE2NDhlIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3MzU5NDE0NDIsImV4cCI6MTc0MzcxNzQ0MiwiaWF0IjoxNzM1OTQxNDQyLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.GyR4YzEDaMptCMEHDid7cgmRAjXtjI75BBWYLkekPBgjKNiZ3qonvHpqujT6H16S9PXLO60FCq8-vpY5Bvft03b7i_JYc3r9mbe89XJ3Dj6icDOTQITMnX0TBBTMHdyqqEmtqBSFm-fshwCSsO0Q-y51ciFISs7I6Yblp4QSNSJiSOefDmGN3n-G2VxkAbb89JPMMDJC9TQGlrjNILfTAMSGZtOoLMiOu4hIUtpXkaeEoz7tR5l8KtkofOFysoAPdPrqC4M--Uw8z3sz1HRbCHtyKqWalechvpnioVeGMAzqTZ1_Jl-_bgSt6011vuGss3SPa9-CUavspMc4HIdgWg&wid=07e381c3-6b69-4210-ba1d-3c29b3b03e22
Thanks for your help!
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com
-----Original Message-----
From: Kristian Smith
Sent: Thursday, December 26, 2024 5:25 PM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640
Hi Metze,
Your patience is appreciated while I continue to investigate your question regarding ServerAuthenticateKerberos(). I'll share an update as soon as I have one.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com
-----Original Message-----
From: Kristian Smith
Sent: Wednesday, December 18, 2024 10:05 AM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640
[Mike to Bcc]
Hi Metze,
Thanks for reaching out with your question. I'll be looking into this issue and will be in touch as soon as I have information to share.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com
-----Original Message-----
From: Michael Bowen <Mike.Bowen at microsoft.com>
Sent: Wednesday, December 18, 2024 9:14 AM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640
[DocHelp to bcc]
Hi Stefan,
Thanks for your question about Kerberos authentication. I have created case number 2412180040010640 to track this issue, please leave the number in the subject line when communicating with our team. One of our engineers will contact you soon.
Best regards,
Michael Bowen
Sr. Escalation Engineer - Microsoft® Corporation
-----Original Message-----
From: Stefan Metzmacher <metze at samba.org>
Sent: Wednesday, December 18, 2024 7:00 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] ServerAuthenticateKerberos() not usable for
Hi DocHelp,
while implementing ServerAuthenticateKerberos() in Samba, I found a strange behavior when using it for TrustedDnsDomainSecureChannel.
When I'm using it as a client the following LogonGetCapabilities() gets ACCESS_DENIED.
For all other network visible NETLOGON_SECURE_CHANNEL_TYPE values:
WorkstationSecureChannel, ServerSecureChannel, CdcServerSecureChannel and even TrustedDomainSecureChannel (used for downlevel NT4 trusts) it works as expected.
I'm testing with a Windows 2025 preview build, but I guess there are no related changes compared to the final version...
I also noticed that the Windows DC doesn't try to use ServerAuthenticateKerberos() when connecting to a DC of a trusted domain.
Is this behavior intended?
Is there a flag on the TDO object to allow it to work?
I've attached a network capture that shows the problem.
The problem happens in frames 1528-1531.
All others are just there to show it's working...
With a nightly build of wireshark you should be able to decrypt all kerberos and netlogon secure channel traffic.
Thanks for any help you can provide!
metze
More information about the cifs-protocol
mailing list