[cifs-protocol] [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640
Kristian Smith
Kristian.Smith at microsoft.com
Wed Jan 8 00:53:07 UTC 2025
Hi Metze,
The lastest code changes in this area were released in the first servicing/security update for the mainstream version of Server 2025, so you'd need the first update. That said, I can't guarantee this update fixed the issue you were seeing without traces at the time of the error. This is my best guess with the network trace you provided and my own code research.
As far as client-side fixes, if you're referring to this code change, it does not look like the client was modified.
If you have any further questions, please let me know.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com
-----Original Message-----
From: Stefan Metzmacher <metze at samba.org>
Sent: Tuesday, January 7, 2025 9:29 AM
To: Kristian Smith <Kristian.Smith at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640
Hi Kristian,
> I've reached a point in my research on this ACCESS_DENIED issue that I need some additional information.
> I can see some changes in the code that could potentially be the
> culprit, but I can't be sure until I have a server-side LSASS trace. >
> Can you please provide me with a network trace (as you had done
> before) along with an LSASS trace of the Server 2025 machine that is
> sending the ACCESS_DENIED response
after GetCapabilities?
I've installed all updates and it's now fixed!
Was the fix included in the first (non-preview) version of Server 2025 or only in the December update?
Are there also client side fixes, so that windows uses AuthenticateKerberos also for trusts?
Thanks!
metze
More information about the cifs-protocol
mailing list