[cifs-protocol] [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093
Kristian Smith
Kristian.Smith at microsoft.com
Mon Jan 27 18:47:36 UTC 2025
Hi Metze,
Just a quick update on the question about ServerAuthenticateKerberos() between trusted domains. I was able to create a Server 2025 to Server 2025 2-way forest trust and confirmed that it's authenticating with NetrServerAuthenticate3() rather than ServerAuthenticateKerberos(). I'm still, however, discussing this with the PG and I'll continue to send periodic updates until I have a concrete answer as to what doc changes need to be made.
Thanks for your patience.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com
-----Original Message-----
From: Kristian Smith
Sent: Friday, January 17, 2025 7:57 AM
To: 'Stefan Metzmacher' <metze at samba.org>
Cc: 'cifs-protocol at lists.samba.org' <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093
Hi Metze,
I just wanted to let you know that I'm still working to get a confirmation from the engineering team whether this is expected behavior. I'll update you as soon as I have information to share.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com
-----Original Message-----
From: Kristian Smith
Sent: Wednesday, January 8, 2025 6:28 PM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093
Hi Metze,
I'm going to reach out to the engineering team to try to get a better understanding of the client behavior in trust environments. I'll let you know what I learn.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com
-----Original Message-----
From: Stefan Metzmacher <metze at samba.org>
Sent: Wednesday, January 8, 2025 3:22 AM
To: Kristian Smith <Kristian.Smith at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640
Hi Kristian,
> The latest code changes in this area were released in the first servicing/security update for the mainstream version of Server 2025, so you'd need the first update.
Ok, thanks!
> That said, I can't guarantee this update fixed the issue you were seeing without traces at the time of the error.
> This is my best guess with the network trace you provided and my own code research.
I re-ran the tests and it all works now, also for trusts.
> As far as client-side fixes, if you're referring to this code change, it does not look like the client was modified.
> If you have any further questions, please let me know.
I'm just wondering why a Windows 2025 DC does not try ServerAuthenticateKerberos at all against trusted domains.
I was just wondering why the server problem was detected and fixed when there's no software out in the wild triggering that code path.
So I guessed that the client code in Windows has also changed.
Can you find out why Windows doesn't even try it for trusted domains?
Maybe there's a flag on the trustedDomain object to activate it?
It would be good to know.
Thanks!
metze