Hi Dochelp, I'm trying to get CEP/CES (Certificate Auto Enrollment) with Samba working against Windows 2025. This was working fine against earlier versions of Windows but I can't get Kerberos authentication working against CEP/CES configured on Windows Server 2025.
I've followed the How-to guides at https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/ to set up the Certificate services. I distilled out a set of reproducible steps using PowerShell commands. I set up an AD DC and a domain member for the Certification Authority and its services. You can find them here: https://hackmd.io/@asn/SkHk8rXBz

If I try to get the certificate templates on Linux using our cepces client implementation, I'm always getting:

    requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

Looking at the ticket cache, we have the correct ticket:

    Default principal: FEDORA2$@MARS.MILKYWAY.SITE

    Valid starting       Expires              Service principal
    07/01/25 09:12:23    07/01/25 19:12:23    krbtgt/mars.milkyway.s...@mars.milkyway.site
            renew until 07/08/25 09:12:23
    07/01/25 09:12:23    07/01/25 19:12:23    HTTP/win-ca01.mars.milkyway.site@
            renew until 07/08/25 09:12:23
            Ticket server: HTTP/win-ca01.mars.milkyway.s...@mars.milkyway.site

But it looks like the IIS server doesn't accept the Kerberos ticket; the IIS logs show:

    #Software: Microsoft Internet Information Services 10.0
    #Version: 1.0
    #Date: 2025-07-01 07:11:16
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    2025-07-01 07:11:16 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 243
    2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 2
    2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 14
    2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 0
    2025-07-01 07:16:18 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 0
    2025-07-01 07:17:42 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 0

I'm not able to figure out why the IIS server doesn't allow authenticating with the ticket. I didn't find anything that I could enable for advanced logging here to figure out why it doesn't want to accept the ticket. Could you help trying to find out what the issue is? I can create a TTrace if that helps!

Thank you very much.

Best regards

Andreas

-- 
Andreas Schneider                 a...@samba.org
Samba Team                        www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
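The IIS log excerpt above carries more diagnostic detail than the bare 401 suggests: IIS records a substatus (401.1 vs. 401.2) and a Win32/HRESULT code in sc-win32-status. The following is an added example, not part of the message or of cepces, that parses the W3C log format using its #Fields header and decodes those two columns into their documented symbolic names. The decimal value 2148074310 is 0x80090346, which winerror.h defines as SEC_E_BAD_BINDINGS ("the client's supplied SSPI channel bindings were incorrect"), the error SSPI raises when the channel binding token in the Kerberos AP-REQ does not satisfy the server's Extended Protection for Authentication setting. Whether that setting is the cause in this particular deployment is not established by the message; the decode only states what the logged code means. The sample records are copied from the excerpt above, reflowed to one line per record; the status tables are limited to values the author of this example is certain of.

```python
"""Decode IIS W3C extended log records for failed Negotiate/Kerberos requests.

Added example (not from the mailing-list post or cepces). Parses the
#Fields header, zips each record with its field names, and translates the
sc-status / sc-substatus / sc-win32-status triple into symbolic names so a
defender can see *why* IIS answered 401 instead of just *that* it did.
"""
from typing import Dict, List

# Records copied from the log excerpt in the message, one per line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-01 07:11:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-01 07:11:16 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 243
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 14
"""

# IIS substatus codes for HTTP 401 (from Microsoft's IIS status code reference).
SUBSTATUS_401 = {
    1: "401.1 Logon failed",
    2: "401.2 Logon failed due to server configuration",
    3: "401.3 Unauthorized due to ACL on resource",
    4: "401.4 Authorization failed by filter",
    5: "401.5 Authorization failed by ISAPI/CGI application",
}

# Win32 / HRESULT values (winerror.h) commonly seen in sc-win32-status for
# authentication failures.
WIN32_STATUS = {
    5: "ERROR_ACCESS_DENIED",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090346: "SEC_E_BAD_BINDINGS (client's SSPI channel bindings were incorrect)",
}


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields matters for parsing.
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"record has {len(values)} fields, header declares {len(fields)}: {line!r}"
            )
        records.append(dict(zip(fields, values)))
    return records


def decode_win32_status(value: str) -> str:
    """Render sc-win32-status as decimal, hex HRESULT and symbolic name."""
    code = int(value)
    name = WIN32_STATUS.get(code, "unknown")
    return f"{code} (0x{code:08X}) {name}"


def explain_auth_failures(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Collect every 401 record with its substatus and Win32 status explained."""
    explained = []
    for rec in records:
        if rec["sc-status"] != "401":
            continue
        sub = int(rec["sc-substatus"])
        explained.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "uri": rec["cs-uri-stem"],
            "substatus": SUBSTATUS_401.get(sub, f"401.{sub} unknown"),
            "win32": decode_win32_status(rec["sc-win32-status"]),
        })
    return explained


if __name__ == "__main__":
    for failure in explain_auth_failures(parse_w3c_log(SAMPLE_LOG)):
        print(f"{failure['time']} {failure['client']} {failure['uri']}")
        print(f"    {failure['substatus']}")
        print(f"    win32: {failure['win32']}")
```

Run against the real log file, the second pattern (401.1 with 0x80090346) is the one to look at first: 401.2 with ERROR_ACCESS_DENIED is the unauthenticated initial request that IIS answers with a WWW-Authenticate challenge, whereas 401.1 with SEC_E_BAD_BINDINGS is IIS rejecting the token the client actually presented, and the symbolic name points at the channel-binding check rather than at the ticket itself.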