Hi Andreas,

In order to best troubleshoot this issue, it does appear that a TT Trace will 
be the best option. I've created the following steps to gather an lsass trace 
from our modern OS versions. Please gather a simultaneous network trace, if 
possible, as well. I have added the text-based instructions below for 
collecting the TT Trace and attached a formatted version as a docx to the 
email. These instructions are rather new, so please let me know if you 
encounter any difficulties.

Lsass Tracing on Windows 11 and Server 2025
1.      Download and run the TTD.appinstaller from our website using the 
following link. Note: An End-User License Agreement (EULA) will appear in a 
command window that you will need to approve.
        a.      Link: https://aka.ms/ttd/download
2.      We need to run lsass.exe as a non-protected process and disable Shadow 
Stacks so that we can run the trace. Run the following commands in an 
administrator-elevated PowerShell instance, then restart the machine. Warning: 
This should not be done on a machine exposed to the Internet.
        a.      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
        b.      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
3.      When ready to repro the issue, run the following commands to create a 
destination folder and begin the trace. Run the following commands in an 
elevated PowerShell instance.
        a.      mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
        b.      TTD -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\lsass.run
        c.      When the following small window pops up, the trace has begun 
and you can now reproduce the issue. To end the trace, simply click "Tracing 
Off".
                i.       (screenshot of the TTD tracing window; see the attached docx)
4.      Once the trace operation is complete, we need to compress the .run file 
created by TTD for easy transfer. Run the following command in an elevated 
PowerShell instance.
        a.      Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
5.      Now we must undo the security changes made prior to taking the trace. 
Run the following commands in an elevated PowerShell instance, then restart the 
machine. After reboot, you are safe to reconnect the computer to the Internet.
        a.      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
        b.      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
6.      Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
        a.      Link: 
https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjUwNjQwRTE0NEREODg5MzE5NzYzRTBFNjM5RjMzNjdFQUNDNzlBRDAiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiZDlhZDdlZjYtNTQ2MS00ZTg0LWE0YzAtNzdhNzQ1N2Y0NDg0Iiwic3IiOiIyNTA3MDEwMDQwMDA2OTY0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiMzhkNzY3ZTMtZmRkYy00NGQwLThjMjQtOWRhNjE0OWMyMTBkIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3NTE5MjAyNjMsImV4cCI6MTc1OTY5NjI2MywiaWF0IjoxNzUxOTIwMjYzLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.IrYHu5Pz3IJW7_XS47LnPyXFyccmZi-7EMM32lg-k2IhxyGnGWWRiQ36aRI5f9XEiTzYtqO_oTgexVKcAOVUFXxdOodrPXytAd4eJnK3y13GvXBY2Y5Z6odJHySMNaK4h5BWLMEB43UYJLMmF9R0Gwtmb0yY99BpXzrhi88VW8YE21FGoWPrCHrn5Hce_2QZRHJxcvc6j2AK6vCRY84upqmwOUvP8GsSO6swyMEoEp4gWZ5NttuUX77KW9Vx7zQfA1FZ_fmaEy30qYw-JSvbckb0os3ZSemU9BPsL5n7h2oQeGkjpHzWOnE5TTlnFCqxsK2CyUxrbs0BhHsJkB4FAA&wid=d9ad7ef6-5461-4e84-a4c0-77a7457f4484

Thanks for your help!

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft(r) Corporation
Email: kristian.sm...@microsoft.com
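Added example (not part of Kristian's mail or the attached docx): a helper script around the tracing steps above. It computes the trace folder name once so that the folder, the TTD output and the zip in steps 3, 4 and 6 stay consistent even if the repro crosses midnight, refuses to attach while the registry still shows lsass as protected, and reports whether the step-2 weakening is configured or the step-5 revert has been applied. Function names, and the Wininit event provider name used for the boot-time check, are assumptions; registry paths and values come from the steps in the mail.

```powershell
# Added example, not from the original mail. Run in an elevated PowerShell.
$LsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$KernelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'

function Get-LsassHardeningState {
    # Reads the two registry values the procedure changes. Both take effect only
    # after a reboot, so this is the *configured* state, not the live one.
    $lsa    = Get-ItemProperty -Path $LsaPath    -ErrorAction SilentlyContinue
    $kernel = Get-ItemProperty -Path $KernelPath -ErrorAction SilentlyContinue
    $ppl = $lsa.RunAsPPL                          # $null when the value is absent
    $css = $kernel.UserShadowStacksForceDisabled  # $null when the value is absent
    [pscustomobject]@{
        RunAsPPL                      = $ppl
        UserShadowStacksForceDisabled = $css
        # Step 2 applied: lsass unprotected and user shadow stacks forced off
        TraceModeConfigured           = ($ppl -eq 0 -and $css -eq 1)
        # Step 5 applied: PPL back on and shadow stacks no longer forced off
        HardeningRestored             = ($ppl -eq 1 -and ($null -eq $css -or $css -eq 0))
    }
}

function Get-LsassProtectionAtBoot {
    # Live check: Wininit logs System event 12 at boot when LSASS started as a
    # protected process (provider name assumed here). No such event since the
    # last boot means lsass is currently running unprotected.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $evt  = Get-WinEvent -FilterHashtable @{
                LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $boot
            } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) { $evt.Message } else { 'No LSASS protected-process start event since last boot' }
}

function New-LsassTraceFolder {
    # Steps 3 and 4 each evaluate Get-Date separately; compute the name once and reuse it.
    $folder = "C:\Traces_$(Get-Date -Format 'dd-MMM-yyyy')"
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    $folder
}

function Start-LsassTtdTrace {
    param([Parameter(Mandatory)][string]$Folder)
    $state = Get-LsassHardeningState
    if (-not $state.TraceModeConfigured) {
        throw 'Registry does not show step 2 applied; TTD needs lsass running unprotected.'
    }
    # Same attach as step 3b; (Get-Process).Id is the direct way to obtain the PID.
    $lsassPid = (Get-Process -Name lsass).Id
    TTD -Attach $lsassPid -out (Join-Path $Folder 'lsass.run')
}

function Compress-LsassTrace {
    # Step 4, zip named after the same folder that was traced into.
    param([Parameter(Mandatory)][string]$Folder)
    $zip = "$Folder.zip"
    Compress-Archive -Path $Folder -DestinationPath $zip -Force
    $zip
}

function Restore-LsassHardening {
    # Step 5: put both values back. Reboot afterwards, then re-run
    # Get-LsassHardeningState and Get-LsassProtectionAtBoot to confirm.
    Set-ItemProperty -Path $LsaPath    -Name 'RunAsPPL'                      -Value 1 -Type DWord
    Set-ItemProperty -Path $KernelPath -Name 'UserShadowStacksForceDisabled' -Value 0 -Type DWord
    Get-LsassHardeningState
}

# Typical flow after the step-2 reboot:
#   $f = New-LsassTraceFolder; Start-LsassTtdTrace -Folder $f   # reproduce, then click "Tracing Off"
#   Compress-LsassTrace -Folder $f                              # upload this zip (step 6)
#   Restore-LsassHardening; Restart-Computer                    # step 5
```

The point of the pre-attach check is that the registry change and the reboot are easy to get out of order; the boot-time event check complements it by showing what lsass is actually running as right now, which is also the check to repeat after the step-5 revert before reconnecting the machine.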

-----Original Message-----
From: Kristian Smith
Sent: Tuesday, July 1, 2025 8:45 AM
To: Andreas Schneider <a...@samba.org>
Cc: cifs-protocol <cifs-protocol@lists.samba.org>; Microsoft Support 
<supportm...@microsoft.com>
Subject: RE: [EXTERNAL] Certificate Auto Enrollment (CEP/CES) and Windows 2025 
- TrackingID#2507010040006964

[DocHelp to Bcc]

Hi Andreas,

Thanks for reaching out with your Certificate Auto-enrollment question. I've 
created case 2507010040006964 to track the issue. I will research this and be 
in touch soon.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft(r) Corporation
Email: kristian.sm...@microsoft.com

-----Original Message-----
From: Andreas Schneider <a...@samba.org>
Sent: Tuesday, July 1, 2025 12:38 AM
To: Interoperability Documentation Help <doch...@microsoft.com>; cifs-protocol 
<cifs-protocol@lists.samba.org>
Subject: [EXTERNAL] Certificate Auto Enrollment (CEP/CES) and Windows 2025

Hi Dochelp,

I'm trying to get CEP/CES (Certificate Auto Enrollment) with Samba working 
against Windows 2025. This was working fine against earlier versions of Windows 
but I can't get Kerberos authentication working against CEP/CES configured on 
Windows Server 2025.

I've followed the How-to guides at

https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/

to set up the Certificate services. I distilled out a set of reproducible steps 
using Powershell commands. I set up an AD DC and a domain member for the 
Certification Authority and its services.

You can find them here:

https://hackmd.io/@asn/SkHk8rXBz


If I try to get the certificate templates on Linux using our cepces client 
implementation, I'm always getting:


requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url:
https://win-ca01.mars.milkyway.site/ADPolicyProvider_CEP_Kerberos/service.svc/
CEP


Looking at the ticket cache, we have the correct ticket:


Default principal: FEDORA2$@MARS.MILKYWAY.SITE

Valid starting     Expires            Service principal
07/01/25 09:12:23  07/01/25 19:12:23  krbtgt/ 
mars.milkyway.s...@mars.milkyway.site
        renew until 07/08/25 09:12:23
07/01/25 09:12:23  07/01/25 19:12:23  HTTP/win-ca01.mars.milkyway.site@
        renew until 07/08/25 09:12:23
        Ticket server: HTTP/win-ca01.mars.milkyway.s...@mars.milkyway.site



But it looks like the IIS server doesn't accept the Kerberos ticket, the 
IIS logs show:

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-01 07:11:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-01 07:11:16 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 243
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 2
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 14
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 0
2025-07-01 07:16:18 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 0
2025-07-01 07:17:42 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 0


I'm not able to figure out why the IIS server doesn't allow authentication 
with the ticket. I didn't find any advanced logging that I could enable here 
to figure out why it doesn't want to accept the ticket.


Could you help find out what the issue is?


I can create a TTrace if that helps!


Thank you very much.


Best regards


        Andreas


--
Andreas Schneider                      a...@samba.org
Samba Team                             http://www.samba.org/
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
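Added example, not part of Andreas's mail: a small parser for the IIS W3C log lines quoted above, which groups the 401 responses by sc-substatus and shows sc-win32-status as hex so it can be looked up against the SSPI/Kerberos error codes in winerror.h. In IIS a 401.2 with win32 status 5 is typically the unauthenticated request being challenged, while the 401.1 with the large SSPI-style code is the failure of the Negotiate token that followed, so the hex value of that second group is the one worth looking up. The sample log is constructed from two of the lines in the mail; function names are assumed.

```powershell
# Added example, not from the original mail. Sample constructed from the excerpt above.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-01 07:11:16 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 2 5 243
2025-07-01 07:12:23 192.168.56.193 POST /ADPolicyProvider_CEP_Kerberos/service.svc/CEP - 443 - 192.168.56.247 python-requests/2.32.3 - 401 1 2148074310 14
'@

function ConvertFrom-IisW3cLog {
    # Turns W3C extended log lines into objects keyed by the names in the #Fields header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = ($Matches[1].Trim() -split '\s+'); continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        $entry  = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Get-Iis401Summary {
    # Groups 401 responses by (substatus, win32 status) and renders the win32
    # status as hex, which is how SSPI/Kerberos codes are listed in winerror.h.
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Where-Object { $_.'sc-status' -eq '401' } |
        Group-Object -Property 'sc-substatus', 'sc-win32-status' |
        ForEach-Object {
            $sub, $win32 = $_.Name -split ',\s*'
            [pscustomobject]@{
                HttpStatus = "401.$sub"
                Win32Dec   = [uint32]$win32
                Win32Hex   = '0x{0:X8}' -f [uint32]$win32
                Count      = $_.Count
                Clients    = (($_.Group.'c-ip' | Sort-Object -Unique) -join ',')
            }
        }
}

$entries = ConvertFrom-IisW3cLog -Lines ($SampleLog -split "`r?`n")
Get-Iis401Summary -Entries $entries | Format-Table -AutoSize
```

Point the parser at a real file with `ConvertFrom-IisW3cLog -Lines (Get-Content $logPath)`; the field names are taken from the header, so it copes with a differently configured W3C field set as long as sc-status, sc-substatus, sc-win32-status and c-ip are logged.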


Attachment: lsass_TTD_Win11Server25 - 2507010040006964.docx
Description: lsass_TTD_Win11Server25 - 2507010040006964.docx

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
