Hi Kristian,
I enabled the two group policies and set all of the algorithms to
‘supported’, but I still get the same
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error code.
Cheers,
Jennifer (she/her)
On 23/08/25 4:44 am, Kristian Smith wrote:
[Jeff to Bcc]
Hi Jennifer,
From the code, the most likely reason you’re seeing this error is
because Server 2025 is rejecting the chosen hashing algorithm. Please
visit the following link to see the security baseline updates for Server
2025:
Windows Server 2025, security baseline | Microsoft Community Hub
<https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733>
If you scroll down to “Configure hash algorithms for certificate logon”,
you’ll see what I think is applicable to this scenario. There are 2
group policies that may help in testing:
Computer Configuration->Administrative Templates->System->KDC->Configure hash algorithms for certificate logon
Computer Configuration->Administrative Templates->System->Kerberos->Configure hash algorithms for certificate logon
These should allow you to explicitly allow certain hashing algorithms.
If this does not work, let me know and I’ll send the instructions to
gather an LSASS trace to look a bit deeper into your scenario.
*Regards,*
*Kristian Smith*
Support Escalation Engineer | Microsoft® Corporation
*Email*: kristian.sm...@microsoft.com
*From:* Jeff McCashland (He/him) <je...@microsoft.com>
*Sent:* Friday, August 22, 2025 6:43 AM
*To:* Jennifer Sutton <jsut...@samba.org>; cifs-protocol@lists.samba.org
*Cc:* Microsoft Support <supportm...@microsoft.com>
*Subject:* Re: [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
Hi Jennifer,
Thank you for your question. We have created SR 2508220040003919 to
track this issue. One of our engineers will respond soon to assist.
Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
(UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
------------------------------------------------------------------------
*From:* Jennifer Sutton <jsut...@samba.org>
*Sent:* Thursday, August 21, 2025 10:10 PM
*To:* cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>; Interoperability Documentation Help <doch...@microsoft.com>
*Subject:* [EXTERNAL] [MS-KILE] PK‐INIT and
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED
Hi dochelp,
I’m performing tests against Windows Server 2025 and finding that
PK‐INIT requests always receive the response
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. The same requests made to
Windows Server 2019 succeed. Could you help me find out why I’m getting
this error?
Cheers,
Jennifer (she/her)
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol