Hello Jennifer, I'm a maintainer of MIT krb5 for Fedora and CentOS/RHEL. Can I ask about your client side environment? Are you using Heimdal or MIT krb5?
Earlier this year we faced a similar interoperability problem between MIT krb5 and AD 2025. This was caused by the introduction of the new paChecksum2 sequence in MS-PKCA. This was implemented in MIT krb5 (released in version 1.22.1): https://github.com/krb5/krb5/pull/1411

Your problem seems slightly different because the KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error is returned, while in our case it was KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED. However, I remember the algorithms used to sign CMS data were also mentioned in the discussions we had with DocHelp. There are pointers to these discussions in this pull request.

This can help a bit hopefully,

Julien Rische

On Thu, Aug 28, 2025 at 12:45 AM Kristian Smith via cifs-protocol <cifs-protocol@lists.samba.org> wrote:
> Hi Jennifer,
>
> Thanks for uploading the trace. I wanted to let you know that I'll be out of the office until the 2nd of September, so I'll inspect it when I return. If this is an urgently blocking issue, or you have other questions, please reach out to doch...@microsoft.com during my absence.
>
> Thanks for your patience.
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Email: kristian.sm...@microsoft.com
>
> -----Original Message-----
> From: Jennifer Sutton <jsut...@samba.org>
> Sent: Tuesday, August 26, 2025 7:31 PM
> To: Kristian Smith <kristian.sm...@microsoft.com>
> Cc: Microsoft Support <supportm...@microsoft.com>; cifs-protocol@lists.samba.org
> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
>
> Hi Kristian,
>
> I've captured traces and uploaded them to the secure file share.
>
> Cheers,
> Jennifer (she/her)
>
> On 27/08/25 5:17 am, Kristian Smith wrote:
> > Hi Jennifer,
> >
> > Thanks for giving that a try. Here are the instructions for gathering and uploading an Lsass trace:
> >
> > Lsass Tracing
> >
> > 1. Download and run the TTD.appinstaller from our website using the following link. Note: An End-User License Agreement (EULA) will appear in a command window that you will need to approve.
> >    a. Link: https://aka.ms/ttd/download
> >
> > 2. We need to run lsass.exe as a non-protected process and disable Shadow Stacks so that we can run the trace. Run the following commands in an administrator-elevated PowerShell instance, then restart the machine. Warning: This should not be done on a machine exposed to the Internet.
> >    a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
> >    b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 1 /f
> >
> > 3. When ready to repro the issue, run the following commands to create a destination folder and begin the trace. Run the following commands in an elevated PowerShell instance.
> >    a. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
> >    b. TTD -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\lsass.run
> >    c. When the small window pops up, the trace has begun and you can now reproduce the issue. To end the trace, simply click "Tracing Off".
> >
> > 4. Once the trace operation is complete, we need to compress the .run file created by TTD for easy transfer. Run the following command in an elevated PowerShell instance.
> >    a. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
> >    b. Note: If this fails, you may need to restart the traced process to unlock the trace for compression. Using the following command, Lsass will restart automatically.
> >       1. stop-process -name lsass -force
> >
> > 5. Now we must undo the security changes made prior to taking the trace. Run the following commands in an elevated PowerShell instance, then restart the machine. After reboot, you are safe to reconnect the computer to the Internet.
> >    a. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
> >    b. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v "UserShadowStacksForceDisabled" /t REG_DWORD /d 0 /f
> >
> > 6. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
> >    a. Link: https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjUwNjQwRTE0NEREODg5MzE5NzYzRTBFNjM5RjMzNjdFQUNDNzlBRDAiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiOGQ5OTI3ZGUtNGJhYi00ZGEzLWI0NDgtNWNlNjUyZTdkMGNkIiwic3IiOiIyNTA4MjIwMDQwMDAzOTE5Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiZjc0NmQyNWQtZmY3MS00MjU1LWEyMmUtY2Y4MmE4Y2RmNDJiIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3NTYyMjgxMzUsImV4cCI6MTc2NDAwNDEzNCwiaWF0IjoxNzU2MjI4MTM1LCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.A3gXawCQqeLZ7evd_LpSmkexJY53FfxDjTlKHYk8A7Kan-vQwCGg6UA4KWFXqFx_QNMrX3JtdLVmboAFp_dZiGJ0l0YhVPYGqqyg4Ojb1l115bmPeF0DUaUoHabHnseTMi2opBWtKMsFg4VhLRbuo0aAi0gAP8aT6Rf8XO8KY54B1j5cKuFj98o32y9YGvB9EUUxW3F7JYNWtWtDNoFD_GCg83k41lNqX_23XtmpV_nec74qPa4zZWxxkvnt0j0B9sqX4ImqAIahaN_T8m68LIjijR8i_c4Oc5hcUVf7WVpkiGrzGHy7nMxoW0ZGIPrjPrsbAiRFZvyMjan2GXUwVQ&wid=8d9927de-4bab-4da3-b448-5ce652e7d0cd
> >
> > Please let me know if you have any questions or issues with the process outlined above. Thanks for your time.
> >
> > Regards,
> > Kristian Smith
> > Support Escalation Engineer | Microsoft® Corporation
> > Email: kristian.sm...@microsoft.com
> >
> > -----Original Message-----
> > From: Jennifer Sutton <jsut...@samba.org>
> > Sent: Sunday, August 24, 2025 4:34 PM
> > To: Kristian Smith <kristian.sm...@microsoft.com>
> > Cc: Microsoft Support <supportm...@microsoft.com>; cifs-protocol@lists.samba.org
> > Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
> >
> > Hi Kristian,
> >
> > I enabled the two group policies and set all of the algorithms to 'supported', but I still get the same KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error code.
> >
> > Cheers,
> > Jennifer (she/her)
> >
> > On 23/08/25 4:44 am, Kristian Smith wrote:
> >> [Jeff to Bcc]
> >>
> >> Hi Jennifer,
> >>
> >> From the code, the most likely reason you're seeing this error is because Server 2025 is rejecting the chosen hashing algorithm. Please visit the following link to see the security baseline updates for Server 2025:
> >>
> >> Windows Server 2025, security baseline | Microsoft Community Hub
> >> <https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733>
> >>
> >> If you scroll down to "Configure hash algorithms for certificate logon", you'll see what I think is applicable to this scenario. There are 2 group policies that may help in testing:
> >>
> >> Computer Configuration->Administrative Templates->System->KDC->Configure hash algorithms for certificate logon
> >>
> >> Computer Configuration->Administrative Templates->System->Kerberos->Configure hash algorithms for certificate logon
> >>
> >> These should allow you to explicitly allow certain hashing algorithms. If this does not work, let me know and I'll send the instructions to gather an LSASS trace to look a bit deeper into your scenario.
> >>
> >> Regards,
> >> Kristian Smith
> >> Support Escalation Engineer | Microsoft® Corporation
> >> Email: kristian.sm...@microsoft.com
> >>
> >> From: Jeff McCashland (He/him) <je...@microsoft.com>
> >> Sent: Friday, August 22, 2025 6:43 AM
> >> To: Jennifer Sutton <jsut...@samba.org>; cifs-protocol@lists.samba.org
> >> Cc: Microsoft Support <supportm...@microsoft.com>
> >> Subject: Re: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED - TrackingID#2508220040003919
> >>
> >> Hi Jennifer,
> >>
> >> Thank you for your question. We have created SR 2508220040003919 to track this issue. One of our engineers will respond soon to assist.
> >>
> >> Best regards,
> >> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
> >> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> >> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> >>
> >> ------------------------------------------------------------------------
> >> From: Jennifer Sutton <jsut...@samba.org>
> >> Sent: Thursday, August 21, 2025 10:10 PM
> >> To: cifs-protocol@lists.samba.org; Interoperability Documentation Help <doch...@microsoft.com>
> >> Subject: [EXTERNAL] [MS-KILE] PK‐INIT and KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED
> >>
> >> Hi dochelp,
> >>
> >> I'm performing tests against Windows Server 2025 and finding that PK‐INIT requests always receive the response KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. The same requests made to Windows Server 2019 succeed. Could you help me find out why I'm getting this error?
> >>
> >> Cheers,
> >> Jennifer (she/her)
> >>
_______________________________________________ cifs-protocol mailing list cifs-protocol@lists.samba.org https://lists.samba.org/mailman/listinfo/cifs-protocol
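Added example, not part of the thread above and not code from MIT krb5, Samba or Windows: a model of the check that produces the error Jennifer is hitting. RFC 4556 section 3.2.2 has the KDC reject a PA-PK-AS-REQ whose CMS SignedData uses a digest algorithm the KDC does not accept, answering with error code 80, KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. The block builds a constructed SignedData skeleton with a chosen digest OID (the signature bytes are a placeholder, not a real RSA signature), extracts every digest algorithm the structure advertises (the top-level digestAlgorithms set and each SignerInfo.digestAlgorithm), and applies an accepted-set policy. STRICT_POLICY and RELAXED_POLICY are assumptions standing in for a SHA-2-only KDC and the same KDC after SHA-1 has been set to "supported" in "Configure hash algorithms for certificate logon"; the real Windows policy mapping is not reproduced here.

```python
"""Added example, not code from the thread, MIT krb5 or Windows: the KDC-side
digest-algorithm check of RFC 4556 section 3.2.2 run over a constructed CMS
SignedData of the kind PA-PK-AS-REQ carries. Policy sets are assumptions."""
import hashlib

# RFC 4556 section 3.1.3 error codes
KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED = 79
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED = 80

OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_RSA = "1.2.840.113549.1.1.1"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_PKINIT_AUTHDATA = "1.3.6.1.5.2.3.1"

# Assumed policies: a SHA-2-only KDC, and the same KDC after SHA-1 is set to "supported".
STRICT_POLICY = {OID_SHA256}
RELAXED_POLICY = STRICT_POLICY | {OID_SHA1}
AUTH_PACK = b"\x30\x00"  # constructed placeholder for the DER-encoded AuthPack

# --- minimal DER helpers, just enough for this structure ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value); value = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        out.append((tag, inner))
    return out

def alg_id(oid):
    return tlv(0x30, enc_oid(oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params

def build_signed_auth_pack(auth_pack, digest_oid):
    """ContentInfo{id-signedData, [0] SignedData} with one SignerInfo. Only the
    digest fields matter here; the signature bytes are a placeholder."""
    signer_info = tlv(0x30,
        tlv(0x02, b"\x01")                                  # version 1
        + tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))    # sid: IssuerAndSerialNumber
        + alg_id(digest_oid)                                # digestAlgorithm
        + alg_id(OID_RSA)                                   # signatureAlgorithm
        + tlv(0x04, hashlib.sha256(auth_pack).digest()))    # placeholder signature
    signed_data = tlv(0x30,
        tlv(0x02, b"\x03")                                  # version 3
        + tlv(0x31, alg_id(digest_oid))                     # digestAlgorithms SET
        + tlv(0x30, enc_oid(OID_PKINIT_AUTHDATA)
              + tlv(0xA0, tlv(0x04, auth_pack)))            # encapContentInfo
        + tlv(0x31, signer_info))                           # signerInfos SET
    return tlv(0x30, enc_oid(OID_SIGNED_DATA) + tlv(0xA0, signed_data))

def digest_algorithms(content_info):
    """Every digest OID the SignedData advertises: the top-level set plus each SignerInfo."""
    _, body, _ = parse_tlv(content_info)
    (_, ctype), (_, explicit) = children(body)
    if dec_oid(ctype) != OID_SIGNED_DATA:
        raise ValueError("not id-signedData")
    (_, signed_data), = children(explicit)
    fields = children(signed_data)                          # version, digestAlgorithms, ...
    oids = {dec_oid(children(alg)[0][1]) for _, alg in children(fields[1][1])}
    for _, si in children(fields[-1][1]):                   # signerInfos is the last field
        oids.add(dec_oid(children(children(si)[2][1])[0][1]))  # SignerInfo.digestAlgorithm
    return oids

def kdc_check_signed_data(content_info, accepted):
    """RFC 4556 3.2.2: if any digest algorithm in the signed data is not acceptable
    to the KDC, answer with KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED."""
    rejected = digest_algorithms(content_info) - set(accepted)
    return (KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, sorted(rejected)) if rejected else (0, [])
```

Running `kdc_check_signed_data(build_signed_auth_pack(AUTH_PACK, OID_SHA1), STRICT_POLICY)` returns `(80, ['1.3.14.3.2.26'])`, while the same request under RELAXED_POLICY, or a SHA-256 request under either policy, returns `(0, [])`. The useful diagnostic move when debugging a real failure is the middle function: pull the digest OIDs out of the signedAuthPack in a captured AS-REQ and compare them with what the KDC is configured to accept, before touching LSASS protection on the DC.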