Hi Volker:

MS-SPNG also mentions the negTokenInit2 message, which can optionally contain a mech token; in this case it relates to the first choice, which is NEGOEX. This token is a NEGOEX message containing the metadata. In this mech token (NEGOEX), the server is advertising the name of the certificate issuer that it expects from the client:

CN = MS-Organization-P2P-Access [2026]

I believe the proper place for this is a document that would describe the PKU2U-specific metadata. PKINIT (RFC 4556) does mention TD-TRUSTED-CERTIFIERS. PKU2U uses PKINIT. The client looks for a certificate issued by this certification authority in its certificate store for generating the AS-REQ.

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

-----Original Message-----
From: Tom Jebo <[email protected]>
Sent: Monday, April 27, 2026 10:46 AM
To: [email protected]
Cc: [email protected]; Microsoft Support <[email protected]>
Subject: RE: [EXTERNAL] NEGOEX uninitiated MESSAGE_TYPE_ACCEPTOR_NEGO in SMB2 negprot response - TrackingID#2604270040005966

[dochelp to bcc, supportmail to cc]

Hi Volker,

Thanks for reaching out to the Open Specifications support team about MS-SMB2. One of the team will respond soon to assist you. In the meantime, I've created case 2604270040005966 to track this request. Please leave the case number in the subject when communicating with us on this subject.

Best regards,
Tom Jebo
Microsoft Open Specifications Support

-----Original Message-----
From: Volker Lendecke <[email protected]>
Sent: Monday, April 27, 2026 3:32 AM
To: Interoperability Documentation Help <[email protected]>
Cc: [email protected]
Subject: [EXTERNAL] NEGOEX uninitiated MESSAGE_TYPE_ACCEPTOR_NEGO in SMB2 negprot response

Hello dochelp,

some research in [MS-SMB2], [MS-SPNG] and [MS-NEGOEX] did not reveal an explanation for frame 3 of the attached network trace. This is a trace of a Windows 11 client connecting to another Windows 11 client, both Entra-joined, over SMB. I can only find in the above documents that it's the initiator (i.e. the SMB client) who generates the first blob via init_sec_context.

I can understand that the server needs to advertise NEGOEX via a mechType OID, but I did not find a hint in the docs that would explain the server generating the mechToken (I believe it's a MESSAGE_TYPE_ACCEPTOR_NEGO according to [MS-SPNG] 2.2.6.1). Can you give me a hint where in the documentation I can find this?

Thanks,
Volker Lendecke

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
