Hi Volker:

We already cover negTokenInit2 in MS-SPNG and note that it can include a mech token. The metadata message format is also documented in MS-NEGOEX. We don't have a standalone PKU2U spec, but I've included the relevant details from the RFCs and drafts in a previous email. From my perspective, this gives reasonable coverage. If you think there's a better place to document this or a gap we should address, I'd be interested in your suggestions.
Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

-----Original Message-----
From: Volker Lendecke <[email protected]>
Sent: Monday, May 11, 2026 1:51 PM
To: Obaid Farooqi <[email protected]>
Cc: [email protected]; Microsoft Support <[email protected]>
Subject: Re: [EXTERNAL] NEGOEX uninitiated MESSAGE_TYPE_ACCEPTOR_NEGO in SMB2 negprot response - TrackingID#2604270040005966

Hi Obaid,

On Fri, May 08, 2026 at 11:31:36PM +0000, Obaid Farooqi wrote:
> MS-SPNG also mentions a negTokenInit2 message that can optionally contain
> a mech token, and in this case it relates to the first choice, which is NEGOEX.
> This token is a NEGOEX message containing the metadata.
> In this mech token (NEGOEX), the server is advertising the issuer name of
> the certificate issuer that it expects from the client.
>
> CN = MS-Organization-P2P-Access [2026]
>
> I believe the proper place for this is a document that would describe
> the PKU2U-specific metadata.
>
> PKINIT RFC 4556 does mention TD-TRUSTED-CERTIFIERS. PKU2U uses PKINIT.
>
> The client looks for a certificate issued by this certification
> authority in its certificate store for generating the AS-REQ.
>
> Please let me know if this does not answer your question.

I would have expected this to be documented somewhere and not just in
this mail. Windows 11 does it, so I would have thought I can find it
somewhere in the protocol specs. Is there anything we can do to get
this properly documented?

Thanks,

Volker
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
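The thread turns on a client receiving a NEGOEX message it never asked for: an ACCEPTOR_NEGO carried inside the negTokenInit2 mech token of the SMB2 NEGOTIATE response, before the client has sent any INITIATOR_NEGO. The parser below is an added example written for this page; it is not code from Samba, from Microsoft, or from either correspondent. It decodes the MS-NEGOEX MESSAGE_HEADER and NEGO_MESSAGE layout (little-endian, "NEGOEXTS" signature, 40-byte common header, 16-byte AUTH_SCHEME GUIDs addressed by absolute offsets), bounds-checks every offset against cbMessageLength so a hostile server cannot steer the client out of the buffer, and reports the unsolicited-acceptor case. Assumptions made here: the two vectors in NEGO_MESSAGE are each padded to 8 bytes so that cbHeaderLength is 96, the auth-scheme GUID and conversation id in the sample are constructed placeholders (not PKU2U's real scheme id), and the sample message is built by the block itself rather than captured from Windows 11.

```python
"""
Parse a NEGOEX NEGO_MESSAGE (MS-NEGOEX) and flag an ACCEPTOR_NEGO that arrives
before the client sent an INITIATOR_NEGO, as happens when a Windows SMB2
NEGOTIATE response carries one in its negTokenInit2 mech token.

Layout used (little-endian throughout):
  MESSAGE_HEADER (40 bytes):
    Signature[8] = "NEGOEXTS", MessageType u32, SequenceNum u32,
    cbHeaderLength u32, cbMessageLength u32, ConversationId GUID[16]
  NEGO_MESSAGE continues the header to offset 96:
    Random[32], ProtocolVersion u64,
    AuthSchemes: AuthSchemeArrayOffset u32, AuthSchemeCount u16, 2 bytes pad
    Extensions:  ExtensionArrayOffset u32, ExtensionCount u16, 2 bytes pad
  followed by the arrays the offsets point at (AUTH_SCHEME = 16-byte GUID).
ASSUMPTION: the 2-byte padding after each vector (cbHeaderLength = 96).
"""
import struct
import uuid

SIGNATURE = b"NEGOEXTS"
HEADER_LEN = 40          # MESSAGE_HEADER
NEGO_HEADER_LEN = 96     # MESSAGE_HEADER + fixed part of NEGO_MESSAGE (assumed)
AUTH_SCHEME_LEN = 16     # an AUTH_SCHEME is a GUID

MESSAGE_TYPE_INITIATOR_NEGO = 0
MESSAGE_TYPE_ACCEPTOR_NEGO = 1

# Constructed placeholders; neither is a real NEGOEX identifier.
EXAMPLE_AUTH_SCHEME = uuid.UUID("11111111-2222-3333-4444-555555555555")
EXAMPLE_CONVERSATION = uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100")


class NegoexError(ValueError):
    """Raised for any structurally invalid NEGOEX message."""


def build_nego_message(msg_type, seq, conv_id, random32, schemes):
    """Serialise a NEGO_MESSAGE; used only to construct the sample input."""
    schemes_blob = b"".join(s.bytes_le for s in schemes)
    total = NEGO_HEADER_LEN + len(schemes_blob)
    hdr = struct.pack("<8sIIII16s", SIGNATURE, msg_type, seq,
                      NEGO_HEADER_LEN, total, conv_id.bytes_le)
    body = random32 + struct.pack("<Q", 0)                      # ProtocolVersion 0
    body += struct.pack("<IH2x", NEGO_HEADER_LEN, len(schemes))  # AuthSchemes vector
    body += struct.pack("<IH2x", 0, 0)                           # Extensions: none
    return hdr + body + schemes_blob


def parse_nego_message(data):
    """Decode one NEGO_MESSAGE; every offset is checked against the lengths."""
    if len(data) < HEADER_LEN:
        raise NegoexError("short header")
    sig, msg_type, seq, hdr_len, msg_len, conv = struct.unpack_from("<8sIIII16s", data, 0)
    if sig != SIGNATURE:
        raise NegoexError("bad signature")
    if hdr_len < HEADER_LEN or msg_len < hdr_len or msg_len > len(data):
        raise NegoexError("inconsistent lengths")
    if msg_type not in (MESSAGE_TYPE_INITIATOR_NEGO, MESSAGE_TYPE_ACCEPTOR_NEGO):
        raise NegoexError("not a NEGO message")
    if hdr_len < NEGO_HEADER_LEN:
        raise NegoexError("NEGO header too short")
    (version,) = struct.unpack_from("<Q", data, 72)
    s_off, s_cnt = struct.unpack_from("<IH", data, 80)
    _e_off, e_cnt = struct.unpack_from("<IH", data, 88)
    # The array must lie inside the message and after the header.
    if s_cnt and (s_off < hdr_len or s_off + s_cnt * AUTH_SCHEME_LEN > msg_len):
        raise NegoexError("auth scheme array out of bounds")
    schemes = [uuid.UUID(bytes_le=data[s_off + AUTH_SCHEME_LEN * i:
                                       s_off + AUTH_SCHEME_LEN * (i + 1)])
               for i in range(s_cnt)]
    return {"type": msg_type, "seq": seq, "conversation": uuid.UUID(bytes_le=conv),
            "random": data[40:72], "version": version,
            "auth_schemes": schemes, "extension_count": e_cnt}


def classify_first_message(data, sent_initiator_nego):
    """Label the first NEGOEX message a client sees; for a negprot response
    sent_initiator_nego is False because the client has sent nothing yet."""
    msg = parse_nego_message(data)
    if msg["type"] == MESSAGE_TYPE_ACCEPTOR_NEGO:
        return "acceptor-nego" if sent_initiator_nego else "unsolicited-acceptor-nego"
    return "initiator-nego"


def is_malformed(data):
    """True when the parser rejects the bytes."""
    try:
        parse_nego_message(data)
    except NegoexError:
        return True
    return False


# Constructed sample: what the server's mech token looks like in the thread's case.
SAMPLE = build_nego_message(MESSAGE_TYPE_ACCEPTOR_NEGO, 0, EXAMPLE_CONVERSATION,
                            bytes(range(32)), [EXAMPLE_AUTH_SCHEME])

if __name__ == "__main__":
    print(classify_first_message(SAMPLE, sent_initiator_nego=False))
    print(parse_nego_message(SAMPLE)["auth_schemes"])
```

A client that keys its NEGOEX state machine on "first message must be INITIATOR_NEGO from us" will either reject this token or, worse, index past its own (empty) initiator state; the bounds checks matter because the array offsets are absolute and attacker-controlled. The metadata message that follows (the one carrying the issuer name) is a separate message type not decoded here.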
