Kacper
2025-Sep-04 12:34 UTC
[Samba] Smart card (PKINIT) logon under Windows 11 with Credential Guard
Hello,

I'm testing smart card (PKINIT) logon under Windows 11 with Credential Guard enabled.

- When the client talks to a *Windows Server AD*, logon succeeds.
- When the client talks to a *Samba AD (Heimdal)*, logon fails immediately with the error: *"A null reference pointer was passed to the stub"* shown on the Windows logon screen.

From Wireshark traces:

- The failure seems to occur at the *AS-REP* step of the Kerberos exchange.
- With Samba, Windows aborts immediately after receiving the AS-REP.
- With Windows Server AD, the exchange completes normally.

My suspicion is that Windows is rejecting something in the AS-REP that Samba/Heimdal produces. To confirm, I'd like to compare the AS-REPs from both setups.

*The snag:* most of the AS-REP fields are encrypted with a key derived from the Diffie-Hellman exchange, so I can't decrypt them in Wireshark.

*Questions:*

1. Is there a practical way to decrypt or dump the DH-protected AS-REP fields?
2. Has anyone seen PKINIT + Credential Guard fail against Samba AD specifically with this Windows error?

Any hints, references, or tools would be greatly appreciated.

Tested with latest samba 4.23.0rc3 and Windows 11 24H2.

Thanks,
Kacper