Rob J
2025-Sep-06 21:11 UTC
[Samba] Smart card (PKINIT) logon under Windows 11 with Credential Guard
> I'm testing smart card (PKINIT) logon under Windows 11 with Credential
> Guard enabled.
>
> - When the client talks to a *Windows Server AD*, logon succeeds.
> - When the client talks to a *Samba AD (Heimdal)*, logon fails immediately
>   with the error:
>
>   *"A null reference pointer was passed to the stub"*
>   shown on the Windows logon screen.

Yes, I'm seeing exactly this behavior, and I know of at least one other org that is as well. I'm running vanilla Samba 4.22.1 and I remember seeing this with an older version too, so it's not a recent change. Would love to find a solution, other than disabling Credential Guard.

_Rob
Kacper
2025-Nov-10 17:23 UTC
[Samba] Smart card (PKINIT) logon under Windows 11 with Credential Guard
I contacted Microsoft dochelp and they were most helpful. Been a bit busy as of late but finally got time to get back to this issue.

So, according to Microsoft dochelp, Windows always includes dhKeyExpiration and serverDHNonce in PKINIT AS-REP, even though it does not reuse DH keys. These fields are required for logon to succeed when using Credential Guard.

I have a proof-of-concept patch and hope to have it cleaned up and ready for review in the coming weeks.

https://bugzilla.samba.org/show_bug.cgi?id=15944

On Sat, 6 Sept 2025 at 23:33, Rob J via samba <samba at lists.samba.org> wrote:

> > I'm testing smart card (PKINIT) logon under Windows 11 with Credential
> > Guard enabled.
> >
> > - When the client talks to a *Windows Server AD*, logon succeeds.
> > - When the client talks to a *Samba AD (Heimdal)*, logon fails immediately
> >   with the error:
> >
> >   *"A null reference pointer was passed to the stub"*
> >   shown on the Windows logon screen.
>
> Yes, I'm seeing exactly this behavior, and I know of at least one other
> org that is as well. I'm running vanilla Samba 4.22.1 and I remember
> seeing this with an older version too, so it's not a recent change. Would
> love to find a solution, other than disabling Credential Guard.
>
> _Rob
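
As an added illustration that is not part of the thread or of the Samba patch: a minimal DER check for the two optional fields named above, following the RFC 4556 definitions of DHRepInfo and KDCDHKeyInfo. The helper names are hypothetical, the byte strings are constructed samples, and it assumes the KDCDHKeyInfo has already been extracted from the CMS SignedData carried in dhSignedData.

```python
# RFC 4556 ASN.1 (tags are EXPLICIT unless marked IMPLICIT):
#   DHRepInfo    ::= SEQUENCE { dhSignedData  [0] IMPLICIT OCTET STRING,
#                               serverDHNonce [1] DHNonce OPTIONAL, ... }
#   KDCDHKeyInfo ::= SEQUENCE { subjectPublicKey [0] BIT STRING,
#                               nonce            [1] INTEGER (0..4294967295),
#                               dhKeyExpiration  [2] KerberosTime OPTIONAL, ... }

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag_byte, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def context_tags(der_sequence):
    """Return {context tag number: value} for the members of a DER SEQUENCE."""
    tag, body, _ = read_tlv(der_sequence, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag & 0xC0 == 0x80:  # context-specific class
            fields[tag & 0x1F] = value
    return fields

def check_pkinit_dh_reply(dh_rep_info, kdc_dh_key_info):
    """Report whether the two optional fields from the thread are present."""
    return {
        "serverDHNonce": 1 in context_tags(dh_rep_info),
        "dhKeyExpiration": 2 in context_tags(kdc_dh_key_info),
    }

# Constructed sample encodings (placeholder key and signed data, not captured traffic).
REP_WITHOUT_NONCE = bytes.fromhex("30068004deadbeef")
REP_WITH_NONCE = bytes.fromhex("300e8004deadbeefa106040401020304")
KEYINFO_WITHOUT_EXPIRY = bytes.fromhex("300da006030400020105a10302012a")
KEYINFO_WITH_EXPIRY = (bytes.fromhex("3020a006030400020105a10302012aa211180f")
                       + b"20251110172300Z")

if __name__ == "__main__":
    print(check_pkinit_dh_reply(REP_WITHOUT_NONCE, KEYINFO_WITHOUT_EXPIRY))
    print(check_pkinit_dh_reply(REP_WITH_NONCE, KEYINFO_WITH_EXPIRY))
```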