Bug 15944 - PKINIT logon fails under Windows 11 with Credential Guard
Summary: PKINIT logon fails under Windows 11 with Credential Guard
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.23.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://github.com/heimdal/heimdal/is...
Keywords:
Depends on:
Blocks:
 
Reported: 2025-11-10 17:11 UTC by Kacper
Modified: 2025-11-13 23:09 UTC

Description Kacper 2025-11-10 17:11:59 UTC
When a Windows 11 client attempts a PKINIT (smart card) logon to a Samba Active Directory domain that uses Heimdal, the logon fails immediately. The Windows logon screen displays the error: "A null reference pointer was passed to the stub". This occurs even though the smart card is correctly configured and works when Credential Guard is disabled.

According to Microsoft dochelp, Windows always includes dhKeyExpiration and serverDHNonce in PKINIT AS-REP, even though it does not reuse DH keys. I have been told that an updated MS-PKCA specification will explain this behavior. These fields are required for logon to succeed when using Credential Guard.

This bug report was created primarily to track the upstream Heimdal issue, and once a suitable solution is found, to follow the update for lorikeet-heimdal.
Comment 1 Douglas Bagnall 2025-11-13 23:09:32 UTC
Thanks for looking into these things, Kacper.

BTW, a habit we cultivate is to CC cifs-protocol@lists.samba.org into discussions with dochelp, so that they end up archived at https://lists.samba.org/archive/cifs-protocol/ -- of course only if there are no secrets.