SMBUtil.writeInt4(this.originalMessageSize, aad, index);
        index += 4;

        // Reserved
        SMBUtil.writeInt2(0, aad, index);
        index += 2;

        // Flags
        SMBUtil.writeInt2(this.flags, aad, index);
        index += 2;

        // Session ID (8 bytes)
        SMBUtil.writeInt8(this.sessionId, aad, index);

        return aad;
    }

func (c *kesConn) GenerateKey(ctx context.Context, req *GenerateKeyRequest) (DEK, error) {
	aad, err := req.AssociatedData.MarshalText()
	if err != nil {
		return DEK{}, err
	}

	name := req.Name
	if name == "" {
		name = c.defaultKeyID
	}

	dek, err := c.client.GenerateKey(ctx, name, aad)
	if err != nil {
		if errors.Is(err, kes.ErrKeyNotFound) {
			return DEK{}, ErrKeyNotFound
		}

        // When
        byte[] aad = transformHeader.getAssociatedData();

        // Then
        assertEquals(52, aad.length); // AAD should be same size as transform header

        // Verify protocol ID (first 4 bytes) - 0xFD534D42 in little-endian
        assertEquals((byte) 0x42, aad[0]);
        assertEquals((byte) 0x4D, aad[1]);
        assertEquals((byte) 0x53, aad[2]);
        assertEquals((byte) 0xFD, aad[3]);

	aad, err := req.AssociatedData.MarshalText()
	if err != nil {
		return DEK{}, err
	}

	name := req.Name
	if name == "" {
		name = c.defaultKey
	}

	resp, err := c.client.GenerateKey(ctx, c.enclave, &kms.GenerateKeyRequest{
		Name:           name,
		AssociatedData: aad,
		Length:         32,
	})
	if err != nil {

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.RefreshTokenParameters;
import com.microsoft.aad.msal4j.SilentParameters;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;

import org.codelibs.fess.sso.entraid.EntraIdAuthenticator;
import org.codelibs.fess.util.ComponentUtil;
import org.lastaflute.web.login.credential.LoginCredential;

import com.microsoft.aad.msal4j.IAccount;
import com.microsoft.aad.msal4j.IAuthenticationResult;

/**
 * Microsoft Entra ID credential implementation for Fess authentication.
 * Provides login credential functionality using Entra ID authentication results.
 */

     */
    protected SsoAuthenticator getAuthenticator() {
        String ssoType = getSsoType();
        // Backward compatibility: map legacy "aad" (Azure AD) to "entraid" (Entra ID)
        if ("aad".equals(ssoType)) {
            ssoType = "entraid";
        }
        final String name = ssoType + "Authenticator";
        if (ComponentUtil.hasComponent(name)) {

     * Uses new entraid.permission.fields key with fallback to legacy aad.permission.fields.
     * @return Array of permission field names.
     */
    default String[] getEntraIdPermissionFields() {
        String value = getSystemProperty("entraid.permission.fields", null);
        if (StringUtil.isBlank(value)) {
            value = getSystemProperty("aad.permission.fields", "mail");
        }

        final AEADBlockCipher cipher = createCCMCipher(true, nonce, associatedData.length, message.length);

        // Process AAD (not included in output)
        cipher.processAADBytes(associatedData, 0, associatedData.length);

        // Process message (will be encrypted)
        final byte[] output = new byte[cipher.getOutputSize(message.length)];

* fix: azure disk could not mounted on Standard_DC4s/DC2s instances ([#86612](https://github.com/kubernetes/kubernetes/pull/86612), [@andyzhangx](https://github.com/andyzhangx))
* Fixes issue where AAD token obtained by kubectl is incompatible with on-behalf-of flow and oidc. ([#86412](https://github.com/kubernetes/kubernetes/pull/86412), [@weinong](https://github.com/weinong))