[cifs-protocol] [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Jeff McCashland (He/him) jeffm at microsoft.com
Fri Dec 1 22:40:44 UTC 2023


Hi Joseph,

It appears that when the passwords are accessed, the interval is checked and the passwords are then regenerated if they have expired. 

Please let me know if this does not answer your question. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org> 
Sent: Wednesday, November 29, 2023 1:52 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Hi,

Thank you for those links. So much of the format of these attributes I had inferred from reading [MS-GKDI]: what I cannot find in either article are details on how the attributes' values are first set and then periodically updated.

If I were to create a Group Managed Service Account right now and examined its msDS-ManagedPasswordId attribute, I might see a key index of (362, 0, 27). Say the interval after which the managed password was to be automatically changed was set to one day. If I were to examine the same attribute tomorrow, I might then see the key index had changed to (362, 0, 29). Furthermore, I might see that the msDS-ManagedPasswordPreviousId attribute (which had previously been empty) had been assigned the previous day's key index (362, 0, 27).

Evidently the values of these attributes must periodically be updated by some method in order for the managed password protocol to work. My question is: by what procedure should this be done?

Regards,
Joseph

On 30/11/23 7:34 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> I found a couple of online resources that appear to describe how to 
> generate the msDS-ManagedPasswordId attribute:
> 
> Introducing the Golden GMSA Attack
> https://securityboulevard.com/2022/03/introducing-the-golden-gmsa-attack/
> 
> How to recover from a Golden gMSA attack
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/recover-from-golden-gmsa-attack
> 
> Please let me know if these help any.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> 
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> 
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> From: Jeff McCashland (He/him)
> Sent: Tuesday, November 28, 2023 8:28 AM
> To: Joseph Sutton <jsutton at samba.org>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: RE: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [try again - Kristian to BCC]
> 
> From: Jeff McCashland (He/him)
> Sent: Tuesday, November 28, 2023 8:27 AM
> To: Kristian Smith <Kristian.Smith at microsoft.com>; Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [Kristian to BCC]
> 
> Hi Joseph,
> 
> I will look into your question and let you know what I find.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> 
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> 
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> From: Kristian Smith <Kristian.Smith at microsoft.com>
> Sent: Monday, November 27, 2023 6:39 PM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [DocHelp to Bcc]
> 
> [Case mail to Cc]
> 
> Hi Joseph,
> 
> Thank you for your request. The case number 2311280040000920 has been 
> created for this inquiry. One of our team members will follow up with 
> you soon.
> 
> Regards,
> 
> Kristian Smith
> Support Escalation Engineer | Azure DevOps, Windows Protocols | Microsoft® Corporation
> 
> Office phone: +1 425-421-4442
> Email: kristian.smith at microsoft.com
> Working hours: 8:00 am - 5:00 pm PST, Monday - Friday
> Team Manager: Gary Ranne garyra at microsoft.com
> ServiceHub: https://serviceshub.microsoft.com/support/contactsupport_
> 
> In case you don't hear from me, please call your regional number here: https://support.microsoft.com/help/13948/global-customer-service-phone-numbers
> 
> If you need assistance outside my normal working hours, please reach out to devbu at microsoft.com. One of my colleagues will gladly continue working on this issue.
> 
> ------------------------------------------------------------------------
> 
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Monday, November 27, 2023 2:53 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute
> 
> Hi dochelp,
> 
> The calculation of the msDS-ManagedPassword attribute depends upon the 
> values of two other important attributes, namely 
> msDS-ManagedPasswordId and msDS-ManagedPasswordPreviousId. I can't 
> find any documentation on how these two attributes are to be set 
> initially (on the creation of a Group Managed Service Account), nor on 
> how and when they are subsequently to be updated.
> 
> Are you able to give me any information on the procedure by which 
> these attributes are assigned values? - Are they supposed to be 
> updated periodically?
> 
> Regards,
> Joseph
> 
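Added illustration (editor's example, not code from this thread, from Samba or from Microsoft): the [MS-GKDI] key-index arithmetic behind the (L0, L1, L2) triples Joseph quotes, plus a simplified model of the rotation Jeff describes (interval checked on access, password regenerated once expired, the old index moving to msDS-ManagedPasswordPreviousId). The constants are the [MS-GKDI] ones: a 10-hour key cycle, 32 L2 indices per L1 index and 32 L1 indices per L0 index, with times expressed as FILETIME ticks (100 ns since 1601-01-01). Everything about when a password epoch starts and how the previous id is carried over is an assumption made for the illustration, and the real attribute also carries the root key GUID and the domain and forest names, which are not modelled here. One consistency check worth noting: a one-day interval is 2.4 ten-hour cycles, so L2 advances by 2 per day, which is exactly Joseph's 27 -> 29; L2 wraps at 32 into L1, and an L0 index of 362 does fall in late 2023.

```python
"""Key-index arithmetic for msDS-ManagedPasswordId, modelled on [MS-GKDI].

Constructed illustration, not Samba or Windows code.  The constants are the
[MS-GKDI] key-cycle parameters; the rotation model is a simplified reading of
the thread (assumption), not the documented Windows algorithm.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# [MS-GKDI] constants.  Times are FILETIME ticks: 100 ns since 1601-01-01 UTC.
KEY_CYCLE = 360_000_000_000      # one 10-hour key cycle, in 100 ns ticks
L1_KEYS_PER_L0 = 32
L2_KEYS_PER_L1 = 32
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

KeyIndex = Tuple[int, int, int]  # (L0, L1, L2)


def filetime_from_datetime(dt: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME tick count."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def key_index_from_filetime(t: int) -> KeyIndex:
    """Map a FILETIME to the (L0, L1, L2) key index [MS-GKDI] assigns to that moment."""
    cycle = t // KEY_CYCLE                       # number of whole 10-hour cycles since 1601
    l2 = cycle % L2_KEYS_PER_L1
    l1 = (cycle // L2_KEYS_PER_L1) % L1_KEYS_PER_L0
    l0 = cycle // (L2_KEYS_PER_L1 * L1_KEYS_PER_L0)
    return (l0, l1, l2)


def filetime_from_key_index(idx: KeyIndex) -> int:
    """First tick of the key cycle (L0, L1, L2); inverse of key_index_from_filetime."""
    l0, l1, l2 = idx
    return ((l0 * L1_KEYS_PER_L0 + l1) * L2_KEYS_PER_L1 + l2) * KEY_CYCLE


def key_index_for_utc(iso_timestamp: str) -> KeyIndex:
    """Key index for an ISO-8601 timestamp taken as UTC, e.g. '2023-11-29T00:00:00'."""
    dt = datetime.fromisoformat(iso_timestamp).replace(tzinfo=timezone.utc)
    return key_index_from_filetime(filetime_from_datetime(dt))


@dataclass
class ManagedPasswordIds:
    """msDS-ManagedPasswordId / msDS-ManagedPasswordPreviousId plus rotation state.

    Hypothetical model (assumption): a password epoch begins at account creation
    and every whole interval after it; the key index stored is the [MS-GKDI]
    index of the epoch start.  The GUID/domain/forest parts of the real blob
    are not represented.
    """
    interval: timedelta
    epoch_start: int                 # FILETIME of the current password epoch
    current_id: KeyIndex
    previous_id: Optional[KeyIndex] = None

    @classmethod
    def create(cls, created_at: int, interval: timedelta) -> "ManagedPasswordIds":
        return cls(interval, created_at, key_index_from_filetime(created_at))

    def on_access(self, now: int) -> KeyIndex:
        """Jeff's description: on access, check the interval; regenerate if expired."""
        interval_ticks = int(self.interval.total_seconds()) * 10_000_000
        elapsed = now - self.epoch_start
        if elapsed >= interval_ticks:
            # Advance by whole intervals so the schedule stays aligned to creation time
            # even if nobody read the password for several intervals (assumption).
            self.epoch_start += (elapsed // interval_ticks) * interval_ticks
            self.previous_id = self.current_id
            self.current_id = key_index_from_filetime(self.epoch_start)
        return self.current_id


def josephs_example() -> Tuple[KeyIndex, KeyIndex, Optional[KeyIndex]]:
    """Reproduce the thread's (362, 0, 27) -> (362, 0, 29) scenario with a one-day interval."""
    created = filetime_from_key_index((362, 0, 27))          # constructed creation time
    ids = ManagedPasswordIds.create(created, timedelta(days=1))
    day_one = ids.on_access(created)                         # read on creation day
    day_two = ids.on_access(created + 24 * 3_600 * 10_000_000)  # read one day later
    return day_one, day_two, ids.previous_id


if __name__ == "__main__":
    print("today / tomorrow / previous:", josephs_example())
    print("2023-11-29T00:00:00Z ->", key_index_for_utc("2023-11-29T00:00:00"))
```

Running the module prints the (362, 0, 27) / (362, 0, 29) pair with (362, 0, 27) carried into the previous id, and shows that a real late-November-2023 timestamp lands in L0 = 362, L1 = 0 as Joseph's figures suggest. The exact L2 value for a given account depends on its creation time, which is why the example constructs the creation time from the index rather than the other way round.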


