[cifs-protocol] [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Joseph Sutton jsutton at samba.org
Mon Dec 4 04:12:24 UTC 2023


Thank you. For clarification, does regenerating the passwords here 
involve updating the account's msDS-ManagedPasswordId attribute, and 
msDS-ManagedPasswordPreviousId too?

Regards,
Joseph

On 2/12/23 11:40 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> It appears that when the passwords are accessed, the interval is checked and the passwords are then regenerated if they have expired.
> 
> Please let me know if this does not answer your question.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Wednesday, November 29, 2023 1:52 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> Hi,
> 
> Thank you for those links. So much of the format of these attributes I had inferred from reading [MS-GKDI]: what I cannot find in either article are details on how the attributes' values are first set and then periodically updated.
> 
> If I were to create a Group Managed Service Account right now and examined its msDS-ManagedPasswordId attribute, I might see a key index of (362, 0, 27). Say the interval after which the managed password was to be automatically changed was set to one day. If I were to examine the same attribute tomorrow, I might then see the key index had changed to (362, 0, 29). Furthermore, I might see that the msDS-ManagedPasswordPreviousId attribute (which had previously been
> empty) had been assigned the previous day's key index (362, 0, 27).
> 
> Evidently the values of these attributes must periodically be updated by some method in order for the managed password protocol to work. My question is: by what procedure should this be done?
> 
> Regards,
> Joseph
> 
> On 30/11/23 7:34 am, Jeff McCashland (He/him) wrote:
>> Hi Joseph,
>>
>> I found a couple of online resources that appear to describe how to
>> generate the msDS-ManagedPasswordId attribute:
>>
>> Introducing the Golden GMSA Attack
>>
>> https://securityboulevard.com/2022/03/introducing-the-golden-gmsa-attack/
>>
>> How to recover from a Golden gMSA attack
>>
>> https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/recover-from-golden-gmsa-attack
>>
>> Please let me know if these help any.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
>>
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
>>
>> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>>
>> *From:*Jeff McCashland (He/him)
>> *Sent:* Tuesday, November 28, 2023 8:28 AM
>> *To:* Joseph Sutton <jsutton at samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com>;
>> cifs-protocol at lists.samba.org
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] Procedure for setting
>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>
>> [try again - Kristian to BCC]
>>
>> *From:*Jeff McCashland (He/him)
>> *Sent:* Tuesday, November 28, 2023 8:27 AM
>> *To:* Kristian Smith <Kristian.Smith at microsoft.com>; Joseph Sutton
>> <jsutton at samba.org>; cifs-protocol at lists.samba.org
>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] Procedure for setting
>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>
>> [Kristian to BCC]
>>
>> Hi Joseph,
>>
>> I will look into your question and let you know what I find.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
>>
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
>>
>> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>>
>> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
>> *Sent:* Monday, November 27, 2023 6:39 PM
>> *To:* Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] Procedure for setting
>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>
>> [DocHelp to Bcc]
>>
>> [Case mail to Cc]
>>
>> Hi Joseph,
>>
>> Thank you for your request. The case number 2311280040000920 has been
>> created for this inquiry. One of our team members will follow up with
>> you soon.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Azure DevOps, Windows Protocols |
>> Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>>
>> *Working hours*: 8:00 am - 5:00 pm PST, Monday - Friday
>>
>> *Team Manager*: Gary Ranne garyra at microsoft.com
>>
>> *ServiceHub*: https://serviceshub.microsoft.com/support/contactsupport_
>>
>> /In case you don't hear from me, please call your regional number here:
>> https://support.microsoft.com/help/13948/global-customer-service-phone-numbers/
>>
>> /If you need assistance outside my normal working hours, please reach
>> out to devbu at microsoft.com. One of my colleagues will gladly continue
>> working on this issue./
>>
>> ------------------------------------------------------------------------
>>
>> *From:* Joseph Sutton <jsutton at samba.org>
>> *Sent:* Monday, November 27, 2023 2:53 PM
>> *To:* cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
>> *Subject:* [EXTERNAL] [MS-ADTS] Procedure for setting
>> msDS-ManagedPasswordId attribute
>>
>> Hi dochelp,
>>
>> The calculation of the msDS-ManagedPassword attribute depends upon the
>> values of two other important attributes, namely
>> msDS-ManagedPasswordId and msDS-ManagedPasswordPreviousId. I can't
>> find any documentation on how these two attributes are to be set
>> initially (on the creation of a Group Managed Service Account), nor on
>> how and when they are subsequently to be updated.
>>
>> Are you able to give me any information on the procedure by which
>> these attributes are assigned values? - Are they supposed to be
>> updated periodically?
>>
>> Regards,
>> Joseph
>>
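Added example, not part of the thread and not Samba's or Microsoft's code: the arithmetic behind the (L0, L1, L2) key-index triples Joseph quotes, and a builder/parser for the Group Key Envelope layout that msDS-ManagedPasswordId and msDS-ManagedPasswordPreviousId carry. The index computation follows [MS-GKDI] 3.1.4.1.2 (a 10-hour KDS key cycle with 32 L1 and 32 L2 slots per L0 period); the envelope field order follows [MS-GKDI] 2.2.4 as I read it. The root-key GUID, domain names and timestamps are constructed sample values, and the rotate() helper only models the current-to-previous hand-over Joseph describes observing; whether that is the procedure Windows actually follows is the open question of the thread, not something this code establishes.

```python
"""Key-index arithmetic and the msDS-ManagedPasswordId blob layout.

Added example, not code from the thread, Samba or Microsoft.  The (L0, L1, L2)
computation follows [MS-GKDI] 3.1.4.1.2; the envelope layout follows
[MS-GKDI] 2.2.4 as I read it.  GUIDs, names and timestamps are constructed.
"""
import struct
import uuid
from datetime import datetime, timezone

KDS_KEY_CYCLE_SECONDS = 10 * 60 * 60           # one KDS key interval: 10 hours
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
GKE_VERSION = 1
GKE_MAGIC = 0x4B53444B                         # "KDSK" read as little-endian bytes
GKE_HEADER_LEN = 80                            # 16 DWORDs plus a 16-byte GUID


def key_index_for(when):
    """(L0, L1, L2) of the KDS interval containing `when`.

    `when` is an aware datetime or an ISO-8601 string taken as UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
    n = int((when - FILETIME_EPOCH).total_seconds()) // KDS_KEY_CYCLE_SECONDS
    return (n // (32 * 32), (n // 32) % 32, n % 32)


def _wstr(s):
    """UTF-16LE, NUL-terminated: how the envelope stores its string fields."""
    return (s + "\0").encode("utf-16-le")


def build_key_identifier(root_key_id, index, domain, forest,
                         kdf_algorithm="SP800_108_CTR_HMAC", kdf_parameters=b"",
                         sa_algorithm="DH", sa_parameters=b""):
    """Group Key Envelope carrying only an identifier (cbL1Key = cbL2Key = 0)."""
    l0, l1, l2 = index
    body = [_wstr(kdf_algorithm), kdf_parameters, _wstr(sa_algorithm), sa_parameters,
            _wstr(domain), _wstr(forest), b"", b""]        # trailing two: L1Key, L2Key
    header = struct.pack("<6I", GKE_VERSION, GKE_MAGIC, 0, l0, l1, l2)
    header += uuid.UUID(root_key_id).bytes_le
    header += struct.pack("<10I",
                          len(body[0]), len(body[1]), len(body[2]), len(body[3]),
                          0, 0,                          # PrivateKeyLength, PublicKeyLength
                          len(body[6]), len(body[7]),    # cbL1Key, cbL2Key
                          len(body[4]), len(body[5]))    # cbDomainName, cbForestName
    return header + b"".join(body)


def parse_key_identifier(blob):
    """Decode an envelope, rejecting anything that is not a bare key identifier."""
    if len(blob) < GKE_HEADER_LEN:
        raise ValueError("blob shorter than the envelope header")
    version, magic, flags, l0, l1, l2 = struct.unpack_from("<6I", blob, 0)
    if version != GKE_VERSION or magic != GKE_MAGIC:
        raise ValueError("not a Group Key Envelope")
    root_key_id = uuid.UUID(bytes_le=blob[24:40])
    (cb_kdf, cb_kdf_params, cb_sa, cb_sa_params, _priv, _pub,
     cb_l1, cb_l2, cb_domain, cb_forest) = struct.unpack_from("<10I", blob, 40)
    if cb_l1 or cb_l2:
        # A stored identifier names a key; it must never carry L1/L2 key material.
        raise ValueError("envelope contains key material")
    fields, off = [], GKE_HEADER_LEN
    for cb in (cb_kdf, cb_kdf_params, cb_sa, cb_sa_params, cb_domain, cb_forest):
        if off + cb > len(blob):
            raise ValueError("truncated envelope")
        fields.append(blob[off:off + cb])
        off += cb
    if off != len(blob):
        raise ValueError("trailing bytes after envelope")
    text = lambda b: b.decode("utf-16-le").rstrip("\0")
    return {"flags": flags, "key_index": (l0, l1, l2), "root_key_id": str(root_key_id),
            "kdf_algorithm": text(fields[0]), "kdf_parameters": fields[1],
            "secret_agreement_algorithm": text(fields[2]), "secret_agreement_parameters": fields[3],
            "domain": text(fields[4]), "forest": text(fields[5])}


def rotate(current_blob, now):
    """Model the hand-over Joseph describes: the current identifier becomes the
    previous one and a fresh identifier for `now` (same root key, assumed here)
    replaces it.  Returns (new msDS-ManagedPasswordId, new msDS-ManagedPasswordPreviousId)."""
    cur = parse_key_identifier(current_blob)
    new = build_key_identifier(cur["root_key_id"], key_index_for(now), cur["domain"], cur["forest"],
                               kdf_algorithm=cur["kdf_algorithm"], kdf_parameters=cur["kdf_parameters"],
                               sa_algorithm=cur["secret_agreement_algorithm"],
                               sa_parameters=cur["secret_agreement_parameters"])
    return new, current_blob


if __name__ == "__main__":
    ident = build_key_identifier("5b9f8a5c-2d3e-4f60-9a1b-7c8d9e0f1a2b",   # constructed GUID
                                 key_index_for("2023-11-29T22:00:00"),      # constructed time
                                 "example.com", "example.com")
    print(parse_key_identifier(ident))
```

Evaluated at 22:00 UTC on 29 November 2023 the index comes out as (362, 0, 27), which is the value Joseph gives for "right now" in his mail of that afternoon; 12 hours later it is (362, 0, 29), so one day's worth of password interval spans two or three KDS key cycles. The parser refuses any envelope whose cbL1Key or cbL2Key is non-zero, because an attribute that is only meant to identify a key is the wrong place for key material to turn up.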