[cifs-protocol] [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Joseph Sutton jsutton at samba.org
Wed Nov 29 21:52:22 UTC 2023


Hi,

Thank you for those links. So much of the format of these attributes I 
had inferred from reading [MS-GKDI]: what I cannot find in either 
article are details on how the attributes’ values are first set and then 
periodically updated.

If I were to create a Group Managed Service Account right now and 
examined its msDS-ManagedPasswordId attribute, I might see a key index 
of (362, 0, 27). Say the interval after which the managed password was 
to be automatically changed was set to one day. If I were to examine the 
same attribute tomorrow, I might then see the key index had changed to 
(362, 0, 29). Furthermore, I might see that the 
msDS-ManagedPasswordPreviousId attribute (which had previously been 
empty) had been assigned the previous day’s key index (362, 0, 27).

Evidently the values of these attributes must periodically be updated by 
some method in order for the managed password protocol to work. My 
question is: by what procedure should this be done?

Regards,
Joseph

On 30/11/23 7:34 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> I found a couple of online resources that appear to describe how to 
> generate the msDS-ManagedPasswordId attribute:
> 
> Introducing the Golden GMSA Attack
> 
> https://securityboulevard.com/2022/03/introducing-the-golden-gmsa-attack/
> 
> How to recover from a Golden gMSA attack
> 
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/recover-from-golden-gmsa-attack
> 
> Please let me know if these help any.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | 
> Microsoft Protocol Open Specifications Team
> 
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada)
> 
> Local country phone number found here: 
> http://support.microsoft.com/globalenglish | Extension 1138300
> 
> From: Jeff McCashland (He/him)
> Sent: Tuesday, November 28, 2023 8:28 AM
> To: Joseph Sutton <jsutton at samba.org>
> Cc: Microsoft Support <supportmail at microsoft.com>; 
> cifs-protocol at lists.samba.org
> Subject: RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [try again - Kristian to BCC]
> 
> From: Jeff McCashland (He/him)
> Sent: Tuesday, November 28, 2023 8:27 AM
> To: Kristian Smith <Kristian.Smith at microsoft.com>; Joseph Sutton 
> <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [Kristian to BCC]
> 
> Hi Joseph,
> 
> I will look into your question and let you know what I find.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | 
> Microsoft Protocol Open Specifications Team
> 
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada)
> 
> Local country phone number found here: 
> http://support.microsoft.com/globalenglish | Extension 1138300
> 
> From: Kristian Smith <Kristian.Smith at microsoft.com>
> Sent: Monday, November 27, 2023 6:39 PM
> To: Joseph Sutton <jsutton at samba.org>; 
> cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [DocHelp to Bcc]
> 
> [Case mail to Cc]
> 
> Hi Joseph,
> 
> Thank you for your request. The case number 2311280040000920 has been 
> created for this inquiry. One of our team members will follow up with 
> you soon.
> 
> Regards,
> 
> Kristian Smith
> 
> Support Escalation Engineer | Azure DevOps, Windows Protocols | 
> Microsoft® Corporation
> 
> Office phone: +1 425-421-4442
> 
> Email: kristian.smith at microsoft.com
> 
> Working hours: 8:00 am - 5:00 pm PST, Monday – Friday
> 
> Team Manager: Gary Ranne garyra at microsoft.com
> 
> ServiceHub: https://serviceshub.microsoft.com/support/contactsupport_
> 
> In case you don't hear from me, please call your regional number here: 
> https://support.microsoft.com/help/13948/global-customer-service-phone-numbers
> 
> If you need assistance outside my normal working hours, please reach 
> out to devbu at microsoft.com. One of my colleagues will gladly continue 
> working on this issue.
> 
> ------------------------------------------------------------------------
> 
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Monday, November 27, 2023 2:53 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation 
> Help <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute
> 
> Hi dochelp,
> 
> The calculation of the msDS-ManagedPassword attribute depends upon the
> values of two other important attributes, namely msDS-ManagedPasswordId
> and msDS-ManagedPasswordPreviousId. I can’t find any documentation on
> how these two attributes are to be set initially (on the creation of a
> Group Managed Service Account), nor on how and when they are
> subsequently to be updated.
> 
> Are you able to give me any information on the procedure by which these
> attributes are assigned values? — Are they supposed to be updated
> periodically?
> 
> Regards,
> Joseph
> 
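An added example, not code from this thread, from Samba or from Microsoft, showing the one part of the question that [MS-GKDI] does pin down: how a point in time maps to an (L0, L1, L2) key index. It assumes the key schedule as that specification describes it, namely a 10-hour key cycle (KDS_KEY_CYCLE_DURATION, counted in 100-nanosecond FILETIME units from 1601-01-01 UTC), 32 L2 cycles per L1 period and 32 L1 periods per L0 period; the function names and the sample timestamp (the date of the message above) are this example's own. With those constants the timestamp of this message falls in cycle (362, 0, 27), the index quoted in the message, and 24 hours later the index has advanced by three cycles. How the DC chooses the time it feeds into this schedule when it populates msDS-ManagedPasswordId, and when it copies the old value into msDS-ManagedPasswordPreviousId, is the open question of the thread and is not answered by this code.

```python
"""
Time -> (L0, L1, L2) key-index schedule as described in [MS-GKDI],
and the reverse mapping.  Added example; not code from the thread,
from Samba or from Microsoft.
"""
from datetime import datetime, timedelta, timezone

# Assumed from [MS-GKDI]: one key cycle is 10 hours in 100-ns FILETIME
# units; 32 L2 cycles make one L1 period and 32 L1 periods make one L0
# period.  Time is counted from the FILETIME epoch (1601-01-01 UTC),
# which is why L0 is around 362 in late 2023.
KDS_KEY_CYCLE_DURATION = 360_000_000_000
L2_PER_L1 = 32
L1_PER_L0 = 32
L1_PERIOD = KDS_KEY_CYCLE_DURATION * L2_PER_L1
L0_PERIOD = L1_PERIOD * L1_PER_L0
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(t: datetime) -> int:
    """UTC datetime -> FILETIME (100-ns intervals since 1601-01-01)."""
    d = t.astimezone(timezone.utc) - FILETIME_EPOCH
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft: int) -> datetime:
    """FILETIME -> UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def key_index(t: datetime) -> tuple[int, int, int]:
    """(L0, L1, L2) index of the key cycle that contains time t."""
    ft = to_filetime(t)
    l0 = ft // L0_PERIOD
    l1 = (ft % L0_PERIOD) // L1_PERIOD
    l2 = (ft % L1_PERIOD) // KDS_KEY_CYCLE_DURATION
    return l0, l1, l2


def index_start(l0: int, l1: int, l2: int) -> datetime:
    """First instant at which the given key index is current."""
    cycle = (l0 * L1_PER_L0 + l1) * L2_PER_L1 + l2
    return from_filetime(cycle * KDS_KEY_CYCLE_DURATION)


def next_rollover(t: datetime) -> datetime:
    """First instant after t at which key_index() changes."""
    cycle = to_filetime(t) // KDS_KEY_CYCLE_DURATION
    return from_filetime((cycle + 1) * KDS_KEY_CYCLE_DURATION)


def index_after(t: datetime, interval: timedelta) -> tuple[int, int, int]:
    """Key index current once `interval` (e.g. a one-day managed-password
    change interval) has elapsed from t."""
    return key_index(t + interval)


if __name__ == "__main__":
    # Constructed sample input: the timestamp of the message above.
    t = datetime(2023, 11, 29, 21, 52, 22, tzinfo=timezone.utc)
    print(key_index(t))                        # (362, 0, 27)
    print(next_rollover(t).isoformat())        # 2023-11-30T00:00:00+00:00
    print(index_after(t, timedelta(days=1)))   # (362, 0, 30)
    # L2 wraps into L1 after 32 cycles, L1 into L0 after 32 periods.
    print(key_index(index_start(362, 1, 0) - timedelta(seconds=1)))  # (362, 0, 31)
    print(key_index(index_start(363, 0, 0) - timedelta(seconds=1)))  # (362, 31, 31)
```

Because the cycle is 10 hours, a 24-hour change interval is 2.4 cycles and so advances L2 by two or three depending on where in a cycle the clock starts; the message's (362, 0, 27) to (362, 0, 29) is one such step, and the sample above lands on 30 for a different start time. Anything beyond this mapping, in particular which timestamp the DC uses and how it maintains the Previous attribute, is what the thread is asking Microsoft to document.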


