<div data-wrapper="true" dir="ltr" style="font-size:9pt;font-family:'Segoe UI','Helvetica Neue',sans-serif;"><div style="direction:ltr"><div>Hi Jo,</div>
<div> </div>
<div>I hope your week is off to a good start. I'm reaching out to see if you've had the opportunity to capture an LSASS trace for the behavior you're experiencing. If so, I'll be happy to debug and analyze what you have.</div>
<div> </div>
<div>If I don't hear back from you by Wednesday, I'll archive the case for the time being and you can reach back out at your convenience.</div>
<div> </div>
<div>Looking forward to hearing from you! <br> </div>
<div id="signature" style="display:block"><div data-wrapper="true" dir="ltr" style="font-family:'Segoe UI','Helvetica Neue',sans-serif; font-size:9pt"><div style="color:#2f2f2f"><strong>Regards,</strong><br><strong>Kristian Smith</strong><br>Support Escalation Engineer | Azure DevOps, Windows Protocols | Microsoft® Corporation<br><strong>Office phone</strong>: +1 425-421-4442<br><strong>Email</strong>: <a href="mailto:kristian.smith@microsoft.com">kristian.smith@microsoft.com</a><br><strong>Working hours</strong>: 8:00 am - 5:00 pm PST, Monday – Friday<br><strong>Team Manager</strong>: Gary Ranne <a href="mailto:garyra@microsoft.com">garyra@microsoft.com</a><br><strong>ServiceHub</strong>: <a href="https://serviceshub.microsoft.com/support/contactsupport_">https://serviceshub.microsoft.com/support/contactsupport_</a><br><em>In case you don't hear from me, please call your regional number here: <a href="https://support.microsoft.com/help/13948/global-customer-service-phone-numbers.">https://support.microsoft.com/help/13948/global-customer-service-phone-numbers.</a></em><br><em>If you need assistance outside my normal working hours, please reach out to <a href="mailto:devbu@microsoft.com">devbu@microsoft.com</a>. One of my colleagues will gladly continue working on this issue.</em></div>
<div> </div></div></div>
<div dir="ltr" id="replyfwdmessage"><span style="font-family:Tahoma,Verdana,Arial; font-size:small">------------------- Original Message -------------------<br><strong>From:</strong> Kristian.Smith@microsoft.com;<br><strong>Received:</strong> Tue May 28 2024 16:42:17 GMT-0700 (Pacific Daylight Time)<br><strong>To:</strong> jsutton@samba.org;<br><strong>Cc:</strong> supportmail@microsoft.com; cifs-protocol@lists.samba.org;<br><strong>Subject:</strong> RE: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844</span><br><br><style type="text/css"><!--
@font-face
        {font-family:"Cambria Math"}
@font-face
        {font-family:Calibri}
@font-face
        {font-family:Aptos}
@font-face
        {font-family:"Segoe UI"}
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:12.0pt;
        font-family:"Aptos",sans-serif}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline}
span.EmailStyle20
        {font-family:"Aptos",sans-serif;
        color:windowtext}
.MsoChpDefault
        {font-size:10.0pt}
@page WordSection1
        {margin:1.0in 1.0in 1.0in 1.0in}
ol
        {margin-bottom:0in}
ul
        {margin-bottom:0in}
--></style><div dir="ltr"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt">Hi Jo,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Please let me know if you have any trouble gathering the Lsass trace. I’m happy to help if you encounter any issues.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span></p>
<div><p class="MsoNormal"><strong><span style="background-color:white">Regards,</span></strong></p>
<p class="MsoNormal" style="margin-top:4.0pt"><strong><span style="background-color:white">Kristian Smith</span></strong></p>
<p class="MsoNormal" style="margin-top:4.0pt"><span style="background-color:white">Support Escalation Engineer | Microsoft® Corporation</span></p>
<p class="MsoNormal" style="margin-top:4.0pt"><strong><span style="background-color:white">Office phone</span></strong><span style="background-color:white">: +1 425-421-4442</span></p></div>
<p class="MsoNormal"><strong><span style="background-color:white">Email</span></strong><span style="background-color:white">: </span><span style="background-color:white"><a href="mailto:kristian.smith@microsoft.com">kristian.smith@microsoft.com</a></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span></p>
<div><div style="border-top:solid #e1e1e1 1.0pt; border:none; padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><strong><span style="font-family:'Calibri',sans-serif; font-size:11.0pt">From:</span></strong><span style="font-family:'Calibri',sans-serif; font-size:11.0pt"> Kristian Smith &lt;Kristian.Smith@microsoft.com&gt;<br><strong>Sent:</strong> Wednesday, May 22, 2024 10:00 AM<br><strong>To:</strong> Jo Sutton &lt;jsutton@samba.org&gt;<br><strong>Cc:</strong> Microsoft Support &lt;supportmail@microsoft.com&gt;; cifs-protocol@lists.samba.org<br><strong>Subject:</strong> Re: [EXTERNAL] [MS-ADTS] gMSA previous password - time interval &amp; post rollover - TrackingID#2405210040011844</span></p></div></div>
<p class="MsoNormal"> </p>
<div><p class="MsoNormal"><span style="color:black; font-size:11.0pt">Hi Jo,</span></p></div>
<div><p class="MsoNormal"><span style="color:black; font-size:11.0pt"> </span></p></div>
<div><p class="MsoNormal"><span style="color:black; font-size:11.0pt">Thanks for letting me know that you're not able to reproduce this behavior. The best way for me to troubleshoot would be to have an LSASS trace and a network trace. Can you please repro the issue <strong><em>when trying to use a previous password with Kerberos</em></strong>?</span></p></div>
<div><p class="MsoNormal"><span style="color:black; font-size:11.0pt"> </span></p></div>
<div><p class="MsoNormal"><span style="color:black; font-size:11.0pt">Here are the tracing instructions for LSASS:</span></p></div>
<div><p class="MsoNormal"><span style="color:black; font-size:11.0pt"> </span></p></div>
<ol start="1" style="list-style-type:decimal; margin-top:0in" type="1"><li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><strong><span style="font-size:11.0pt">Tracing Lsass with TTD:</span></strong><span style="font-size:11.0pt"> This should be conducted on the DC where we are logging in. Note: run all commands in an elevated PowerShell prompt on that machine.</span>
<ol start="1" style="list-style-type:lower-alpha; margin-top:0in" type="a">
<li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt">Download and install TTD on the DC we're logging into.</span>
<ol start="1" style="list-style-type:lower-roman; margin-top:0in" type="i">
<li class="MsoNormal" style="color:black; line-height:11.75pt"><span style="font-size:11.0pt">Direct link to download the TTD app installer: <a href="https://aka.ms/ttd/download">https://aka.ms/ttd/download</a></span></li>
<li class="MsoNormal" style="color:black; line-height:11.75pt"><span style="font-size:11.0pt">Alternatively, use the offline install instructions: <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#how-to-download-and-install-the-ttdexe-command-line-utility-offline-method">https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#how-to-download-and-install-the-ttdexe-command-line-utility-offline-method</a></span></li>
</ol></li>
<li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt">When ready to repro the issue, run the following commands to begin the trace.</span>
<ol start="1" style="list-style-type:lower-roman; margin-top:0in" type="i">
<li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt"><code>mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")</code></span></li>
<li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt"><code>TTD.exe -Attach (Get-Process -Name lsass).Id -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\LSASS_Kerb_Server.run</code></span></li>
<li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt">When the following small window pops up, the trace has begun and <strong>you can now reproduce the issue</strong>. To end the trace, simply click “Tracing Off”.</span>
<ol start="1" style="list-style-type:decimal; margin-top:0in" type="1"><li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt">[screenshot: the TTD recording window with the “Tracing Off” button]</span></li></ol></li>
</ol></li>
<li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt">Once the trace operation is complete, we need to compress the .run file created by TTD for easy transfer.</span>
<ol start="1" style="list-style-type:lower-roman; margin-top:0in" type="i">
<li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt"><code>Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip</code></span></li>
</ol></li>
<li class="MsoNormal" style="color:black; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt">Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below.</span>
<ol start="1" style="list-style-type:lower-roman; margin-top:0in" type="i">
<li class="MsoNormal" style="color:#1570a6; margin-bottom:8.0pt; line-height:11.75pt"><span style="font-size:11.0pt"><a href="https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNmFkMDJmZTgtMzM1Ny00MjdkLTk5MjUtZDhmNmY4MWVjNDAwIiwic3IiOiIyNDA1MjEwMDQwMDExODQ0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiNzI1Nzc1NDMtZTBhNy00OWM5LWE5OTctMjgwYTIxMGNjZjE3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MjQxNjkwNDgsIm5iZiI6MTcxNjM5MzA0OH0.ci6jGrcT9SKnyRccEfDUuEOJv7LMBa_6tgF_xkAFq1fJrpI6nSjVGprJiduohlKKoRLe9W0juQNlEf5LaMOgYSDOLKXuxF5EzY5S1DmSVvWQ6bBrPYniK6EApehMHNA6xJ_YjM9i20YuRqfY_r6NPU6BEPWaXb2LQCzcEv-PhzU0AqEerW3SutZgrU3O7XkvUxbOUW1R_jfo2IAETBFnDLdHOQzpmbj7Ty_cI9WBvyeTzQmp0slUofLBpzLXZb6qSwYk3_FgYLNU0muDt3yz8hib2RLoDWqIdkrJIVmkwF6b2v226QMoU2Ge0dxEShT7sClptzVUV0QoTK0aYCxczQ&amp;wid=6ad02fe8-3357-427d-9925-d8f6f81ec400">https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNmFkMDJmZTgtMzM1Ny00MjdkLTk5MjUtZDhmNmY4MWVjNDAwIiwic3IiOiIyNDA1MjEwMDQwMDExODQ0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiNzI1Nzc1NDMtZTBhNy00OWM5LWE5OTctMjgwYTIxMGNjZjE3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MjQxNjkwNDgsIm5iZiI6MTcxNjM5MzA0OH0.ci6jGrcT9SKnyRccEfDUuEOJv7LMBa_6tgF_xkAFq1fJrpI6nSjVGprJiduohlKKoRLe9W0juQNlEf5LaMOgYSDOLKXuxF5EzY5S1DmSVvWQ6bBrPYniK6EApehMHNA6xJ_YjM9i20YuRqfY_r6NPU6BEPWaXb2LQCzcEv-PhzU0AqEerW3SutZgrU3O7XkvUxbOUW1R_jfo2IAETBFnDLdHOQzpmbj7Ty_cI9WBvyeTzQmp0slUofLBpzLXZb6qSwYk3_FgYLNU0muDt3yz8hib2RLoDWqIdkrJIVmkwF6b2v226QMoU2Ge0dxEShT7sClptzVUV0QoTK0aYCxczQ&amp;wid=6ad02fe8-3357-427d-9925-d8f6f81ec400</a></span></li>
</ol></li>
</ol></li></ol>
<div style="margin-bottom:8.0pt"><p class="MsoNormal" style="line-height:11.75pt"><span style="color:black; font-size:11.0pt"> </span></p></div>
<div style="margin-bottom:8.0pt"><p class="MsoNormal" style="line-height:11.75pt"><span style="color:black; font-size:11.0pt">If you are able to include a network/Wireshark trace with a keytab file to decrypt, that would be helpful, but may not be entirely necessary. I will be in training for the remainder of the week but will debug the trace next week. Thanks for your patience.</span></p></div>
<div><p class="MsoNormal"><span style="color:black; font-size:11.0pt"> </span></p></div>
<div id="Signature"><p><strong><span style="background-color:white">Regards,</span></strong></p>
<p style="margin-top:4.0pt"><strong><span style="background-color:white">Kristian Smith</span></strong></p>
<p style="margin-top:4.0pt"><span style="background-color:white">Support Escalation Engineer | Microsoft® Corporation</span></p>
<p style="margin-top:4.0pt"><strong><span style="background-color:white">Office phone</span></strong><span style="background-color:white">: +1 425-421-4442</span></p>
<p><strong><span style="background-color:white">Email</span></strong><span style="background-color:white">: </span><span style="background-color:white"><a href="mailto:kristian.smith@microsoft.com">kristian.smith@microsoft.com</a></span></p></div>
<div align="center" class="MsoNormal" style="text-align:center"><hr align="center" size="2" width="98%"></div>
<div id="divRplyFwdMsg"><p class="MsoNormal"><strong><span style="color:black; font-family:'Calibri',sans-serif; font-size:11.0pt">From:</span></strong><span style="color:black; font-family:'Calibri',sans-serif; font-size:11.0pt"> Jo Sutton &lt;<a href="mailto:jsutton@samba.org">jsutton@samba.org</a>&gt;<br><strong>Sent:</strong> Monday, May 20, 2024 9:19 PM<br><strong>To:</strong> Kristian Smith &lt;<a href="mailto:Kristian.Smith@microsoft.com">Kristian.Smith@microsoft.com</a>&gt;<br><strong>Cc:</strong> Microsoft Support &lt;<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;; <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a> &lt;<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>&gt;<br><strong>Subject:</strong> Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588</span></p>
<div><p class="MsoNormal"> </p></div></div>
<div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt">Thank you, Kristian.<br><br>I’ve had some difficulty trying to replicate these results. After<br>manually changing the password of a Group Managed Service Account, there<br>is a five-minute interval during which I can use the previous password<br>to log in via NTLM. However, I have not managed to get a previous<br>password to work — with NTLM or with Kerberos — following the natural<br>rollover of a gMSA’s password.<br><br>Cheers,<br>Jo (she/her)<br><br>On 17/05/24 11:51 am, Kristian Smith wrote:<br>> Hi Jo,<br>><br>> I conducted research on these questions you posed and wanted to share my<br>> findings with you.<br>><br>> In the context of gMSA authentication, we accept only the current and<br>> most recent previous password for both NTLM and Kerberos. Also, I was<br>> unable to locate any time limitations for the use of the previous password.<br>><br>> Let me know if this answers your questions or if there is further<br>> clarification I can provide.<br>><br>> *Regards,*<br>><br>> *Kristian Smith*<br>><br>> Support Escalation Engineer | Microsoft® Corporation<br>><br>> *Office phone*: +1 425-421-4442<br>><br>> *Email*: <a href="mailto:kristian.smith@microsoft.com">kristian.smith@microsoft.com</a><br>><br>><br>> ------------------------------------------------------------------------<br>> *From:* Kristian Smith &lt;<a href="mailto:Kristian.Smith@microsoft.com">Kristian.Smith@microsoft.com</a>&gt;<br>> *Sent:* Tuesday, May 14, 2024 8:39 AM<br>> *To:* Jo Sutton &lt;<a href="mailto:jsutton@samba.org">jsutton@samba.org</a>&gt;<br>> *Cc:* Microsoft Support &lt;<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;;<br>> <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a> &lt;<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>&gt;<br>> 
*Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account<br>> authenticating with a previous password - TrackingID#2405140040001588<br>> [Tom to Bcc]<br>><br>> Hi Jo,<br>><br>> Thanks for reaching out with your [MS-ADTS] question. I'll be your point<br>> of contact moving forward for this case. I will research this and get<br>> back to you with my findings.<br>><br>> *Regards,*<br>><br>> *Kristian Smith*<br>><br>> Support Escalation Engineer | Microsoft® Corporation<br>><br>> *Office phone*: +1 425-421-4442<br>><br>> *Email*: <a href="mailto:kristian.smith@microsoft.com">kristian.smith@microsoft.com</a><br>><br>> ------------------------------------------------------------------------<br>> *From:* Tom Jebo &lt;<a href="mailto:tomjebo@microsoft.com">tomjebo@microsoft.com</a>&gt;<br>> *Sent:* Monday, May 13, 2024 10:32 PM<br>> *To:* Jo Sutton &lt;<a href="mailto:jsutton@samba.org">jsutton@samba.org</a>&gt;; <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a><br>> &lt;<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>&gt;<br>> *Cc:* Microsoft Support &lt;<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;<br>> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account<br>> authenticating with a previous password - TrackingID#2405140040001588<br>> [dochelp to bcc]<br>> [support mail to cc]<br>><br>> Hey Jo,<br>><br>> Thanks for your request regarding MS-ADTS. One of the Open<br>> Specifications team members will respond to assist you. In the meantime,<br>> we’ve created case 2405140040001588 to track this request. Please leave<br>> the case number in the subject when communicating with our team about<br>> this request.<br>><br>> Best regards,<br>> Tom Jebo<br>> Microsoft Open Specifications Support<br>><br>> -----Original Message-----<br>> From: Jo Sutton &lt;<a href="mailto:jsutton@samba.org">jsutton@samba.org</a>&gt;<br>> Sent: Monday, May 13, 2024 9:59 PM<br>> To: <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>; Interoperability Documentation Help<br>> &lt;<a href="mailto:dochelp@microsoft.com">dochelp@microsoft.com</a>&gt;<br>> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account<br>> authenticating with a previous password<br>><br>> [Some people who received this message don't often get email from<br>> <a href="mailto:jsutton@samba.org">jsutton@samba.org</a>. Learn why this is important at<br>> <a href="https://aka.ms/LearnAboutSenderIdentification">https://aka.ms/LearnAboutSenderIdentification</a>]<br>><br>> Hi dochelp,<br>><br>> I can’t find any mention in Microsoft’s documentation of what should<br>> happen when a Group Managed Service Account authenticates with a<br>> previous password — i.e. via NTLM with an NT hash from ntPwdHistory, or<br>> via Kerberos with a key from the OldCredentials part of a<br>> Primary:Kerberos-Newer-Keys blob.<br>><br>> Should the previous password be accepted for NTLM logons? For Kerberos<br>> logons? Should only the immediately previous password be accepted, or<br>> should earlier passwords be accepted too? And during what period should<br>> the previous password(s) be accepted — for example, the five minutes<br>> immediately following the time specified by pwdLastSet?<br>><br>> Any information you can provide to shine light on these questions would<br>> be welcome.<br>><br>> Cheers,<br>> Jo (she/her)</span></p></div></div></div></div></div></div></div>
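<p>The LSASS capture procedure from Kristian Smith's 22 May message (create a dated folder, attach TTD.exe to lsass.exe, reproduce the logon, stop tracing from the TTD window, compress the folder) collected into one script that can be run on the DC. This is an added example and is not code from the original thread or from Microsoft. It assumes TTD.exe from the installer linked in that message is on PATH, that the script runs from an elevated PowerShell prompt on the DC the gMSA authenticates against, and that recording is stopped by clicking "Tracing Off" exactly as the instructions say. The folder, file and archive names are the ones from the message; the RunAsPPL check, the single-process check, the empty-file check and the SHA-256 hash are additions.</p>

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread: capture a TTD trace of lsass.exe on a
# domain controller and package it for upload. Assumes TTD.exe (https://aka.ms/ttd/download)
# is installed and on PATH.

$ErrorActionPreference = 'Stop'

# Same folder, trace and archive names as in the support instructions.
$traceDir  = "C:\Traces_$(Get-Date -Format 'dd-MMM-yyyy')"
$traceFile = Join-Path $traceDir 'LSASS_Kerb_Server.run'
$zipPath   = "$traceDir.zip"

# Check LSA protection before attaching. A user-mode recorder cannot open a process that
# runs as protected process light, so with RunAsPPL set the attach is expected to fail
# rather than silently produce a useless trace.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.RunAsPPL) {
    Write-Warning "LSA protection is enabled (RunAsPPL=$($lsa.RunAsPPL)); attaching TTD to lsass.exe is expected to fail."
}

# There is exactly one lsass.exe; (Get-Process).Id is all that is needed for the PID.
$lsass = @(Get-Process -Name lsass)
if ($lsass.Count -ne 1) { throw "Expected exactly one lsass.exe, found $($lsass.Count)" }
$lsassPid = $lsass[0].Id

New-Item -ItemType Directory -Path $traceDir -Force | Out-Null

# Attach. TTD shows its small recording window once tracing has started; reproduce the
# gMSA logon with the previous password now, then click "Tracing Off" in that window.
Write-Host "Attaching TTD to lsass.exe (PID $lsassPid); writing $traceFile"
& TTD.exe -Attach $lsassPid -out $traceFile
if ($LASTEXITCODE -ne 0) { Write-Warning "TTD.exe exited with code $LASTEXITCODE" }

# Do not package the trace until recording has actually been stopped.
Read-Host 'Reproduce the logon, click "Tracing Off" in the TTD window, then press Enter'

$run = Get-Item -Path $traceFile          # throws if TTD never created the file
if ($run.Length -eq 0) { throw "Trace file $traceFile is empty; was tracing stopped before any activity?" }

# Package the whole dated folder, matching the original Compress-Archive command.
Compress-Archive -Path $traceDir -DestinationPath $zipPath -Force

# Give the support engineer an integrity hash to compare after the upload.
$hash  = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash
$sizeMB = [math]::Round((Get-Item -Path $zipPath).Length / 1MB, 1)
Write-Host "Upload $zipPath ($sizeMB MB) to the case file share."
Write-Host "SHA256: $hash"
```

<p>A TTD recording of lsass.exe is a full instruction and memory trace of the process, so the .run file contains whatever key material LSASS handled while recording, including the gMSA's current and previous Kerberos keys and NT hashes. Treat the archive like a credential dump: send it only through the case file share, not by mail or to the list, and delete the local folder and zip once the case is closed.</p>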