[cifs-protocol] [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Jeff McCashland (He/him) jeffm at microsoft.com
Wed Dec 6 18:26:12 UTC 2023


Hi Joseph,

Thank you for letting us know about this. 

I have filed a request to clarify the documentation, and will follow up. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Tuesday, December 5, 2023 3:15 PM
To: Joseph Sutton <jsutton at samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: RE: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

I will see what we can do to make this more clear. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org>
Sent: Tuesday, December 5, 2023 1:50 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Oh, so when step 5.4 says, "let NewKeyID be the returned KeyID", that NewKeyID value is to become the new value of msDS-ManagedPasswordId? And the implied following step is "set TO!msDS-ManagedPasswordId to the value of NewKeyID"?

That makes sense, but I admit I would not have realized that from reading the documentation. Perhaps the documentation would be clearer if it stated how the variables NewKeyID and OldKeyID were to be used? It offers hints such as "do not return OldKeyID" (implying that the KeyIDs are to be "returned" in other cases) but nothing more plain than that.

Regards,
Joseph

On 6/12/23 8:48 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> In studying [MS-ADTS], I believe that initialization and updating of msDS-ManagedPasswordId is already documented in section 3.1.1.4.5.39 msDS-ManagedPassword, where this algorithm is described:
> 
> Define function GetgMSAPasswordBlob(TO: OBJECT), which returns an msDS-ManagedPassword BLOB structure (section 2.2.19) as follows using integer arithmetic where divisions are rounded down without a remainder.
> 
> The initialization occurs in step 5 where a new password and key id is created if msDS-ManagedPasswordId does not previously exist (or if the password interval is expired):
> 5.	If TO!msDS-ManagedPasswordId does not exist or CurrentKeyExpirationTime is less than the current time, then:
> 
> Steps 5.7, 6.5, and 7.5 all describe creating new keys and returning the old password/key as the Previous values:
> 
> 	5.	Call MarshalPassword() where:
> 		§	Current_Password contains NewPassword.
> 		§	Previous_Password contains OldPassword.
> 
> Do you disagree? Is this clear enough?
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
> Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> found here:
> http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Monday, December 4, 2023 9:52 AM
> To: Joseph Sutton <jsutton at samba.org>
> Cc: Microsoft Support <supportmail at microsoft.com>; 
> cifs-protocol at lists.samba.org
> Subject: RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> Hi Joseph,
> 
> That is my understanding, yes.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
> Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> found here:
> http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Sunday, December 3, 2023 8:12 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: Microsoft Support <supportmail at microsoft.com>; 
> cifs-protocol at lists.samba.org
> Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> Thank you. For clarification, does regenerating the passwords here involve updating the account's msDS-ManagedPasswordId attribute? and msDS-ManagedPasswordPreviousId, too?
> 
> Regards,
> Joseph
> 
> On 2/12/23 11:40 am, Jeff McCashland (He/him) wrote:
>> Hi Joseph,
>>
>> It appears that when the passwords are accessed, the interval is checked and the passwords are then regenerated if they have expired.
>>
>> Please let me know if this does not answer your question.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
>> Protocol Open Specifications Team
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
>> found here:
>> http://support.microsoft.com/globalenglish | Extension 1138300
>>
>> -----Original Message-----
>> From: Joseph Sutton <jsutton at samba.org>
>> Sent: Wednesday, November 29, 2023 1:52 PM
>> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
>> Cc: Microsoft Support <supportmail at microsoft.com>; 
>> cifs-protocol at lists.samba.org
>> Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting 
>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>
>> Hi,
>>
>> Thank you for those links. So much of the format of these attributes I had inferred from reading [MS-GKDI]: what I cannot find in either article are details on how the attributes' values are first set and then periodically updated.
>>
>> If I were to create a Group Managed Service Account right now and 
>> examined its msDS-ManagedPasswordId attribute, I might see a key 
>> index of (362, 0, 27). Say the interval after which the managed 
>> password was to be automatically changed was set to one day. If I 
>> were to examine the same attribute tomorrow, I might then see the key 
>> index had changed to (362, 0, 29). Furthermore, I might see that the 
>> msDS-ManagedPasswordPreviousId attribute (which had previously been
>> empty) had been assigned the previous day's key index (362, 0, 27).
>>
>> Evidently the values of these attributes must periodically be updated by some method in order for the managed password protocol to work. My question is: by what procedure should this be done?
>>
>> Regards,
>> Joseph
>>
>> On 30/11/23 7:34 am, Jeff McCashland (He/him) wrote:
>>> Hi Joseph,
>>>
>>> I found a couple of online resources that appear to describe how to 
>>> generate the msDS-ManagedPasswordId attribute:
>>>
>>> Introducing the Golden GMSA Attack
>>>
>>> https://securityboulevard.com/2022/03/introducing-the-golden-gmsa-attack/
>>>
>>> How to recover from a Golden gMSA attack
>>>
>>> https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/recover-from-golden-gmsa-attack
>>>
>>> Please let me know if these help any.
>>>
>>> Best regards,
>>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
>>>
>>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>>> (UTC-08:00) Pacific Time (US and Canada)
>>>
>>> Local country phone number found here:
>>> http://support.microsoft.com/globalenglish | Extension 1138300
>>>
>>> *From:*Jeff McCashland (He/him)
>>> *Sent:* Tuesday, November 28, 2023 8:28 AM
>>> *To:* Joseph Sutton <jsutton at samba.org>
>>> *Cc:* Microsoft Support <supportmail at microsoft.com>; 
>>> cifs-protocol at lists.samba.org
>>> *Subject:* RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
>>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>>
>>> [try again- Kristian to BCC
>>>
>>> *From:*Jeff McCashland (He/him)
>>> *Sent:* Tuesday, November 28, 2023 8:27 AM
>>> *To:* Kristian Smith <Kristian.Smith at microsoft.com>; Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
>>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>>> *Subject:* RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
>>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>>
>>> [Kristian to BCC]
>>>
>>> Hi Joseph,
>>>
>>> I will look into your question and let you know what I find.
>>>
>>> Best regards,
>>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
>>>
>>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>>> (UTC-08:00) Pacific Time (US and Canada)
>>>
>>> Local country phone number found here:
>>> http://support.microsoft.com/globalenglish | Extension 1138300
>>>
>>> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
>>> *Sent:* Monday, November 27, 2023 6:39 PM
>>> *To:* Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
>>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>>> *Subject:* Re: [EXTERNAL] [MS-ADTS] Procedure for setting 
>>> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
>>>
>>> [DocHelp to Bcc]
>>>
>>> [Case mail to Cc]
>>>
>>> Hi Joseph,
>>>
>>> Thank you for your request. The case number 2311280040000920 has 
>>> been created for this inquiry. One of our team members will follow 
>>> up with you soon.
>>>
>>> *Regards,*
>>>
>>> *Kristian Smith*
>>>
>>> Support Escalation Engineer | Azure DevOps, Windows Protocols | 
>>> Microsoft® Corporation
>>>
>>> *Office phone*: +1 425-421-4442
>>>
>>> *Email*: kristian.smith at microsoft.com
>>>
>>> *Working hours*: 8:00 am - 5:00 pm PST, Monday - Friday
>>>
>>> *Team Manager*: Gary Ranne garyra at microsoft.com
>>>
>>> *ServiceHub*:
>>> https://serviceshub.microsoft.com/support/contactsupport
>>>
>>> In case you don't hear from me, please call your regional number here:
>>> https://support.microsoft.com/help/13948/global-customer-service-phone-numbers.
>>>
>>> If you need assistance outside my normal working hours, please 
>>> reach out to devbu at microsoft.com. One of my colleagues will 
>>> gladly continue working on this issue.
>>>
>>> ----------------------------------------------------------------------
>>>
>>> *From:* Joseph Sutton <jsutton at samba.org>
>>> *Sent:* Monday, November 27, 2023 2:53 PM
>>> *To:* cifs-protocol at lists.samba.org; Interoperability 
>>> Documentation Help <dochelp at microsoft.com>
>>> *Subject:* [EXTERNAL] [MS-ADTS] Procedure for setting 
>>> msDS-ManagedPasswordId attribute
>>>
>>> Hi dochelp,
>>>
>>> The calculation of the msDS-ManagedPassword attribute depends upon 
>>> the values of two other important attributes, namely 
>>> msDS-ManagedPasswordId and msDS-ManagedPasswordPreviousId. I can't 
>>> find any documentation on how these two attributes are to be set 
>>> initially (on the creation of a Group Managed Service Account), nor 
>>> on how and when they are subsequently to be updated.
>>>
>>> Are you able to give me any information on the procedure by which 
>>> these attributes are assigned values? - Are they supposed to be 
>>> updated periodically?
>>>
>>> Regards,
>>> Joseph
>>>
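
Added example, not part of the thread and not the [MS-ADTS] algorithm itself: a simplified Python model of the rollover the thread settles on, where a read of the managed password finds the key ID missing or expired, takes NewKeyID as the new msDS-ManagedPasswordId, and moves the old value to msDS-ManagedPasswordPreviousId. The interval constants come from [MS-GKDI]; the expiry rule, the class and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constants from [MS-GKDI] (not quoted in the thread): one key interval lasts
# 10 hours, counted in 100 ns units since 1601-01-01 UTC, and the L1 and L2
# levels each hold 32 entries.
KEY_CYCLE_DURATION = 360_000_000_000
L1_KEY_ITERATION = 32
L2_KEY_ITERATION = 32
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

KeyIndex = Tuple[int, int, int]  # (L0, L1, L2), as written in the thread


def to_nt_time(when: datetime) -> int:
    """Convert an aware datetime to 100 ns ticks since 1601-01-01 UTC."""
    delta = when - NT_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def key_index_at(when: datetime) -> KeyIndex:
    """GKDI key index of the 10-hour interval that contains `when`."""
    n = to_nt_time(when) // KEY_CYCLE_DURATION
    per_l0 = L1_KEY_ITERATION * L2_KEY_ITERATION
    return (n // per_l0, (n // L2_KEY_ITERATION) % L1_KEY_ITERATION, n % L2_KEY_ITERATION)


def interval_start(index: KeyIndex) -> datetime:
    """Start time of the 10-hour interval named by a key index."""
    l0, l1, l2 = index
    n = (l0 * L1_KEY_ITERATION + l1) * L2_KEY_ITERATION + l2
    return NT_EPOCH + timedelta(microseconds=n * KEY_CYCLE_DURATION // 10)


@dataclass
class GmsaAccount:
    """Hypothetical stand-in for the directory object TO."""
    password_interval_days: int                               # msDS-ManagedPasswordInterval
    managed_password_id: Optional[KeyIndex] = None            # msDS-ManagedPasswordId
    managed_password_previous_id: Optional[KeyIndex] = None   # msDS-ManagedPasswordPreviousId


def read_managed_password(acct: GmsaAccount, now: datetime) -> Tuple[KeyIndex, Optional[KeyIndex]]:
    """Model of step 5 as discussed: roll the key ID on read if missing or expired."""
    old_key_id = acct.managed_password_id
    expired = False
    if old_key_id is not None:
        # Assumption: the key expires one password interval after its GKDI
        # interval starts. [MS-ADTS] defines CurrentKeyExpirationTime in more
        # detail than the thread quotes.
        expiration = interval_start(old_key_id) + timedelta(days=acct.password_interval_days)
        expired = expiration < now
    if old_key_id is None or expired:
        new_key_id = key_index_at(now)                  # "let NewKeyID be the returned KeyID"
        acct.managed_password_previous_id = old_key_id  # OldKeyID becomes the previous ID
        acct.managed_password_id = new_key_id           # the step the thread calls implied
    return acct.managed_password_id, acct.managed_password_previous_id


def simulate_daily_rollover() -> List[Tuple[KeyIndex, Optional[KeyIndex]]]:
    """Constructed timeline: reads at creation, 12 hours later and 24 hours later."""
    acct = GmsaAccount(password_interval_days=1)
    created = datetime(2023, 11, 29, 15, 0, tzinfo=timezone.utc)
    return [read_managed_password(acct, created + timedelta(hours=h)) for h in (0, 12, 24)]


if __name__ == "__main__":
    for current, previous in simulate_daily_rollover():
        print("current:", current, "previous:", previous)
```

With these constructed timestamps the model shows the same transition the thread uses as its illustration: (362, 0, 27) at creation, unchanged while the interval is live, then (362, 0, 29) with (362, 0, 27) recorded as the previous ID.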


