[cifs-protocol] [EXTERNAL] Re: [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
Jo Sutton
jsutton at samba.org
Tue Aug 6 05:06:18 UTC 2024
Hi Sreekanth,
Thank you. I couldn’t find IDL for NETLOGON_TICKET_LOGON_INFO, only a
diagram in [MS-APDS] 2.2.2.1, so I could well be using wrong IDL. If
it’s possible, it would be helpful to know which array couldn’t be
unmarshalled and for what reason.
Cheers,
Jo (she/her)
On 6/08/24 4:30 pm, Sreekanth Nadendla wrote:
> Hello Jo, the error occurred during unmarshalling the data sent from
> client. Specifically with Conformant Varying Array
> (https://learn.microsoft.com/en-us/windows/win32/rpc/arrays-tfs
> <https://learn.microsoft.com/en-us/windows/win32/rpc/arrays-tfs>)
>
> Perhaps the client and server stubs don't match and that is why server
> is unable to unmarshall the structure? While I debug this further, can
> you double check if your build used correct stubs generated from the
> updated idl file?
>
> Regards,
>
> Sreekanth Nadendla
>
> Microsoft Windows Open Specifications
>
>
> ------------------------------------------------------------------------
> *From:* Jo Sutton <jsutton at samba.org>
> *Sent:* Wednesday, July 31, 2024 10:41 PM
> *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* Re: [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
> Hi Sreekanth,
>
> Yes, I think I used the updated IDL. I’ve uploaded
> netlogon_ticket_logon_info_2.zip, which contains a trace of Windows
> Server 2022 sending RPC_NT_BAD_STUB_DATA in response to my
> NetlogonTicketLogonInformation message.
>
> Cheers,
> Jo (she/her)
>
> On 20/07/24 2:32 am, Sreekanth Nadendla wrote:
>> Hello Jo, Have you used the new IDL file from the updated MS-NRPC
>> specification? Please feel free to collect the data and upload it to the
>> workspace shared with you.
>>
>> Regards,
>>
>> Sreekanth Nadendla
>>
>> Microsoft Windows Open Specifications
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Jo Sutton <jsutton at samba.org>
>> *Sent:* Friday, July 19, 2024 12:31 AM
>> *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>> Hi Sreekanth,
>>
>> Thank you for your helpful response! It seems I still haven’t got it
>> quite right, as Windows responds with RPC_NT_BAD_STUB_DATA when I send
>> the NetlogonTicketLogonInformation message. May I upload more traces
>> next week so I can find out where I’ve gone wrong?
>>
>> Cheers,
>> Jo (she/her)
>>
>> On 19/07/24 6:40 am, Sreekanth Nadendla wrote:
>>> Hello Jo, please review the latest copy of [MS-NRPC]. It has the
>>> updated IDL definitions as well. As of now, [MS-APDS] is still being
>>> updated. The following information should be helpful in the meantime.
>>>
>>> MS-APDS Section 3.2.5.1 shows messagetype field should be set to
>>> 0x00000026. The actual design did not introduce such message type. We
>>> are using a new logonlevel i.e. NETLOGON_LEVEL of
>>> NetlogonTicketLogonInformation and a new validationLevel i.e.
>>> NETLOGON_VALIDATION of NetlogonValidationTicketLogon.
>>>
>>> 1.
>>> From MS-APDS Section 3.2.5.1, we see the
>>> NETLOGON_TICKET_LOGON_INFO is layered on top of generic pass
>>> through structure however MS-NRPC section 2.2.1.4.6 defines
>>> TicketLogon as a new NETLOGON_LEVEL struct which refers
>>> to NETLOGON_TICKET_LOGON_INFO.
>>> The NETLOGON_TICKET_LOGON_INFO message does not utilize
>>> Generic Passthrough as described in MS-APDS 3.2.5.1. Instead, you
>>> will be using /LogonLevel/ parameter 8
>>> (_NetlogonTicketLogonInformation
>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-nrpc%2F8c7808e5-4e5c-420e-9c90-47286da2218f&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327344092%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Nm%2FgJN3xJLwKqsqzMtyawzVSC7p5kB8pUdytxNsL0IA%3D&reserved=0 <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/8c7808e5-4e5c-420e-9c90-47286da2218f>>_ <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-nrpc%2F8c7808e5-4e5c-420e-9c90-47286da2218f&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327355025%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bfFedk7NsQ2Sjz7qXgE8svk2wn%2FpiDb7NVgrhZdygtM%3D&reserved=0 <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/8c7808e5-4e5c-420e-9c90-47286da2218f>>)
>>> 1.
>>>
>>> 2.
>>> Generic Passthrough returns
>>> NETLOGON_VALIDATION_GENERIC_INFO2. But the new TicketLogon will
>>> return NETLOGON_VALIDATION_TICKET_LOGON.
>>> 1.
>>> As NETLOGON_TICKET_LOGON_INFO message does not actually utilize
>>> Generic Passthrough, you will use /ValidationLevel/ parameter is
>>> 7 (_NetLogonValidationTicketLogon
>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-nrpc%2F95154ae4-d305-43e5-82e4-d5353e0f117c&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327358674%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Qz67z7x650eKr%2FoBUryu%2B5IUUAE0DCrmxwZIe5ST82k%3D&reserved=0 <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/95154ae4-d305-43e5-82e4-d5353e0f117c>>_ <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-nrpc%2F95154ae4-d305-43e5-82e4-d5353e0f117c&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327361691%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=5RHPYtY6QcTuxgy6xz3JIEc6oi1sskor0BfDwy1Pwvw%3D&reserved=0 <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/95154ae4-d305-43e5-82e4-d5353e0f117c>>),
>>> 1.
>>>
>>> 2.
>>>
>>> You can find a list of applicable Windows OS versions that have this
>>> security update from the following link (click the “More…” link below
>>> the title)
>>>
>>> 3.
>>> _https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fkb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327364718%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=VVzvoJun5vKBMruHjeP0SvcYpzmv4a33w9C6DdE9rxA%3D&reserved=0
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fkb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327368688%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=pZVRoogzqmI6vwZx%2B%2BDREYOkZ9z3CEI0AqdMqknkJiY%3D&reserved=0
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fkb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327372714%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=7hM4iTXDtlFYE8RQYdMStT5w%2B2tA3E6QE8l2rIC%2FPy8%3D&reserved=0 <https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1>>>_
>>>
>>> This list does not include Server 2025, but it also contains this
>>> update.
>>>
>>>
>>> Please let me know if you have additional questions.
>>>
>>> Regards,
>>>
>>> Sreekanth Nadendla
>>>
>>> Microsoft Windows Open Specifications
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Jo Sutton <jsutton at samba.org>
>>> *Sent:* Tuesday, July 16, 2024 12:33 AM
>>> *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>>> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>>> *Subject:* Re: [cifs-protocol] [EXTERNAL] Re: [MS-APDS]
>>> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>>> For completeness’ sake, I ran the same procedure against a Windows
>>> Server 2022 host, and got exactly the same STATUS_INVALID_PARAMETER
>>> error. For MessageType I tried both 0x00000003 and 0x00000026 (and many
>>> other values, for good measure).
>>>
>>> Cheers,
>>> Jo (she/her)
>>>
>>> On 10/07/24 2:08 pm, Jo Sutton via cifs-protocol wrote:
>>> > Hi Sreekanth,
>>> >
>>> > I’m afraid that using 0x03 for the message type still gets me
>>> > STATUS_INVALID_PARAMETER codes.
>>> >
>>> > 0x03 is the message type corresponding to KERB_VERIFY_PAC_REQUEST, which
>>> > is used for the older method of PAC verification. But the message I’m
>>> > attempting to send is NETLOGON_TICKET_LOGON_INFO ([MS-APDS] 2.2.2.1),
>>> > which includes the entire Kerberos ticket and is used in the newer
>>> > method of PAC verification.
>>> >
>>> > What do I need to do to get Windows Server 2019 to accept a
>>> > NETLOGON_TICKET_LOGON_INFO message? I don’t see any information
>>> > indicating that Windows Server 2019 doesn’t support such messages.
>>> >
>>> > Cheers,
>>> > Jo (she/her)
>>> >
>>> > On 10/07/24 7:12 am, Sreekanth Nadendla wrote:
>>> >> Hello Jo, can you change the message type from 0x00000026 ( byte
>>> >> sequence seen as 26 00 00 00 below) to 0x00000003 (to indicate
>>> >> message type of KerbVerifyPacMessage) and try this again ?
>>> >>
>>> >> 0:002> db ProtocolSubmitBuffer L0x5e0
>>> >>
>>> >> 00000218`69819c80 26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00
>>> >> &.......!.1.....
>>> >> 00000218`69819c90 00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00
>>> >> ................
>>> >> 00000218`69819ca0 61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b
>>> >> a...0...........
>>> >> .. ..... .. ..... .. .....
>>> >> .. ..... .. ..... .. .....
>>> >> .. ..... .. ..... .. .....
>>> >> 00000218`6981a250 85 1d 35 87 38 7d b1 5b-52 c0 c3 e4 30 c8 77 7d
>>> >> ..5.8}.[R...0.w}
>>> >>
>>> >> Regards,
>>> >>
>>> >> Sreekanth Nadendla
>>> >>
>>> >> Microsoft Windows Open Specifications
>>> >>
>>> >>
>>> >> ------------------------------------------------------------------------
>>> >> *From:* Jo Sutton <jsutton at samba.org>
>>> >> *Sent:* Tuesday, July 2, 2024 6:23 PM
>>> >> *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>>> >> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>>> >> *Cc:* Microsoft Support <supportmail at microsoft.com>
>>> >> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>>> >> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>>> >> Thank you, Sreekanth. I’ve uploaded a trace and network capture of a
>>> >> call to NetrLogonSamLogonEx() attempting to validate a service ticket.
>>> >>
>>> >> Cheers,
>>> >> Jo (she/her)
>>> >>
>>> >> On 3/07/24 2:02 am, Sreekanth Nadendla wrote:
>>> >> > Hello Jo, you may have gotten an invitation to upload files by now.
>>> >> > Please check your e-mail folders and let me know otherwise.
>>> >> >
>>> >> > Regards,
>>> >> >
>>> >> > Sreekanth Nadendla
>>> >> >
>>> >> > Microsoft Windows Open Specifications
>>> >> >
>>> >> >
>>> >> ------------------------------------------------------------------------
>>> >> > *From:* Jo Sutton <jsutton at samba.org>
>>> >> > *Sent:* Monday, July 1, 2024 10:01 PM
>>> >> > *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>>> >> > cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>>> >> > *Cc:* Microsoft Support <supportmail at microsoft.com>
>>> >> > *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>>> >> > NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>>> >> > On second thoughts, I’d rather not send traces via unencrypted email.
>>> >> > Can you provide somewhere for me to upload them?
>>> >> >
>>> >> > Cheers,
>>> >> > Jo (she/her)
>>> >> >
>>> >> > On 2/07/24 1:57 pm, Jo Sutton via cifs-protocol wrote:
>>> >> >> [moving back to cifs-protocol]
>>> >> >>
>>> >> >> Hi Sreekanth,
>>> >> >>
>>> >> >> Call me Jo :)
>>> >> >>
>>> >> >> As I can’t seem to upload the traces via the link you sent me,
>>> >> I’ll try
>>> >> >> to email them to you directly.
>>> >> >>
>>> >> >> The reason for asking about NETLOGON_TICKET_LOGON_INFO is that we’re
>>> >> >> looking to address
>>> >>
>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327375786%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=6N2KbmKTYun%2BZ1xmECBrJvs4p8rmavhx8QfUGuuH2YY%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327378909%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=fn6luE9dNX125IDJhDLVzFFtxHUqVF5YED4vBJPMW7E%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327381834%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=q54fkaHzvBl%2Fx5HbawzKysIu9zTWlkQmI%2FJ6P%2BOOeLU%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327384751%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=UFEI%2Bc0BaEDNOQPXvV9e9vYbWtWCabB2TLWNOu8y%2FbE%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327387630%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=oWILqwdii1Sk59PJccG%2FBm2Nr%2BLrWR8W5zftukwQZWc%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327390442%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=M0GJWUVvzBCgJ2vT%2F6VTmZMLK8s7%2BmNYqdQPV8AYLmE%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327393209%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=%2BzNH0leTGD6lDWqe1T%2FrguImAjPXaRAu8QWA1PbTr1Q%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249>>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327396011%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=k2MoKF3DBuj61QqHuuMculXK%2B6eEjCuXUVjcUEetZI4%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327398785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=APARqEUDRPsWov5r8nR1hSKOiVsSA6j9%2FRy%2FhR2ha88%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327401601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=zp4%2BHhtMme%2FBVgCCGXFY%2BPe9hGK7vOjXfhAHYyMmcuc%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327404327%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=kuTVAK77lt5FatGY14kYtjeDIQsWBG7nt9Q2TWSPJnE%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249>>>>>.
>>> >> >>
>>> >> >> Cheers,
>>> >> >> Jo (she/her)
>>> >> >>
>>> >> >> On 14/06/24 3:39 am, Sreekanth Nadendla wrote:
>>> >> >>> Hello Joseph, I've sent you instructions to download time travel
>>> >> trace
>>> >> >>> tool to collect traces for lass process earlier. But we were
>>> >> informed
>>> >> >>> by Andrew Bartlet that the reason why you've raised the login issue
>>> >> >>> with [MS-APDS] NETLOGON_TICKET_LOGON_INFO is that you are
>>> looking to
>>> >> >>> resolve a privilege escalation problem via enforcement of PAC
>>> >> >>> verification. I could not see how these two issues are connected
>>> >> >>> hence I'm unable to continue the investigation on my own (while you
>>> >> >>> are away dealing with a personal issue).
>>> >> >>> Please let us know whenever you are ready and we will gather the
>>> >> >>> details, data to investigate the issue you are experiencing.
>>> >> >>>
>>> >> >>> Regards,
>>> >> >>>
>>> >> >>> Sreekanth Nadendla
>>> >> >>>
>>> >> >>> Microsoft Windows Open Specifications
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> From: Jo Sutton <jsutton at samba.org>
>>> >> >>>
>>> >> >>> Sent: Monday, May 20, 2024 9:49 PM
>>> >> >>> To: cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>;
>>> >> >>> Interoperability Documentation Help <dochelp at microsoft.com>
>>> >> >>> Subject: [EXTERNAL] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message
>>> >> >>> [Some people who received this message don't often get email from
>>> >> >>> jsutton at samba.org. Learn why this is important at
>>> >> >>> https://aka.ms/LearnAboutSenderIdentification
> <https://aka.ms/LearnAboutSenderIdentification>
>> <https://aka.ms/LearnAboutSenderIdentification
> <https://aka.ms/LearnAboutSenderIdentification>>
>>> <https://aka.ms/LearnAboutSenderIdentification
>> <https://aka.ms/LearnAboutSenderIdentification
> <https://aka.ms/LearnAboutSenderIdentification>>>
>>> >> <https://aka.ms/LearnAboutSenderIdentification
>>> <https://aka.ms/LearnAboutSenderIdentification
>> <https://aka.ms/LearnAboutSenderIdentification
> <https://aka.ms/LearnAboutSenderIdentification>>>>
>>> >> > <https://aka.ms/LearnAboutSenderIdentification
>>> >> <https://aka.ms/LearnAboutSenderIdentification
>>> <https://aka.ms/LearnAboutSenderIdentification
>> <https://aka.ms/LearnAboutSenderIdentification
> <https://aka.ms/LearnAboutSenderIdentification>>>>> ]
>>> >> >>>
>>> >> >>> Hi dochelp,
>>> >> >>>
>>> >> >>> I’m trying to follow [MS-APDS] 2.2.2.1, “NETLOGON_TICKET_LOGON_INFO
>>> >> >>> Message”, in order to create a NETLOGON_TICKET_LOGON_INFO message
>>> >> that
>>> >> >>> will be accepted by Windows Server 2019. However, in my attempts
>>> >> so far,
>>> >> >>> all I’ve got is STATUS_INVALID_PARAMETER codes from
>>> >> NetrLogonSamLogonEx.
>>> >> >>>
>>> >> >>> Although [MS-APDS] doesn’t mention it, I assume
>>> >> >>> NETLOGON_TICKET_LOGON_INFO should contain an unsigned 32‐bit
>>> >> MessageType
>>> >> >>> field, set to 0x00000026, that indicates the message is a
>>> >> >>> NETLOGON_TICKET_LOGON_INFO message. Other than that, I’m not sure
>>> >> what
>>> >> >>> I’m doing wrong. Are the ticket fields arrays, are depicted in the
>>> >> >>> diagram, or pointers, as claimed in the documentation?
>>> >> >>>
>>> >> >>> I can provide traces showing the problem if you would like.
>>> >> >>>
>>> >> >>> Cheers,
>>> >> >>> Jo (she/her)
>>> >> >>
>>> >> >>
>>> >> >> _______________________________________________
>>> >> >> cifs-protocol mailing list
>>> >> >> cifs-protocol at lists.samba.org
>>> >> >>
>>> >>
>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327407308%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=cXrdstI%2BFjz4GP9lSChtOKS3qCghoRXpxuRfExbKUIU%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327410056%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=9p0NeKkxWLG8D5COLIDonDLscY5RPQTDhtL%2BqiTH2Qg%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327412805%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=MlzPZLPK8e7r%2FWRZd66ROH8oFjUqUOQEmNg3mhcPTOw%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327415542%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=FuE%2FXlmXOoo26%2BNWfaWUKXjtORG5%2FTH2xNmKhco6vkE%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327418313%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=SfGhCuoaurN4HyZUXjjxg1C1b09KCcG1n8i80Pq1jd8%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327421050%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=1pVNkKuYH5Lqlr9ajvn2t%2FmVza274WzQKvYkcGoUAS8%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327423828%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Bwj%2BZ5HLYG1vMoEfvxoE6PKnXYSfeaQk4qNPo6ctVOc%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol>>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327426546%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=2974BngbXxNIlX3QSm6SjsLgqN6VzY2mVLSuU34EJP8%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327429259%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=%2FnE1LaWAQ3GeMdb1XQxfUzSlaTHCs7h1WRXo3IpJqUg%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327431954%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Tqev5S01mLnJzpRcW7%2F4t0aJ3ywF1hQUfxM1tibhCHU%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327434706%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=oZ87Tt0Ln7NY4GRKaVK1NnroDRjiPj3Nr7Qqv4DXqYs%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol>>>>>
>>> >
>>> >
>>> > _______________________________________________
>>> > cifs-protocol mailing list
>>> > cifs-protocol at lists.samba.org
>>> >
>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327437530%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=T9j4QGbpcJuyek8QYUZdPzTDFD%2FgSS%2BZo4LS9L6iyHE%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327440433%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=dTzyUQECy2SlN3%2FX%2B0Llx9iWB6QwGeN3pV%2B3ZiMjSUQ%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327443210%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=zmdPupMbuzdcGII9iPKSYD1ZWKwTJx%2FuyslK1IDm1lg%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C486ba47e7fee4a3849ca08dcb1d389cb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638580769327445942%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=K0grEmfryE4nuNxPVKdK%2FxaX5LIThTsve5sgHgBwR2c%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol>>>
>
More information about the cifs-protocol
mailing list