[cifs-protocol] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397

Jo Sutton jsutton at samba.org
Tue Jul 2 22:23:14 UTC 2024


Thank you, Sreekanth. I’ve uploaded a trace and network capture of a 
call to NetrLogonSamLogonEx() attempting to validate a service ticket.

Cheers,
Jo (she/her)

On 3/07/24 2:02 am, Sreekanth Nadendla wrote:
> Hello Jo,  you may have gotten an invitation to upload files by now. 
> Please check your e-mail folders and let me know otherwise.
> 
> Regards,
> 
> Sreekanth Nadendla
> 
> Microsoft Windows Open Specifications
> 
> ------------------------------------------------------------------------
> *From:* Jo Sutton <jsutton at samba.org>
> *Sent:* Monday, July 1, 2024 10:01 PM
> *To:* Sreekanth Nadendla <srenaden at microsoft.com>; 
> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS] 
> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
> On second thoughts, I’d rather not send traces via unencrypted email.
> Can you provide somewhere for me to upload them?
> 
> Cheers,
> Jo (she/her)
> 
> On 2/07/24 1:57 pm, Jo Sutton via cifs-protocol wrote:
>> [moving back to cifs-protocol]
>> 
>> Hi Sreekanth,
>> 
>> Call me Jo :)
>> 
>> As I can’t seem to upload the traces via the link you sent me, I’ll try 
>> to email them to you directly.
>> 
>> The reason for asking about NETLOGON_TICKET_LOGON_INFO is that we’re 
>> looking to address https://bugzilla.samba.org/show_bug.cgi?id=15249.
>> 
>> Cheers,
>> Jo (she/her)
>> 
>> On 14/06/24 3:39 am, Sreekanth Nadendla wrote:
>>> Hello Joseph, I've sent you instructions to download time travel trace 
>>> tool to collect traces for lsass process earlier. But we were informed 
>>> by Andrew Bartlett that the reason why you've raised the login issue 
>>> with [MS-APDS] NETLOGON_TICKET_LOGON_INFO is that you are looking to 
>>> resolve a privilege escalation problem via enforcement of PAC 
>>> verification.  I could not see how these two issues are connected 
>>> hence I'm unable to continue the investigation on my own (while you 
>>> are away dealing with a personal issue).
>>> Please let us know whenever you are ready and we will gather the 
>>> details, data to investigate the issue you are experiencing.
>>>
>>> Regards,
>>>
>>> Sreekanth Nadendla
>>>
>>> Microsoft Windows Open Specifications
>>>
>>> From: Jo Sutton <jsutton at samba.org>
>>> Sent: Monday, May 20, 2024 9:49 PM
>>> To: cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>; 
>>> Interoperability Documentation Help <dochelp at microsoft.com>
>>> Subject: [EXTERNAL] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message
>>>
>>> Hi dochelp,
>>>
>>> I’m trying to follow [MS-APDS] 2.2.2.1, “NETLOGON_TICKET_LOGON_INFO
>>> Message”, in order to create a NETLOGON_TICKET_LOGON_INFO message that
>>> will be accepted by Windows Server 2019. However, in my attempts so far,
>>> all I’ve got is STATUS_INVALID_PARAMETER codes from NetrLogonSamLogonEx.
>>>
>>> Although [MS-APDS] doesn’t mention it, I assume
>>> NETLOGON_TICKET_LOGON_INFO should contain an unsigned 32‐bit MessageType
>>> field, set to 0x00000026, that indicates the message is a
>>> NETLOGON_TICKET_LOGON_INFO message. Other than that, I’m not sure what
>>> I’m doing wrong. Are the ticket fields arrays, as depicted in the
>>> diagram, or pointers, as claimed in the documentation?
>>>
>>> I can provide traces showing the problem if you would like.
>>>
>>> Cheers,
>>> Jo (she/her)