[cifs-protocol] [EXTERNAL] Re: [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397

Tue Jul 16 04:33:49 UTC 2024

For completeness’ sake, I ran the same procedure against a Windows 
Server 2022 host, and got exactly the same STATUS_INVALID_PARAMETER 
error. For MessageType I tried both 0x00000003 and 0x00000026 (and many 
other values, for good measure).

Cheers,
Jo (she/her)

On 10/07/24 2:08 pm, Jo Sutton via cifs-protocol wrote:
> Hi Sreekanth,
> 
> I’m afraid that using 0x03 for the message type still gets me 
> STATUS_INVALID_PARAMETER codes.
> 
> 0x03 is the message type corresponding to KERB_VERIFY_PAC_REQUEST, which 
> is used for the older method of PAC verification. But the message I’m 
> attempting to send is NETLOGON_TICKET_LOGON_INFO ([MS-APDS] 2.2.2.1), 
> which includes the entire Kerberos ticket and is used in the newer 
> method of PAC verification.
> 
> What do I need to do to get Windows Server 2019 to accept a 
> NETLOGON_TICKET_LOGON_INFO message? I don’t see any information 
> indicating that Windows Server 2019 doesn’t support such messages.
> 
> Cheers,
> Jo (she/her)
> 
> On 10/07/24 7:12 am, Sreekanth Nadendla wrote:
>> Hello Jo, can you change the message type from 0x00000026  ( byte 
>> sequence seen as 26 00 00 00 below)  to 0x00000003 (to indicate 
>> message type of KerbVerifyPacMessage) and try this again ?
>>
>> 0:002> db ProtocolSubmitBuffer L0x5e0
>>
>> 00000218`69819c80  26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00 
>>   &.......!.1.....
>> 00000218`69819c90  00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00 
>>   ................
>> 00000218`69819ca0  61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b 
>>   a...0...........
>> .. ..... .. ..... .. .....
>> .. ..... .. ..... .. .....
>> .. ..... .. ..... .. .....
>> 00000218`6981a250  85 1d 35 87 38 7d b1 5b-52 c0 c3 e4 30 c8 77 7d 
>>   ..5.8}.[R...0.w}
>>
>> Regards,
>>
>> Sreekanth Nadendla
>>
>> Microsoft Windows Open Specifications
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Jo Sutton <jsutton at samba.org>
>> *Sent:* Tuesday, July 2, 2024 6:23 PM
>> *To:* Sreekanth Nadendla <srenaden at microsoft.com>; 
>> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS] 
>> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>> Thank you, Sreekanth. I’ve uploaded a trace and network capture of a
>> call to NetrLogonSamLogonEx() attempting to validate a service ticket.
>>
>> Cheers,
>> Jo (she/her)
>>
>> On 3/07/24 2:02 am, Sreekanth Nadendla wrote:
>>  > Hello Jo,  you may have gotten an invitation to upload files by now.
>>  > Please check your e-mail folders and let me know otherwise.
>>  >
>>  > Regards,
>>  >
>>  > Sreekanth Nadendla
>>  >
>>  > Microsoft Windows Open Specifications
>>  >
>>  > 
>> ------------------------------------------------------------------------
>>  > *From:* Jo Sutton <jsutton at samba.org>
>>  > *Sent:* Monday, July 1, 2024 10:01 PM
>>  > *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>>  > cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>>  > *Cc:* Microsoft Support <supportmail at microsoft.com>
>>  > *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>>  > NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>>  > On second thoughts, I’d rather not send traces via unencrypted email.
>>  > Can you provide somewhere for me to upload them?
>>  >
>>  > Cheers,
>>  > Jo (she/her)
>>  >
>>  > On 2/07/24 1:57 pm, Jo Sutton via cifs-protocol wrote:
>>  >> [moving back to cifs-protocol]
>>  >>
>>  >> Hi Sreekanth,
>>  >>
>>  >> Call me Jo :)
>>  >>
>>  >> As I can’t seem to upload the traces via the link you sent me, 
>> I’ll try
>>  >> to email them to you directly.
>>  >>
>>  >> The reason for asking about NETLOGON_TICKET_LOGON_INFO is that we’re
>>  >> looking to address 
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C75a58a64714f49fb27ff08dc9ae5974e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638555558091508750%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=HMGP0yGxJKmnWCLFOEqNFxhu4wmRTFFEkmMglpvvdsk%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C75a58a64714f49fb27ff08dc9ae5974e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638555558091515894%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=nk4AC9bEfOPKGFmU2TfyeuKEf1%2B10GWmqe82CuXJ9Cg%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249>>.
>>  >>
>>  >> Cheers,
>>  >> Jo (she/her)
>>  >>
>>  >> On 14/06/24 3:39 am, Sreekanth Nadendla wrote:
>>  >>> Hello Joseph, I've sent you instructions to download time travel 
>> trace
>>  >>> tool to collect traces for lass process earlier. But we were 
>> informed
>>  >>> by Andrew Bartlet that the reason why you've raised the login issue
>>  >>> with [MS-APDS] NETLOGON_TICKET_LOGON_INFO is that you are looking to
>>  >>> resolve a privilege escalation problem via enforcement of PAC
>>  >>> verification.  I could not see how these two issues are connected
>>  >>> hence I'm unable to continue the investigation on my own (while you
>>  >>> are away dealing with a personal issue).
>>  >>> Please let us know whenever you are ready and we will gather the
>>  >>> details, data to investigate the issue you are experiencing.
>>  >>>
>>  >>> Regards,
>>  >>>
>>  >>> Sreekanth Nadendla
>>  >>>
>>  >>> Microsoft Windows Open Specifications
>>  >>>
>>  >>>
>>  >>>
>>  >>>
>>  >>>
>>  >>>
>>  >>> From: Jo Sutton <jsutton at samba.org>
>>  >>>
>>  >>> Sent: Monday, May 20, 2024 9:49 PM
>>  >>> To: cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>;
>>  >>> Interoperability Documentation Help <dochelp at microsoft.com>
>>  >>> Subject: [EXTERNAL] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message
>>  >>> [Some people who received this message don't often get email from
>>  >>> jsutton at samba.org. Learn why this is important at
>>  >>> https://aka.ms/LearnAboutSenderIdentification 
>> <https://aka.ms/LearnAboutSenderIdentification>
>>  > <https://aka.ms/LearnAboutSenderIdentification 
>> <https://aka.ms/LearnAboutSenderIdentification>> ]
>>  >>>
>>  >>> Hi dochelp,
>>  >>>
>>  >>> I’m trying to follow [MS-APDS] 2.2.2.1, “NETLOGON_TICKET_LOGON_INFO
>>  >>> Message”, in order to create a NETLOGON_TICKET_LOGON_INFO message 
>> that
>>  >>> will be accepted by Windows Server 2019. However, in my attempts 
>> so far,
>>  >>> all I’ve got is STATUS_INVALID_PARAMETER codes from 
>> NetrLogonSamLogonEx.
>>  >>>
>>  >>> Although [MS-APDS] doesn’t mention it, I assume
>>  >>> NETLOGON_TICKET_LOGON_INFO should contain an unsigned 32‐bit 
>> MessageType
>>  >>> field, set to 0x00000026, that indicates the message is a
>>  >>> NETLOGON_TICKET_LOGON_INFO message. Other than that, I’m not sure 
>> what
>>  >>> I’m doing wrong. Are the ticket fields arrays, are depicted in the
>>  >>> diagram, or pointers, as claimed in the documentation?
>>  >>>
>>  >>> I can provide traces showing the problem if you would like.
>>  >>>
>>  >>> Cheers,
>>  >>> Jo (she/her)
>>  >>
>>  >>
>>  >> _______________________________________________
>>  >> cifs-protocol mailing list
>>  >> cifs-protocol at lists.samba.org
>>  >> 
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C75a58a64714f49fb27ff08dc9ae5974e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638555558091520380%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=tGxKsECefd%2BvJi43VcUG9n3OCpSX0btiR%2F91JNmOBU0%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C75a58a64714f49fb27ff08dc9ae5974e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638555558091524297%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=GorMFBW%2BtUUedY7w9Cv1aExzAv%2F0LpAmIqVUJGeq8jE%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol>>
> 
> 
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol