[cifs-protocol] [EXTERNAL] Re: [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
Jo Sutton
jsutton at samba.org
Tue Jul 16 04:33:49 UTC 2024
For completeness’ sake, I ran the same procedure against a Windows
Server 2022 host, and got exactly the same STATUS_INVALID_PARAMETER
error. For MessageType I tried both 0x00000003 and 0x00000026 (and many
other values, for good measure).
Cheers,
Jo (she/her)
On 10/07/24 2:08 pm, Jo Sutton via cifs-protocol wrote:
> Hi Sreekanth,
>
> I’m afraid that using 0x03 for the message type still gets me
> STATUS_INVALID_PARAMETER codes.
>
> 0x03 is the message type corresponding to KERB_VERIFY_PAC_REQUEST, which
> is used for the older method of PAC verification. But the message I’m
> attempting to send is NETLOGON_TICKET_LOGON_INFO ([MS-APDS] 2.2.2.1),
> which includes the entire Kerberos ticket and is used in the newer
> method of PAC verification.
>
> What do I need to do to get Windows Server 2019 to accept a
> NETLOGON_TICKET_LOGON_INFO message? I don’t see any information
> indicating that Windows Server 2019 doesn’t support such messages.
>
> Cheers,
> Jo (she/her)
>
> On 10/07/24 7:12 am, Sreekanth Nadendla wrote:
>> Hello Jo, can you change the message type from 0x00000026 ( byte
>> sequence seen as 26 00 00 00 below) to 0x00000003 (to indicate
>> message type of KerbVerifyPacMessage) and try this again ?
>>
>> 0:002> db ProtocolSubmitBuffer L0x5e0
>>
>> 00000218`69819c80 26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00
>> &.......!.1.....
>> 00000218`69819c90 00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00
>> ................
>> 00000218`69819ca0 61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b
>> a...0...........
>> .. ..... .. ..... .. .....
>> .. ..... .. ..... .. .....
>> .. ..... .. ..... .. .....
>> 00000218`6981a250 85 1d 35 87 38 7d b1 5b-52 c0 c3 e4 30 c8 77 7d
>> ..5.8}.[R...0.w}
>>
>> Regards,
>>
>> Sreekanth Nadendla
>>
>> Microsoft Windows Open Specifications
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Jo Sutton <jsutton at samba.org>
>> *Sent:* Tuesday, July 2, 2024 6:23 PM
>> *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>> Thank you, Sreekanth. I’ve uploaded a trace and network capture of a
>> call to NetrLogonSamLogonEx() attempting to validate a service ticket.
>>
>> Cheers,
>> Jo (she/her)
>>
>> On 3/07/24 2:02 am, Sreekanth Nadendla wrote:
>> > Hello Jo, you may have gotten an invitation to upload files by now.
>> > Please check your e-mail folders and let me know otherwise.
>> >
>> > Regards,
>> >
>> > Sreekanth Nadendla
>> >
>> > Microsoft Windows Open Specifications
>> >
>> >
>> ------------------------------------------------------------------------
>> > *From:* Jo Sutton <jsutton at samba.org>
>> > *Sent:* Monday, July 1, 2024 10:01 PM
>> > *To:* Sreekanth Nadendla <srenaden at microsoft.com>;
>> > cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
>> > *Cc:* Microsoft Support <supportmail at microsoft.com>
>> > *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
>> > NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>> > On second thoughts, I’d rather not send traces via unencrypted email.
>> > Can you provide somewhere for me to upload them?
>> >
>> > Cheers,
>> > Jo (she/her)
>> >
>> > On 2/07/24 1:57 pm, Jo Sutton via cifs-protocol wrote:
>> >> [moving back to cifs-protocol]
>> >>
>> >> Hi Sreekanth,
>> >>
>> >> Call me Jo :)
>> >>
>> >> As I can’t seem to upload the traces via the link you sent me,
>> I’ll try
>> >> to email them to you directly.
>> >>
>> >> The reason for asking about NETLOGON_TICKET_LOGON_INFO is that we’re
>> >> looking to address
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C75a58a64714f49fb27ff08dc9ae5974e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638555558091508750%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=HMGP0yGxJKmnWCLFOEqNFxhu4wmRTFFEkmMglpvvdsk%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.samba.org%2Fshow_bug.cgi%3Fid%3D15249&data=05%7C02%7Csrenaden%40microsoft.com%7C75a58a64714f49fb27ff08dc9ae5974e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638555558091515894%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=nk4AC9bEfOPKGFmU2TfyeuKEf1%2B10GWmqe82CuXJ9Cg%3D&reserved=0 <https://bugzilla.samba.org/show_bug.cgi?id=15249>>.
>> >>
>> >> Cheers,
>> >> Jo (she/her)
>> >>
>> >> On 14/06/24 3:39 am, Sreekanth Nadendla wrote:
>> >>> Hello Joseph, I've sent you instructions to download time travel
>> trace
>> >>> tool to collect traces for lass process earlier. But we were
>> informed
>> >>> by Andrew Bartlet that the reason why you've raised the login issue
>> >>> with [MS-APDS] NETLOGON_TICKET_LOGON_INFO is that you are looking to
>> >>> resolve a privilege escalation problem via enforcement of PAC
>> >>> verification. I could not see how these two issues are connected
>> >>> hence I'm unable to continue the investigation on my own (while you
>> >>> are away dealing with a personal issue).
>> >>> Please let us know whenever you are ready and we will gather the
>> >>> details, data to investigate the issue you are experiencing.
>> >>>
>> >>> Regards,
>> >>>
>> >>> Sreekanth Nadendla
>> >>>
>> >>> Microsoft Windows Open Specifications
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> From: Jo Sutton <jsutton at samba.org>
>> >>>
>> >>> Sent: Monday, May 20, 2024 9:49 PM
>> >>> To: cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>;
>> >>> Interoperability Documentation Help <dochelp at microsoft.com>
>> >>> Subject: [EXTERNAL] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message
>> >>> [Some people who received this message don't often get email from
>> >>> jsutton at samba.org. Learn why this is important at
>> >>> https://aka.ms/LearnAboutSenderIdentification
>> <https://aka.ms/LearnAboutSenderIdentification>
>> > <https://aka.ms/LearnAboutSenderIdentification
>> <https://aka.ms/LearnAboutSenderIdentification>> ]
>> >>>
>> >>> Hi dochelp,
>> >>>
>> >>> I’m trying to follow [MS-APDS] 2.2.2.1, “NETLOGON_TICKET_LOGON_INFO
>> >>> Message”, in order to create a NETLOGON_TICKET_LOGON_INFO message
>> that
>> >>> will be accepted by Windows Server 2019. However, in my attempts
>> so far,
>> >>> all I’ve got is STATUS_INVALID_PARAMETER codes from
>> NetrLogonSamLogonEx.
>> >>>
>> >>> Although [MS-APDS] doesn’t mention it, I assume
>> >>> NETLOGON_TICKET_LOGON_INFO should contain an unsigned 32‐bit
>> MessageType
>> >>> field, set to 0x00000026, that indicates the message is a
>> >>> NETLOGON_TICKET_LOGON_INFO message. Other than that, I’m not sure
>> what
>> >>> I’m doing wrong. Are the ticket fields arrays, are depicted in the
>> >>> diagram, or pointers, as claimed in the documentation?
>> >>>
>> >>> I can provide traces showing the problem if you would like.
>> >>>
>> >>> Cheers,
>> >>> Jo (she/her)
>> >>
>> >>
>> >> _______________________________________________
>> >> cifs-protocol mailing list
>> >> cifs-protocol at lists.samba.org
>> >>
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C75a58a64714f49fb27ff08dc9ae5974e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638555558091520380%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=tGxKsECefd%2BvJi43VcUG9n3OCpSX0btiR%2F91JNmOBU0%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Csrenaden%40microsoft.com%7C75a58a64714f49fb27ff08dc9ae5974e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638555558091524297%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=GorMFBW%2BtUUedY7w9Cv1aExzAv%2F0LpAmIqVUJGeq8jE%3D&reserved=0 <https://lists.samba.org/mailman/listinfo/cifs-protocol>>
>
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
More information about the cifs-protocol
mailing list