[cifs-protocol] [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844

Jo Sutton jsutton at samba.org
Mon Jun 3 23:21:30 UTC 2024


Hi Kristian,

I haven’t been able to capture a trace yet as I’ve been unwell. I’ll try 
to get one for you this week.

Cheers,
Jo (she/her)

On 4/06/24 3:51 am, Kristian S wrote:
> Hi Jo,
> I hope your week is off to a good start. I'm reaching out to see if 
> you've had the opportunity to capture an LSASS trace for the behavior 
> you're experiencing. If so, I'll be happy to debug and analyze what you 
> have.
> If I don't hear back from you by Wednesday, I'll archive the case for 
> the time being and you can reach back out at your convenience.
> Looking forward to hearing from you!
> *Regards,*
> *Kristian Smith*
> Support Escalation Engineer | Azure DevOps, Windows Protocols | 
> Microsoft® Corporation
> *Office phone*: +1 425-421-4442
> *Email*: kristian.smith at microsoft.com
> *Working hours*: 8:00 am - 5:00 pm PST, Monday – Friday
> *Team Manager*: Gary Ranne garyra at microsoft.com
> *ServiceHub*: https://serviceshub.microsoft.com/support/contactsupport_
> In case you don't hear from me, please call your regional number here: 
> https://support.microsoft.com/help/13948/global-customer-service-phone-numbers.
> If you need assistance outside my normal working hours, please reach 
> out to devbu at microsoft.com. One of my 
> colleagues will gladly continue working on this issue.
> ------------------- Original Message -------------------
> *From:* Kristian.Smith at microsoft.com;
> *Received:* Tue May 28 2024 16:42:17 GMT-0700 (Pacific Daylight Time)
> *To:* jsutton at samba.org;
> *Cc:* supportmail at microsoft.com; cifs-protocol at lists.samba.org;
> *Subject:* RE: [EXTERNAL] [MS-ADTS] gMSA previous password... - 
> TrackingID#2405210040011844
> 
> Hi Jo,
> 
> Please let me know if you have any trouble gathering the Lsass trace. 
> I’m happy to help if you encounter any issues.
> 
> *Regards,*
> 
> *Kristian Smith*
> 
> Support Escalation Engineer | Microsoft® Corporation
> 
> *Office phone*: +1 425-421-4442
> 
> *Email*: kristian.smith at microsoft.com
> 
> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
> *Sent:* Wednesday, May 22, 2024 10:00 AM
> *To:* Jo Sutton <jsutton at samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>; 
> cifs-protocol at lists.samba.org
> *Subject:* Re: [EXTERNAL] [MS-ADTS] gMSA previous password - time 
> interval & post rollover - TrackingID#2405210040011844
> 
> Hi Jo,
> 
> Thanks for letting me know that you're not able to reproduce this 
> behavior. The best way for me to troubleshoot would be to have an LSASS 
> trace and a network trace. Can you please repro the issue */when trying 
> to use a previous password with Kerberos/*?
> 
> Here are the tracing instructions for LSASS:
> 
>  1. *Tracing Lsass with TTD:* This should be conducted on the DC where
>     we are logging in. Note: Run all commands in an elevated PowerShell
>     prompt on the machine.
>      1. Download and install TTD on the DC we're logging into.
>          1. Direct link to download TTD app installer:
>             https://aka.ms/ttd/download
>          2. Alternatively, use offline install instructions:
>             https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#how-to-download-and-install-the-ttdexe-command-line-utility-offline-method
>      2. When ready to repro the issue, run the following commands to
>         begin the trace.
>          1. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>          2. TTD.exe -Attach ([int](Get-Process -NAME LSASS | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\LSASS_Kerb_Server.run
>          3. When the following small window pops up, the trace has begun
>             and *you can now reproduce the issue*. To end the trace,
>             simply click “Tracing Off”.
>      3. Once the trace operation is complete, we need to compress the
>         .run file created by TTD for easy transfer.
>          1. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
>      4. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
>          1. https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNmFkMDJmZTgtMzM1Ny00MjdkLTk5MjUtZDhmNmY4MWVjNDAwIiwic3IiOiIyNDA1MjEwMDQwMDExODQ0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiNzI1Nzc1NDMtZTBhNy00OWM5LWE5OTctMjgwYTIxMGNjZjE3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MjQxNjkwNDgsIm5iZiI6MTcxNjM5MzA0OH0.ci6jGrcT9SKnyRccEfDUuEOJv7LMBa_6tgF_xkAFq1fJrpI6nSjVGprJiduohlKKoRLe9W0juQNlEf5LaMOgYSDOLKXuxF5EzY5S1DmSVvWQ6bBrPYniK6EApehMHNA6xJ_YjM9i20YuRqfY_r6NPU6BEPWaXb2LQCzcEv-PhzU0AqEerW3SutZgrU3O7XkvUxbOUW1R_jfo2IAETBFnDLdHOQzpmbj7Ty_cI9WBvyeTzQmp0slUofLBpzLXZb6qSwYk3_FgYLNU0muDt3yz8hib2RLoDWqIdkrJIVmkwF6b2v226QMoU2Ge0dxEShT7sClptzVUV0QoTK0aYCxczQ&wid=6ad02fe8-3357-427d-9925-d8f6f81ec400
> 
> If you are able to include a network/WireShark trace with a keytab file 
> to decrypt, that would be helpful, but may not be entirely necessary. I 
> will be in training for the remainder of the week but will debug the 
> trace next week. Thanks for your patience.
> 
> *Regards,*
> 
> *Kristian Smith*
> 
> Support Escalation Engineer | Microsoft® Corporation
> 
> *Office phone*: +1 425-421-4442
> 
> *Email*: kristian.smith at microsoft.com
> 
> ------------------------------------------------------------------------
> 
> *From:* Jo Sutton <jsutton at samba.org>
> *Sent:* Monday, May 20, 2024 9:19 PM
> *To:* Kristian Smith <Kristian.Smith at microsoft.com>
> *Cc:* Microsoft Support <supportmail at microsoft.com>; 
> cifs-protocol at lists.samba.org
> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account 
> authenticating with a previous password - TrackingID#2405140040001588
> 
> Thank you, Kristian.
> 
> I’ve had some difficulty trying to replicate these results. After
> manually changing the password of a Group Managed Service Account, there
> is a five minute interval during which I can use the previous password
> to log in via NTLM. However, I have not managed to get a previous
> password to work — with NTLM or with Kerberos — following the natural
> rollover of a gMSA’s password.
> 
> Cheers,
> Jo (she/her)
> 
> On 17/05/24 11:51 am, Kristian Smith wrote:
>> Hi Jo,
>>
>> I conducted research on these questions you posed and wanted to share my
>> findings with you.
>>
>> In the context of gMSA authentication, we accept only the current and
>> most recent previous password for both NTLM and Kerberos. Also, I was
>> unable to locate any time limitations for the use of the previous password.
>>
>> Let me know if this answers your questions or if there is further
>> clarification I can provide.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
>> *Sent:* Tuesday, May 14, 2024 8:39 AM
>> *To:* Jo Sutton <jsutton at samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com>;
>> cifs-protocol at lists.samba.org
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password - TrackingID#2405140040001588
>> [Tom to Bcc]
>>
>> Hi Jo,
>>
>> Thanks for reaching out with your [MS-ADTS] question. I'll be your point
>> of contact moving forward for this case. I will research this and get
>> back to you with my findings.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>>
>> ------------------------------------------------------------------------
>> *From:* Tom Jebo <tomjebo at microsoft.com>
>> *Sent:* Monday, May 13, 2024 10:32 PM
>> *To:* Jo Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
>> *Cc:* Microsoft Support <supportmail at microsoft.com>
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password - TrackingID#2405140040001588
>> [dochelp to bcc]
>> [support mail to cc]
>>
>> Hey Jo,
>>
>> Thanks for your request regarding MS-ADTS. One of the Open
>> Specifications team members will respond to assist you. In the meantime,
>> we’ve created case 2405140040001588 to track this request. Please leave
>> the case number in the subject when communicating with our team about
>> this request.
>>
>> Best regards,
>> Tom Jebo
>> Microsoft Open Specifications Support
>>
>> -----Original Message-----
>> From: Jo Sutton <jsutton at samba.org>
>> Sent: Monday, May 13, 2024 9:59 PM
>> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help
>> <dochelp at microsoft.com>
>> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password
>>
>>
>> Hi dochelp,
>>
>> I can’t find any mention in Microsoft’s documentation of what should
>> happen when a Group Managed Service Account authenticates with a
>> previous password — i.e. via NTLM with an NT hash from ntPwdHistory, or
>> via Kerberos with a key from the OldCredentials part of a
>> Primary:Kerberos-Newer-Keys blob.
>>
>> Should the previous password be accepted for NTLM logons? For Kerberos
>> logons? Should only the immediately previous password be accepted, or
>> should earlier passwords be accepted too? And during what period should
>> the previous password(s) be accepted — for example, the five minutes
>> immediately following the time specified by pwdLastSet?
>>
>> Any information you can provide to shine light on these questions would
>> be welcome.
>>
>> Cheers,
>> Jo (she/her)
> 

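The thread turns on which key groups inside a gMSA's Primary:Kerberos-Newer-Keys value a KDC may accept. The block below is an added example, not code from the thread, from Samba or from Microsoft: it parses a KERB_STORED_CREDENTIAL_NEW structure (the layout MS-SAMR gives for that property value) into its Credentials, OldCredentials and OlderCredentials groups. The function `keys_accepted_for_logon` encodes the rule Kristian states above (current password plus the most recent previous one), which is the thread's claim rather than a documented behaviour. The blob is constructed inside the block; the salt, key bytes and account name are invented, and the builder exists only to make the example self-contained.

```python
# Added example (not from the thread, Samba or Microsoft): decode a
# Primary:Kerberos-Newer-Keys value, i.e. a KERB_STORED_CREDENTIAL_NEW
# structure (MS-SAMR 2.2.10.5 / 2.2.10.6), and split its keys into the
# Credentials, OldCredentials and OlderCredentials groups discussed above.
# The sample blob is constructed below; no real keys or salts are used.
import struct
from dataclasses import dataclass, field

# KERB_STORED_CREDENTIAL_NEW header: Revision, Flags, CredentialCount,
# ServiceCredentialCount, OldCredentialCount, OlderCredentialCount,
# DefaultSaltLength, DefaultSaltMaximumLength, DefaultSaltOffset,
# DefaultIterationCount.  Little-endian, 24 bytes.
HEADER = struct.Struct("<HHHHHHHHII")
# KERB_KEY_DATA_NEW: Reserved1, Reserved2, Reserved3, IterationCount,
# KeyType, KeyLength, KeyOffset.  24 bytes; offsets count from blob start.
KEY_DATA = struct.Struct("<HHIIIII")

ETYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KerbKey:
    etype: int
    key: bytes
    iterations: int


@dataclass
class StoredCredentialNew:
    default_salt: bytes
    credentials: list = field(default_factory=list)        # current password
    service_credentials: list = field(default_factory=list)
    old_credentials: list = field(default_factory=list)    # previous password
    older_credentials: list = field(default_factory=list)  # the one before that


def parse_kerberos_newer_keys(blob: bytes) -> StoredCredentialNew:
    """Decode a KERB_STORED_CREDENTIAL_NEW blob into its four key groups."""
    (revision, _flags, n_cred, n_svc, n_old, n_older,
     salt_len, _salt_max, salt_off, _default_iter) = HEADER.unpack_from(blob, 0)
    if revision != 4:
        raise ValueError(f"expected revision 4, got {revision}")
    pos = HEADER.size

    def take(count: int) -> list:
        nonlocal pos
        keys = []
        for _ in range(count):
            _r1, _r2, _r3, iters, etype, klen, koff = KEY_DATA.unpack_from(blob, pos)
            pos += KEY_DATA.size
            if koff + klen > len(blob):
                raise ValueError("key data runs past end of blob")
            keys.append(KerbKey(etype, blob[koff:koff + klen], iters))
        return keys

    cred = StoredCredentialNew(default_salt=b"")
    cred.credentials = take(n_cred)
    cred.service_credentials = take(n_svc)
    cred.old_credentials = take(n_old)
    cred.older_credentials = take(n_older)
    cred.default_salt = blob[salt_off:salt_off + salt_len]
    return cred


def keys_accepted_for_logon(cred: StoredCredentialNew) -> list:
    """Keys a KDC would try under the rule stated in the thread: the current
    password and the most recent previous one, never OlderCredentials."""
    return cred.credentials + cred.old_credentials


def build_blob(salt: bytes, current, old, older, iterations: int = 4096) -> bytes:
    """Construct a blob for the demo; `current`, `old`, `older` are lists of
    (etype, key_bytes).  ServiceCredentials is left empty."""
    groups = [current, [], old, older]
    n_keys = sum(len(g) for g in groups)
    salt_off = HEADER.size + n_keys * KEY_DATA.size
    next_key_off = salt_off + len(salt)
    entries, key_bytes = bytearray(), bytearray()
    for group in groups:
        for etype, key in group:
            entries += KEY_DATA.pack(0, 0, 0, iterations, etype, len(key),
                                     next_key_off + len(key_bytes))
            key_bytes += key
    header = HEADER.pack(4, 0, len(current), 0, len(old), len(older),
                         len(salt), len(salt), salt_off, iterations)
    return header + bytes(entries) + salt + bytes(key_bytes)


# Constructed sample: a gMSA-like account after two password rollovers.
SAMPLE_BLOB = build_blob(
    salt=b"EXAMPLE.COMhostgmsa1.example.com",
    current=[(18, b"\x11" * 32), (17, b"\x12" * 16)],
    old=[(18, b"\x21" * 32), (17, b"\x22" * 16)],
    older=[(18, b"\x31" * 32)],
)

if __name__ == "__main__":
    parsed = parse_kerberos_newer_keys(SAMPLE_BLOB)
    for name in ("credentials", "old_credentials", "older_credentials"):
        for k in getattr(parsed, name):
            print(f"{name:18} {ETYPE_NAMES.get(k.etype, k.etype):24} {k.key.hex()}")
    print("accepted for logon:", len(keys_accepted_for_logon(parsed)), "keys")
```

On a real domain controller the value is not stored bare: it sits inside the supplementalCredentials attribute as one USER_PROPERTY whose PropertyValue is the hex-encoded blob, so a decoder working from LDAP or a DIT dump first unwraps USER_PROPERTIES and hex-decodes the property before handing it to `parse_kerberos_newer_keys`.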