[cifs-protocol] [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844

Kristian Smith Kristian.Smith at microsoft.com
Mon Jun 3 23:23:30 UTC 2024


Sorry you haven't been feeling well, but thanks for the update!

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: kristian.smith at microsoft.com

-----Original Message-----
From: Jo Sutton <jsutton at samba.org>
Sent: Monday, June 3, 2024 4:22 PM
To: Microsoft Support <supportmail at microsoft.com>; Kristian Smith <Kristian.Smith at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Re: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844

Hi Kristian,

I haven't been able to capture a trace yet as I've been unwell. I'll try to get one for you this week.

Cheers,
Jo (she/her)

On 4/06/24 3:51 am, Kristian S wrote:
> Hi Jo,
> I hope your week is off to a good start. I'm reaching out to see if
> you've had the opportunity to capture an LSASS trace for the behavior
> you're experiencing. If so, I'll be happy to debug and analyze what
> you have.
> If I don't hear back from you by Wednesday, I'll archive the case for
> the time being and you can reach back out at your convenience.
> Looking forward to hearing from you!
> *Regards,*
> *Kristian Smith*
> Support Escalation Engineer | Azure DevOps, Windows Protocols |
> Microsoft® Corporation *Office phone*: +1 425-421-4442
> *Email*: kristian.smith at microsoft.com
> <mailto:kristian.smith at microsoft.com>
> *Working hours*: 8:00 am - 5:00 pm PST, Monday - Friday
> *Team Manager*: Gary Ranne garyra at microsoft.com
> <mailto:garyra at microsoft.com>
> *ServiceHub*: https://serviceshub.microsoft.com/support/contactsupport_
> In case you don't hear from me, please call your regional number here:
> https://support.microsoft.com/help/13948/global-customer-service-phone-numbers
> If you need assistance outside my normal working hours, please reach
> out to devbu at microsoft.com <mailto:devbu at microsoft.com>. One of
> my colleagues will gladly continue working on this issue.
> ------------------- Original Message -------------------
> *From:* Kristian.Smith at microsoft.com;
> *Received:* Tue May 28 2024 16:42:17 GMT-0700 (Pacific Daylight Time)
> *To:* jsutton at samba.org;
> *Cc:* supportmail at microsoft.com; cifs-protocol at lists.samba.org;
> *Subject:* RE: [EXTERNAL] [MS-ADTS] gMSA previous password... -
> TrackingID#2405210040011844
>
> Hi Jo,
>
> Please let me know if you have any trouble gathering the Lsass trace.
> I'm happy to help if you encounter any issues.
>
> *Regards,*
>
> *Kristian Smith*
>
> Support Escalation Engineer | Microsoft® Corporation
>
> *Office phone*: +1 425-421-4442
>
> *Email*: kristian.smith at microsoft.com
> <mailto:kristian.smith at microsoft.com>
>
> *From:*Kristian Smith <Kristian.Smith at microsoft.com>
> *Sent:* Wednesday, May 22, 2024 10:00 AM
> *To:* Jo Sutton <jsutton at samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>;
> cifs-protocol at lists.samba.org
> *Subject:* Re: [EXTERNAL] [MS-ADTS] gMSA previous password - time
> interval & post rollover - TrackingID#2405210040011844
>
> Hi Jo,
>
> Thanks for letting me know that you're not able to reproduce this
> behavior. The best way for me to troubleshoot would be to have an
> LSASS trace and a network trace. Can you please repro the issue */when
> trying to use a previous password with Kerberos/*?
>
> Here are the tracing instructions for LSASS:
>
>  1. *Tracing Lsass with TTD:* This should be conducted on the DC where
>     we are logging in. Note: Run all commands in an elevated PowerShell
>     prompt on the machine.
>      1. Download and install TTD on the DC we're logging into.
>          1. Direct link to download TTD app installer:
>             https://aka.ms/ttd/download
>          2. Alternatively, use offline install instructions:
>             https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#how-to-download-and-install-the-ttdexe-command-line-utility-offline-method
>      2. When ready to repro the issue, run the following commands to
>         begin the trace.
>          1. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>          2. TTD.exe -Attach (Get-Process -Name lsass).Id -out
>             C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\LSASS_Kerb_Server.run
>          3. When the following small window pops up, the trace has begun
>             and *you can now reproduce the issue*. To end the trace,
>             simply click "Tracing Off".
>      3. Once the trace operation is complete, we need to compress the
>         .run file created by TTD for easy transfer.
>          1. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\
>             -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
>      4. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link
>         below
>
>      i. https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNmFkMDJmZTgtMzM1Ny00MjdkLTk5MjUtZDhmNmY4MWVjNDAwIiwic3IiOiIyNDA1MjEwMDQwMDExODQ0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiNzI1Nzc1NDMtZTBhNy00OWM5LWE5OTctMjgwYTIxMGNjZjE3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MjQxNjkwNDgsIm5iZiI6MTcxNjM5MzA0OH0.ci6jGrcT9SKnyRccEfDUuEOJv7LMBa_6tgF_xkAFq1fJrpI6nSjVGprJiduohlKKoRLe9W0juQNlEf5LaMOgYSDOLKXuxF5EzY5S1DmSVvWQ6bBrPYniK6EApehMHNA6xJ_YjM9i20YuRqfY_r6NPU6BEPWaXb2LQCzcEv-PhzU0AqEerW3SutZgrU3O7XkvUxbOUW1R_jfo2IAETBFnDLdHOQzpmbj7Ty_cI9WBvyeTzQmp0slUofLBpzLXZb6qSwYk3_FgYLNU0muDt3yz8hib2RLoDWqIdkrJIVmkwF6b2v226QMoU2Ge0dxEShT7sClptzVUV0QoTK0aYCxczQ&wid=6ad02fe8-3357-427d-9925-d8f6f81ec400
>
> If you are able to include a network/WireShark trace with a keytab
> file to decrypt, that would be helpful, but may not be entirely
> necessary. I will be in training for the remainder of the week but
> will debug the trace next week. Thanks for your patience.
>
> *Regards,*
>
> *Kristian Smith*
>
> Support Escalation Engineer | Microsoft® Corporation
>
> *Office phone*: +1 425-421-4442
>
> *Email*: kristian.smith at microsoft.com
> <mailto:kristian.smith at microsoft.com>
>
> ------------------------------------------------------------------------
>
> *From:*Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
> *Sent:* Monday, May 20, 2024 9:19 PM
> *To:* Kristian Smith <Kristian.Smith at microsoft.com
> <mailto:Kristian.Smith at microsoft.com>>
> *Cc:* Microsoft Support <supportmail at microsoft.com
> <mailto:supportmail at microsoft.com>>; cifs-protocol at lists.samba.org
> <mailto:cifs-protocol at lists.samba.org>
> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
> authenticating with a previous password - TrackingID#2405140040001588
>
> Thank you, Kristian.
>
> I've had some difficulty trying to replicate these results. After
> manually changing the password of a Group Managed Service Account,
> there is a five minute interval during which I can use the previous
> password to log in via NTLM. However, I have not managed to get a
> previous password to work - with NTLM or with Kerberos - following the
> natural rollover of a gMSA's password.
>
> Cheers,
> Jo (she/her)
>
> On 17/05/24 11:51 am, Kristian Smith wrote:
>> Hi Jo,
>>
>> I conducted research on these questions you posed and wanted to share
>> my findings with you.
>>
>> In the context of gMSA authentication, we accept only the current and
>> most recent previous password for both NTLM and Kerberos. Also, I was
>> unable to locate any time limitations for the use of the previous password.
>>
>> Let me know if this answers your questions or if there is further
>> clarification I can provide.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>> <mailto:kristian.smith at microsoft.com>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Kristian Smith <Kristian.Smith at microsoft.com
>> <mailto:Kristian.Smith at microsoft.com>>
>> *Sent:* Tuesday, May 14, 2024 8:39 AM
>> *To:* Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
>> *Cc:* Microsoft Support <supportmail at microsoft.com
>> <mailto:supportmail at microsoft.com>>;
>> cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password - TrackingID#2405140040001588
>> [Tom to Bcc]
>>
>> Hi Jo,
>>
>> Thanks for reaching out with your [MS-ADTS] question. I'll be your
>> point of contact moving forward for this case. I will research this
>> and get back to you with my findings.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>> <mailto:kristian.smith at microsoft.com>
>>
>> ------------------------------------------------------------------------
>> *From:* Tom Jebo <tomjebo at microsoft.com
>> <mailto:tomjebo at microsoft.com>>
>> *Sent:* Monday, May 13, 2024 10:32 PM
>> *To:* Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>;
>> cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com
>> <mailto:supportmail at microsoft.com>>
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password - TrackingID#2405140040001588
>> [dochelp to bcc] [support mail to cc]
>>
>> Hey Jo,
>>
>> Thanks for your request regarding MS-ADTS. One of the Open
>> Specifications team members will respond to assist you. In the
>> meantime, we've created case 2405140040001588 to track this request.
>> Please leave the case number in the subject when communicating with
>> our team about this request.
>>
>> Best regards,
>> Tom Jebo
>> Microsoft Open Specifications Support
>>
>> -----Original Message-----
>> From: Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
>> Sent: Monday, May 13, 2024 9:59 PM
>> To: cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>;
>> Interoperability Documentation Help <dochelp at microsoft.com <mailto:dochelp at microsoft.com>>
>> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password
>>
>> Hi dochelp,
>>
>> I can't find any mention in Microsoft's documentation of what should
>> happen when a Group Managed Service Account authenticates with a
>> previous password - i.e. via NTLM with an NT hash from ntPwdHistory,
>> or via Kerberos with a key from the OldCredentials part of a
>> Primary:Kerberos-Newer-Keys blob.
>>
>> Should the previous password be accepted for NTLM logons? For
>> Kerberos logons? Should only the immediately previous password be
>> accepted, or should earlier passwords be accepted too? And during
>> what period should the previous password(s) be accepted - for
>> example, the five minutes immediately following the time specified by pwdLastSet?
>>
>> Any information you can provide to shine light on these questions
>> would be welcome.
>>
>> Cheers,
>> Jo (she/her)
>
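
Added example (my own code, not Samba's, not Microsoft's, and not anything posted in the thread above) for the question Jo raises at the bottom of the thread: given a key presented at logon, which stored generation does it belong to, and what would an acceptance window for the previous one look like. It constructs a Primary:Kerberos-Newer-Keys blob using the KERB_STORED_CREDENTIAL_NEW layout from MS-SAMR 3.1.1.8.11.6, parses it back and reports whether a key sits in Credentials, OldCredentials or OlderCredentials; does the same for an NT hash against unicodePwd and a decoded ntPwdHistory (assumption: the history is listed most recent first with the current hash at index 0); and applies a five-minute window after pwdLastSet to the immediately previous credential only. That window is the NTLM behaviour Jo observed after a manual gMSA password change, not documented behaviour (Kristian's reply says there is no time limit), so treat it as a knob. All keys, hashes, the salt and the FILETIME value are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# KERB_STORED_CREDENTIAL_NEW (MS-SAMR 3.1.1.8.11.6): the value behind
# "Primary:Kerberos-Newer-Keys" in supplementalCredentials. Every offset in
# the structure is relative to its first byte.
HEADER = "<HHHHHHHHII"   # Revision, Flags, CredentialCount, ServiceCredentialCount,
                         # OldCredentialCount, OlderCredentialCount, DefaultSaltLength,
                         # DefaultSaltMaximumLength, DefaultSaltOffset, DefaultIterationCount
KEY_DATA = "<HHIIIII"    # KERB_KEY_DATA_NEW: Reserved1, Reserved2, Reserved3,
                         # IterationCount, KeyType, KeyLength, KeyOffset
HEADER_SIZE = struct.calcsize(HEADER)       # 24 bytes
KEY_DATA_SIZE = struct.calcsize(KEY_DATA)   # 24 bytes
AES256 = 18              # aes256-cts-hmac-sha1-96 enctype number
SETS = ("Credentials", "ServiceCredentials", "OldCredentials", "OlderCredentials")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def build_newer_keys(current, service=(), old=(), older=(), salt=b"", iterations=4096):
    """Serialize four credential sets, each a list of (keytype, key), into a blob.
    Used here only to construct test input; a DC would hand you the real blob."""
    sets = [list(current), list(service), list(old), list(older)]
    n_entries = sum(len(s) for s in sets)
    data_start = HEADER_SIZE + n_entries * KEY_DATA_SIZE   # salt first, then keys
    data = bytearray(salt)
    entries = bytearray()
    for s in sets:
        for keytype, key in s:
            entries += struct.pack(KEY_DATA, 0, 0, 0, iterations,
                                   keytype, len(key), data_start + len(data))
            data += key
    header = struct.pack(HEADER, 4, 0, *(len(s) for s in sets),
                         len(salt), len(salt), data_start, iterations)
    return bytes(header + entries + data)


def parse_newer_keys(blob):
    """Parse a blob into {set name: [(keytype, key), ...], "DefaultSalt": bytes}."""
    fields = struct.unpack_from(HEADER, blob, 0)
    revision, counts, salt_len, salt_off = fields[0], fields[2:6], fields[6], fields[8]
    if revision != 4:
        raise ValueError(f"unsupported KERB_STORED_CREDENTIAL_NEW revision {revision}")
    parsed, pos = {}, HEADER_SIZE
    for name, count in zip(SETS, counts):
        keys = []
        for _ in range(count):
            *_, keytype, keylen, keyoff = struct.unpack_from(KEY_DATA, blob, pos)
            if keyoff + keylen > len(blob):
                raise ValueError("KeyOffset/KeyLength point outside the blob")
            keys.append((keytype, bytes(blob[keyoff:keyoff + keylen])))
            pos += KEY_DATA_SIZE
        parsed[name] = keys
    parsed["DefaultSalt"] = bytes(blob[salt_off:salt_off + salt_len])
    return parsed


def kerberos_key_generation(blob, keytype, key):
    """Name of the set holding a presented long-term key, or None if unknown."""
    creds = parse_newer_keys(blob)
    for name in ("Credentials", "OldCredentials", "OlderCredentials"):
        if (keytype, key) in creds[name]:
            return name
    return None


def nt_hash_generation(nt_hash, unicode_pwd, nt_pwd_history):
    """Same classification for NTLM. unicode_pwd is the current 16-byte NT
    hash; nt_pwd_history is the decoded ntPwdHistory as a list of NT hashes,
    most recent first. Assumption: entry 0 duplicates the current hash, so it
    is skipped when looking for the previous one."""
    if nt_hash == unicode_pwd:
        return "current"
    earlier = [h for h in nt_pwd_history if h != unicode_pwd]
    if earlier and nt_hash == earlier[0]:
        return "previous"
    if nt_hash in earlier[1:]:
        return "older"
    return None


def filetime_to_datetime(filetime):
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decide(generation, pwd_last_set, now, window=timedelta(minutes=5)):
    """Accept the current credential unconditionally and the immediately
    previous one only while `now` is within `window` after pwdLastSet.
    The five-minute window is the NTLM behaviour Jo observed after a manual
    change, not a documented rule; anything older is refused."""
    if generation in ("Credentials", "current"):
        return True
    if generation in ("OldCredentials", "previous"):
        age = now - filetime_to_datetime(pwd_last_set)
        return timedelta(0) <= age < window
    return False


if __name__ == "__main__":
    # Constructed data: two AES256 keys for one gMSA and a made-up pwdLastSet.
    current_key = (AES256, bytes(range(32)))
    previous_key = (AES256, bytes(range(32, 64)))
    blob = build_newer_keys([current_key], old=[previous_key],
                            salt=b"EXAMPLE.COMhostgmsa1.example.com")
    pwd_last_set = 133614720000000000
    changed_at = filetime_to_datetime(pwd_last_set)
    gen = kerberos_key_generation(blob, *previous_key)
    for minutes in (2, 6):
        print(gen, "accepted at +%dm:" % minutes,
              decide(gen, pwd_last_set, changed_at + timedelta(minutes=minutes)))
```

The parser bounds-checks KeyOffset/KeyLength before slicing, because a DC-supplied blob is attacker-adjacent data when it arrives over DRS replication; the decision function is deliberately separate from the lookup so the window can be set to `timedelta.max` to model Kristian's "no time limit" answer or to a few minutes to model what Jo measured.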

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 24253 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20240603/a171be1d/winmail.bin>
