[cifs-protocol] [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844

Kristian Smith Kristian.Smith at microsoft.com
Mon Jun 24 20:29:45 UTC 2024


+[@Andrew Bartlett, @Obaid Farooqi, @Sreekanth Nadendla for visibility].

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: kristian.smith at microsoft.com

-----Original Message-----
From: Kristian Smith
Sent: Monday, June 24, 2024 9:03 AM
To: Jo Sutton <jsutton at samba.org>; Microsoft Support <supportmail at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: RE: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844

Hi Jo,

I hope you're feeling better as of late.

I've been trying to determine how to reproduce your scenario with Windows, but I'm having trouble. You had said that you were able to manually reset the password of a Windows gMSA, but I have found no way to do this from Windows. Can you explain the method you utilized to reset the gMSA to an explicitly set password?

I believe this may not be something that happens in a Windows-Windows environment, but I'd like to confirm that.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: kristian.smith at microsoft.com
-----Original Message-----
From: Jo Sutton <jsutton at samba.org>
Sent: Monday, June 3, 2024 4:22 PM
To: Microsoft Support <supportmail at microsoft.com>; Kristian Smith <Kristian.Smith at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Re: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844

Hi Kristian,

I haven't been able to capture a trace yet as I've been unwell. I'll try to get one for you this week.

Cheers,
Jo (she/her)

On 4/06/24 3:51 am, Kristian S wrote:
> Hi Jo,
> I hope your week is off to a good start. I'm reaching out to see if
> you've had the opportunity to capture an LSASS trace for the behavior
> you're experiencing. If so, I'll be happy to debug and analyze what
> you have.
> If I don't hear back from you by Wednesday, I'll archive the case for
> the time being and you can reach back out at your convenience.
> Looking forward to hearing from you!
> *Regards,*
> *Kristian Smith*
> Support Escalation Engineer | Azure DevOps, Windows Protocols |
> Microsoft® Corporation *Office phone*: +1 425-421-4442
> *Email*: kristian.smith at microsoft.com
> <mailto:kristian.smith at microsoft.com>
> *Working hours*: 8:00 am - 5:00 pm PST, Monday - Friday
> *Team Manager*: Gary Ranne garyra at microsoft.com <mailto:garyra at microsoft.com>
> *ServiceHub*: https://serviceshub.microsoft.com/support/contactsupport_
> In case you don't hear from me, please call your regional number here:
> https://support.microsoft.com/help/13948/global-customer-service-phone-numbers
> If you need assistance outside my normal working hours, please reach
> out to devbu at microsoft.com <mailto:devbu at microsoft.com>. One of
> my colleagues will gladly continue working on this issue.
> ------------------- Original Message -------------------
> *From:* Kristian.Smith at microsoft.com;
> *Received:* Tue May 28 2024 16:42:17 GMT-0700 (Pacific Daylight Time)
> *To:* jsutton at samba.org;
> *Cc:* supportmail at microsoft.com; cifs-protocol at lists.samba.org;
> *Subject:* RE: [EXTERNAL] [MS-ADTS] gMSA previous password... -
> TrackingID#2405210040011844
>
> Hi Jo,
>
> Please let me know if you have any trouble gathering the Lsass trace.
> I'm happy to help if you encounter any issues.
>
> *Regards,*
>
> *Kristian Smith*
>
> Support Escalation Engineer | Microsoft® Corporation
>
> *Office phone*: +1 425-421-4442
>
> *Email*: kristian.smith at microsoft.com
> <mailto:kristian.smith at microsoft.com>
>
> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
> *Sent:* Wednesday, May 22, 2024 10:00 AM
> *To:* Jo Sutton <jsutton at samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>;
> cifs-protocol at lists.samba.org
> *Subject:* Re: [EXTERNAL] [MS-ADTS] gMSA previous password - time
> interval & post rollover - TrackingID#2405210040011844
>
> Hi Jo,
>
> Thanks for letting me know that you're not able to reproduce this
> behavior. The best way for me to troubleshoot would be to have an
> LSASS trace and a network trace. Can you please repro the issue */when
> trying to use a previous password with Kerberos/*?
>
> Here are the tracing instructions for LSASS:
>
>  1. *Tracing Lsass with TTD:* This should be conducted on the DC where
>     we are logging in. Note: Run all commands in an elevated PowerShell
>     prompt on the machine.
>      1. Download and install TTD on the DC we're logging into.
>          1. Direct link to download TTD app installer:
>             https://aka.ms/ttd/download
>          2. Alternatively, use offline install instructions:
>             https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#how-to-download-and-install-the-ttdexe-command-line-utility-offline-method
>      2. When ready to repro the issue, run the following commands to
>         begin the trace.
>          1. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>          2. TTD.exe -Attach ([int](Get-Process -NAME LSASS | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\LSASS_Kerb_Server.run
>          3. When the following small window pops up, the trace has begun
>             and *you can now reproduce the issue*. To end the trace,
>             simply click "Tracing Off".
>      3. Once the trace operation is complete, we need to compress the
>         .run file created by TTD for easy transfer.
>          1. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
>      4. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link
>         below.
>          1. https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNmFkMDJmZTgtMzM1Ny00MjdkLTk5MjUtZDhmNmY4MWVjNDAwIiwic3IiOiIyNDA1MjEwMDQwMDExODQ0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiNzI1Nzc1NDMtZTBhNy00OWM5LWE5OTctMjgwYTIxMGNjZjE3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MjQxNjkwNDgsIm5iZiI6MTcxNjM5MzA0OH0.ci6jGrcT9SKnyRccEfDUuEOJv7LMBa_6tgF_xkAFq1fJrpI6nSjVGprJiduohlKKoRLe9W0juQNlEf5LaMOgYSDOLKXuxF5EzY5S1DmSVvWQ6bBrPYniK6EApehMHNA6xJ_YjM9i20YuRqfY_r6NPU6BEPWaXb2LQCzcEv-PhzU0AqEerW3SutZgrU3O7XkvUxbOUW1R_jfo2IAETBFnDLdHOQzpmbj7Ty_cI9WBvyeTzQmp0slUofLBpzLXZb6qSwYk3_FgYLNU0muDt3yz8hib2RLoDWqIdkrJIVmkwF6b2v226QMoU2Ge0dxEShT7sClptzVUV0QoTK0aYCxczQ&wid=6ad02fe8-3357-427d-9925-d8f6f81ec400
>
> If you are able to include a network/WireShark trace with a keytab
> file to decrypt, that would be helpful, but may not be entirely
> necessary. I will be in training for the remainder of the week but
> will debug the trace next week. Thanks for your patience.
>
> *Regards,*
>
> *Kristian Smith*
>
> Support Escalation Engineer | Microsoft® Corporation
>
> *Office phone*: +1 425-421-4442
>
> *Email*: kristian.smith at microsoft.com
> <mailto:kristian.smith at microsoft.com>
>
> ------------------------------------------------------------------------
>
> *From:* Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
> *Sent:* Monday, May 20, 2024 9:19 PM
> *To:* Kristian Smith <Kristian.Smith at microsoft.com
> <mailto:Kristian.Smith at microsoft.com>>
> *Cc:* Microsoft Support <supportmail at microsoft.com
> <mailto:supportmail at microsoft.com>>; cifs-protocol at lists.samba.org
> <mailto:cifs-protocol at lists.samba.org>
> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
> authenticating with a previous password - TrackingID#2405140040001588
>
> Thank you, Kristian.
>
> I've had some difficulty trying to replicate these results. After
> manually changing the password of a Group Managed Service Account,
> there is a five minute interval during which I can use the previous
> password to log in via NTLM. However, I have not managed to get a
> previous password to work - with NTLM or with Kerberos - following the
> natural rollover of a gMSA's password.
>
> Cheers,
> Jo (she/her)
>
> On 17/05/24 11:51 am, Kristian Smith wrote:
>> Hi Jo,
>>
>> I conducted research on these questions you posed and wanted to share
>> my findings with you.
>>
>> In the context of gMSA authentication, we accept only the current and
>> most recent previous password for both NTLM and Kerberos. Also, I was
>> unable to locate any time limitations for the use of the previous password.
>>
>> Let me know if this answers your questions or if there is further
>> clarification I can provide.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>> <mailto:kristian.smith at microsoft.com>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Kristian Smith <Kristian.Smith at microsoft.com
>> <mailto:Kristian.Smith at microsoft.com>>
>> *Sent:* Tuesday, May 14, 2024 8:39 AM
>> *To:* Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
>> *Cc:* Microsoft Support <supportmail at microsoft.com
>> <mailto:supportmail at microsoft.com>>;
>> cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password - TrackingID#2405140040001588
>> [Tom to Bcc]
>>
>> Hi Jo,
>>
>> Thanks for reaching out with your [MS-ADTS] question. I'll be your
>> point of contact moving forward for this case. I will research this
>> and get back to you with my findings.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>> <mailto:kristian.smith at microsoft.com>
>>
>> ------------------------------------------------------------------------
>> *From:* Tom Jebo <tomjebo at microsoft.com
>> <mailto:tomjebo at microsoft.com>>
>> *Sent:* Monday, May 13, 2024 10:32 PM
>> *To:* Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>;
>> cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com
>> <mailto:supportmail at microsoft.com>>
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password - TrackingID#2405140040001588
>> [dochelp to bcc] [support mail to cc]
>>
>> Hey Jo,
>>
>> Thanks for your request regarding MS-ADTS. One of the Open
>> Specifications team members will respond to assist you. In the
>> meantime, we've created case 2405140040001588 to track this request.
>> Please leave the case number in the subject when communicating with
>> our team about this request.
>>
>> Best regards,
>> Tom Jebo
>> Microsoft Open Specifications Support
>>
>> -----Original Message-----
>> From: Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
>> Sent: Monday, May 13, 2024 9:59 PM
>> To: cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>;
>> Interoperability Documentation Help <dochelp at microsoft.com <mailto:dochelp at microsoft.com>>
>> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password
>>
>>
>> Hi dochelp,
>>
>> I can't find any mention in Microsoft's documentation of what should
>> happen when a Group Managed Service Account authenticates with a
>> previous password - i.e. via NTLM with an NT hash from ntPwdHistory,
>> or via Kerberos with a key from the OldCredentials part of a
>> Primary:Kerberos-Newer-Keys blob.
>>
>> Should the previous password be accepted for NTLM logons? For
>> Kerberos logons? Should only the immediately previous password be
>> accepted, or should earlier passwords be accepted too? And during
>> what period should the previous password(s) be accepted - for
>> example, the five minutes immediately following the time specified by pwdLastSet?
>>
>> Any information you can provide to shine light on these questions
>> would be welcome.
>>
>> Cheers,
>> Jo (she/her)
>
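The thread never settles on one rule for how long a gMSA's previous password stays valid: Microsoft's answer is that the current and the immediately previous password are accepted for both NTLM and Kerberos with no time limit found, while Jo observes a roughly five-minute window after a manual reset (and none at all after a natural rollover). The following is an added example, not code from the thread or from Samba or Windows, that models a DC-side check with that grace window as a parameter so both readings can be compared on the same constructed timeline. The attribute names (ntPwdHistory, OldCredentials in Primary:Kerberos-Newer-Keys, pwdLastSet) are the ones the thread uses; the class and function names, the timeline and the secrets are the example's own, and key derivation is a labelled SHA-256 stand-in rather than the real NT hash or Kerberos string-to-key.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
from typing import List, Optional


def derive_key(password: str, proto: str) -> bytes:
    """Stand-in key derivation for the example: SHA-256 over the UTF-16-LE
    password, domain-separated by protocol. The real DC uses MD4 for the NT
    hash and the Kerberos string-to-key functions; the acceptance rule below
    is the point, not the derivation."""
    return hashlib.sha256(f"{proto}:{password}".encode("utf-16-le")).digest()


@dataclass
class AccountCreds:
    """What the DC holds for one gMSA, named after the attributes in the thread."""
    pwd_last_set: datetime
    nt_hash: bytes                                             # current NT hash
    nt_pwd_history: List[bytes] = field(default_factory=list)  # ntPwdHistory, newest first
    krb_key: bytes = b""                                       # Kerberos-Newer-Keys: Credentials
    krb_old_key: bytes = b""                                   # Kerberos-Newer-Keys: OldCredentials

    @classmethod
    def create(cls, password: str, when: datetime) -> "AccountCreds":
        return cls(when, derive_key(password, "ntlm"), [], derive_key(password, "krb"), b"")

    def set_password(self, password: str, when: datetime) -> None:
        """Roll the password: the current secrets become the 'previous' ones."""
        self.nt_pwd_history.insert(0, self.nt_hash)
        self.krb_old_key = self.krb_key
        self.nt_hash = derive_key(password, "ntlm")
        self.krb_key = derive_key(password, "krb")
        self.pwd_last_set = when


def check_credential(creds: AccountCreds, presented: bytes, proto: str,
                     now: datetime, previous_grace: Optional[timedelta]) -> str:
    """Return 'current', 'previous', 'expired-previous' or 'reject'.

    previous_grace=None models the answer given in the thread (previous
    password accepted with no time limit); timedelta(minutes=5) models the
    window Jo observed after a manual reset. Only the immediately previous
    secret is consulted; older ntPwdHistory entries never authenticate."""
    if proto == "ntlm":
        current = creds.nt_hash
        previous = creds.nt_pwd_history[0] if creds.nt_pwd_history else None
    elif proto == "krb":
        current = creds.krb_key
        previous = creds.krb_old_key or None
    else:
        raise ValueError(f"unknown protocol {proto!r}")
    # Constant-time comparisons: the check must not leak which stored key
    # the presented one came closest to.
    if hmac.compare_digest(presented, current):
        return "current"
    if previous is not None and hmac.compare_digest(presented, previous):
        if previous_grace is None or now - creds.pwd_last_set <= previous_grace:
            return "previous"
        return "expired-previous"
    return "reject"


def run_scenarios() -> dict:
    """Constructed timeline: two earlier generations, then a manual reset at t0."""
    t0 = datetime(2024, 5, 20, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    acct = AccountCreds.create("gen1-secret", t0 - timedelta(days=60))
    acct.set_password("gen2-secret", t0 - timedelta(days=30))
    acct.set_password("gen3-secret", t0)                    # the manual reset
    five_min = timedelta(minutes=5)
    soon, later = t0 + timedelta(minutes=2), t0 + timedelta(minutes=10)
    gen1, gen2, gen3 = (derive_key("gen1-secret", "ntlm"),
                        derive_key("gen2-secret", "ntlm"),
                        derive_key("gen3-secret", "ntlm"))
    return {
        "ntlm_current": check_credential(acct, gen3, "ntlm", soon, five_min),
        "ntlm_prev_in_window": check_credential(acct, gen2, "ntlm", soon, five_min),
        "ntlm_prev_no_limit": check_credential(acct, gen2, "ntlm", later, None),
        "ntlm_prev_after_window": check_credential(acct, gen2, "ntlm", later, five_min),
        "krb_prev_in_window": check_credential(
            acct, derive_key("gen2-secret", "krb"), "krb", soon, five_min),
        "ntlm_two_back": check_credential(acct, gen1, "ntlm", soon, None),
        "ntlm_wrong": check_credential(acct, derive_key("bogus", "ntlm"), "ntlm", soon, None),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The two scenarios that matter for the thread are `ntlm_prev_no_limit` and `ntlm_prev_after_window`: the same previous-password logon ten minutes after pwdLastSet succeeds under the no-time-limit reading and is refused under the five-minute reading, which is exactly the difference an LSASS trace of the DC would have to resolve. The `ntlm_two_back` case shows why keeping several entries in ntPwdHistory (for reuse prevention) does not by itself mean those entries authenticate.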

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 28089 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20240624/9dc83a34/winmail.bin>
