[cifs-protocol] [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844

Jo Sutton jsutton at samba.org
Wed Jun 26 04:25:28 UTC 2024


Hi Kristian,

I’m feeling a little better. The method I used to set the password of a 
gMSA was to make a netlogon connection to the DC (using the gMSA’s 
credentials) and then call NetrServerPasswordSet2().

Cheers,
Jo (she/her)

On 25/06/24 8:29 am, Kristian Smith wrote:
> +[@Andrew Bartlett, @Obaid Farooqi, @Sreekanth Nadendla for visibility].
> 
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Office phone: +1 425-421-4442
> Email: kristian.smith at microsoft.com
> 
> -----Original Message-----
> From: Kristian Smith
> Sent: Monday, June 24, 2024 9:03 AM
> To: Jo Sutton <jsutton at samba.org>; Microsoft Support <supportmail at microsoft.com>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: RE: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844
> 
> Hi Jo,
> 
> I hope you're feeling better as of late.
> 
> I've been trying to determine how to reproduce your scenario with Windows, but I'm having trouble. You had said that you were able to manually reset the password of a Windows gMSA, but I have found no way to do this from Windows. Can you explain the method you utilized to reset the gMSA to an explicitly set password?
> 
> I believe this may not be something that happens in a Windows-Windows environment, but I'd like to confirm that.
> 
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Office phone: +1 425-421-4442
> Email: kristian.smith at microsoft.com
> -----Original Message-----
> From: Jo Sutton <jsutton at samba.org>
> Sent: Monday, June 3, 2024 4:22 PM
> To: Microsoft Support <supportmail at microsoft.com>; Kristian Smith <Kristian.Smith at microsoft.com>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: Re: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844
> 
> Hi Kristian,
> 
> I haven't been able to capture a trace yet as I've been unwell. I'll try to get one for you this week.
> 
> Cheers,
> Jo (she/her)
> 
> On 4/06/24 3:51 am, Kristian S wrote:
>> Hi Jo,
>> I hope your week is off to a good start. I'm reaching out to see if
>> you've had the opportunity to capture an LSASS trace for the behavior
>> you're experiencing. If so, I'll be happy to debug and analyze what
>> you have.
>> If I don't hear back from you by Wednesday, I'll archive the case for
>> the time being and you can reach back out at your convenience.
>> Looking forward to hearing from you!
>> *Regards,*
>> *Kristian Smith*
>> Support Escalation Engineer | Azure DevOps, Windows Protocols |
>> Microsoft® Corporation
>> *Office phone*: +1 425-421-4442
>> *Email*: kristian.smith at microsoft.com
>> *Working hours*: 8:00 am - 5:00 pm PST, Monday - Friday
>> *Team Manager*: Gary Ranne garyra at microsoft.com
>> *ServiceHub*: https://serviceshub.microsoft.com/support/contactsupport_
>> /In case you don't hear from me, please call your regional number here:
>> https://support.microsoft.com/help/13948/global-customer-service-phone-numbers/
>> /If you need assistance outside my normal working hours, please reach
>> out to devbu at microsoft.com. One of my colleagues will gladly continue
>> working on this issue./
>> ------------------- Original Message -------------------
>> *From:* Kristian.Smith at microsoft.com;
>> *Received:* Tue May 28 2024 16:42:17 GMT-0700 (Pacific Daylight Time)
>> *To:* jsutton at samba.org;
>> *Cc:* supportmail at microsoft.com; cifs-protocol at lists.samba.org;
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] gMSA previous password... -
>> TrackingID#2405210040011844
>>
>> Hi Jo,
>>
>> Please let me know if you have any trouble gathering the Lsass trace.
>> I'm happy to help if you encounter any issues.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>> <mailto:kristian.smith at microsoft.com>
>>
>> *From:*Kristian Smith <Kristian.Smith at microsoft.com>
>> *Sent:* Wednesday, May 22, 2024 10:00 AM
>> *To:* Jo Sutton <jsutton at samba.org>
>> *Cc:* Microsoft Support <supportmail at microsoft.com>;
>> cifs-protocol at lists.samba.org
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] gMSA previous password - time
>> interval & post rollover - TrackingID#2405210040011844
>>
>> Hi Jo,
>>
>> Thanks for letting me know that you're not able to reproduce this
>> behavior. The best way for me to troubleshoot would be to have an
>> LSASS trace and a network trace. Can you please repro the issue */when
>> trying to use a previous password with Kerberos/*?
>>
>> Here are the tracing instructions for LSASS:
>>
>>   1. *Tracing Lsass with TTD:* This should be conducted on the DC where
>>      we are logging in. Note: Run all commands in an elevated PowerShell
>>      prompt on the machine.
>>       1. Download and install TTD on the DC we're logging into.
>>           1. Direct link to download TTD app installer:
>>              https://aka.ms/ttd/download
>>           2. Alternatively, use offline install instructions:
>>              https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#how-to-download-and-install-the-ttdexe-command-line-utility-offline-method
>>       2. When ready to repro the issue, run the following commands to
>>          begin the trace.
>>           1. mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>>           2. TTD.exe -Attach (Get-Process -Name lsass).Id -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\LSASS_Kerb_Server.run
>>           3. When the small TTD tracing window pops up, the trace has begun
>>              and *you can now reproduce the issue*. To end the trace,
>>              simply click "Tracing Off".
>>       3. Once the trace operation is complete, we need to compress the
>>          .run file created by TTD for easy transfer.
>>           1. Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
>>       4. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link
>>          below.
>>           i. https://support.microsoft.com/files?workspace=<per-case token>&wid=6ad02fe8-3357-427d-9925-d8f6f81ec400
>>
>> If you are able to include a network/WireShark trace with a keytab
>> file to decrypt, that would be helpful, but may not be entirely
>> necessary. I will be in training for the remainder of the week but
>> will debug the trace next week. Thanks for your patience.
>>
>> *Regards,*
>>
>> *Kristian Smith*
>>
>> Support Escalation Engineer | Microsoft® Corporation
>>
>> *Office phone*: +1 425-421-4442
>>
>> *Email*: kristian.smith at microsoft.com
>> <mailto:kristian.smith at microsoft.com>
>>
>> ------------------------------------------------------------------------
>>
>> *From:*Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
>> *Sent:* Monday, May 20, 2024 9:19 PM
>> *To:* Kristian Smith <Kristian.Smith at microsoft.com
>> <mailto:Kristian.Smith at microsoft.com>>
>> *Cc:* Microsoft Support <supportmail at microsoft.com
>> <mailto:supportmail at microsoft.com>>; cifs-protocol at lists.samba.org
>> <mailto:cifs-protocol at lists.samba.org> <cifs-protocol at lists.samba.org
>> <mailto:cifs-protocol at lists.samba.org>>
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>> authenticating with a previous password - TrackingID#2405140040001588
>>
>> Thank you, Kristian.
>>
>> I've had some difficulty trying to replicate these results. After
>> manually changing the password of a Group Managed Service Account,
>> there is a five minute interval during which I can use the previous
>> password to log in via NTLM. However, I have not managed to get a
>> previous password to work - with NTLM or with Kerberos - following the
>> natural rollover of a gMSA's password.
>>
>> Cheers,
>> Jo (she/her)
>>
>> On 17/05/24 11:51 am, Kristian Smith wrote:
>>> Hi Jo,
>>>
>>> I conducted research on these questions you posed and wanted to share
>>> my findings with you.
>>>
>>> In the context of gMSA authentication, we accept only the current and
>>> most recent previous password for both NTLM and Kerberos. Also, I was
>>> unable to locate any time limitations for the use of the previous password.
>>>
>>> Let me know if this answers your questions or if there is further
>>> clarification I can provide.
>>>
>>> *Regards,*
>>>
>>> *Kristian Smith*
>>>
>>> Support Escalation Engineer | Microsoft® Corporation
>>>
>>> *Office phone*: +1 425-421-4442
>>>
>>> *Email*: kristian.smith at microsoft.com
>>> <mailto:kristian.smith at microsoft.com>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Kristian Smith <Kristian.Smith at microsoft.com
>>> <mailto:Kristian.Smith at microsoft.com>>
>>> *Sent:* Tuesday, May 14, 2024 8:39 AM
>>> *To:* Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
>>> *Cc:* Microsoft Support <supportmail at microsoft.com
>>> <mailto:supportmail at microsoft.com>>;
>>> cifs-protocol at lists.samba.org
>>> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>>> authenticating with a previous password - TrackingID#2405140040001588
>>> [Tom to Bcc]
>>>
>>> Hi Jo,
>>>
>>> Thanks for reaching out with your [MS-ADTS] question. I'll be your
>>> point of contact moving forward for this case. I will research this
>>> and get back to you with my findings.
>>>
>>> *Regards,*
>>>
>>> *Kristian Smith*
>>>
>>> Support Escalation Engineer | Microsoft® Corporation
>>>
>>> *Office phone*: +1 425-421-4442
>>>
>>> *Email*: kristian.smith at microsoft.com
>>> <mailto:kristian.smith at microsoft.com>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Tom Jebo <tomjebo at microsoft.com
>>> <mailto:tomjebo at microsoft.com>>
>>> *Sent:* Monday, May 13, 2024 10:32 PM
>>> *To:* Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>;
>>> cifs-protocol at lists.samba.org
>>> *Cc:* Microsoft Support <supportmail at microsoft.com
>>> <mailto:supportmail at microsoft.com>>
>>> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>>> authenticating with a previous password - TrackingID#2405140040001588
>>> [dochelp to bcc] [support mail to cc]
>>>
>>> Hey Jo,
>>>
>>> Thanks for your request regarding MS-ADTS. One of the Open
>>> Specifications team members will respond to assist you. In the
>>> meantime, we've created case 2405140040001588 to track this request.
>>> Please leave the case number in the subject when communicating with
>>> our team about this request.
>>>
>>> Best regards,
>>> Tom Jebo
>>> Microsoft Open Specifications Support
>>>
>>> -----Original Message-----
>>> From: Jo Sutton <jsutton at samba.org <mailto:jsutton at samba.org>>
>>> Sent: Monday, May 13, 2024 9:59 PM
>>> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help
>>> <dochelp at microsoft.com <mailto:dochelp at microsoft.com>>
>>> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
>>> authenticating with a previous password
>>>
>>> Hi dochelp,
>>>
>>> I can't find any mention in Microsoft's documentation of what should
>>> happen when a Group Managed Service Account authenticates with a
>>> previous password - i.e. via NTLM with an NT hash from ntPwdHistory,
>>> or via Kerberos with a key from the OldCredentials part of a
>>> Primary:Kerberos-Newer-Keys blob.
>>>
>>> Should the previous password be accepted for NTLM logons? For
>>> Kerberos logons? Should only the immediately previous password be
>>> accepted, or should earlier passwords be accepted too? And during
>>> what period should the previous password(s) be accepted - for
>>> example, the five minutes immediately following the time specified by pwdLastSet?
>>>
>>> Any information you can provide to shine light on these questions
>>> would be welcome.
>>>
>>> Cheers,
>>> Jo (she/her)
>>
>
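Jo's original question in the quoted thread asks how a Group Managed Service Account's previous Kerberos keys, the OldCredentials part of the Primary:Kerberos-Newer-Keys blob in supplementalCredentials, should be treated at logon; Kristian's answer was that only the current and the most recent previous password are accepted, with no time limit he could find. The following is an added example, not code from the thread, from Samba or from Microsoft: a parser for that blob's on-disk layout (MS-SAMR KERB_STORED_CREDENTIAL_NEW with its KERB_KEY_DATA_NEW entries, revision 4) plus a small key-selection helper that offers the current password's keys and, only when the caller's policy allows it, the immediately previous password's keys; the "older" set is never offered. The salt string, key bytes and the whole sample blob are constructed for the example (the builder exists only to produce that input), and whether or for how long the previous key should be accepted is exactly the question the thread leaves open, so it is passed in as the `accept_previous` flag rather than decided here.

```python
"""Parse a Primary:Kerberos-Newer-Keys blob (MS-SAMR KERB_STORED_CREDENTIAL_NEW,
revision 4) and pick the keys a KDC could try for an incoming gMSA logon.
Added example; the sample blob below is constructed, not taken from a real DC."""
import struct
from dataclasses import dataclass
from typing import List, Sequence

# Kerberos enctype numbers (RFC 3961/3962, RFC 4757) as stored in KeyType
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Fixed header: Revision, Flags, CredentialCount, ServiceCredentialCount,
# OldCredentialCount, OlderCredentialCount, DefaultSaltLength,
# DefaultSaltMaximumLength, DefaultSaltOffset, DefaultIterationCount
_HDR = struct.Struct("<HHHHHHHHII")
# KERB_KEY_DATA_NEW: Reserved1, Reserved2, Reserved3, IterationCount,
# KeyType, KeyLength, KeyOffset (offset from the start of the whole blob)
_KEY = struct.Struct("<HHIIIII")


@dataclass
class KerbKey:
    iteration_count: int
    keytype: int
    value: bytes

    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.keytype, f"etype-{self.keytype}")


@dataclass
class KerbNewerKeys:
    flags: int
    default_iteration_count: int
    default_salt: str
    credentials: List[KerbKey]          # keys for the current password
    service_credentials: List[KerbKey]
    old_credentials: List[KerbKey]      # keys for the immediately previous password
    older_credentials: List[KerbKey]    # keys for the password before that


def parse_kerberos_newer_keys(blob: bytes) -> KerbNewerKeys:
    """Decode the blob; every offset is checked against the blob length."""
    if len(blob) < _HDR.size:
        raise ValueError("blob shorter than the fixed header")
    (rev, flags, n_cred, n_svc, n_old, n_older,
     salt_len, _salt_max, salt_off, def_iter) = _HDR.unpack_from(blob, 0)
    if rev != 4:
        raise ValueError(f"revision {rev}: Kerberos-Newer-Keys uses revision 4")
    pos, groups = _HDR.size, []
    for count in (n_cred, n_svc, n_old, n_older):
        keys = []
        for _ in range(count):
            if pos + _KEY.size > len(blob):
                raise ValueError("truncated key table")
            _r1, _r2, _r3, iters, ktype, klen, koff = _KEY.unpack_from(blob, pos)
            pos += _KEY.size
            if koff + klen > len(blob):
                raise ValueError("key value lies outside the blob")
            keys.append(KerbKey(iters, ktype, blob[koff:koff + klen]))
        groups.append(keys)
    if salt_off + salt_len > len(blob):
        raise ValueError("salt lies outside the blob")
    salt = blob[salt_off:salt_off + salt_len].decode("utf-16-le")  # salt is UTF-16LE
    return KerbNewerKeys(flags, def_iter, salt, *groups)


def build_kerberos_newer_keys(salt: str, current: Sequence[KerbKey], old: Sequence[KerbKey] = (),
                              older: Sequence[KerbKey] = (), default_iterations: int = 4096) -> bytes:
    """Serialise the same layout; used here only to construct sample input."""
    groups = [list(current), [], list(old), list(older)]
    salt_bytes = salt.encode("utf-16-le")
    data_off = _HDR.size + sum(len(g) for g in groups) * _KEY.size
    hdr = _HDR.pack(4, 0, *[len(g) for g in groups], len(salt_bytes), len(salt_bytes),
                    data_off, default_iterations)
    tables, values, off = b"", b"", data_off + len(salt_bytes)
    for g in groups:
        for k in g:
            tables += _KEY.pack(0, 0, 0, k.iteration_count, k.keytype, len(k.value), off)
            values += k.value
            off += len(k.value)
    return hdr + tables + salt_bytes + values


def candidate_keys(keys: KerbNewerKeys, etype: int, accept_previous: bool) -> List[KerbKey]:
    """Keys a KDC could try for one enctype, current password first. The previous
    password's key is offered only if the caller's policy allows it; the 'older'
    set is never offered, matching the thread's answer that only the current and
    most recent previous password are accepted."""
    groups = [keys.credentials] + ([keys.old_credentials] if accept_previous else [])
    return [k for g in groups for k in g if k.keytype == etype]


# Constructed sample: a gMSA with AES keys for its current and previous password.
SAMPLE_SALT = "EXAMPLE.COMhostgmsa1.example.com"
CURRENT_KEYS = [KerbKey(4096, 18, bytes(range(32))), KerbKey(4096, 17, bytes(range(16)))]
OLD_KEYS = [KerbKey(4096, 18, bytes(range(32, 64))), KerbKey(4096, 17, bytes(range(16, 32)))]
SAMPLE_BLOB = build_kerberos_newer_keys(SAMPLE_SALT, CURRENT_KEYS, OLD_KEYS)

if __name__ == "__main__":
    parsed = parse_kerberos_newer_keys(SAMPLE_BLOB)
    for name, group in (("current", parsed.credentials), ("previous", parsed.old_credentials)):
        print(name, [(k.etype_name(), k.value.hex()) for k in group])
    print("candidates with previous:", len(candidate_keys(parsed, 18, True)),
          "without:", len(candidate_keys(parsed, 18, False)))
```

On a real DC the blob is read out of the supplementalCredentials attribute (for example from a Samba sam.ldb with the appropriate privilege); the offsets in it are relative to the start of the KERB_STORED_CREDENTIAL_NEW structure, which is why the parser validates each KeyOffset against the blob length before slicing rather than trusting the counts in the header.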


