[cifs-protocol] msDS-ExpirePasswordsOnSmartCardOnlyAccounts - meta-variable for the calculated password - TrackingID#2404290040010526

Kristian Smith Kristian.Smith at microsoft.com
Thu May 9 19:03:06 UTC 2024


Hi Andrew,

I have confirmed your suspicion regarding the references to "pwdLastSet" in [MS-SAMS] section 3.3.5.7.2. This should be a calculated password expiration time value. I have submitted a request to have the document updated with this change. You should see the changes in an upcoming revision of [MS-SAMS].

As for your question regarding when password rotation occurs (case 2404290040010292), I'm still researching this and will get back in touch as soon as I have an answer.


Regards,

Kristian Smith

Support Escalation Engineer | Microsoft® Corporation

Office phone: +1 425-421-4442

Email: kristian.smith at microsoft.com

________________________________
From: Kristian Smith <Kristian.Smith at microsoft.com>
Sent: Monday, April 29, 2024 11:57 AM
To: Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: msDS-ExpirePasswordsOnSmartCardOnlyAccounts - meta-variable for the calculated password - TrackingID#2404290040010526

Hi Andrew,

I've created this case thread for the second part of your question:

"Finally, the doc needs some correction, the references to pwdLastSet make no sense (it should always be in the past), I think a meta-variable for the calculated password expiry is what is meant."

I will research this question as well and let you know what I discover.


Regards,

Kristian Smith

Support Escalation Engineer | Microsoft® Corporation

Office phone: +1 425-421-4442

Email: kristian.smith at microsoft.com

________________________________
From: Andrew Bartlett <abartlet at samba.org>
Sent: Sunday, April 28, 2024 9:14 PM
To: Kristian Smith <Kristian.Smith at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED - TrackingID#2404240040010190

Thanks Kristian, that is most helpful.

Can you clarify which parts of the AD DC call ResetSmartCardAccountPassword and under what circumstances?  Is it just the KDC during PK-INIT AS-REQ processing?

Is there anything else that rotates these passwords?  The reason I ask is that this being the only case would suggest that where the DC is not the PDC, the PK-INIT AS-REQ processing must wait for the PDC before continuing processing.  (We know the local case does; it gets the new password for return in the PAC.)

Finally, the doc needs some correction, the references to pwdLastSet make no sense (it should always be in the past), I think a meta-variable for the calculated password expiry is what is meant.

Thanks!

Andrew Bartlett

On Thu, 2024-04-25 at 21:41 +0000, Kristian Smith wrote:
[Michael to Bcc]

Hi Andrew,

Thanks for reaching out with your question. The password-rolling attribute you're looking for is "msDS-ExpirePasswordsOnSmartCardOnlyAccounts"

It can be found in the following docs:
[MS-SAMS] 3.3.5.7.2 Normative Specification
[MS-ADA2] 2.319 Attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts

To a lesser extent here as well:
[MS-ADSC] 2.44 Class domainDNS

Let me know if this answers the question, or if there is anything that can be clarified.


Regards,

Kristian Smith

Support Escalation Engineer | Microsoft® Corporation

Office phone: +1 425-421-4442

Email: kristian.smith at microsoft.com

From: Michael Bowen <Mike.Bowen at microsoft.com>
Sent: Wednesday, April 24, 2024 10:39 AM
To: Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED - TrackingID#2404240040010190

[Case number in subject]
[Casemail to cc]
[Dochelp to bcc]

Hi Andrew,

Thank you for your request. The case number 2404240040010190 has been created for this inquiry. One of our team members will follow up with you soon.

Best regards,

Mike Bowen
Sr. Escalation Engineer - Microsoft® Corporation



________________________________
From: Andrew Bartlett <abartlet at samba.org>
Sent: Tuesday, April 23, 2024 5:52 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
Subject: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED

Kia Ora Dochelp!

I'm looking for any documentation as to the finer details of

DCs can support automatic rolling of the NTLM and other password-based secrets on a user account configured to require PKI authentication. This configuration is also known as "Smart card required for interactive logon"

from

 https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels#windows-server-2016-domain-functional-level-features

I don't see any mention of this in MS-ADPS, but am not sure where next to check.

In particular, while I have reproduced the rollover for 'must change now', I'm wondering when the password otherwise rolls over: is it before the expiry (e.g. with the 'old password allowed time' grace of 60 mins, for example), or at the expiry?

Thanks,

Andrew Bartlett
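The thread's correction is that the rollover condition should be stated against a calculated password expiry rather than pwdLastSet itself. The following added example (not code from the thread, Samba or Microsoft) models that calculation with standard AD attribute semantics: pwdLastSet and maxPwdAge are 100-ns FILETIME intervals, maxPwdAge is stored negative, 0x8000000000000000 means "never expires", and pwdLastSet == 0 means "must change now". The gating on UF_SMARTCARD_REQUIRED and on a boolean standing in for msDS-ExpirePasswordsOnSmartCardOnlyAccounts, and the treatment of UF_DONT_EXPIRE_PASSWD as never-expiring, are modelling assumptions; the example compares against the expiry itself and does not presume an answer to the open question of whether the DC acts earlier (a grace window).

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits and AD sentinel values (standard AD semantics).
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_SMARTCARD_REQUIRED = 0x40000
NEVER_EXPIRES = -(1 << 63)  # maxPwdAge value meaning "passwords never expire"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: count of 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def calculated_password_expiry(pwd_last_set: int, max_pwd_age: int):
    """The calculated expiry the thread says the doc should reference.

    maxPwdAge is a negative interval, so expiry = pwdLastSet - maxPwdAge.
    Returns 0 for 'must change now' and None when the password never expires.
    """
    if pwd_last_set == 0:
        return 0
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    return pwd_last_set - max_pwd_age


def smartcard_rollover_state(uac: int, pwd_last_set: int, max_pwd_age: int,
                             now_ft: int, expire_smartcard_only: bool) -> str:
    """Classify an account for automatic secret rollover (modelling assumptions:
    only smart-card-required accounts qualify, the domain flag must be set, and
    UF_DONT_EXPIRE_PASSWD is treated like a never-expiring maxPwdAge)."""
    if not uac & UF_SMARTCARD_REQUIRED:
        return "not-smartcard-only"
    if not expire_smartcard_only:
        return "feature-disabled"
    if uac & UF_DONT_EXPIRE_PASSWD:
        max_pwd_age = NEVER_EXPIRES
    expiry = calculated_password_expiry(pwd_last_set, max_pwd_age)
    if expiry == 0:
        return "must-change-now"   # the case reproduced in the thread
    if expiry is None:
        return "valid"
    return "expired" if now_ft >= expiry else "valid"


if __name__ == "__main__":
    # Constructed sample: password set 2024-01-01 UTC, 42-day maxPwdAge, now = expiry.
    pls, age = 133485408000000000, -42 * 86400 * 10_000_000
    print(filetime_to_datetime(calculated_password_expiry(pls, age)).isoformat())
    print(smartcard_rollover_state(UF_SMARTCARD_REQUIRED, pls, age, pls - age, True))
```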