[cifs-protocol] [MS-ADTS] A Group Managed Service Account authenticating with a previous password
Jo Sutton
jsutton at samba.org
Tue May 14 04:59:19 UTC 2024
Hi dochelp,
I can’t find any mention in Microsoft’s documentation of what should
happen when a Group Managed Service Account authenticates with a
previous password — i.e. via NTLM with an NT hash from ntPwdHistory, or
via Kerberos with a key from the OldCredentials part of a
Primary:Kerberos-Newer-Keys blob.
Should the previous password be accepted for NTLM logons? For Kerberos
logons? Should only the immediately previous password be accepted, or
should earlier passwords be accepted too? And during what period should
the previous password(s) be accepted — for example, the five minutes
immediately following the time specified by pwdLastSet?
Any information you can provide to shine light on these questions would
be welcome.
Cheers,
Jo (she/her)
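As an added example (not part of Jo's message, and not Samba's or Microsoft's code), the following script shows where the "current" and "previous" Kerberos keys the question refers to actually live. It lays out and parses the KERB_STORED_CREDENTIAL_NEW structure that MS-SAMR defines for the Primary:Kerberos-Newer-Keys property (Revision 4 header, four groups of KERB_KEY_DATA_NEW entries for Credentials, ServiceCredentials, OldCredentials and OlderCredentials, then the default salt and the key bytes), and classifies a presented key by the generation it matches. It works on the raw structure bytes, so a hex-encoded property value from supplementalCredentials must be decoded first. The blob, salt string and key bytes below are constructed for the example and are not real gMSA secrets; the script deliberately does not decide whether an old or older key should be accepted for a logon, since that policy is exactly what the message asks about.

```python
"""Parse Primary:Kerberos-Newer-Keys (KERB_STORED_CREDENTIAL_NEW) and tell
which generation (current / old / older) a presented Kerberos key belongs to.

Layout per MS-SAMR 2.2.10.6 / 2.2.10.7, all fields little-endian:
  header (24 bytes): Revision, Flags, CredentialCount, ServiceCredentialCount,
                     OldCredentialCount, OlderCredentialCount, DefaultSaltLength,
                     DefaultSaltMaximumLength, DefaultSaltOffset, DefaultIterationCount
  then CredentialCount + ... + OlderCredentialCount KERB_KEY_DATA_NEW entries
  (24 bytes each: Reserved1, Reserved2, Reserved3, IterationCount, KeyType,
   KeyLength, KeyOffset), then DefaultSalt, then the key bytes.
Offsets are relative to the start of the structure.
"""
import hashlib
import hmac
import struct

HDR = struct.Struct("<HHHHHHHHII")   # KERB_STORED_CREDENTIAL_NEW header
KEYDATA = struct.Struct("<HHIIIII")  # KERB_KEY_DATA_NEW
GROUPS = ("Credentials", "ServiceCredentials", "OldCredentials", "OlderCredentials")


def parse_kerberos_newer_keys(blob: bytes) -> dict:
    """Return {"salt", "default_iterations", <group>: [{"etype", "iterations", "key"}]}."""
    (rev, _flags, n_cur, n_svc, n_old, n_older,
     salt_len, _salt_max, salt_off, iters) = HDR.unpack_from(blob, 0)
    if rev != 4:
        raise ValueError(f"unexpected KERB_STORED_CREDENTIAL_NEW revision {rev}")
    pos = HDR.size
    out = {"default_iterations": iters}
    for name, count in zip(GROUPS, (n_cur, n_svc, n_old, n_older)):
        keys = []
        for _ in range(count):
            _r1, _r2, _r3, kiters, ktype, klen, koff = KEYDATA.unpack_from(blob, pos)
            pos += KEYDATA.size
            if koff + klen > len(blob):          # refuse to read outside the blob
                raise ValueError("key data offset/length out of range")
            keys.append({"etype": ktype, "iterations": kiters, "key": blob[koff:koff + klen]})
        out[name] = keys
    if salt_off + salt_len > len(blob):
        raise ValueError("salt offset/length out of range")
    out["salt"] = blob[salt_off:salt_off + salt_len].decode("utf-16-le")
    return out


def classify_key(parsed: dict, etype: int, key: bytes):
    """Name the group a presented key matches, or None. Constant-time compare."""
    for group in ("Credentials", "OldCredentials", "OlderCredentials"):
        for k in parsed[group]:
            if k["etype"] == etype and len(k["key"]) == len(key) and hmac.compare_digest(k["key"], key):
                return group
    return None


def build_blob(salt: str, groups, iterations: int = 4096) -> bytes:
    """Serialise [(group_name, [(etype, keybytes), ...]) x4] in the fixed group order."""
    salt_bytes = salt.encode("utf-16-le")
    counts = [len(keys) for _, keys in groups]
    salt_off = HDR.size + sum(counts) * KEYDATA.size
    data_off = salt_off + len(salt_bytes)
    entries, key_values = b"", b""
    for _, keys in groups:
        for etype, key in keys:
            entries += KEYDATA.pack(0, 0, 0, iterations, etype, len(key), data_off + len(key_values))
            key_values += key
    hdr = HDR.pack(4, 0, *counts, len(salt_bytes), len(salt_bytes), salt_off, iterations)
    return hdr + entries + salt_bytes + key_values


def _key(label: str, length: int) -> bytes:
    """Deterministic CONSTRUCTED key material for the example (not real gMSA keys)."""
    return hashlib.sha256(label.encode()).digest()[:length]


# Constructed sample: three password generations, AES256 (etype 18) and AES128 (etype 17).
SAMPLE_GROUPS = [
    ("Credentials",        [(18, _key("gen3-aes256", 32)), (17, _key("gen3-aes128", 16))]),
    ("ServiceCredentials", []),
    ("OldCredentials",     [(18, _key("gen2-aes256", 32)), (17, _key("gen2-aes128", 16))]),
    ("OlderCredentials",   [(18, _key("gen1-aes256", 32)), (17, _key("gen1-aes128", 16))]),
]
SAMPLE_SALT = "EXAMPLE.COMhostgmsa01.example.com"   # constructed, realm + "host" + fqdn style


def sample_blob() -> bytes:
    return build_blob(SAMPLE_SALT, SAMPLE_GROUPS)


if __name__ == "__main__":
    parsed = parse_kerberos_newer_keys(sample_blob())
    print("salt:", parsed["salt"], "iterations:", parsed["default_iterations"])
    for g in GROUPS:
        print(g, [(k["etype"], k["key"].hex()[:8]) for k in parsed[g]])
    # A key taken from the OldCredentials group is recognised as the previous generation.
    print(classify_key(parsed, 18, _key("gen2-aes256", 32)))
```

Whether a `"OldCredentials"` or `"OlderCredentials"` result should be honoured for a ticket request, and for how long after pwdLastSet, is the policy the message asks about; this code only tells you which generation was presented, which is the input any such policy needs.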