[cifs-protocol] [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588
Tom Jebo
tomjebo at microsoft.com
Tue May 14 05:32:45 UTC 2024
[dochelp to bcc]
[support mail to cc]
Hey Jo,
Thanks for your request regarding MS-ADTS. One of the Open Specifications team members will respond to assist you. In the meantime, we've created case 2405140040001588 to track this request. Please leave the case number in the subject when communicating with our team about this request.
Best regards,
Tom Jebo
Microsoft Open Specifications Support
-----Original Message-----
From: Jo Sutton <jsutton at samba.org>
Sent: Monday, May 13, 2024 9:59 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password
[Some people who received this message don't often get email from jsutton at samba.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
Hi dochelp,
I can't find any mention in Microsoft's documentation of what should happen when a Group Managed Service Account authenticates with a previous password - i.e. via NTLM with an NT hash from ntPwdHistory, or via Kerberos with a key from the OldCredentials part of a Primary:Kerberos-Newer-Keys blob.
Should the previous password be accepted for NTLM logons? For Kerberos logons? Should only the immediately previous password be accepted, or should earlier passwords be accepted too? And during what period should the previous password(s) be accepted - for example, the five minutes immediately following the time specified by pwdLastSet?
Any information you can provide to shine light on these questions would be welcome.
Cheers,
Jo (she/her)
More information about the cifs-protocol
mailing list