[cifs-protocol] [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588

Kristian Smith Kristian.Smith at microsoft.com
Tue May 14 15:39:58 UTC 2024


[Tom to Bcc]

Hi Jo,

Thanks for reaching out with your [MS-ADTS] question. I'll be your point of contact moving forward for this case. I will research this and get back to you with my findings.


Regards,

Kristian Smith

Support Escalation Engineer | Microsoft® Corporation

Office phone: +1 425-421-4442

Email: kristian.smith at microsoft.com

________________________________
From: Tom Jebo <tomjebo at microsoft.com>
Sent: Monday, May 13, 2024 10:32 PM
To: Jo Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588

[dochelp to bcc]
[support mail to cc]

Hey Jo,

Thanks for your request regarding MS-ADTS. One of the Open Specifications team members will respond to assist you. In the meantime, we’ve created case 2405140040001588 to track this request. Please leave the case number in the subject when communicating with our team about this request.

Best regards,
Tom Jebo
Microsoft Open Specifications Support

-----Original Message-----
From: Jo Sutton <jsutton at samba.org>
Sent: Monday, May 13, 2024 9:59 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password


Hi dochelp,

I can’t find any mention in Microsoft’s documentation of what should happen when a Group Managed Service Account authenticates with a previous password — i.e. via NTLM with an NT hash from ntPwdHistory, or via Kerberos with a key from the OldCredentials part of a Primary:Kerberos-Newer-Keys blob.

Should the previous password be accepted for NTLM logons? For Kerberos logons? Should only the immediately previous password be accepted, or should earlier passwords be accepted too? And during what period should the previous password(s) be accepted — for example, the five minutes immediately following the time specified by pwdLastSet?

Any information you can provide to shine light on these questions would be welcome.

Cheers,
Jo (she/her)
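The NTLM half of the question above, as an added worked model (not part of the thread and not a statement of what Active Directory does): an account object with an ntPwdHistory-style list of NT hashes and a pwdLastSet timestamp, and a check that reports whether a candidate NT hash matches the current password, the immediately previous one, or an older one, under a configurable acceptance window and history depth. The window, the depth, the ordering of the history list (newest first, current hash at index 0) and the sample account are assumptions of this example, chosen to mirror the alternatives the question lists; the NT hash computation itself (MD4 over the UTF-16LE password) is the standard NTOWFv1 from MS-NLMP, implemented in pure Python because hashlib's MD4 is frequently unavailable with OpenSSL 3.

```python
"""Model of the NTLM case from the question: does an NT hash taken from an
older ntPwdHistory entry still authenticate, and for how long after pwdLastSet?

Hypothetical example. The grace window and history depth are parameters
because the thread does not say what AD actually does. The MD4 / NT-hash
code is standard (RFC 1320, MS-NLMP NTOWFv1)."""
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]           # 0,4,8,12,1,5,...
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in ((F, range(16), (3, 7, 11, 19), 0),
                                     (G, r2, (3, 5, 9, 13), 0x5A827999),
                                     (H, r3, (3, 9, 11, 15), 0x6ED9EBA1)):
            for i, j in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c            # rotate registers for the next step
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password (MS-NLMP NTOWFv1)."""
    return md4(password.encode("utf-16-le"))


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is stored as a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


@dataclass
class Account:
    # Constructed stand-in for the directory object. ntPwdHistory is modelled
    # as a list of NT hashes, newest first, current hash at index 0. That
    # ordering is an assumption of this model, not a claim about the AD schema.
    nt_pwd_history: List[bytes]
    pwd_last_set: datetime


def ntlm_match(account: Account, candidate: bytes, now: datetime,
               grace: timedelta, history_depth: int) -> Optional[str]:
    """Report which history slot the candidate NT hash matched, or None.

    Policy knobs (assumptions mirroring the alternatives in the question):
      grace          how long after pwdLastSet an older hash is still accepted
      history_depth  1 = only the immediately previous password, 2 = two back, ...
    compare_digest keeps the directory-side comparison constant-time.
    """
    if hmac.compare_digest(candidate, account.nt_pwd_history[0]):
        return "current"
    if not (account.pwd_last_set <= now < account.pwd_last_set + grace):
        return None
    for n, old in enumerate(account.nt_pwd_history[1:1 + history_depth], start=1):
        if hmac.compare_digest(candidate, old):
            return f"previous-{n}"
    return None


def demo() -> dict:
    """Run the cases the question distinguishes on a constructed sample account."""
    rotated_at = datetime(2024, 5, 13, 21, 59, tzinfo=timezone.utc)   # constructed
    acct = Account([nt_hash("Th1rd-Password!"), nt_hash("password"), nt_hash("")],
                   rotated_at)
    five_min = timedelta(minutes=5)
    t1, t6 = rotated_at + timedelta(minutes=1), rotated_at + timedelta(minutes=6)
    return {
        "current":                 ntlm_match(acct, nt_hash("Th1rd-Password!"), t1, five_min, 1),
        "previous, inside window": ntlm_match(acct, nt_hash("password"), t1, five_min, 1),
        "previous, after window":  ntlm_match(acct, nt_hash("password"), t6, five_min, 1),
        "two back, depth 1":       ntlm_match(acct, nt_hash(""), t1, five_min, 1),
        "two back, depth 2":       ntlm_match(acct, nt_hash(""), t1, five_min, 2),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:24s} -> {outcome}")
```

Changing `grace` and `history_depth` in `demo()` is the whole experiment: the same candidate hash flips between accepted and rejected depending on which of the question's alternatives the directory implements, which is exactly what an interoperability test against a Windows DC would need to pin down.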