[cifs-protocol] msDS-ExpirePasswordsOnSmartCardOnlyAccounts - when are passwords rotated? - TrackingID#2404290040010292

Andrew Bartlett abartlet at samba.org
Wed May 15 22:58:07 UTC 2024


Thanks.  I don't see the password being rolled in the nearing expiry
case.  Does that happen before or after the ticket is issued?  (I just
see a short-life ticket being issued). 
I will extend my tests to see if it is rolled after the issue of the
ticket, but currently when I check pwdLastSet and the returned NT
password hash, neither have changed in the soon-to-expire case, but the
ticket lifetime has shortened so we know it really was soon to expire.
Andrew Bartlett
On Wed, 2024-05-15 at 22:50 +0000, Kristian Smith wrote:
> Hi Andrew,
> 
> I have completed my research on this case and have some answers for
> you.
> 
> Your observation about the DC waiting for the PDC to process is
> accurate. Here are the circumstances for non-PDCs:
> 
> A BDC must send the request to a PDC and wait for a response. If the
> request to the PDC fails, then randomize the password locally.
> 
> 
> An RODC must send the request to a PDC, but optionally request a BDC
> if the PDC call fails.
> 
> 
> We roll the password in the following circumstances at logon:
> 
> The account has been flagged for a password change at next logon.
> 
> 
> The password is expired.
> 
> 
> The password is nearing expiration and validity of that ticket would
> surpass the expiration of the password.
> 
> 
> If you have any additional questions, please let me know.
> 
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Office phone: +1 425-421-4442
> Email:
> kristian.smith at microsoft.com
> 
> From: Kristian Smith <Kristian.Smith at microsoft.com>
> 
> Sent: Monday, April 29, 2024 11:46 AM
> 
> To: Andrew Bartlett <abartlet at samba.org>
> 
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> Microsoft Support <supportmail at microsoft.com>
> 
> Subject: msDS-ExpirePasswordsOnSmartCardOnlyAccounts - when are
> passwords rotated? - TrackingID#2404290040010292
> 
> Hi Andrew,
> 
> I'm creating two new cases for your inquiries. This one will be for
> the following component of your question:
> 
> "Can you clarify which parts of the AD DC calls
> ResetSmartCardAccountPassword and under what circumstances?  Is it
> just the KDC during PK-INIT AS-REQ processing?
> 
> Is there anything else that rotates these passwords?  The reason I
> ask is that this being the only case would suggest that where the DC
> is not the PDC, the PK-INIT AS-REQ processing must wait for the PDC
> before continuing processing.  (We know the local case does, it gets
> the new password for return in the PAC)."
> 
> You will see another email from me soon regarding the other case. I
> will send an update once I have conducted an investigation into these
> concerns.
> 
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Office phone: +1 425-421-4442
> Email:
> kristian.smith at microsoft.com
> 
> From: Andrew Bartlett <abartlet at samba.org>
> 
> Sent: Sunday, April 28, 2024 9:14 PM
> 
> To: Kristian Smith <Kristian.Smith at microsoft.com>
> 
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> Microsoft Support <supportmail at microsoft.com>
> 
> Subject: Re: [EXTERNAL] Protocol documentation for automatic rollover
> of expired passwords with UF_SMARTCARD_REQUIRED -
> TrackingID#2404240040010190
> 
> Thanks Kristian, that is most helpful.
> 
> Can you clarify which parts of the AD DC calls
> ResetSmartCardAccountPassword and under what circumstances?  Is it
> just the KDC during PK-INIT AS-REQ processing?
> 
> Is there anything else that rotates these passwords?  The reason I
> ask is that this being the only case would suggest that where the DC
> is not the PDC, the PK-INIT AS-REQ processing must wait for the PDC
> before continuing processing.  (We know the local case does, it gets
> the new password for return in the PAC).
> 
> Finally, the doc needs some correction: the references to pwdLastSet
> make no sense (it should always be in the past). I think a
> meta-variable for the calculated password expiry is what is meant.
> 
> Thanks!
> 
> Andrew Bartlett
> 
> On Thu, 2024-04-25 at 21:41 +0000, Kristian Smith wrote:
> > [Michael to Bcc]
> > 
> > Hi Andrew,
> > 
> > Thanks for reaching out with your question. The password-rolling
> > attribute you're looking for is
> > "msDS-ExpirePasswordsOnSmartCardOnlyAccounts".
> > 
> > It can be found in the following docs:
> > 
> > [MS-SAMS] 3.3.5.7.2 Normative Specification
> > 
> > [MS-ADA2] 2.319 Attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts
> > 
> > To a lesser extent here as well: 
> > 
> > [MS-ADSC] 2.44 Class domainDNS
> > 
> > 
> > Let me know if this answers the question, or if there is anything
> > that can be clarified.
> > 
> > Regards,
> > Kristian Smith
> > Support Escalation Engineer | Microsoft® Corporation
> > Office phone: +1 425-421-4442
> > Email:
> > kristian.smith at microsoft.com
> > 
> > 
> > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > 
> > Sent: Wednesday, April 24, 2024 10:39 AM
> > 
> > To: Andrew Bartlett <abartlet at samba.org>
> > 
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > Microsoft Support <supportmail at microsoft.com>
> > 
> > Subject: Re: [EXTERNAL] Protocol documentation for automatic
> > rollover of expired passwords with UF_SMARTCARD_REQUIRED -
> > TrackingID#2404240040010190
> > 
> > [Case number in subject]
> > [Casemail to cc]
> > [Dochelp to bcc]
> > 
> > Hi Andrew,
> > 
> > 
> > Thank you for your request. The case number 2404240040010190 has
> > been created for this inquiry. One of our team members will follow
> > up with you soon.
> > 
> > 
> > Best regards, 
> > 
> > Mike Bowen
> > 
> > Sr. Escalation Engineer - Microsoft® Corporation
> > 
> > From: Andrew Bartlett <abartlet at samba.org>
> > 
> > Sent: Tuesday, April 23, 2024 5:52 PM
> > 
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > 
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > 
> > Subject: [EXTERNAL] Protocol documentation for automatic rollover
> > of expired passwords with UF_SMARTCARD_REQUIRED
> > 
> > Kia Ora Dochelp!
> > 
> > 
> > 
> > I'm looking for any documentation as to the finer details of
> > 
> > 
> > 
> > > DCs can support automatic rolling of the NTLM and other password-
> > > based secrets on a user account configured to require PKI
> > > authentication. This configuration is also known as "Smart card
> > > required for interactive logon"
> > 
> > from
> > 
> > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels#windows-server-2016-domain-functional-level-features
> > 
> > I don't see any mention of this in MS-ADPS, but am not sure where
> > next to check.
> > 
> > In particular, while I have reproduced the rollover for 'must
> > change now', I'm wondering when the password otherwise rolls over:
> > is it before the expiry (e.g. within the 'old password allowed time'
> > grace of 60 mins, for example), or at the expiry?
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
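The logon-time rules Kristian lists above (roll when the account is flagged to change password at next logon, when the password is expired, or when it is nearing expiry and the requested ticket would outlive it), together with the calculated-expiry "meta-variable" Andrew asks the doc to use instead of pwdLastSet, can be modelled as a small decision function. The block below is an added example written for this page, not Samba or Windows code. It assumes AD's on-disk encodings (pwdLastSet as a FILETIME, maxPwdAge as a negative 100 ns interval, pwdLastSet == 0 meaning "must change at next logon"), assumes the domain-level msDS-ExpirePasswordsOnSmartCardOnlyAccounts switch gates all three cases, assumes "nearing expiration" means now + ticket lifetime > password expiry, and separately models the ticket shortening Andrew observed as a clamp of the ticket end time to the password expiry. The sample values are constructed; BDC/RODC forwarding to the PDC is not modelled.

```python
"""Password-rolling decision for smart-card-only accounts, as described in
the thread.  Added example, not Samba or Windows code: it encodes the three
logon-time conditions on top of AD's FILETIME encodings and assumes that
'nearing expiration' means the requested ticket would end after the
password expires.  Forwarding from a BDC/RODC to the PDC is not modelled.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl bits ([MS-ADTS] 2.2.16)
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_SMARTCARD_REQUIRED = 0x00040000

# FILETIME: 100 ns intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000
# maxPwdAge is stored as a negative interval; this sentinel means "never"
MAXPWDAGE_NEVER = -0x8000000000000000


def datetime_to_filetime(dt: datetime) -> int:
    """Exact integer conversion (no float rounding at 1e17 magnitudes)."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * HUNDRED_NS_PER_SECOND
            + delta.microseconds * 10)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_expiry(pwd_last_set: int, max_pwd_age: int,
                    uac: int) -> Optional[datetime]:
    """Calculated password expiry (the 'meta-variable' the thread says the
    doc should use instead of pwdLastSet), or None if it never expires."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    # maxPwdAge is negative, so subtracting it moves forward in time.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def roll_reason(uac: int, pwd_last_set: int, max_pwd_age: int,
                domain_expires_smartcard_pw: bool,
                now: datetime, ticket_lifetime: timedelta) -> Optional[str]:
    """Why the DC would roll the NT hash at this PK-INIT logon, or None.

    Assumption: the domain-level msDS-ExpirePasswordsOnSmartCardOnlyAccounts
    switch gates all three cases for accounts with UF_SMARTCARD_REQUIRED.
    """
    if not (uac & UF_SMARTCARD_REQUIRED) or not domain_expires_smartcard_pw:
        return None
    if pwd_last_set == 0:
        # pwdLastSet == 0 is AD's "user must change password at next logon"
        return "must-change-at-next-logon"
    expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    if expiry is None:
        return None
    if expiry <= now:
        return "expired"
    if now + ticket_lifetime > expiry:
        return "nearing-expiry"
    return None


def ticket_endtime(now: datetime, ticket_lifetime: timedelta,
                   expiry: Optional[datetime]) -> datetime:
    """End time of the issued ticket.  Assumption matching the shortened
    ticket observed in the soon-to-expire case: the end time is clamped to
    the password expiry when that comes first."""
    end = now + ticket_lifetime
    if expiry is not None and expiry < end:
        return expiry
    return end


if __name__ == "__main__":
    # Constructed sample: password set 2024-05-01, 42-day maxPwdAge, 10 h TGT
    uac = UF_SMARTCARD_REQUIRED
    pls = datetime_to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc))
    max_age = -42 * 86400 * HUNDRED_NS_PER_SECOND
    tgt = timedelta(hours=10)
    for when in (datetime(2024, 6, 10, tzinfo=timezone.utc),
                 datetime(2024, 6, 11, 20, tzinfo=timezone.utc),
                 datetime(2024, 6, 13, tzinfo=timezone.utc)):
        exp = password_expiry(pls, max_age, uac)
        print(when, roll_reason(uac, pls, max_age, True, when, tgt),
              ticket_endtime(when, tgt, exp))
```

To compare against a real DC, feed it the raw integer pwdLastSet and userAccountControl from the user object, maxPwdAge from the domain head, and the lifetime from the AS-REQ's till field; pwdLastSet and the returned NT hash should change only in the cases where roll_reason is not None.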