[cifs-protocol] [EXTERNAL] Re: msDS-ExpirePasswordsOnSmartCardOnlyAccounts - when are passwords rotated? - TrackingID#2404290040010292

Andrew Bartlett abartlet at samba.org
Thu May 16 03:52:38 UTC 2024


Can you send me the trace tools and set up a workspace to confirm what
I'm seeing, because I just don't see soon-to-expire passwords being
rotated.  I just see them rotated once they expire.
Thanks,
Andrew Bartlett
On Wed, 2024-05-15 at 23:39 +0000, Kristian Smith via cifs-protocol
wrote:
> That was a speedy reply!
> 
> I just confirmed that all three of the conditions, including the
> nearing-expiration case, are checked before sending the ticket.
> 
> Let me know if you have any other questions/concerns.
> 
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Office phone: +1 425-421-4442
> Email: kristian.smith at microsoft.com
> 
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Wednesday, May 15, 2024 3:58 PM
> To: Kristian Smith <Kristian.Smith at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> Microsoft Support <supportmail at microsoft.com>
> Subject: [EXTERNAL] Re: msDS-ExpirePasswordsOnSmartCardOnlyAccounts -
> when are passwords rotated? - TrackingID#2404290040010292
> 
> Thanks.  I don't see the password being rolled in the nearing expiry
> case.  Does that happen before or after the ticket is issued?  (I
> just see a short-life ticket being issued.)
> 
> I will extend my tests to see if it is rolled after the issue of the
> ticket, but currently when I check pwdLastSet and the returned NT
> password hash, neither has changed in the soon-to-expire case, but
> the ticket lifetime has shortened so we know it really was soon to
> expire.
> 
> Andrew Bartlett
> 
> On Wed, 2024-05-15 at 22:50 +0000, Kristian Smith wrote:
> 
> > Hi Andrew,
> > 
> > I have completed my research on this case and have some answers for
> > you.
> > 
> > Your observation about the DC waiting for the PDC to process is
> > accurate. Here are the circumstances for non-PDCs:
> > 
> > A BDC must send the request to a PDC and wait for a response. If
> > the request fails to the PDC, then randomize password locally.
> > 
> > An RODC must send the request to a PDC, but optionally request a
> > BDC if the PDC call fails.
> > 
> > We roll the password in the following circumstances at logon:
> > 
> > The account has been flagged for a password change at next logon.
> > 
> > The password is expired.
> > 
> > The password is nearing expiration and validity of that ticket
> > would surpass the expiration of the password.
> > 
> > If you have any additional questions, please let me know.
> > 
> > Regards,
> > Kristian Smith
> > Support Escalation Engineer | Microsoft® Corporation
> > Office phone: +1 425-421-4442
> > Email: kristian.smith at microsoft.com
> > 
> > From: Kristian Smith <Kristian.Smith at microsoft.com>
> > Sent: Monday, April 29, 2024 11:46 AM
> > To: Andrew Bartlett <abartlet at samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > Microsoft Support <supportmail at microsoft.com>
> > Subject: msDS-ExpirePasswordsOnSmartCardOnlyAccounts - when are
> > passwords rotated? - TrackingID#2404290040010292
> > 
> > Hi Andrew,
> > 
> > I'm creating two new cases for your inquiries. This one will be for
> > the following component of your question:
> > 
> > "Can you clarify which parts of the AD DC calls
> > ResetSmartCardAccountPassword and under what circumstances?  Is it
> > just the KDC during PK-INIT AS-REQ processing?
> > 
> > Is there anything else that rotates these passwords?  The reason I
> > ask is that this being the only case would suggest that where the
> > DC is not the PDC, the PK-INIT AS-REQ processing must wait for the
> > PDC before continuing processing.  (We know the local case
> > does, it gets the new password for return in the PAC)."
> > 
> > You will see another email from me soon regarding the other case. I
> > will send an update once I have conducted an investigation into
> > these concerns.
> > 
> > Regards,
> > Kristian Smith
> > Support Escalation Engineer | Microsoft® Corporation
> > Office phone: +1 425-421-4442
> > Email: kristian.smith at microsoft.com
> > 
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Sunday, April 28, 2024 9:14 PM
> > To: Kristian Smith <Kristian.Smith at microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > Microsoft Support <supportmail at microsoft.com>
> > Subject: Re: [EXTERNAL] Protocol documentation for automatic
> > rollover of expired passwords with UF_SMARTCARD_REQUIRED -
> > TrackingID#2404240040010190
> > 
> > Thanks Kristian, that is most helpful.
> > 
> > Can you clarify which parts of the AD DC calls
> > ResetSmartCardAccountPassword and under what circumstances?  Is it
> > just the KDC during PK-INIT AS-REQ processing?
> > 
> > Is there anything else that rotates these passwords?  The reason I
> > ask is that this being the only case would suggest that where the
> > DC is not the PDC, the PK-INIT AS-REQ processing must wait
> > for the PDC before continuing processing.  (We know the local case
> > does, it gets the new password for return in the PAC.)
> > 
> > Finally, the doc needs some correction: the references to
> > pwdLastSet make no sense (it should always be in the past); I
> > think a meta-variable for the calculated password expiry is what is
> > meant.
> > 
> > Thanks!
> > 
> > Andrew Bartlett
> > 
> > On Thu, 2024-04-25 at 21:41 +0000, Kristian Smith wrote:
> > > [Michael to Bcc]
> > > 
> > > Hi Andrew,
> > > 
> > > Thanks for reaching out with your question. The password-rolling
> > > attribute you're looking for is
> > > "msDS-ExpirePasswordsOnSmartCardOnlyAccounts".
> > > 
> > > It can be found in the following docs:
> > > 
> > > [MS-SAMS] 3.3.5.7.2 Normative Specification
> > > 
> > > [MS-ADA2] 2.319 Attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts
> > > 
> > > To a lesser extent here as well:
> > > 
> > > [MS-ADSC] 2.44 Class domainDNS
> > > 
> > > Let me know if this answers the question, or if there is anything
> > > that can be clarified.
> > > 
> > > Regards,
> > > Kristian Smith
> > > Support Escalation Engineer | Microsoft® Corporation
> > > Office phone: +1 425-421-4442
> > > Email: kristian.smith at microsoft.com
> > > 
> > > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > > Sent: Wednesday, April 24, 2024 10:39 AM
> > > To: Andrew Bartlett <abartlet at samba.org>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > Microsoft Support <supportmail at microsoft.com>
> > > Subject: Re: [EXTERNAL] Protocol documentation for automatic
> > > rollover of expired passwords with UF_SMARTCARD_REQUIRED -
> > > TrackingID#2404240040010190
> > > 
> > > [Case number in subject]
> > > [Casemail to cc]
> > > [Dochelp to bcc]
> > > 
> > > Hi Andrew,
> > > 
> > > Thank you for your request. The case number 2404240040010190 has
> > > been created for this inquiry. One of our team members will
> > > follow up with you soon.
> > > 
> > > Best regards,
> > > Mike Bowen
> > > Sr. Escalation Engineer - Microsoft® Corporation
> > > 
> > > From: Andrew Bartlett <abartlet at samba.org>
> > > Sent: Tuesday, April 23, 2024 5:52 PM
> > > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > > Subject: [EXTERNAL] Protocol documentation for automatic rollover
> > > of expired passwords with UF_SMARTCARD_REQUIRED
> > > 
> > > Kia Ora Dochelp!
> > > 
> > > I'm looking for any documentation as to the finer details of
> > > 
> > > > DCs can support automatic rolling of the NTLM and other
> > > > password-based secrets on a user account configured to require
> > > > PKI authentication. This configuration is also known as "Smart
> > > > card required for interactive logon"
> > > 
> > > from
> > > 
> > > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels#windows-server-2016-domain-functional-level-features
> > > 
> > > I don't see any mention of this in MS-ADPS, but am not sure where
> > > next to check.
> > > 
> > > In particular, while I have reproduced the rollover for 'must
> > > change now', I'm wondering when the password otherwise rolls
> > > over: is it before the expiry (e.g. with the 'old password allowed
> > > time' grace of 60 mins, for example), or at the expiry?
> > > 
> > > Thanks,
> > > 
> > > Andrew Bartlett
> 
> -- 
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead                https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
> 
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
> Samba Development and Support: https://catalyst.net.nz/services/samba
> Catalyst IT - Expert Open Source Solutions
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
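As an added illustration of the three logon-time conditions Kristian lists in the thread (flagged for change at next logon, expired, and nearing expiry with a ticket that would outlive the password), together with the shortened ticket Andrew reports seeing in the third case, here is a small Python model of the decision. It is not Samba or Windows code. The encodings it relies on are standard AD conventions (pwdLastSet is a FILETIME, i.e. 100 ns ticks since 1601-01-01 UTC, with 0 meaning "must change at next logon"; maxPwdAge on the domain object is a negative 100 ns interval); the function names, the Decision type and the 42-day/10-hour sample values are constructed for the example, and the clamp in the third branch records Andrew's observation rather than any documented behaviour.

```python
"""Model of the three "roll the password at logon" conditions for
smart-card-only accounts (msDS-ExpirePasswordsOnSmartCardOnlyAccounts).
Added illustration for the cifs-protocol thread; not Samba or Windows code.
Function and type names are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME ticks are 100 ns


def filetime_to_datetime(ticks: int) -> datetime:
    """AD FILETIME integer -> aware UTC datetime (integer maths only, no float loss)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample pwdLastSet values."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int) -> datetime:
    """pwdLastSet plus the domain lifetime; maxPwdAge is stored negated in AD."""
    lifetime_ticks = -max_pwd_age
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=lifetime_ticks // 10)


class RollReason(Enum):
    NONE = "no roll: ticket fits inside the remaining password lifetime"
    MUST_CHANGE = "account flagged for a password change at next logon"
    EXPIRED = "password is expired"
    NEARING_EXPIRY = "ticket validity would surpass the password expiry"


@dataclass(frozen=True)
class Decision:
    reason: RollReason
    ticket_lifetime: timedelta  # requested lifetime, clamped to the password expiry


def evaluate_logon(pwd_last_set: int, max_pwd_age: int, now: datetime,
                   requested_lifetime: timedelta) -> Decision:
    """Return which of the three conditions fires at a PKINIT logon, if any."""
    # Condition 1: flagged for change at next logon (pwdLastSet == 0).
    if pwd_last_set == 0:
        return Decision(RollReason.MUST_CHANGE, requested_lifetime)
    expiry = password_expiry(pwd_last_set, max_pwd_age)
    # Condition 2: the password is already expired.
    if now >= expiry:
        return Decision(RollReason.EXPIRED, requested_lifetime)
    # Condition 3: not expired yet, but the ticket would outlive the password.
    remaining = expiry - now
    if requested_lifetime > remaining:
        # Andrew reports the ticket being shortened to the remaining password
        # lifetime here; whether the secret is also rolled is the open question.
        return Decision(RollReason.NEARING_EXPIRY, remaining)
    return Decision(RollReason.NONE, requested_lifetime)


# Constructed sample: a 42-day maxPwdAge policy and a 10-hour TGT request.
MAX_PWD_AGE_42_DAYS = -42 * 86400 * TICKS_PER_SECOND
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)
TEN_HOURS = timedelta(hours=10)


def sample_cases() -> dict:
    """Evaluate one account per condition against the constructed policy."""
    ages = {
        "fresh (10 days old)": timedelta(days=10),
        "nearing expiry (41d 20h old)": timedelta(days=41, hours=20),
        "expired (50 days old)": timedelta(days=50),
    }
    out = {
        label: evaluate_logon(datetime_to_filetime(NOW - age),
                              MAX_PWD_AGE_42_DAYS, NOW, TEN_HOURS)
        for label, age in ages.items()
    }
    out["must change (pwdLastSet = 0)"] = evaluate_logon(0, MAX_PWD_AGE_42_DAYS, NOW, TEN_HOURS)
    return out


if __name__ == "__main__":
    for label, decision in sample_cases().items():
        print(f"{label:30s} -> {decision.reason.name:15s} ticket lifetime {decision.ticket_lifetime}")
```

Running the block prints one line per case; the "nearing expiry" account gets a 4-hour ticket because only 4 hours of password lifetime remain, which is the shortened-ticket symptom Andrew describes, while the fresh account keeps the full 10 hours. The integer-only FILETIME conversion matters in practice: 2024 is about 1.3e17 ticks past 1601, which exceeds the exact range of a double, so float arithmetic on pwdLastSet silently loses sub-second precision.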