[cifs-protocol] [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588
Kristian Smith
Kristian.Smith at microsoft.com
Thu May 16 23:51:31 UTC 2024
Hi Jo,
I conducted research on these questions you posed and wanted to share my findings with you.
In the context of gMSA authentication, we accept only the current and most recent previous password for both NTLM and Kerberos. Also, I was unable to locate any time limitations for the use of the previous password.
Let me know if this answers your questions or if there is further clarification I can provide.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: kristian.smith at microsoft.com<mailto:kristian.smith at microsoft.com>
________________________________
From: Kristian Smith <Kristian.Smith at microsoft.com>
Sent: Tuesday, May 14, 2024 8:39 AM
To: Jo Sutton <jsutton at samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
Subject: Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588
[Tom to Bcc]
Hi Jo,
Thanks for reaching out with your [MS-ADTS] question. I'll be your point of contact moving forward for this case. I will research this and get back to you with my findings.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: kristian.smith at microsoft.com<mailto:kristian.smith at microsoft.com>
________________________________
From: Tom Jebo <tomjebo at microsoft.com>
Sent: Monday, May 13, 2024 10:32 PM
To: Jo Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588
[dochelp to bcc]
[support mail to cc]
Hey Jo,
Thanks for your request regarding MS-ADTS. One of the Open Specifications team members will respond to assist you. In the meantime, we’ve created case 2405140040001588 to track this request. Please leave the case number in the subject when communicating with our team about this request.
Best regards,
Tom Jebo
Microsoft Open Specifications Support
-----Original Message-----
From: Jo Sutton <jsutton at samba.org>
Sent: Monday, May 13, 2024 9:59 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password
[Some people who received this message don't often get email from jsutton at samba.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
Hi dochelp,
I can’t find any mention in Microsoft’s documentation of what should happen when a Group Managed Service Account authenticates with a previous password — i.e. via NTLM with an NT hash from ntPwdHistory, or via Kerberos with a key from the OldCredentials part of a Primary:Kerberos-Newer-Keys blob.
Should the previous password be accepted for NTLM logons? For Kerberos logons? Should only the immediately previous password be accepted, or should earlier passwords be accepted too? And during what period should the previous password(s) be accepted — for example, the five minutes immediately following the time specified by pwdLastSet?
Any information you can provide to shine light on these questions would be welcome.
Cheers,
Jo (she/her)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20240516/ad594e32/attachment.htm>
More information about the cifs-protocol
mailing list