[cifs-protocol] [EXTERNAL] Re: msDS-ExpirePasswordsOnSmartCardOnlyAccounts - when are passwords rotated? - TrackingID#2405160040012442

Andrew Bartlett abartlet at samba.org
Fri May 17 00:47:10 UTC 2024


Thanks so much, I really appreciate that additional detail.  That was
the information I needed.

It will mean that for smooth operation password lifetime should always
be twice the TGT lifetime, as otherwise we can get into a situation
where the TGT expiry is shortened to the password expiry, even for a
smart-card login.  This would leave the password unchanged, if the
password was last changed just before ticket issue.

There isn't much user documentation for this feature, but this should
probably be said somewhere.

Anyway, I now have tests that demonstrate the described behaviour.

Thanks,

On Thu, 2024-05-16 at 19:46 +0000, Kristian Smith wrote:
> Hi Andrew,
> 
> I dug in a bit deeper and it turns out that the password will not
> roll in the "nearly-expired" case unless we are at least halfway
> through the password's validity period.
> 
> Let me know if you are still unable to repro given this condition.
> 
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Office phone: +1 425-421-4442
> Email:
> kristian.smith at microsoft.com
> 
> From: Andrew Bartlett <abartlet at samba.org>
> 
> Sent: Wednesday, May 15, 2024 8:52 PM
> 
> To: Kristian Smith <Kristian.Smith at microsoft.com>
> 
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> Microsoft Support <supportmail at microsoft.com>
> 
> Subject: Re: [cifs-protocol] [EXTERNAL] Re: msDS-
> ExpirePasswordsOnSmartCardOnlyAccounts - when are passwords rotated?
> - TrackingID#2404290040010292
>  
> 
> Can you send me the trace tools and set up a workspace to confirm
> what I'm seeing, because I just don't see soon-to-expire passwords
> being rotated.  I just see them rotated once they expire.
> 
> Thanks,
> 
> Andrew Bartlett
> 
> On Wed, 2024-05-15 at 23:39 +0000, Kristian Smith via cifs-protocol
> wrote:
> > That was a speedy reply! 
> > 
> > I just confirmed that all three of the conditions, including the
> > nearing-expiration case, are checked before sending the ticket.
> > 
> > Let me know if you have any other questions/concerns.
> > 
> > Regards,
> > Kristian Smith
> > Support Escalation Engineer | Microsoft® Corporation
> > Office phone: +1 425-421-4442
> > Email:
> > kristian.smith at microsoft.com
> > 
> > From: Andrew Bartlett <abartlet at samba.org>
> > 
> > Sent: Wednesday, May 15, 2024 3:58 PM
> > 
> > To: Kristian Smith <Kristian.Smith at microsoft.com>
> > 
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > Microsoft Support <supportmail at microsoft.com>
> > 
> > Subject: [EXTERNAL] Re: msDS-ExpirePasswordsOnSmartCardOnlyAccounts 
> > - when are passwords rotated? - TrackingID#2404290040010292
> >  
> > 
> > Thanks.  I don't see the password being rolled in the nearing
> > expiry case.  Does that happen before or after the ticket is
> > issued?  (I just see a short-life ticket being issued.)
> > 
> > I will extend my tests to see if it is rolled after the issue of
> > the ticket, but currently when I check pwdLastSet and the returned
> > NT password hash, neither has changed in the soon-to-expire case,
> > but the ticket lifetime has shortened so we know it really was soon
> > to expire.
> > 
> > Andrew Bartlett
> > 
> > On Wed, 2024-05-15 at 22:50 +0000, Kristian Smith wrote:
> > > Hi Andrew,
> > > 
> > > I have completed my research on this case and have some answers
> > > for you.
> > > 
> > > Your observation about the DC waiting for the PDC to process is
> > > accurate. Here are the circumstances for non-PDCs:
> > > 
> > > A BDC must send the request to a PDC and wait for a response. If
> > > the request fails to the PDC, then randomize password locally.
> > > 
> > > An RODC must send the request to a PDC, but optionally request a
> > > BDC if the PDC call fails.
> > > 
> > > We roll the password in the following circumstances at logon:
> > > 
> > > The account has been flagged for a password change at next logon.
> > > 
> > > The password is expired.
> > > 
> > > The password is nearing expiration and validity of that ticket
> > > would surpass the expiration of the password.
> > > 
> > > If you have any additional questions, please let me know.
> > > 
> > > Regards,
> > > Kristian Smith
> > > Support Escalation Engineer | Microsoft® Corporation
> > > Office phone: +1 425-421-4442
> > > Email:
> > > kristian.smith at microsoft.com
> > > 
> > > From: Kristian Smith <Kristian.Smith at microsoft.com>
> > > 
> > > Sent: Monday, April 29, 2024 11:46 AM
> > > 
> > > To: Andrew Bartlett <abartlet at samba.org>
> > > 
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > Microsoft Support <supportmail at microsoft.com>
> > > 
> > > Subject: msDS-ExpirePasswordsOnSmartCardOnlyAccounts - when are
> > > passwords rotated? - TrackingID#2404290040010292
> > >  
> > > 
> > > 
> > > Hi Andrew,
> > > 
> > > I'm creating two new cases for your inquiries. This one will be
> > > for the following component of your question:
> > > 
> > > "Can you clarify which parts of the AD DC calls
> > > ResetSmartCardAccountPassword and under what circumstances?  Is
> > > it just the KDC during PK-INIT AS-REQ processing?
> > > 
> > > Is there anything else that rotates these passwords?  The reason
> > > I ask is that this being the only case would suggest that where
> > > the DC is not the PDC, the PK-INIT AS-REQ processing must wait
> > > for the PDC before continuing processing.  (We know the local
> > > case does, it gets the new password for return in the PAC)."
> > > 
> > > You will see another email from me soon regarding the other case.
> > > I will send an update once I have conducted an investigation into
> > > these concerns.
> > > 
> > > Regards,
> > > Kristian Smith
> > > Support Escalation Engineer | Microsoft® Corporation
> > > Office phone: +1 425-421-4442
> > > Email:
> > > kristian.smith at microsoft.com
> > > 
> > > From: Andrew Bartlett <abartlet at samba.org>
> > > 
> > > Sent: Sunday, April 28, 2024 9:14 PM
> > > 
> > > To: Kristian Smith <Kristian.Smith at microsoft.com>
> > > 
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > Microsoft Support <supportmail at microsoft.com>
> > > 
> > > Subject: Re: [EXTERNAL] Protocol documentation for automatic
> > > rollover of expired passwords with UF_SMARTCARD_REQUIRED -
> > > TrackingID#2404240040010190
> > >  
> > > 
> > > Thanks Kristian, that is most helpful. 
> > > 
> > > Can you clarify which parts of the AD DC calls
> > > ResetSmartCardAccountPassword and under what circumstances?  Is
> > > it just the KDC during PK-INIT AS-REQ processing?
> > > 
> > > Is there anything else that rotates these passwords?  The reason
> > > I ask is that this being the only case would suggest that where
> > > the DC is not the PDC, the PK-INIT AS-REQ processing must wait
> > > for the PDC before continuing processing.  (We know the local
> > > case does, it gets the new password for return in the PAC).
> > > 
> > > Finally, the doc needs some correction: the references to
> > > pwdLastSet make no sense (it should always be in the past); I
> > > think a meta-variable for the calculated password expiry is what
> > > is meant.
> > > 
> > > Thanks!
> > > 
> > > Andrew Bartlett
> > > 
> > > On Thu, 2024-04-25 at 21:41 +0000, Kristian Smith wrote:
> > > > [Michael to Bcc]
> > > > 
> > > > Hi Andrew,
> > > > 
> > > > Thanks for reaching out with your question. The password-rolling
> > > > attribute you're looking for is
> > > > "msDS-ExpirePasswordsOnSmartCardOnlyAccounts".
> > > > 
> > > > It can be found in the following docs:
> > > > 
> > > > [MS-SAMS] 3.3.5.7.2 Normative Specification
> > > > 
> > > > [MS-ADA2] 2.319 Attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts
> > > > 
> > > > To a lesser extent here as well: 
> > > > 
> > > > [MS-ADSC] 2.44 Class domainDNS
> > > > 
> > > > Let me know if this answers the question, or if there is
> > > > anything that can be clarified.
> > > > 
> > > > Regards,
> > > > Kristian Smith
> > > > Support Escalation Engineer | Microsoft® Corporation
> > > > Office phone: +1 425-421-4442
> > > > Email:
> > > > kristian.smith at microsoft.com
> > > > 
> > > > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > > > 
> > > > Sent: Wednesday, April 24, 2024 10:39 AM
> > > > 
> > > > To: Andrew Bartlett <abartlet at samba.org>
> > > > 
> > > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > > Microsoft Support <supportmail at microsoft.com>
> > > > 
> > > > Subject: Re: [EXTERNAL] Protocol documentation for automatic
> > > > rollover of expired passwords with UF_SMARTCARD_REQUIRED -
> > > > TrackingID#2404240040010190
> > > >  
> > > > 
> > > > 
> > > >  [Case number in subject]
> > > > 
> > > >  [Casemail to cc]
> > > > 
> > > >  [Dochelp to bcc]
> > > > 
> > > >  
> > > > 
> > > > Hi Andrew,
> > > > 
> > > > Thank you for your request. The case number 2404240040010190
> > > > has been created for this inquiry. One of our team members will
> > > > follow up with you soon.
> > > > 
> > > > Best regards, 
> > > > 
> > > > Mike Bowen
> > > > 
> > > > Sr. Escalation Engineer - Microsoft® Corporation
> > > > 
> > > > From: Andrew Bartlett <abartlet at samba.org>
> > > > 
> > > > Sent: Tuesday, April 23, 2024 5:52 PM
> > > > 
> > > > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > > > 
> > > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > > > 
> > > > Subject: [EXTERNAL] Protocol documentation for automatic
> > > > rollover of expired passwords with UF_SMARTCARD_REQUIRED
> > > >  
> > > > 
> > > > Kia Ora Dochelp!
> > > > 
> > > > I'm looking for any documentation as to the finer details of
> > > > 
> > > > > DCs can support automatic rolling of the NTLM and other
> > > > > password-based secrets on a user account configured to
> > > > > require PKI authentication. This configuration is also known
> > > > > as "Smart card required for interactive logon"
> > > > 
> > > > from
> > > > 
> > > > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels#windows-server-2016-domain-functional-level-features
> > > > 
> > > > I don't see any mention of this in MS-ADPS, but am not sure
> > > > where next to check.
> > > > 
> > > > In particular, while I have reproduced the rollover for 'must
> > > > change now', I'm wondering when the password otherwise rolls
> > > > over: is it before the expiry (e.g. with the 'old password
> > > > allowed time' grace of 60 mins, for example), or at the expiry?
> > > > 
> > > > Thanks,
> > > > 
> > > > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett (he/him)       
> > https://samba.org/~abartlet/
> > Samba Team Member (since 2001) 
> > https://samba.org
> > Samba Team Lead                
> > https://catalyst.net.nz/services/samba
> > Catalyst.Net Ltd
> > 
> > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> > company
> > 
> > Samba Development and Support: 
> > https://catalyst.net.nz/services/samba
> > 
> > Catalyst IT - Expert Open Source Solutions
> > _______________________________________________
> > cifs-protocol mailing list
> > cifs-protocol at lists.samba.org
> > https://lists.samba.org/mailman/listinfo/cifs-protocol
> > 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
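The rollover logic discussed in this thread (the three logon-time triggers listed by Microsoft, the "at least halfway through the validity period" qualifier, and the resulting observation that the password lifetime should be twice the TGT lifetime), worked through as an added example. This is not code from Samba, from Windows, or from the cited [MS-SAMS]/[MS-ADA2] sections; it is a small stand-alone model written for this page to make the interaction concrete. Assumptions not stated in the thread: times are plain integer seconds; "halfway" is taken as elapsed >= maxPwdAge // 2; the KDC clamps the TGT end time to the password expiry rather than refusing the request; pwdLastSet == 0 stands for "must change at next logon"; and BDC/RODC forwarding to the PDC is not modelled. All names (Account, pkinit_as_req, scenario, shortened_window, BASE) are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

H = 3600                 # seconds per hour
BASE = 1_700_000_000     # arbitrary epoch timestamp used by the scenarios (constructed)


class Roll(Enum):
    NONE = "no roll"
    MUST_CHANGE = "flagged: change password at next logon"
    EXPIRED = "password expired"
    NEARING_EXPIRY = "ticket would outlive password and validity period is past halfway"


@dataclass
class Account:
    pwd_last_set: int    # seconds since epoch; 0 models 'must change at next logon'
    max_pwd_age: int     # effective password lifetime in seconds (domain policy or PSO)


def pwd_expiry(acct: Account) -> int:
    return acct.pwd_last_set + acct.max_pwd_age


def roll_password(acct: Account, now: int) -> None:
    # Stand-in for the PDC setting a fresh random password: the only effect
    # this model tracks is that pwdLastSet moves to 'now'.  The BDC/RODC
    # forwarding described in the thread is deliberately not modelled.
    acct.pwd_last_set = now


def pkinit_as_req(acct: Account, now: int, tgt_lifetime: int):
    """KDC-side decision for a PK-INIT AS-REQ against a smart-card-only
    account.  Returns (reason, ticket_endtime) and rolls the password in
    place when one of the three logon-time conditions from the thread holds."""
    requested_end = now + tgt_lifetime
    halfway = acct.pwd_last_set + acct.max_pwd_age // 2   # assumption: this is 'halfway'

    if acct.pwd_last_set == 0:                                 # 1. flagged for change at next logon
        roll_password(acct, now)
        reason = Roll.MUST_CHANGE
    elif now >= pwd_expiry(acct):                              # 2. password already expired
        roll_password(acct, now)
        reason = Roll.EXPIRED
    elif requested_end > pwd_expiry(acct) and now >= halfway:  # 3. nearing expiry, past halfway
        roll_password(acct, now)
        reason = Roll.NEARING_EXPIRY
    else:                                                      # nearing expiry but before halfway
        reason = Roll.NONE

    # Assumption: the issued TGT never outlives the (possibly new) password.
    return reason, min(requested_end, pwd_expiry(acct))


def scenario(max_pwd_age: int, tgt_lifetime: int, offset: int):
    """Password set at BASE; the AS-REQ arrives 'offset' seconds later.
    Returns (reason, issued TGT lifetime in seconds, whether the password rolled)."""
    acct = Account(pwd_last_set=BASE, max_pwd_age=max_pwd_age)
    now = BASE + offset
    reason, end = pkinit_as_req(acct, now, tgt_lifetime)
    return reason, end - now, acct.pwd_last_set == now


def shortened_window(max_pwd_age: int, tgt_lifetime: int):
    """Interval (start, end), relative to pwdLastSet, in which an AS-REQ gets
    a TGT clamped to the password expiry with no roll: late enough that the
    ticket would outlive the password, but earlier than halfway.  Empty
    (None) exactly when max_pwd_age >= 2 * tgt_lifetime."""
    start = max(0, max_pwd_age - tgt_lifetime)
    end = max_pwd_age // 2
    return (start, end) if start < end else None


if __name__ == "__main__":
    for pwd_age, tgt, off in ((10 * H, 10 * H, 1 * H), (10 * H, 10 * H, 6 * H),
                              (20 * H, 10 * H, 9 * H), (20 * H, 10 * H, 11 * H)):
        reason, lifetime, rolled = scenario(pwd_age, tgt, off)
        print(f"maxPwdAge={pwd_age // H}h TGT={tgt // H}h request at +{off // H}h: "
              f"{reason.value}; issued {lifetime / H:g}h; rolled={rolled}")
    print("shortened-but-not-rolled window (10h/10h):", shortened_window(10 * H, 10 * H))
    print("shortened-but-not-rolled window (20h/10h):", shortened_window(20 * H, 10 * H))
```

With a 10-hour password lifetime and a 10-hour TGT, a request one hour after the last change gets a 9-hour ticket and no new password, which is the "short-life ticket, pwdLastSet unchanged" observation from the thread; the same request six hours in rolls the password and gets the full 10 hours. The window in shortened_window is non-empty whenever maxPwdAge - TGT lifetime < maxPwdAge / 2, i.e. whenever maxPwdAge < 2 * TGT lifetime, which is where the "twice the TGT lifetime" rule comes from.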