[cifs-protocol] [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588

Jo Sutton jsutton at samba.org
Tue May 21 04:19:45 UTC 2024


Thank you, Kristian.

I’ve had some difficulty trying to replicate these results. After 
manually changing the password of a Group Managed Service Account, there 
is a five minute interval during which I can use the previous password 
to log in via NTLM. However, I have not managed to get a previous 
password to work — with NTLM or with Kerberos — following the natural 
rollover of a gMSA’s password.

Cheers,
Jo (she/her)

On 17/05/24 11:51 am, Kristian Smith wrote:
> Hi Jo,
> 
> I conducted research on these questions you posed and wanted to share my 
> findings with you.
> 
> In the context of gMSA authentication, we accept only the current and 
> most recent previous password for both NTLM and Kerberos. Also, I was 
> unable to locate any time limitations for the use of the previous password.
> 
> Let me know if this answers your questions or if there is further 
> clarification I can provide.
> 
> *Regards,*
> 
> *Kristian Smith*
> 
> Support Escalation Engineer | Microsoft® Corporation
> 
> *Office phone*: +1 425-421-4442
> 
> *Email*: kristian.smith at microsoft.com <mailto:kristian.smith at microsoft.com>
> 
> 
> ------------------------------------------------------------------------
> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
> *Sent:* Tuesday, May 14, 2024 8:39 AM
> *To:* Jo Sutton <jsutton at samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>; 
> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account 
> authenticating with a previous password - TrackingID#2405140040001588
> [Tom to Bcc]
> 
> Hi Jo,
> 
> Thanks for reaching out with your [MS-ADTS] question. I'll be your point 
> of contact moving forward for this case. I will research this and get 
> back to you with my findings.
> 
> *Regards,*
> 
> *Kristian Smith*
> 
> Support Escalation Engineer | Microsoft® Corporation
> 
> *Office phone*: +1 425-421-4442
> 
> *Email*: kristian.smith at microsoft.com <mailto:kristian.smith at microsoft.com>
> 
> ------------------------------------------------------------------------
> *From:* Tom Jebo <tomjebo at microsoft.com>
> *Sent:* Monday, May 13, 2024 10:32 PM
> *To:* Jo Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org 
> <cifs-protocol at lists.samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account 
> authenticating with a previous password - TrackingID#2405140040001588
> [dochelp to bcc]
> [support mail to cc]
> 
> Hey Jo,
> 
> Thanks for your request regarding MS-ADTS. One of the Open 
> Specifications team members will respond to assist you. In the meantime, 
> we’ve created case 2405140040001588 to track this request. Please leave 
> the case number in the subject when communicating with our team about 
> this request.
> 
> Best regards,
> Tom Jebo
> Microsoft Open Specifications Support
> 
> -----Original Message-----
> From: Jo Sutton <jsutton at samba.org>
> Sent: Monday, May 13, 2024 9:59 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help 
> <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account 
> authenticating with a previous password
> 
> Hi dochelp,
> 
> I can’t find any mention in Microsoft’s documentation of what should 
> happen when a Group Managed Service Account authenticates with a 
> previous password — i.e. via NTLM with an NT hash from ntPwdHistory, or 
> via Kerberos with a key from the OldCredentials part of a 
> Primary:Kerberos-Newer-Keys blob.
> 
> Should the previous password be accepted for NTLM logons? For Kerberos 
> logons? Should only the immediately previous password be accepted, or 
> should earlier passwords be accepted too? And during what period should 
> the previous password(s) be accepted — for example, the five minutes 
> immediately following the time specified by pwdLastSet?
> 
> Any information you can provide to shine light on these questions would 
> be welcome.
> 
> Cheers,
> Jo (she/her)
