[cifs-protocol] [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588
Jo Sutton
jsutton at samba.org
Tue May 21 04:19:45 UTC 2024
Thank you, Kristian.

I’ve had some difficulty trying to replicate these results. After
manually changing the password of a Group Managed Service Account, there
is a five minute interval during which I can use the previous password
to log in via NTLM. However, I have not managed to get a previous
password to work — with NTLM or with Kerberos — following the natural
rollover of a gMSA’s password.

Cheers,
Jo (she/her)

On 17/05/24 11:51 am, Kristian Smith wrote:
> Hi Jo,
>
> I conducted research on these questions you posed and wanted to share my
> findings with you.
>
> In the context of gMSA authentication, we accept only the current and
> most recent previous password for both NTLM and Kerberos. Also, I was
> unable to locate any time limitations for the use of the previous password.
>
> Let me know if this answers your questions or if there is further
> clarification I can provide.
>
> *Regards,*
>
> *Kristian Smith*
>
> Support Escalation Engineer | Microsoft® Corporation
>
> *Office phone*: +1 425-421-4442
>
> *Email*: kristian.smith at microsoft.com
>
>
> ------------------------------------------------------------------------
> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
> *Sent:* Tuesday, May 14, 2024 8:39 AM
> *To:* Jo Sutton <jsutton at samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>;
> cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
> authenticating with a previous password - TrackingID#2405140040001588
> [Tom to Bcc]
>
> Hi Jo,
>
> Thanks for reaching out with your [MS-ADTS] question. I'll be your point
> of contact moving forward for this case. I will research this and get
> back to you with my findings.
>
> *Regards,*
>
> *Kristian Smith*
>
> Support Escalation Engineer | Microsoft® Corporation
>
> *Office phone*: +1 425-421-4442
>
> *Email*: kristian.smith at microsoft.com
>
> ------------------------------------------------------------------------
> *From:* Tom Jebo <tomjebo at microsoft.com>
> *Sent:* Monday, May 13, 2024 10:32 PM
> *To:* Jo Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> <cifs-protocol at lists.samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
> authenticating with a previous password - TrackingID#2405140040001588
> [dochelp to bcc]
> [support mail to cc]
>
> Hey Jo,
>
> Thanks for your request regarding MS-ADTS. One of the Open
> Specifications team members will respond to assist you. In the meantime,
> we’ve created case 2405140040001588 to track this request. Please leave
> the case number in the subject when communicating with our team about
> this request.
>
> Best regards,
> Tom Jebo
> Microsoft Open Specifications Support
>
> -----Original Message-----
> From: Jo Sutton <jsutton at samba.org>
> Sent: Monday, May 13, 2024 9:59 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help
> <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
> authenticating with a previous password
>
>
> Hi dochelp,
>
> I can’t find any mention in Microsoft’s documentation of what should
> happen when a Group Managed Service Account authenticates with a
> previous password — i.e. via NTLM with an NT hash from ntPwdHistory, or
> via Kerberos with a key from the OldCredentials part of a
> Primary:Kerberos-Newer-Keys blob.
>
> Should the previous password be accepted for NTLM logons? For Kerberos
> logons? Should only the immediately previous password be accepted, or
> should earlier passwords be accepted too? And during what period should
> the previous password(s) be accepted — for example, the five minutes
> immediately following the time specified by pwdLastSet?
>
> Any information you can provide to shine light on these questions would
> be welcome.
>
> Cheers,
> Jo (she/her)