[cifs-protocol] [EXTERNAL] [MS-ADTS] gMSA previous password - time interval & post rollover - TrackingID#2405210040011844

Kristian Smith Kristian.Smith at microsoft.com
Tue May 28 23:42:07 UTC 2024


Hi Jo,

Please let me know if you have any trouble gathering the Lsass trace. I'm happy to help if you encounter any issues.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: kristian.smith at microsoft.com

From: Kristian Smith <Kristian.Smith at microsoft.com>
Sent: Wednesday, May 22, 2024 10:00 AM
To: Jo Sutton <jsutton at samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Re: [EXTERNAL] [MS-ADTS] gMSA previous password - time interval & post rollover - TrackingID#2405210040011844

Hi Jo,

Thanks for letting me know that you're not able to reproduce this behavior. The best way for me to troubleshoot would be to have an LSASS trace and a network trace. Can you please repro the issue when trying to use a previous password with Kerberos?

Here are the tracing instructions for LSASS:


  1.  Tracing Lsass with TTD: This should be conducted on the DC where we are logging in. Note: Run all commands in an elevated PowerShell prompt on the machine.
     *   Download and install TTD on the DC we're logging into.
        *   Direct link to download TTD app installer: https://aka.ms/ttd/download
        *   Alternatively, use offline install instructions: https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#how-to-download-and-install-the-ttdexe-command-line-utility-offline-method
     *   When ready to repro the issue, run the following commands to begin the trace.
        *   mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
        *   TTD.exe -Attach (Get-Process -Name lsass).Id -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\LSASS_Kerb_Server.run
        *   When the following small window pops up, the trace has begun and you can now reproduce the issue. To end the trace, simply click "Tracing Off".
           *   [image001.png: the TTD tracing window]
     *   Once the trace operation is complete, we need to compress the .run file created by TTD for easy transfer.
        *   Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
     *   Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
                                                                    i.https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNmFkMDJmZTgtMzM1Ny00MjdkLTk5MjUtZDhmNmY4MWVjNDAwIiwic3IiOiIyNDA1MjEwMDQwMDExODQ0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiNzI1Nzc1NDMtZTBhNy00OWM5LWE5OTctMjgwYTIxMGNjZjE3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MjQxNjkwNDgsIm5iZiI6MTcxNjM5MzA0OH0.ci6jGrcT9SKnyRccEfDUuEOJv7LMBa_6tgF_xkAFq1fJrpI6nSjVGprJiduohlKKoRLe9W0juQNlEf5LaMOgYSDOLKXuxF5EzY5S1DmSVvWQ6bBrPYniK6EApehMHNA6xJ_YjM9i20YuRqfY_r6NPU6BEPWaXb2LQCzcEv-PhzU0AqEerW3SutZgrU3O7XkvUxbOUW1R_jfo2IAETBFnDLdHOQzpmbj7Ty_cI9WBvyeTzQmp0slUofLBpzLXZb6qSwYk3_FgYLNU0muDt3yz8hib2RLoDWqIdkrJIVmkwF6b2v226QMoU2Ge0dxEShT7sClptzVUV0QoTK0aYCxczQ&wid=6ad02fe8-3357-427d-9925-d8f6f81ec400

If you are able to include a network/WireShark trace with a keytab file to decrypt, that would be helpful, but may not be entirely necessary. I will be in training for the remainder of the week but will debug the trace next week. Thanks for your patience.


Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: kristian.smith at microsoft.com

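The LSASS tracing steps from the message above gathered into one script, as an added example that is not from Kristian's message or from Microsoft: it checks for an elevated prompt and for TTD.exe before attaching, and records a SHA-256 of the archive so the uploaded copy can be verified. It assumes TTD.exe is on PATH and that it is run on the DC being logged into.

```powershell
# Added example, not from the message above or from Microsoft: the LSASS
# TTD capture steps as two functions. Assumes TTD.exe is on PATH (installed
# from https://aka.ms/ttd/download) and an elevated prompt on the DC.
$ErrorActionPreference = 'Stop'

function Start-LsassTtdTrace {
    # Attaching a recorder to lsass needs an elevated prompt; stop early if not.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run this from an elevated PowerShell prompt on the DC.'
    }
    if (-not (Get-Command TTD.exe -ErrorAction SilentlyContinue)) {
        throw 'TTD.exe not found on PATH; install it from https://aka.ms/ttd/download'
    }

    # Same per-day folder and file name as the instructions use.
    $traceDir = "C:\Traces_$(Get-Date -Format 'dd-MMM-yyyy')"
    New-Item -ItemType Directory -Path $traceDir -Force | Out-Null
    $runFile = Join-Path $traceDir 'LSASS_Kerb_Server.run'

    # There is exactly one lsass process on the DC; attach by PID.
    $lsassPid = (Get-Process -Name lsass).Id
    Write-Host "Attaching TTD to lsass (PID $lsassPid). Reproduce the issue,"
    Write-Host "click 'Tracing Off' in the TTD window, then run Complete-LsassTtdTrace."
    TTD.exe -Attach $lsassPid -out $runFile
    return $traceDir
}

function Complete-LsassTtdTrace {
    param([string]$TraceDir = "C:\Traces_$(Get-Date -Format 'dd-MMM-yyyy')")
    $runFile = Join-Path $TraceDir 'LSASS_Kerb_Server.run'
    if (-not (Test-Path $runFile)) {
        throw "No trace found at $runFile; was tracing started and stopped?"
    }
    # Zip the folder for upload and record a SHA-256 so the received copy can be checked.
    $zip = "$TraceDir.zip"
    Compress-Archive -Path $TraceDir -DestinationPath $zip -Force
    $hash = (Get-FileHash -Algorithm SHA256 -Path $zip).Hash
    Write-Host "Upload $zip to the secure file share link from the case."
    Write-Host "SHA256: $hash"
    return [pscustomobject]@{ Zip = $zip; Sha256 = $hash }
}
```

Run Start-LsassTtdTrace, reproduce the failing logon, stop tracing from the TTD window, then run Complete-LsassTtdTrace and include the printed SHA-256 with the upload.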
________________________________
From: Jo Sutton <jsutton at samba.org>
Sent: Monday, May 20, 2024 9:19 PM
To: Kristian Smith <Kristian.Smith at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588

Thank you, Kristian.

I've had some difficulty trying to replicate these results. After
manually changing the password of a Group Managed Service Account, there
is a five minute interval during which I can use the previous password
to log in via NTLM. However, I have not managed to get a previous
password to work - with NTLM or with Kerberos - following the natural
rollover of a gMSA's password.

Cheers,
Jo (she/her)

On 17/05/24 11:51 am, Kristian Smith wrote:
> Hi Jo,
>
> I conducted research on these questions you posed and wanted to share my
> findings with you.
>
> In the context of gMSA authentication, we accept only the current and
> most recent previous password for both NTLM and Kerberos. Also, I was
> unable to locate any time limitations for the use of the previous password.
>
> Let me know if this answers your questions or if there is further
> clarification I can provide.
>
> *Regards,*
>
> *Kristian Smith*
>
> Support Escalation Engineer | Microsoft® Corporation
>
> *Office phone*: +1 425-421-4442
>
> *Email*: kristian.smith at microsoft.com
>
>
> ------------------------------------------------------------------------
> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
> *Sent:* Tuesday, May 14, 2024 8:39 AM
> *To:* Jo Sutton <jsutton at samba.org>
> *Cc:* Microsoft Support <supportmail at microsoft.com>;
> cifs-protocol at lists.samba.org
> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
> authenticating with a previous password - TrackingID#2405140040001588
> [Tom to Bcc]
>
> Hi Jo,
>
> Thanks for reaching out with your [MS-ADTS] question. I'll be your point
> of contact moving forward for this case. I will research this and get
> back to you with my findings.
>
> *Regards,*
>
> *Kristian Smith*
>
> Support Escalation Engineer | Microsoft® Corporation
>
> *Office phone*: +1 425-421-4442
>
> *Email*: kristian.smith at microsoft.com
>
> ------------------------------------------------------------------------
> *From:* Tom Jebo <tomjebo at microsoft.com>
> *Sent:* Monday, May 13, 2024 10:32 PM
> *To:* Jo Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
> authenticating with a previous password - TrackingID#2405140040001588
> [dochelp to bcc]
> [support mail to cc]
>
> Hey Jo,
>
> Thanks for your request regarding MS-ADTS. One of the Open
> Specifications team members will respond to assist you. In the meantime,
> we've created case 2405140040001588 to track this request. Please leave
> the case number in the subject when communicating with our team about
> this request.
>
> Best regards,
> Tom Jebo
> Microsoft Open Specifications Support
>
> -----Original Message-----
> From: Jo Sutton <jsutton at samba.org>
> Sent: Monday, May 13, 2024 9:59 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help
> <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account
> authenticating with a previous password
>
> Hi dochelp,
>
> I can't find any mention in Microsoft's documentation of what should
> happen when a Group Managed Service Account authenticates with a
> previous password - i.e. via NTLM with an NT hash from ntPwdHistory, or
> via Kerberos with a key from the OldCredentials part of a
> Primary:Kerberos-Newer-Keys blob.
>
> Should the previous password be accepted for NTLM logons? For Kerberos
> logons? Should only the immediately previous password be accepted, or
> should earlier passwords be accepted too? And during what period should
> the previous password(s) be accepted - for example, the five minutes
> immediately following the time specified by pwdLastSet?
>
> Any information you can provide to shine light on these questions would
> be welcome.
>
> Cheers,
> Jo (she/her)