[cifs-protocol] [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy -- interaction with LDAP_SERVER_POLICY_HINTS_OID - TrackingID#2512020040011213
Obaid Farooqi
obaidf at microsoft.com
Mon Dec 8 16:30:14 UTC 2025
Hi Douglas:
TTT does not require any installation. You just run the tttracer.exe -attach <PID of lsass> and then reproduce the problem. Jennifer has recently done that so maybe she can help.
Once you get the traces, upload them to the following link:
https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IkNBRjFBNjdERDUxQjI4QzVCNjg0N0Y5NTFCQTM2QkVDNDk0MkQ4NEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiMTMyY2RiODQtZDI2NC00YmMyLWI4ZjMtMTI4ODljZWExMzIyIiwic3IiOiIyNTEyMDIwMDQwMDExMjEzIiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiZWUxZDhmY2QtNmQ3OS00MThlLTliNTAtNzNjZmEzMGQ4MjBkIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3NjUyMTExMTIsImV4cCI6MTc3Mjk4NzExMiwiaWF0IjoxNzY1MjExMTEyLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.wJ8xLGWVl7hyZPCsCGXUPEQdkwym6Z946X2snNhHRBeu1HEPs3KSHLAjwMdEjhU1eCeD9cmt-8DP3CO8KNMvewPiaFZeAv0PO7cSSZiVMeAQUj4MVwhD-txzq7tQzRckak30oVhIOgDBG33KYiC0V_aWFxpsNdB38_SL0Nbw-2uIhv2z3ckTeo6VMtM6h5-XqyN9bzx8H1k4U_otP9TL_ADxouzkanyi-e8u4LrddEc3-pN48WM1vlD1m431a5yYakMxYOInQA7oVRQotwEBGaiJYwYRsNMXXzGb7zzUFv5ATt5UoB5rGF-nYgbLyacBrQVmwAml88iSp3dWszrUIg&wid=132cdb84-d264-4bc2-b8f3-12889cea1322
I know the code path so I'll see if I can explain the behavior you are observing without the ttt traces while you work on collecting traces.
Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft
-----Original Message-----
From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Sent: Tuesday, November 25, 2025 7:17 PM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [cifs-protocol] [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy -- interaction with LDAP_SERVER_POLICY_HINTS_OID - TrackingID#2509240040013358
hi Obaid,
I have tested against Windows 2022.
If I do this as Administrator:
dn: cn=testuser,cn=users,DC=samba,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: <base64 encoded recent password>
it fails (unwillingToPerform) if the LDAP_SERVER_POLICY_HINTS_OID control is set with a value of 1.
If I have control unset, or the value set to a different number, the reset succeeds.
It also succeeds with the control set to 1 if the password is not a recent password.
I am struggling to install TTD, but I will keep trying!
Douglas
On 16/10/2025 12:24, Obaid Farooqi wrote:
> Hi Douglas:
> This is what I did:
> 1. Logged in on a workstation as admin
> 2. Opened ADSI Edit
> 3. Modified the unicodePwd attribute of a user (just an ordinary user testuser)
> 4. Logged in as testuser using the new password and it worked.
> 5. This IMO is a password reset scenario since I am not the user whose password is being changed.
> 6. Debugged the scenario and here is what I found:
>    LDAP operation is modify
>    ADSI editor does not send the control LDAP_SERVER_POLICY_HINTS_OID
>
> Since after debugging I know where to look, I browsed the code to see where else this control is meaningful. It is only meaningful in the modify operation and here is what happens:
>
> If (the attribute being modified is password or Unicode password) {
>     If (LDAP_SERVER_POLICY_HINTS_OID is 1)
>     {
>         Calculate the time when the user is allowed to change the
>         password by using when the password was last changed and what the
>         minimum time is after which the password can be changed
>
>         If (calculated time > current time)
>         {
>             Return error STATUS_PASSWORD_RESTRICTION
>         }
>     }
> }
>
> This is all this control does.
>
> If you can send the exact LDAP message in a test environment that Entra ID sends to a Windows DC and collect TTD traces for that, I'll look at it.
>
>
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> Sent: Tuesday, October 14, 2025 8:22 PM
> To: Obaid Farooqi <obaidf at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Microsoft Support
> <supportmail at microsoft.com>
> Subject: Re: [cifs-protocol] [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General
> Password Policy -- interaction with LDAP_SERVER_POLICY_HINTS_OID -
> TrackingID#2509240040013358
>
> hi Obaid,
>
> That doesn't quite answer everything.
>
> I understand that it isn't used for a password set for a new user, but I think it is used for a password *reset* for an existing user.
>
> My understanding is a password reset doesn't require the existing password, and it ignores or wipes password history. A password change requires the user enter their old password and checks it against history.
>
> A password change in Entra ID using the self-service password reset writeback system wants to enforce on-premises password policy, even though it is not providing the old password to the on-prem AD server:
>
> https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback
>
> Enforcement of on-premises Active Directory Domain Services (AD DS)
> password policies: When a user resets their password, it's checked to
> ensure it meets your on-premises AD DS policy before committing it to
> that directory. This review includes checking the history, complexity,
> age, password filters, and any other password restrictions that you
> define in AD DS.
>
> I *think* it does this by sending a reset message with the OID, and the OID means "this reset should check policy as if it were a change". But MS-SAMR 3.1.1.7.1 doesn't mention it. Should it? That was my original question.
>
> Now that I look at that passage again, it seems like the OID should also affect the minimum password length constraint in MS-SAMR 3.1.1.7.1, but MS-ADTS does not mention that (just the history). The complexity and "other password restrictions" looks to refer to MS-SAMR 3.1.1.7.2, which doesn't use the language of "change" or "set", but says "this constraint is referenced when a cleartext password is updated". Should MS-ADTS also mention that? Or is the self-service password reset document wrong?
>
> I am not able to get a trace of this happening with Entra ID, but I have seen a pcap showing that the (deprecated) OID is set in this case.
> I am able to write a test case that mimics it.
>
> cheers,
> Douglas
>
>
>
> On 15/10/25 12:31, Obaid Farooqi wrote:
>> Hi Douglas:
>> Based on my research LDAP_SERVER_POLICY_HINTS_OID is only used for change password. I did not see evidence for it to be used in the add scenario for a new user. This is based on code browsing.
>>
>> I have filed a bug to fix MS-ADTS. If my above assumption is incorrect (highly unlikely) and the control is used for both set and change, I'll update you.
>>
>> Please let me know if this does not answer your question.
>>
>> Regards,
>> Obaid Farooqi
>> Sr. Escalation Engineer | Microsoft
>>
>> -----Original Message-----
>> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>> Sent: Wednesday, October 8, 2025 6:38 PM
>> To: Obaid Farooqi <obaidf at microsoft.com>
>> Cc: cifs-protocol at lists.samba.org; Microsoft Support
>> <supportmail at microsoft.com>
>> Subject: Re: [cifs-protocol] [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General
>> Password Policy -- interaction with LDAP_SERVER_POLICY_HINTS_OID -
>> TrackingID#2509240040013358
>>
>> hi again.
>>
>> I noticed from this message to the Samba users list
>>
>> https://lists.samba.org/archive/samba/2024-August/249724.html
>>
>> that Keycloak also uses the LDAP_SERVER_POLICY_HINTS_OID.
>>
>> The way they document it is "if [some option is] on, then updating password of MSAD user will use LDAP_SERVER_POLICY_HINTS_OID extension, which means that advanced MSAD password policies like 'password history'
>> or 'minimal password age' will be applied. This extension works just for MSAD 2008 R2 or newer."
>>
>> (https://github.com/keycloak/keycloak/blob/main/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties#L97).
>>
>> I guess Keycloak is trying to do the same thing as Entra, enforcing password change semantics without giving AD the old password.
>>
>> Douglas
>>
>>
>> On 1/10/25 10:33, Douglas Bagnall via cifs-protocol wrote:
>>> hi Obaid,
>>>
>>> Thanks for looking.
>>>
>>> If it helps, Azure Self-Service Password Reset does set the control
>>> (actually LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID which does the
>>> same
>>> thing) when doing a password set.
>>>
>>> I think maybe it looks like a password change on the Entra side
>>> (that is, the user needs their old password), but Entra wants to
>>> forward the change as an unconditional set but maintain history.
>>>
>>> This page
>>>
>>> https://learn.microsoft.com/en-us/entra/identity/authentication/troubleshoot-sspr-writeback#if-the-source-of-the-event-is-adsync
>>>
>>> talks a bit about it around "33008 ADPasswordPolicyError". Elsewhere
>>> it mentions LDAP_SERVER_POLICY_HINTS_OID but gives it the value
>>> 1.2.840.113556.1.4.2066 which is the one now called _DEPRECATED_,
>>> presumably because the oid is also used for the
>>> ms-DS-Required-Domain-Behavior-Version attribute.
>>>
>>> Douglas
>>>
>>>
>>>
>>> On 1/10/25 10:02, Obaid Farooqi wrote:
>>>> Hi Douglas:
>>>> To me, the quote from MS-ADTS looks more problematic than the MS-SAMR's.
>>>> There will not be a password history if we are setting a password.
>>>>
>>>> I am looking into it and I think this is a bug in MS-ADTS.
>>>>
>>>> Regards,
>>>> Obaid Farooqi
>>>> Sr. Escalation Engineer | Microsoft
>>>>
>>>> -----Original Message-----
>>>> From: Michael Bowen <Mike.Bowen at microsoft.com>
>>>> Sent: Wednesday, September 24, 2025 6:17 PM
>>>> To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
>>>> Cc: Microsoft Support <supportmail at microsoft.com>
>>>> Subject: RE: [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy
>>>> -- interaction with LDAP_SERVER_POLICY_HINTS_OID -
>>>> TrackingID#2509240040013358
>>>>
>>>> [DocHelp to bcc]
>>>>
>>>> Hi Douglas,
>>>>
>>>> Thanks for your question. I've created case number 2509240040013358
>>>> to track this issue. Please leave the number in the subject line
>>>> and use reply all in your correspondence. One of our engineers will
>>>> contact you soon.
>>>>
>>>> Best regards,
>>>> Michael Bowen
>>>>
>>>> Sr. Escalation Engineer - Microsoft(r) Corporation
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>>>> Sent: Wednesday, September 24, 2025 3:39 PM
>>>> To: Interoperability Documentation Help <dochelp at microsoft.com>;
>>>> cifs-protocol at lists.samba.org
>>>> Subject: [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy --
>>>> interaction with LDAP_SERVER_POLICY_HINTS_OID
>>>>
>>>> hi Dochelp,
>>>>
>>>> MS-ADTS 3.1.1.3.4.1.27 says that when LDAP_SERVER_POLICY_HINTS_OID
>>>> is used with a control value of 1, the password history length
>>>> constraint is enforced on password-set operations.
>>>>
>>>> I think that means at the bottom of MS-SAMR 3.1.1.7.1 General
>>>> Password Policy, where it says:
>>>>
>>>>> 5. The requesting protocol message is a password change (as
>>>>> compared to a password set).
>>>>
>>>> it should say something like
>>>>
>>>> 5. The requesting protocol message is a password change (as
>>>> compared to a password set), or the message is a password set with
>>>> the LDAP_SERVER_POLICY_HINTS_OID control set with the value 0x1.
>>>>
>>>> Is that right?
>>>>
>>>> Douglas
>>>>
>>>
>>>
More information about the cifs-protocol mailing list
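As an added example (not code from this thread, from Windows or from Samba), a Python model of the gate Obaid describes and the results Douglas reports: a password set is exempt from the minimum-age and history constraints unless a policy-hints control carrying the value 1 is present. It assumes 1.2.840.113556.1.4.2239 as the current control OID, SHA-256 in place of NT hashes, aware datetimes in place of FILETIME, and a constructed user with two previous passwords; it deliberately leaves out the minimum-length question the thread does not settle.

```python
# Added model of the policy-hints gate described in this thread; not Windows or Samba code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Current OID (MS-ADTS 3.1.1.3.4.1.27) and the older one the thread says Entra
# SSPR writeback still sends; both carry the same integer control value.
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"
POLICY_HINT_OIDS = {LDAP_SERVER_POLICY_HINTS_OID, LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID}
LDAP_SUCCESS, LDAP_UNWILLING_TO_PERFORM = 0, 53  # 53 is what the rejected reset returned
def pwd_hash(password: str) -> bytes:
    # SHA-256 stand-in for the NT (MD4) hashes AD keeps in ntPwdHistory.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

@dataclass
class Policy:
    min_pwd_age: timedelta  # positive here; AD stores minPwdAge as a negative 100ns interval
    history_length: int

@dataclass
class User:
    pwd_last_set: datetime  # aware datetime here; AD stores pwdLastSet as FILETIME
    history: list  # hashes, newest first; index 0 is the current password

def policy_hints_enabled(controls: dict) -> bool:
    """Only a control value of exactly 1 turns the hint on; 0 or 2 is ignored."""
    return any(controls.get(oid) == 1 for oid in POLICY_HINT_OIDS)
def check_password_update(user, policy, new_password, op, controls, now):
    """op: 'change' (old password proven) or 'set' (admin reset). A set skips the
    minimum-age and history checks unless the policy-hints control is 1."""
    if op == "change" or policy_hints_enabled(controls):
        if user.pwd_last_set + policy.min_pwd_age > now:
            return LDAP_UNWILLING_TO_PERFORM, "STATUS_PASSWORD_RESTRICTION: minimum age"
        if pwd_hash(new_password) in user.history[:policy.history_length]:
            return LDAP_UNWILLING_TO_PERFORM, "STATUS_PASSWORD_RESTRICTION: in history"
    return LDAP_SUCCESS, "ok"

def replay_reset_tests():
    """Replays the 25 Nov observations: Administrator resets testuser to a
    recent password with the control unset, set to 1, and set to 2."""
    now = datetime(2025, 11, 25, tzinfo=timezone.utc)
    policy = Policy(min_pwd_age=timedelta(days=1), history_length=24)
    user = User(now - timedelta(days=30), [pwd_hash("Old-Pw-1"), pwd_hash("Old-Pw-2")])
    run = lambda pw, ctl: check_password_update(user, policy, pw, "set", ctl, now)[0]
    return {"unset": run("Old-Pw-2", {}),
            "hint=1": run("Old-Pw-2", {LDAP_SERVER_POLICY_HINTS_OID: 1}),
            "hint=2": run("Old-Pw-2", {LDAP_SERVER_POLICY_HINTS_OID: 2}),
            "deprecated hint=1, fresh": run("Fresh-Pw-3", {LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID: 1})}
```

Only the "hint=1" case comes back as unwillingToPerform, matching the behaviour reported against Windows 2022.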