Hi Jo, I conducted research on these questions you posed and wanted to share my findings with you.
In the context of gMSA authentication, we accept only the current and most recent previous password for both NTLM and Kerberos. Also, I was unable to locate any time limitations for the use of the previous password. Let me know if this answers your questions or if there is further clarification I can provide. Regards, Kristian Smith Support Escalation Engineer | Microsoft® Corporation Office phone: +1 425-421-4442 Email: kristian.sm...@microsoft.com<mailto:kristian.sm...@microsoft.com> ________________________________ From: Kristian Smith <kristian.sm...@microsoft.com> Sent: Tuesday, May 14, 2024 8:39 AM To: Jo Sutton <jsut...@samba.org> Cc: Microsoft Support <supportm...@microsoft.com>; cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org> Subject: Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588 [Tom to Bcc] Hi Jo, Thanks for reaching out with your [MS-ADTS] question. I'll be your point of contact moving forward for this case. I will research this and get back to you with my findings. Regards, Kristian Smith Support Escalation Engineer | Microsoft® Corporation Office phone: +1 425-421-4442 Email: kristian.sm...@microsoft.com<mailto:kristian.sm...@microsoft.com> ________________________________ From: Tom Jebo <tomj...@microsoft.com> Sent: Monday, May 13, 2024 10:32 PM To: Jo Sutton <jsut...@samba.org>; cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org> Cc: Microsoft Support <supportm...@microsoft.com> Subject: RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588 [dochelp to bcc] [support mail to cc] Hey Jo, Thanks for your request regarding MS-ADTS. One of the Open Specifications team members will respond to assist you. In the meantime, we’ve created case 2405140040001588 to track this request. Please leave the case number in the subject when communicating with our team about this request. Best regards, Tom Jebo Microsoft Open Specifications Support -----Original Message----- From: Jo Sutton <jsut...@samba.org> Sent: Monday, May 13, 2024 9:59 PM To: cifs-protocol@lists.samba.org; Interoperability Documentation Help <doch...@microsoft.com> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password [Some people who received this message don't often get email from jsut...@samba.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] Hi dochelp, I can’t find any mention in Microsoft’s documentation of what should happen when a Group Managed Service Account authenticates with a previous password — i.e. via NTLM with an NT hash from ntPwdHistory, or via Kerberos with a key from the OldCredentials part of a Primary:Kerberos-Newer-Keys blob. Should the previous password be accepted for NTLM logons? For Kerberos logons? Should only the immediately previous password be accepted, or should earlier passwords be accepted too? And during what period should the previous password(s) be accepted — for example, the five minutes immediately following the time specified by pwdLastSet? Any information you can provide to shine light on these questions would be welcome. Cheers, Jo (she/her)
_______________________________________________ cifs-protocol mailing list cifs-protocol@lists.samba.org https://lists.samba.org/mailman/listinfo/cifs-protocol