Hi Jo,

Thanks for the information. I spoke with the engineering team on this question, and they informed me that resetting the password of a gMSA with NetrServerPasswordSet2() will cause issues with epochs and other gMSA components (hence the 5-minute window you're seeing for accepting the previous password). Because this is not a supported scenario, I'm reaching out to get MS-NRPC updated to reflect that.
--If you find that you can set the password of a gMSA with NetrServerPasswordSet2() from a principal which isn't provisioned to use the gMSA, please grab a network trace and I will get a bug submitted.

--If you find any undocumented behavior with the password-rolling functionality sans manually resetting with NetrServerPasswordSet2(), please let us know.

Thanks for your patience while I conducted my research.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft(r) Corporation
Office phone: +1 425-421-4442
Email: kristian.sm...@microsoft.com

-----Original Message-----
From: Jo Sutton <jsut...@samba.org>
Sent: Tuesday, June 25, 2024 9:25 PM
To: Kristian Smith <kristian.sm...@microsoft.com>; Microsoft Support <supportm...@microsoft.com>
Cc: cifs-protocol@lists.samba.org; Obaid Farooqi <oba...@microsoft.com>; Andrew Bartlett <abart...@samba.org>; Sreekanth Nadendla <srena...@microsoft.com>
Subject: Re: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844

Hi Kristian,

I'm feeling a little better. The method I used to set the password of a gMSA was to make a netlogon connection to the DC (using the gMSA's credentials) and then call NetrServerPasswordSet2().

Cheers,
Jo (she/her)

On 25/06/24 8:29 am, Kristian Smith wrote:
> +[@Andrew Bartlett, @Obaid Farooqi, @Sreekanth Nadendla for visibility].
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Office phone: +1 425-421-4442
> Email: kristian.sm...@microsoft.com
>
> -----Original Message-----
> From: Kristian Smith
> Sent: Monday, June 24, 2024 9:03 AM
> To: Jo Sutton <jsut...@samba.org>; Microsoft Support <supportm...@microsoft.com>
> Cc: Microsoft Support <supportm...@microsoft.com>; cifs-protocol@lists.samba.org
> Subject: RE: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844
>
> Hi Jo,
>
> I hope you're feeling better as of late.
>
> I've been trying to determine how to reproduce your scenario with Windows, but I'm having trouble. You had said that you were able to manually reset the password of a Windows gMSA, but I have found no way to do this from Windows. Can you explain the method you utilized to reset the gMSA to an explicitly set password?
>
> I believe this may not be something that happens in a Windows-Windows environment, but I'd like to confirm that.
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Office phone: +1 425-421-4442
> Email: kristian.sm...@microsoft.com
>
> -----Original Message-----
> From: Jo Sutton <jsut...@samba.org>
> Sent: Monday, June 3, 2024 4:22 PM
> To: Microsoft Support <supportm...@microsoft.com>; Kristian Smith <kristian.sm...@microsoft.com>
> Cc: Microsoft Support <supportm...@microsoft.com>; cifs-protocol@lists.samba.org
> Subject: Re: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844
>
> Hi Kristian,
>
> I haven't been able to capture a trace yet as I've been unwell. I'll try to get one for you this week.
>
> Cheers,
> Jo (she/her)
>
> On 4/06/24 3:51 am, Kristian S wrote:
>> Hi Jo,
>>
>> I hope your week is off to a good start. I'm reaching out to see if you've had the opportunity to capture an LSASS trace for the behavior you're experiencing. If so, I'll be happy to debug and analyze what you have.
>>
>> If I don't hear back from you by Wednesday, I'll archive the case for the time being and you can reach back out at your convenience.
>>
>> Looking forward to hearing from you!
>>
>> *Regards,*
>> *Kristian Smith*
>> Support Escalation Engineer | Azure DevOps, Windows Protocols | Microsoft(r) Corporation
>> *Office phone*: +1 425-421-4442
>> *Email*: kristian.sm...@microsoft.com
>> *Working hours*: 8:00 am - 5:00 pm PST, Monday - Friday
>> *Team Manager*: Gary Ranne gar...@microsoft.com
>>
>> /If you need assistance outside my normal working hours, please reach out to de...@microsoft.com. One of my colleagues will gladly continue working on this issue./
>>
>> ------------------- Original Message -------------------
>> *From:* kristian.sm...@microsoft.com;
>> *Received:* Tue May 28 2024 16:42:17 GMT-0700 (Pacific Daylight Time)
>> *To:* jsut...@samba.org;
>> *Cc:* supportm...@microsoft.com; cifs-protocol@lists.samba.org;
>> *Subject:* RE: [EXTERNAL] [MS-ADTS] gMSA previous password... - TrackingID#2405210040011844
>>
>> Hi Jo,
>>
>> Please let me know if you have any trouble gathering the Lsass trace. I'm happy to help if you encounter any issues.
>>
>> *Regards,*
>> *Kristian Smith*
>> Support Escalation Engineer | Microsoft(r) Corporation
>> *Office phone*: +1 425-421-4442
>> *Email*: kristian.sm...@microsoft.com
>>
>> *From:* Kristian Smith <kristian.sm...@microsoft.com>
>> *Sent:* Wednesday, May 22, 2024 10:00 AM
>> *To:* Jo Sutton <jsut...@samba.org>
>> *Cc:* Microsoft Support <supportm...@microsoft.com>; cifs-protocol@lists.samba.org
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] gMSA previous password - time interval & post rollover - TrackingID#2405210040011844
>>
>> Hi Jo,
>>
>> Thanks for letting me know that you're not able to reproduce this behavior. The best way for me to troubleshoot would be to have an LSASS trace and a network trace. Can you please repro the issue */when trying to use a previous password with Kerberos/*?
>>
>> Here are the tracing instructions for LSASS:
>>
>> 1. *Tracing Lsass with TTD:* This should be conducted on the DC where we are logging in.
>> Note: Run all commands in an elevated PowerShell prompt on the machine.
>>
>> 1. Download and install TTD on the DC we're logging into.
>>    1. Direct link to download TTD app installer: https://aka.ms/ttd/download
>>    2. Alternatively, use offline install instructions: https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-ttd-exe-command-line-util#how-to-download-and-install-the-ttdexe-command-line-utility-offline-method
>> 2. When ready to repro the issue, run the following commands to begin the trace.
>>
>>    mkdir C:\Traces_$(Get-Date -format "dd-MMM-yyyy")
>>    TTD.exe -Attach ([int](Get-Process -NAME LSASS | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue) -out C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\LSASS_Kerb_Server.run
>>
>>    When the following small window pops up, the trace has begun and *you can now reproduce the issue*. To end the trace, simply click "Tracing Off".
>> 3. Once the trace operation is complete, we need to compress the .run file created by TTD for easy transfer.
>>
>>    Compress-Archive -Path C:\Traces_$(Get-Date -format "dd-MMM-yyyy")\ -DestinationPath C:\Traces_$(Get-Date -format "dd-MMM-yyyy").zip
>>
>> 4. Upload C:\Traces_dd-MMM-yyyy.zip to the secure file share link below
>>
>> If you are able to include a network/WireShark trace with a keytab file to decrypt, that would be helpful, but may not be entirely necessary. I will be in training for the remainder of the week but will debug the trace next week. Thanks for your patience.
>>
>> *Regards,*
>> *Kristian Smith*
>> Support Escalation Engineer | Microsoft(r) Corporation
>> *Office phone*: +1 425-421-4442
>> *Email*: kristian.sm...@microsoft.com
>>
>> ------------------------------------------------------------------------
>> *From:* Jo Sutton <jsut...@samba.org>
>> *Sent:* Monday, May 20, 2024 9:19 PM
>> *To:* Kristian Smith <kristian.sm...@microsoft.com>
>> *Cc:* Microsoft Support <supportm...@microsoft.com>; cifs-protocol@lists.samba.org
>> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588
>>
>> Thank you, Kristian.
>>
>> I've had some difficulty trying to replicate these results. After manually changing the password of a Group Managed Service Account, there is a five-minute interval during which I can use the previous password to log in via NTLM. However, I have not managed to get a previous password to work - with NTLM or with Kerberos - following the natural rollover of a gMSA's password.
>>
>> Cheers,
>> Jo (she/her)
>>
>> On 17/05/24 11:51 am, Kristian Smith wrote:
>>> Hi Jo,
>>>
>>> I conducted research on these questions you posed and wanted to share my findings with you.
>>>
>>> In the context of gMSA authentication, we accept only the current and most recent previous password for both NTLM and Kerberos. Also, I was unable to locate any time limitations for the use of the previous password.
>>>
>>> Let me know if this answers your questions or if there is further clarification I can provide.
>>>
>>> *Regards,*
>>> *Kristian Smith*
>>> Support Escalation Engineer | Microsoft(r) Corporation
>>> *Office phone*: +1 425-421-4442
>>> *Email*: kristian.sm...@microsoft.com
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Kristian Smith <kristian.sm...@microsoft.com>
>>> *Sent:* Tuesday, May 14, 2024 8:39 AM
>>> *To:* Jo Sutton <jsut...@samba.org>
>>> *Cc:* Microsoft Support <supportm...@microsoft.com>; cifs-protocol@lists.samba.org
>>> *Subject:* Re: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588 [Tom to Bcc]
>>>
>>> Hi Jo,
>>>
>>> Thanks for reaching out with your [MS-ADTS] question. I'll be your point of contact moving forward for this case. I will research this and get back to you with my findings.
>>>
>>> *Regards,*
>>> *Kristian Smith*
>>> Support Escalation Engineer | Microsoft(r) Corporation
>>> *Office phone*: +1 425-421-4442
>>> *Email*: kristian.sm...@microsoft.com
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Tom Jebo <tomj...@microsoft.com>
>>> *Sent:* Monday, May 13, 2024 10:32 PM
>>> *To:* Jo Sutton <jsut...@samba.org>; cifs-protocol@lists.samba.org
>>> *Cc:* Microsoft Support <supportm...@microsoft.com>
>>> *Subject:* RE: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password - TrackingID#2405140040001588 [dochelp to bcc] [support mail to cc]
>>>
>>> Hey Jo,
>>>
>>> Thanks for your request regarding MS-ADTS. One of the Open Specifications team members will respond to assist you. In the meantime, we've created case 2405140040001588 to track this request. Please leave the case number in the subject when communicating with our team about this request.
>>>
>>> Best regards,
>>> Tom Jebo
>>> Microsoft Open Specifications Support
>>>
>>> -----Original Message-----
>>> From: Jo Sutton <jsut...@samba.org>
>>> Sent: Monday, May 13, 2024 9:59 PM
>>> To: cifs-protocol@lists.samba.org; Interoperability Documentation Help <doch...@microsoft.com>
>>> Subject: [EXTERNAL] [MS-ADTS] A Group Managed Service Account authenticating with a previous password
>>>
>>> Hi dochelp,
>>>
>>> I can't find any mention in Microsoft's documentation of what should happen when a Group Managed Service Account authenticates with a previous password - i.e. via NTLM with an NT hash from ntPwdHistory, or via Kerberos with a key from the OldCredentials part of a Primary:Kerberos-Newer-Keys blob.
>>>
>>> Should the previous password be accepted for NTLM logons? For Kerberos logons? Should only the immediately previous password be accepted, or should earlier passwords be accepted too? And during what period should the previous password(s) be accepted - for example, the five minutes immediately following the time specified by pwdLastSet?
>>>
>>> Any information you can provide to shine light on these questions would be welcome.
>>>
>>> Cheers,
>>> Jo (she/her)
>>
>
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
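The previous-password behaviour Jo reports in the thread above (the most recent previous NT hash usable via NTLM for five minutes after a manual reset with NetrServerPasswordSet2(), nothing accepted after the natural rollover), written up as an added Python model that is not part of the original thread, of Samba, or of Windows. GmsaPasswordState, roll_password and ntlm_accepts are hypothetical names, and SHA-256 stands in for the MD4 NT hash.

```python
"""Model of the gMSA previous-password behaviour Jo reports in this thread.

Added illustration: not Samba code, not Windows code, not MS-ADTS text.
Assumptions, taken from the thread and not from any specification:
  * the DC keeps the current NT hash and only the most recent previous one
    (the first ntPwdHistory entry), nothing older;
  * after a manual reset via NetrServerPasswordSet2() the previous hash is
    still accepted for NTLM for five minutes after pwdLastSet;
  * after the natural (managed) rollover no previous password is accepted.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# The five-minute window Jo observed, measured from pwdLastSet.
PREVIOUS_PASSWORD_WINDOW = 5 * 60


def nt_hash(password: str) -> bytes:
    # Stand-in for the NT hash (MD4 over UTF-16LE): many hashlib builds lack
    # MD4, so SHA-256 over the same encoding is used for this model only.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


@dataclass(frozen=True)
class GmsaPasswordState:          # hypothetical name
    current: bytes                # unicodePwd
    previous: Optional[bytes]     # most recent ntPwdHistory entry, if any
    pwd_last_set: int             # seconds since epoch
    manual_reset: bool            # last change came via NetrServerPasswordSet2()


def roll_password(state: GmsaPasswordState, new_password: str,
                  now: int, manual: bool) -> GmsaPasswordState:
    """Install a new password, demoting the current hash to history."""
    return GmsaPasswordState(nt_hash(new_password), state.current, now, manual)


def ntlm_accepts(state: GmsaPasswordState, password: str,
                 now: int) -> Optional[str]:
    """Return "current", "previous", or None for a rejected NTLM logon."""
    candidate = nt_hash(password)
    if hmac.compare_digest(candidate, state.current):
        return "current"
    # The previous hash is only honoured inside the window after a manual
    # reset; after a managed rollover it is not honoured at all.
    in_window = 0 <= now - state.pwd_last_set < PREVIOUS_PASSWORD_WINDOW
    if (state.previous is not None
            and state.manual_reset and in_window
            and hmac.compare_digest(candidate, state.previous)):
        return "previous"
    return None
```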