Hello Jo, can you change the message type from 0x00000026 (byte
sequence seen as 26 00 00 00 below) to 0x00000003 (to indicate
message type of KerbVerifyPacMessage) and try this again?
0:002> db ProtocolSubmitBuffer L0x5e0
00000218`69819c80  26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00  &.......!.1.....
00000218`69819c90  00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00  ................
00000218`69819ca0  61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b  a...0...........
.. ..... .. ..... .. .....
.. ..... .. ..... .. .....
.. ..... .. ..... .. .....
00000218`6981a250  85 1d 35 87 38 7d b1 5b-52 c0 c3 e4 30 c8 77 7d  ..5.8}.[R...0.w}
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
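
Added example, not part of the original message or of either project's code: a small parser for WinDbg `db` rows that reads the little-endian message type from the start of the submit buffer and produces the patched buffer with 0x00000003. It also checks an observation from the dump itself: the DWORD at offset 0x0c (c0 05 00 00) equals the total DER length of the element starting at offset 0x20. The function names are hypothetical and the thread does not name the fields at those offsets.

```python
import re
import struct

# Constructed sample: the first three rows of the dump quoted in the message.
DUMP = """\
00000218`69819c80  26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00  &.......!.1.....
00000218`69819c90  00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00  ................
00000218`69819ca0  61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b  a...0...........
"""

# Address (with WinDbg's backtick separator) followed by 16 hex bytes.
ROW = re.compile(
    r"^([0-9a-f]{8}`[0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})", re.I)

def parse_db(text):
    """Return (base_address, bytes) from contiguous full-width `db` rows."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # ASCII-only, elided or partial rows are skipped
        addr = int(m.group(1).replace("`", ""), 16)
        if base is None:
            base = addr
        if addr != base + len(data):
            raise ValueError(f"gap in dump at {addr:#x}")
        data += bytes.fromhex(m.group(2).replace("-", " "))
    return base, bytes(data)

def message_type(buf):
    """First DWORD of the submit buffer, little-endian."""
    return struct.unpack_from("<I", buf, 0)[0]

def set_message_type(buf, value):
    """Return a copy of the buffer with the first DWORD replaced."""
    return struct.pack("<I", value) + buf[4:]

def der_total_length(buf, off):
    """Return (tag, header + content length) of the DER TLV at `off`."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        return tag, 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return tag, 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")
```

Feeding it a dump with elided rows raises the gap error rather than silently shifting offsets.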
------------------------------------------------------------------------
*From:* Jo Sutton <jsut...@samba.org>
*Sent:* Tuesday, July 2, 2024 6:23 PM
*To:* Sreekanth Nadendla <srena...@microsoft.com>;
cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>
*Cc:* Microsoft Support <supportm...@microsoft.com>
*Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
Thank you, Sreekanth. I’ve uploaded a trace and network capture of a
call to NetrLogonSamLogonEx() attempting to validate a service ticket.
Cheers,
Jo (she/her)
On 3/07/24 2:02 am, Sreekanth Nadendla wrote:
> Hello Jo, you may have gotten an invitation to upload files by now.
> Please check your e-mail folders and let me know otherwise.
>
> Regards,
>
> Sreekanth Nadendla
>
> Microsoft Windows Open Specifications
>
>
> ------------------------------------------------------------------------
> *From:* Jo Sutton <jsut...@samba.org>
> *Sent:* Monday, July 1, 2024 10:01 PM
> *To:* Sreekanth Nadendla <srena...@microsoft.com>;
> cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>
> *Cc:* Microsoft Support <supportm...@microsoft.com>
> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS]
> NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
> On second thoughts, I’d rather not send traces via unencrypted email.
> Can you provide somewhere for me to upload them?
>
> Cheers,
> Jo (she/her)
>
> On 2/07/24 1:57 pm, Jo Sutton via cifs-protocol wrote:
>> [moving back to cifs-protocol]
>>
>> Hi Sreekanth,
>>
>> Call me Jo :)
>>
>> As I can’t seem to upload the traces via the link you sent me, I’ll try
>> to email them to you directly.
>>
>> The reason for asking about NETLOGON_TICKET_LOGON_INFO is that we’re
>> looking to address https://bugzilla.samba.org/show_bug.cgi?id=15249.
>>
>> Cheers,
>> Jo (she/her)
>>
>> On 14/06/24 3:39 am, Sreekanth Nadendla wrote:
>>> Hello Joseph, I've sent you instructions to download time travel trace
>>> tool to collect traces for lsass process earlier. But we were informed
>>> by Andrew Bartlett that the reason why you've raised the login issue
>>> with [MS-APDS] NETLOGON_TICKET_LOGON_INFO is that you are looking to
>>> resolve a privilege escalation problem via enforcement of PAC
>>> verification. I could not see how these two issues are connected
>>> hence I'm unable to continue the investigation on my own (while you
>>> are away dealing with a personal issue).
>>> Please let us know whenever you are ready and we will gather the
>>> details, data to investigate the issue you are experiencing.
>>>
>>> Regards,
>>>
>>> Sreekanth Nadendla
>>>
>>> Microsoft Windows Open Specifications
>>>
>>>
>>>
>>>
>>>
>>>
>>> From: Jo Sutton <jsut...@samba.org>
>>>
>>> Sent: Monday, May 20, 2024 9:49 PM
>>> To: cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>;
>>> Interoperability Documentation Help <doch...@microsoft.com>
>>> Subject: [EXTERNAL] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message
>>>
>>> Hi dochelp,
>>>
>>> I’m trying to follow [MS-APDS] 2.2.2.1, “NETLOGON_TICKET_LOGON_INFO
>>> Message”, in order to create a NETLOGON_TICKET_LOGON_INFO message that
>>> will be accepted by Windows Server 2019. However, in my attempts so far,
>>> all I’ve got is STATUS_INVALID_PARAMETER codes from NetrLogonSamLogonEx.
>>>
>>> Although [MS-APDS] doesn’t mention it, I assume
>>> NETLOGON_TICKET_LOGON_INFO should contain an unsigned 32‐bit MessageType
>>> field, set to 0x00000026, that indicates the message is a
>>> NETLOGON_TICKET_LOGON_INFO message. Other than that, I’m not sure what
>>> I’m doing wrong. Are the ticket fields arrays, as depicted in the
>>> diagram, or pointers, as claimed in the documentation?
>>>
>>> I can provide traces showing the problem if you would like.
>>>
>>> Cheers,
>>> Jo (she/her)
>>
>>
>> _______________________________________________
>> cifs-protocol mailing list
>> cifs-protocol@lists.samba.org
>> https://lists.samba.org/mailman/listinfo/cifs-protocol