Hello Jo, please review the latest copy of [MS-NRPC]. It has the updated IDL definitions as well. As of now, [MS-APDS] is still being updated. The following information should be helpful in the meantime.
MS-APDS Section 3.2.5.1 shows the messagetype field should be set to 0x00000026. The actual design did not introduce such a message type. We are using a new logonlevel, i.e. NETLOGON_LEVEL of NetlogonTicketLogonInformation, and a new validationLevel, i.e. NETLOGON_VALIDATION of NetlogonValidationTicketLogon.

1. From MS-APDS Section 3.2.5.1, we see the NETLOGON_TICKET_LOGON_INFO is layered on top of the generic pass-through structure; however, MS-NRPC section 2.2.1.4.6 defines TicketLogon as a new NETLOGON_LEVEL struct which refers to NETLOGON_TICKET_LOGON_INFO. The NETLOGON_TICKET_LOGON_INFO message does not utilize Generic Passthrough as described in MS-APDS 3.2.5.1. Instead, you will be using LogonLevel parameter 8 (NetlogonTicketLogonInformation <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/8c7808e5-4e5c-420e-9c90-47286da2218f>).

2. Generic Passthrough returns NETLOGON_VALIDATION_GENERIC_INFO2. But the new TicketLogon will return NETLOGON_VALIDATION_TICKET_LOGON.
   * As the NETLOGON_TICKET_LOGON_INFO message does not actually utilize Generic Passthrough, you will use ValidationLevel parameter 7 (NetLogonValidationTicketLogon <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/95154ae4-d305-43e5-82e4-d5353e0f117c>).

You can find a list of applicable Windows OS versions that have this security update from the following link (click the “More…” link below the title):

https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1

This list does not include Server 2025, but it also contains this update. Please let me know if you have additional questions.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

________________________________
From: Jo Sutton <jsut...@samba.org>
Sent: Tuesday, July 16, 2024 12:33 AM
To: Sreekanth Nadendla <srena...@microsoft.com>; cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>
Cc: Microsoft Support <supportm...@microsoft.com>
Subject: Re: [cifs-protocol] [EXTERNAL] Re: [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397

For completeness’ sake, I ran the same procedure against a Windows Server 2022 host, and got exactly the same STATUS_INVALID_PARAMETER error. For MessageType I tried both 0x00000003 and 0x00000026 (and many other values, for good measure).

Cheers,
Jo (she/her)

On 10/07/24 2:08 pm, Jo Sutton via cifs-protocol wrote:
> Hi Sreekanth,
>
> I’m afraid that using 0x03 for the message type still gets me
> STATUS_INVALID_PARAMETER codes.
>
> 0x03 is the message type corresponding to KERB_VERIFY_PAC_REQUEST, which
> is used for the older method of PAC verification. But the message I’m
> attempting to send is NETLOGON_TICKET_LOGON_INFO ([MS-APDS] 2.2.2.1),
> which includes the entire Kerberos ticket and is used in the newer
> method of PAC verification.
>
> What do I need to do to get Windows Server 2019 to accept a
> NETLOGON_TICKET_LOGON_INFO message? I don’t see any information
> indicating that Windows Server 2019 doesn’t support such messages.
>
> Cheers,
> Jo (she/her)
>
> On 10/07/24 7:12 am, Sreekanth Nadendla wrote:
>> Hello Jo, can you change the message type from 0x00000026 (byte
>> sequence seen as 26 00 00 00 below) to 0x00000003 (to indicate
>> message type of KerbVerifyPacMessage) and try this again?
>>
>> 0:002> db ProtocolSubmitBuffer L0x5e0
>>
>> 00000218`69819c80  26 00 00 00 00 00 11 00-21 00 31 00 c0 05 00 00  &.......!.1.....
>> 00000218`69819c90  00 00 02 00 00 00 00 00-00 00 00 00 c0 05 00 00  ................
>> 00000218`69819ca0  61 82 05 bc 30 82 05 b8-a0 03 02 01 05 a1 0d 1b  a...0...........
>> .. ..... .. ..... .. .....
>> .. ..... .. ..... .. .....
>> .. ..... .. ..... .. .....
>> 00000218`6981a250  85 1d 35 87 38 7d b1 5b-52 c0 c3 e4 30 c8 77 7d  ..5.8}.[R...0.w}
>>
>> Regards,
>>
>> Sreekanth Nadendla
>>
>> Microsoft Windows Open Specifications
>>
>> ------------------------------------------------------------------------
>> *From:* Jo Sutton <jsut...@samba.org>
>> *Sent:* Tuesday, July 2, 2024 6:23 PM
>> *To:* Sreekanth Nadendla <srena...@microsoft.com>; cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>
>> *Cc:* Microsoft Support <supportm...@microsoft.com>
>> *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>>
>> Thank you, Sreekanth. I’ve uploaded a trace and network capture of a
>> call to NetrLogonSamLogonEx() attempting to validate a service ticket.
>>
>> Cheers,
>> Jo (she/her)
>>
>> On 3/07/24 2:02 am, Sreekanth Nadendla wrote:
>> > Hello Jo, you may have gotten an invitation to upload files by now.
>> > Please check your e-mail folders and let me know otherwise.
>> >
>> > Regards,
>> >
>> > Sreekanth Nadendla
>> >
>> > Microsoft Windows Open Specifications
>> >
>> > ------------------------------------------------------------------------
>> > *From:* Jo Sutton <jsut...@samba.org>
>> > *Sent:* Monday, July 1, 2024 10:01 PM
>> > *To:* Sreekanth Nadendla <srena...@microsoft.com>; cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>
>> > *Cc:* Microsoft Support <supportm...@microsoft.com>
>> > *Subject:* [EXTERNAL] Re: [cifs-protocol] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message - TrackingID#2405210040011397
>> >
>> > On second thoughts, I’d rather not send traces via unencrypted email.
>> > Can you provide somewhere for me to upload them?
>> >
>> > Cheers,
>> > Jo (she/her)
>> >
>> > On 2/07/24 1:57 pm, Jo Sutton via cifs-protocol wrote:
>> >> [moving back to cifs-protocol]
>> >>
>> >> Hi Sreekanth,
>> >>
>> >> Call me Jo :)
>> >>
>> >> As I can’t seem to upload the traces via the link you sent me, I’ll try
>> >> to email them to you directly.
>> >>
>> >> The reason for asking about NETLOGON_TICKET_LOGON_INFO is that we’re
>> >> looking to address https://bugzilla.samba.org/show_bug.cgi?id=15249.
>> >>
>> >> Cheers,
>> >> Jo (she/her)
>> >>
>> >> On 14/06/24 3:39 am, Sreekanth Nadendla wrote:
>> >>> Hello Joseph, I've sent you instructions to download time travel trace
>> >>> tool to collect traces for lsass process earlier. But we were informed
>> >>> by Andrew Bartlett that the reason why you've raised the login issue
>> >>> with [MS-APDS] NETLOGON_TICKET_LOGON_INFO is that you are looking to
>> >>> resolve a privilege escalation problem via enforcement of PAC
>> >>> verification. I could not see how these two issues are connected
>> >>> hence I'm unable to continue the investigation on my own (while you
>> >>> are away dealing with a personal issue).
>> >>> Please let us know whenever you are ready and we will gather the
>> >>> details, data to investigate the issue you are experiencing.
>> >>>
>> >>> Regards,
>> >>>
>> >>> Sreekanth Nadendla
>> >>>
>> >>> Microsoft Windows Open Specifications
>> >>>
>> >>> From: Jo Sutton <jsut...@samba.org>
>> >>> Sent: Monday, May 20, 2024 9:49 PM
>> >>> To: cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>; Interoperability Documentation Help <doch...@microsoft.com>
>> >>> Subject: [EXTERNAL] [MS-APDS] NETLOGON_TICKET_LOGON_INFO message
>> >>>
>> >>> Hi dochelp,
>> >>>
>> >>> I’m trying to follow [MS-APDS] 2.2.2.1, “NETLOGON_TICKET_LOGON_INFO
>> >>> Message”, in order to create a NETLOGON_TICKET_LOGON_INFO message that
>> >>> will be accepted by Windows Server 2019. However, in my attempts so far,
>> >>> all I’ve got is STATUS_INVALID_PARAMETER codes from NetrLogonSamLogonEx.
>> >>>
>> >>> Although [MS-APDS] doesn’t mention it, I assume
>> >>> NETLOGON_TICKET_LOGON_INFO should contain an unsigned 32‐bit MessageType
>> >>> field, set to 0x00000026, that indicates the message is a
>> >>> NETLOGON_TICKET_LOGON_INFO message. Other than that, I’m not sure what
>> >>> I’m doing wrong. Are the ticket fields arrays, as depicted in the
>> >>> diagram, or pointers, as claimed in the documentation?
>> >>>
>> >>> I can provide traces showing the problem if you would like.
>> >>>
>> >>> Cheers,
>> >>> Jo (she/her)

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
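
An added example, not code from the thread, Samba or Microsoft: a Python triage of the first 48 bytes of the `ProtocolSubmitBuffer` dump quoted above, showing that the buffer leads with the 0x00000026 MessageType that the reply says the design never introduced, and that the embedded DER Kerberos Ticket is length-consistent with the rest of the buffer. Reading the dwords at 0x0c and 0x1c as length fields and 0x20 as the ticket offset is an assumption taken from this one dump, not from [MS-APDS].

```python
import struct

# First 48 bytes of ProtocolSubmitBuffer, copied from the "db" output quoted in the thread.
DUMP_HEAD = bytes.fromhex(
    "26 00 00 00 00 00 11 00 21 00 31 00 c0 05 00 00 "
    "00 00 02 00 00 00 00 00 00 00 00 00 c0 05 00 00 "
    "61 82 05 bc 30 82 05 b8 a0 03 02 01 05 a1 0d 1b"
)
DUMP_LEN = 0x5E0               # the L0x5e0 argument given to db
TICKET_OFFSET = 0x20           # assumption: where the 0x61 tag sits in this dump
LENGTH_OFFSETS = (0x0C, 0x1C)  # assumption: the two "c0 05 00 00" dwords are lengths
KERB_VERIFY_PAC = 0x03         # older PAC verification message type, per the thread
TICKET_TAG = 0x61              # RFC 4120: Ticket ::= [APPLICATION 1] SEQUENCE


def der_header(buf, off):
    """Return (tag, header_len, content_len) of the DER TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short form: length fits in one octet
        return tag, 2, first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def triage(buf, dump_len):
    """Summarise the buffer header and cross-check every length against the ticket."""
    (message_type,) = struct.unpack_from("<I", buf, 0)
    lengths = tuple(struct.unpack_from("<I", buf, o)[0] for o in LENGTH_OFFSETS)
    tag, hdr, body = der_header(buf, TICKET_OFFSET)
    inner_tag, inner_hdr, inner_body = der_header(buf, TICKET_OFFSET + hdr)
    ticket_len = hdr + body
    return {
        "message_type": message_type,
        "legacy_pac_request": message_type == KERB_VERIFY_PAC,
        "is_kerberos_ticket": tag == TICKET_TAG and inner_tag == 0x30,
        "ticket_len": ticket_len,
        "lengths_match": all(n == ticket_len for n in lengths)
        and inner_hdr + inner_body == body
        and TICKET_OFFSET + ticket_len == dump_len,
    }


if __name__ == "__main__":
    print(triage(DUMP_HEAD, DUMP_LEN))
```

The ticket itself parses cleanly and every length agrees, which is consistent with the explanation at the top of the thread that the rejection comes from the envelope (MessageType over Generic Passthrough) rather than from the ticket bytes.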