
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - Tr
From:       "Jeff McCashland \(He/him\) via cifs-protocol" <cifs-protocol () lists ! samba ! org>
Date:       2023-11-30 19:00:00
Message-ID: MN0PR21MB3701D7D2B0C2D97782F6AF6AA382A () MN0PR21MB3701 ! namprd21 ! prod ! outlook ! com

Hi Joseph,

I have part of the answer for you. msDS-ManagedPasswordId is initialized whenever a User account is created in AD. This may also be initialized when a Kerberos TGT is generated.

I am still looking into when the values are updated. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Thursday, November 30, 2023 9:44 AM
To: Joseph Sutton <jsutton@samba.org>
Cc: Microsoft Support <supportmail@microsoft.com>; cifs-protocol@lists.samba.org
Subject: RE: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Hi Joseph,

I will continue researching this and get back to you. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) | Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton@samba.org>
Sent: Wednesday, November 29, 2023 1:52 PM
To: Jeff McCashland (He/him) <jeffm@microsoft.com>
Cc: Microsoft Support <supportmail@microsoft.com>; cifs-protocol@lists.samba.org
Subject: Re: [EXTERNAL] [MS-ADTS] Procedure for setting msDS-ManagedPasswordId attribute - TrackingID#2311280040000920

Hi,

Thank you for those links. So much of the format of these attributes I had inferred from reading [MS-GKDI]: what I cannot find in either article are details on how the attributes' values are first set and then periodically updated.

If I were to create a Group Managed Service Account right now and examined its msDS-ManagedPasswordId attribute, I might see a key index of (362, 0, 27). Say the interval after which the managed password was to be automatically changed was set to one day. If I were to examine the same attribute tomorrow, I might then see the key index had changed to (362, 0, 29). Furthermore, I might see that the msDS-ManagedPasswordPreviousId attribute (which had previously been empty) had been assigned the previous day's key index (362, 0, 27).

Evidently the values of these attributes must periodically be updated by some method in order for the managed password protocol to work. My question is: by what procedure should this be done?

Regards,
Joseph

On 30/11/23 7:34 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> I found a couple of online resources that appear to describe how to 
> generate the msDS-ManagedPasswordId attribute:
> 
> Introducing the Golden GMSA Attack
> 
> https://securityboulevard.com/2022/03/introducing-the-golden-gmsa-attack/
> 
> How to recover from a Golden gMSA attack
> 
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/recover-from-golden-gmsa-attack
> 
> Please let me know if these help any.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> 
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada)
> 
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> *From:*Jeff McCashland (He/him)
> *Sent:* Tuesday, November 28, 2023 8:28 AM
> *To:* Joseph Sutton <jsutton@samba.org>
> *Cc:* Microsoft Support <supportmail@microsoft.com>; 
> cifs-protocol@lists.samba.org
> *Subject:* RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [try again - Kristian to BCC]
> 
> *From:*Jeff McCashland (He/him)
> *Sent:* Tuesday, November 28, 2023 8:27 AM
> *To:* Kristian Smith <Kristian.Smith@microsoft.com>; Joseph Sutton <jsutton@samba.org>; cifs-protocol@lists.samba.org
> *Cc:* Microsoft Support <supportmail@microsoft.com>
> *Subject:* RE: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [Kristian to BCC]
> 
> Hi Joseph,
> 
> I will look into your question and let you know what I find.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> 
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada)
> 
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> *From:* Kristian Smith <Kristian.Smith@microsoft.com>
> *Sent:* Monday, November 27, 2023 6:39 PM
> *To:* Joseph Sutton <jsutton@samba.org>; cifs-protocol@lists.samba.org
> *Cc:* Microsoft Support <supportmail@microsoft.com>
> *Subject:* Re: [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute - TrackingID#2311280040000920
> 
> [DocHelp to Bcc]
> 
> [Case mail to Cc]
> 
> Hi Joseph,
> 
> Thank you for your request. The case number 2311280040000920 has been 
> created for this inquiry. One of our team members will follow up with 
> you soon.
> 
> *Regards,*
> 
> *Kristian Smith*
> 
> Support Escalation Engineer | Azure DevOps, Windows Protocols | 
> Microsoft® Corporation
> 
> *Office phone*: +1 425-421-4442
> 
> *Email*: kristian.smith@microsoft.com
> 
> *Working hours*: 8:00 am - 5:00 pm PST, Monday - Friday
> 
> *Team Manager*: Gary Ranne garyra@microsoft.com
> 
> *ServiceHub*: https://serviceshub.microsoft.com/support/contactsupport_
> 
> In case you don't hear from me, please call your regional number here: https://support.microsoft.com/help/13948/global-customer-service-phone-numbers
> 
> If you need assistance outside my normal working hours, please reach out to devbu@microsoft.com. One of my colleagues will gladly continue working on this issue.
> 
> ------------------------------------------------------------------------
> 
> *From:* Joseph Sutton <jsutton@samba.org>
> *Sent:* Monday, November 27, 2023 2:53 PM
> *To:* cifs-protocol@lists.samba.org; Interoperability Documentation Help <dochelp@microsoft.com>
> *Subject:* [EXTERNAL] [MS-ADTS] Procedure for setting 
> msDS-ManagedPasswordId attribute
> 
> Hi dochelp,
> 
> The calculation of the msDS-ManagedPassword attribute depends upon the 
> values of two other important attributes, namely 
> msDS-ManagedPasswordId and msDS-ManagedPasswordPreviousId. I can't 
> find any documentation on how these two attributes are to be set 
> initially (on the creation of a Group Managed Service Account), nor on 
> how and when they are subsequently to be updated.
> 
> Are you able to give me any information on the procedure by which 
> these attributes are assigned values? - Are they supposed to be 
> updated periodically?
> 
> Regards,
> Joseph
> 
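
Editor's note, added to this archive page and not part of the thread above. Joseph's example key indices (362, 0, 27) and (362, 0, 29) are [MS-GKDI] group key identifiers, an (L0, L1, L2) triple that advances with wall-clock time. The script below is an added example (not code from Joseph Sutton, Samba or Microsoft) that derives that triple from an NT FILETIME using the key-cycle constants [MS-GKDI] defines: one L2 key covers a 10-hour key cycle, each L1 key spans 32 L2 keys and each L0 key spans 32 L1 keys. It shows why a gMSA created in late November 2023 sits in L0 = 362, and how the L2 index moves by two or three steps over one day. It deliberately does not implement when a gMSA's msDS-ManagedPasswordId is rolled over to a new identifier and the old one copied to msDS-ManagedPasswordPreviousId: that schedule is exactly what the thread asks about and the thread does not settle it. The dates used are constructed for the illustration.

```python
"""
Derive the [MS-GKDI] group key identifier (L0, L1, L2) for a point in time.

Added example for this archive page; not code from the thread, Samba or
Microsoft. Constants below are taken from [MS-GKDI]:
  * time is an NT FILETIME, 100 ns ticks since 1601-01-01 00:00 UTC;
  * KEY_CYCLE_DURATION: one L2 key covers 10 hours;
  * 32 L2 keys per L1 key, 32 L1 keys per L0 key.
"""
from datetime import datetime, timezone
from typing import NamedTuple

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                       # FILETIME resolution: 100 ns
KEY_CYCLE_DURATION = 10 * 3600 * TICKS_PER_SECOND   # 10 hours per L2 key, in ticks
L2_KEYS_PER_L1 = 32                                 # L2 index runs 0..31
L1_KEYS_PER_L0 = 32                                 # L1 index runs 0..31


class Gkid(NamedTuple):
    """Group key identifier; tuple order makes chronological comparison work."""
    l0: int
    l1: int
    l2: int


def nt_time(dt: datetime) -> int:
    """Convert a timezone-aware datetime to NT FILETIME ticks."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = dt - NT_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def gkid_from_nt_time(t: int) -> Gkid:
    """Key identifier in force at NT time t, per the [MS-GKDI] key cycle.

    L2 counts 10-hour cycles modulo 32, L1 counts groups of 32 cycles modulo 32,
    and L0 counts the remaining 10240-hour periods without wrapping.
    """
    if t < 0:
        raise ValueError("NT time cannot be negative")
    l2_periods = t // KEY_CYCLE_DURATION
    l1_periods = l2_periods // L2_KEYS_PER_L1
    l0 = l1_periods // L1_KEYS_PER_L0
    return Gkid(l0, l1_periods % L1_KEYS_PER_L0, l2_periods % L2_KEYS_PER_L1)


def gkid_start_time(g: Gkid) -> int:
    """NT time at which key identifier g came into force (inverse of the above)."""
    if not (0 <= g.l1 < L1_KEYS_PER_L0 and 0 <= g.l2 < L2_KEYS_PER_L1 and g.l0 >= 0):
        raise ValueError(f"invalid key identifier {g}")
    return ((g.l0 * L1_KEYS_PER_L0 + g.l1) * L2_KEYS_PER_L1 + g.l2) * KEY_CYCLE_DURATION


def gkid_for_datetime(dt: datetime) -> Gkid:
    """Convenience wrapper: key identifier for an aware datetime."""
    return gkid_from_nt_time(nt_time(dt))


def l2_steps_between(earlier: Gkid, later: Gkid) -> int:
    """How many 10-hour key cycles separate two identifiers (negative if reversed)."""
    return (gkid_start_time(later) - gkid_start_time(earlier)) // KEY_CYCLE_DURATION


if __name__ == "__main__":
    # Constructed dates: the day Joseph wrote, and one day later.
    day1 = datetime(2023, 11, 29, tzinfo=timezone.utc)
    day2 = datetime(2023, 11, 30, tzinfo=timezone.utc)
    g1, g2 = gkid_for_datetime(day1), gkid_for_datetime(day2)
    print(f"{day1.date()} -> {tuple(g1)}")
    print(f"{day2.date()} -> {tuple(g2)}  ({l2_steps_between(g1, g2)} L2 steps later)")
    # An L0 boundary: the last L2 cycle of L0=0 rolls over to (1, 0, 0).
    print(tuple(gkid_from_nt_time(gkid_start_time(Gkid(1, 0, 0)) - 1)), "->",
          tuple(gkid_from_nt_time(gkid_start_time(Gkid(1, 0, 0)))))
```

A day is 2.4 key cycles, so two consecutive daily observations land two or three L2 steps apart, which is consistent with the (362, 0, 27) to (362, 0, 29) movement Joseph describes. Because a gMSA password is derived from the key named by msDS-ManagedPasswordId, a reader of these attributes can sanity-check a value by confirming that its start time does not lie in the future relative to the account's creation or last rollover.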

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

