
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED
From:       Andrew Bartlett via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2024-04-29 4:14:26
Message-ID: 31b3f5b596b9e2097db4cf794fa072b09990d31e.camel () samba ! org
Thanks Kristian, that is most helpful.

Can you clarify which parts of the AD DC call
ResetSmartCardAccountPassword and under what circumstances?  Is it just
the KDC during PK-INIT AS-REQ processing?

Is there anything else that rotates these passwords?  The reason I ask
is that this being the only case would suggest that where the DC is not
the PDC, the PK-INIT AS-REQ processing must wait for the PDC before
continuing processing.  (We know the local case does, it gets the new
password for return in the PAC).

Finally, the doc needs some correction, the references to pwdLastSet
make no sense (it should always be in the past), I think a
meta-variable for the calculated password expiry is what is meant.

Thanks!
Andrew Bartlett
On Thu, 2024-04-25 at 21:41 +0000, Kristian Smith wrote:
> [Michael to Bcc]
> 
> Hi Andrew,
> 
> Thanks for reaching out with your question. The password-rolling
> attribute you're looking for is "msDS-ExpirePasswordsOnSmartCardOnlyAccounts"
> 
> It can be found in the following docs:
> 
> [MS-SAMS] 3.3.5.7.2 Normative Specification
> [MS-ADA2] 2.319 Attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts
> 
> To a lesser extent here as well:
> 
> [MS-ADSC] 2.44 Class domainDNS
> 
> Let me know if this answers the question, or if there is anything
> that can be clarified.
> 
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft ® Corporation
> Office phone: +1 425-421-4442
> Email: kristian.smith@microsoft.com
> 
> From: Michael Bowen <Mike.Bowen@microsoft.com>
> Sent: Wednesday, April 24, 2024 10:39 AM
> To: Andrew Bartlett <abartlet@samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>;
> Microsoft Support <supportmail@microsoft.com>
> Subject: Re: [EXTERNAL] Protocol documentation for automatic rollover
> of expired passwords with UF_SMARTCARD_REQUIRED -
> TrackingID#2404240040010190
> 
> <!--
> p
> 	{margin-top:0;
> 	margin-bottom:0}
> -->
> 
> [Case number in subject]
> [Casemail to cc]
> [Dochelp to bcc]
> 
> Hi Andrew,
> 
> Thank you for your request. The case number 2404240040010190 has been
> created for this inquiry. One of our team members will follow up with
> you soon.
> 
> Best regards,
> 
> Mike Bowen
> Sr. Escalation Engineer - Microsoft ® Corporation
> 
> From: Andrew Bartlett <abartlet@samba.org>
> Sent: Tuesday, April 23, 2024 5:52 PM
> To: Interoperability Documentation Help <dochelp@microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>
> Subject: [EXTERNAL] Protocol documentation for automatic rollover of
> expired passwords with UF_SMARTCARD_REQUIRED
> 
> Kia Ora Dochelp!
> 
> I'm looking for any documentation as to the finer details of
> 
> > DCs can support automatic rolling of the NTLM and other password-based
> > secrets on a user account configured to require PKI
> > authentication. This configuration is also known as "Smart card
> > required for interactive logon"
> 
> from
> 
> https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels#windows-server-2016-domain-functional-level-features
> 
> I don't see any mention of this in MS-ADPS, but am not sure where
> next to check.
> 
> In particular, while I have reproduced the rollover for 'must change
> now', I'm wondering when the password otherwise rolls over: is it
> before the expiry (e.g. with the 'old password allowed time' grace of
> 60 mins, for example), or at the expiry?
> 
> Thanks,
> 
> Andrew Bartlett
> 

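Added worked example (not part of the thread, and not Samba or Microsoft code): the "calculated password expiry" meta-variable Andrew refers to, derived from the raw attribute encodings discussed above (pwdLastSet and maxPwdAge as FILETIME 100 ns ticks, userAccountControl bits, and the domain's msDS-ExpirePasswordsOnSmartCardOnlyAccounts flag). The rollover rule it encodes (password due for rolling once pwdLastSet + |maxPwdAge| <= now, gated on UF_SMARTCARD_REQUIRED and the domain flag, with UF_DONT_EXPIRE_PASSWD exempting the account) is an assumption for illustration, as are the sample domain and user records, which are constructed rather than captured from a DC. The thread's open question, whether the DC rolls the password earlier than that instant, is deliberately not answered by the code.

```python
"""Compute the expiry meta-variable for a smart-card-only account and classify
whether a DC would consider its password due for rolling.

Added example, not code from this thread, Samba or Microsoft.
ASSUMPTIONS: rollover modelled as pwdLastSet + |maxPwdAge| <= now; accounts
with UF_DONT_EXPIRE_PASSWD are exempt; sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl bits ([MS-ADTS] 2.2.16 / Samba's UF_* flags)
UF_NORMAL_ACCOUNT = 0x00000200
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_SMARTCARD_REQUIRED = 0x00040000

# pwdLastSet and maxPwdAge use FILETIME units: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge sentinel: passwords never expire


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    # integer arithmetic: total_seconds() is a float and loses 100 ns precision
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


@dataclass
class Domain:
    max_pwd_age: int                       # maxPwdAge: stored as a NEGATIVE 100 ns interval
    expire_smartcard_only_passwords: bool  # msDS-ExpirePasswordsOnSmartCardOnlyAccounts


@dataclass
class User:
    user_account_control: int
    pwd_last_set: int                      # pwdLastSet FILETIME; 0 means "must change now"


def password_expiry(user: User, domain: Domain) -> Optional[datetime]:
    """Computed expiry instant, or None if the password never expires.

    pwdLastSet == 0 ("must change password at next logon") maps to the
    FILETIME epoch, i.e. already expired at any plausible 'now'.
    """
    if user.user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if domain.max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if user.pwd_last_set == 0:
        return FILETIME_EPOCH
    # maxPwdAge is negative, so subtracting it adds the password lifetime
    return filetime_to_datetime(user.pwd_last_set - domain.max_pwd_age)


def smartcard_rollover_state(user: User, domain: Domain, now: datetime) -> str:
    """Classify the account against the assumed rollover rule."""
    if not domain.expire_smartcard_only_passwords:
        return "feature-off"
    if not user.user_account_control & UF_SMARTCARD_REQUIRED:
        return "not-smartcard-only"
    expiry = password_expiry(user, domain)
    if expiry is None:
        return "never-expires"
    if user.pwd_last_set == 0:
        return "must-change-now"
    return "expired" if expiry <= now else "valid"


# Constructed sample data: a 42-day maxPwdAge and a handful of accounts.
NOW = datetime(2024, 4, 29, 4, 14, 26, tzinfo=timezone.utc)
DAY = 86400 * TICKS_PER_SECOND
DOMAIN = Domain(max_pwd_age=-42 * DAY, expire_smartcard_only_passwords=True)
SAMPLE_USERS = {
    "fresh":  User(UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED,
                   datetime_to_filetime(NOW - timedelta(days=10))),
    "stale":  User(UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED,
                   datetime_to_filetime(NOW - timedelta(days=43))),
    "forced": User(UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED, 0),
    "noexp":  User(UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED | UF_DONT_EXPIRE_PASSWD,
                   datetime_to_filetime(NOW - timedelta(days=400))),
    "pwonly": User(UF_NORMAL_ACCOUNT,
                   datetime_to_filetime(NOW - timedelta(days=43))),
}


def report(now: datetime = NOW, domain: Domain = DOMAIN, users: dict = SAMPLE_USERS) -> dict:
    return {name: smartcard_rollover_state(u, domain, now) for name, u in users.items()}


if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name:7} {state:18} expiry={password_expiry(SAMPLE_USERS[name], DOMAIN)}")
```

The pwdLastSet == 0 branch is the 'must change now' case Andrew says he has already reproduced; the "stale" record shows the ordinary case where the expiry instant lies in the past even though pwdLastSet itself (as Andrew notes) always does.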




_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

