
List:       cifs-protocol
Subject:    [cifs-protocol] msDS-ExpirePasswordsOnSmartCardOnlyAccounts - meta-variable for the calculated passw
From:       Kristian Smith via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2024-04-29 18:57:36
Message-ID: BY5PR21MB1426F6F678995C253AA3628E951B2 () BY5PR21MB1426 ! namprd21 ! prod ! outlook ! com

Hi Andrew,

I've created this case thread for second part of your question:

"Finally, the doc needs some correction, the references to pwdLastSet make no sense (it should always be in the past), I think a meta-variable for the calculated password expiry is what is meant."

I will research this question as well and let you know what I discover.


Regards,

Kristian Smith

Support Escalation Engineer | Microsoft® Corporation

Office phone: +1 425-421-4442

Email: kristian.smith@microsoft.com<mailto:kristian.smith@microsoft.com>

________________________________
From: Andrew Bartlett <abartlet@samba.org>
Sent: Sunday, April 28, 2024 9:14 PM
To: Kristian Smith <Kristian.Smith@microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com>
Subject: Re: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED - TrackingID#2404240040010190

Thanks Kristian, that is most helpful.

Can you clarify which parts of the AD DC call ResetSmartCardAccountPassword and under what circumstances?  Is it just the KDC during PK-INIT AS-REQ processing?

Is there anything else that rotates these passwords?  The reason I ask is that this being the only case would suggest that where the DC is not the PDC, the PK-INIT AS-REQ processing must wait for the PDC before continuing processing.  (We know the local case does, it gets the new password for return in the PAC).

Finally, the doc needs some correction, the references to pwdLastSet make no sense (it should always be in the past), I think a meta-variable for the calculated password expiry is what is meant.

Thanks!

Andrew Bartlett

On Thu, 2024-04-25 at 21:41 +0000, Kristian Smith wrote:
[Michael to Bcc]

Hi Andrew,

Thanks for reaching out with your question. The password-rolling attribute you're looking for is "msDS-ExpirePasswordsOnSmartCardOnlyAccounts"

It can be found in the following docs:
[MS-SAMS] 3.3.5.7.2 Normative Specification
[MS-ADA2] 2.319 Attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts

To a lesser extent here as well:
[MS-ADSC] 2.44 Class domainDNS

Let me know if this answers the question, or if there is anything that can be clarified.


Regards,

Kristian Smith

Support Escalation Engineer | Microsoft® Corporation

Office phone: +1 425-421-4442

Email: kristian.smith@microsoft.com<mailto:kristian.smith@microsoft.com>

From: Michael Bowen <Mike.Bowen@microsoft.com>
Sent: Wednesday, April 24, 2024 10:39 AM
To: Andrew Bartlett <abartlet@samba.org>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com>
Subject: Re: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED - TrackingID#2404240040010190

[Case number in subject]
[Casemail to cc]
[Dochelp to bcc]

Hi Andrew,

Thank you for your request. The case number 2404240040010190 has been created for this inquiry. One of our team members will follow up with you soon.

Best regards,

Mike Bowen
Sr. Escalation Engineer - Microsoft® Corporation



________________________________
From: Andrew Bartlett <abartlet@samba.org>
Sent: Tuesday, April 23, 2024 5:52 PM
To: Interoperability Documentation Help <dochelp@microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>
Subject: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED

Kia Ora Dochelp!

I'm looking for any documentation as to the finer details of

DCs can support automatic rolling of the NTLM and other password-based secrets on a user account configured to require PKI authentication. This configuration is also known as "Smart card required for interactive logon"

from

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels#windows-server-2016-domain-functional-level-features

I don't see any mention of this in MS-ADPS, but am not sure where next to check.

In particular, while I have reproduced the rollover for 'must change now', I'm wondering when the password otherwise rolls over, is it before the expiry (eg with the 'old password allowed time' grace of 60mins for example), or at the expiry?

Thanks,

Andrew Bartlett
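To make the pwdLastSet point in this thread concrete, here is an added Python example (not code from the thread, Samba or Microsoft's documentation) that computes the calculated password expiry Andrew is referring to: pwdLastSet plus the domain's maxPwdAge, with pwdLastSet = 0 treated as the 'must change now' case. It assumes the standard AD encodings (FILETIME ticks since 1601, maxPwdAge stored as a negative interval with the LARGE_INTEGER minimum meaning 'never', and the userAccountControl bit values); the 60-minute grace Andrew asks about is left unmodelled because the thread does not settle it.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl flag bits (standard AD values; assumed here, not quoted from the thread)
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_SMARTCARD_REQUIRED = 0x00040000

# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# maxPwdAge on the domain NC is a negative 100 ns interval; the LARGE_INTEGER
# minimum value is the "passwords never expire" sentinel.
MAXPWDAGE_NEVER = -0x8000000000000000

# Default domain policy of 42 days, expressed as maxPwdAge.
DEFAULT_MAX_PWD_AGE = -42 * 24 * 60 * 60 * 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (sub-microsecond bits dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int) -> Optional[datetime]:
    """Return the calculated password expiry for an account.

    None means the password never expires. pwdLastSet == 0 is AD's
    "must change password at next logon" marker; it is reported as the
    FILETIME epoch so that it compares as already expired against any clock.
    """
    if uac & UF_DONT_EXPIRE_PASSWD:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    if max_pwd_age == MAXPWDAGE_NEVER:
        return None
    # maxPwdAge is stored negated, so subtracting it adds the lifetime.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def smartcard_rollover_due(now: datetime, pwd_last_set: int,
                           max_pwd_age: int, uac: int) -> bool:
    """True when a smart-card-required account's calculated expiry has passed.

    Only accounts with UF_SMARTCARD_REQUIRED are candidates; any grace window
    before or after the expiry is deliberately not modelled.
    """
    if not uac & UF_SMARTCARD_REQUIRED:
        return False
    expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    return expiry is not None and expiry <= now


if __name__ == "__main__":
    # Constructed sample: password set 2024-01-01, checked 2024-03-01, default 42-day lifetime.
    set_at = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print("expiry:", password_expiry(set_at, DEFAULT_MAX_PWD_AGE, UF_SMARTCARD_REQUIRED))
    print("rollover due:", smartcard_rollover_due(now, set_at, DEFAULT_MAX_PWD_AGE, UF_SMARTCARD_REQUIRED))
```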




_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol



