Saturday, July 25, 2020

PCNS and Kerberos S4U2Self updating lastLogonTimestamp

While trying to decommission a legacy user domain that was a target for MIM password synchronisation, I noticed that lastLogonTimestamp was being updated whenever a password was changing in another connected forest. It turns out this was because we still had PCNS on Domain Controllers in the legacy forest (for bi-directional password sync), and a ‘feature’ of PCNS is to update lastLogonTimestamp due to a Kerberos S4U2Self network logon. Note that this is still governed by the ‘ms-DS-Logon-Time-Sync-Interval’ attribute (default 14 days) providing a window so that LLT isn’t updated *every* time you log on, only as soon as you fall out of the time sync window.

I poked around a little and I believe this occurs because the pcnssvc.exe calls the AuthzInitializeContextFromSid() function, which appears to perform a network logon of the target user to grab information from the token. This uses the Kerberos 2003 extensions for S4U (service for user). This made it invalid to use lastLogonTimestamp as a mechanism to determine whether accounts are still being logged in to, as PCNS was making it seem like they were!

I also think that anything that uses the S4U extensions will exhibit the same behaviour. For example, to do an equivalent in PowerShell, you can create a new windows identity object with only the UPN, which also results in a network logon of the target account: 

  new-object system.security.principal.windowsidentity("user@domain.com")

This results in event 4624 network logon on the local machine - which consequently will fail if the target user doesn’t have SeNetworkLogonRight – ‘Access this computer from the network’ right: 

  Logon Information:
 Logon Type:  3
 Restricted Admin Mode: -
 Virtual Account:  No
 Elevated Token:  Yes

  Impersonation Level:  Identification

And looking at the Kerberos conversation, after getting a TGT, it ends doing a AP-REQ using the ‘PA-FOR-USER’ S4U2Self structure:










And once the ticket has been acquired, if you use ‘klist tickets’, you’ll see the krbtgt and the S4U ticket (only showing your user, it won’t display the:













References:

AuthzInitializeContextFromSid function
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376309(v=vs.85).aspx AuthzInitializeContextFromSid attempts to retrieve the user's token group information by performing an S4U logon. AuthzInitializeContextFromSid attempts to retrieve the information available in a logon token had the client actually logged on. An actual logon token provides more information, such as logon type and logon properties, and reflects the behavior of the authentication package used for the logon.

WindowsIdentity Constructor (String)
http://msdn.microsoft.com/en-us/library/td3046fc.aspx
This constructor is intended for use on computers joined only to Windows Server 2003 domains. An exception is thrown for other domain types. This restriction is because the constructor uses the KERB_S4U_LOGON structure.

Kerberos S4U2self
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13
The S4U2self extension allows a service to obtain a service ticket to itself on behalf of a user. The user is identified to the KDC using the user's name and realm. Alternatively, the user might be identified based on the user's certificate. The Kerberos ticket-granting service (TGS) exchange request and response messages, KRB_TGS_REQ and KRB_TGS_REP, are used along with one of two new data structures. The new PA-FOR-USER data structure is used when the user is identified to the KDC by the user name and realm name.

Wayne's World of IT (WWoIT). 
at 5 comments:

Friday, July 10, 2020

FIM/MIM XPath queries

Here are a few XPath queries I've built and collected along the way. It's intriguing how powerful and yet still ultimately rather crappy and limiting FIM XPath can be. And if you want a good explanation of why – try using SQL Profiler to see the resultant T-SQL when the FIM service translates what seems like even a simple XPath query with a few conditions (especially if you're using a negative condition).

You can test any of these with the FIMAutomation snap-in, with two simple commands to export the results, then return the displayname from each ($URI points to your resource management service, typically on port 5725): 

$objects = Export-FIMConfig -uri $URI -onlyBaseResources -customConfig $filter
$objects.ResourceManagementObject.ResourceManagementAttributes | where {$_.attributename -eq 'DisplayName'} | select value




Query for failed ERE's matching the specified sync rule
$filter = "/ExpectedRuleEntry[DisplayName='AD: SyncRule1' and StatusError = 'ma-extension-error']"

Find groups that have been modified in the last 10 days
$filter = "/Request[Target = /Group[Type = 'Security'] and Operation = 'Put' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]"

People with Attribute1 set to Null
$filter = "/Person[(not(starts-with(Attribute1, '%')))]"

All people that are an owner of one or more groups
$filter = "/Person[ObjectID = /Group/Owner]"

Find groups owned by the specified person
$filter = "/Group[DisplayedOwner=/Person[DisplayName='User1']]"

Find groups that have no Owner or displayedOwner
$filter = "/Group[not(Owner = /Person) and not(DisplayedOwner = /Person)]"

Find all people that have an accountName set
$filter = "/Person[AccountName != '&Invalid&']"

Find all anonymous password resets in the last day
$filter = "/Request[Creator = /Resource[ObjectID = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522'] and RequestStatus = 'Completed' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P1D'))]"

Groups in a set that don't have the required ERE
$filter = "/Group[ObjectID = /Set[DisplayName = 'All Security Groups Internal Global Static Owner Approved']/ComputedMember and not(ExpectedRulesList = /ExpectedRuleEntry)]"

SSPR registered internal enabled people
$filter = "/Person[AccountType = 'Person' and AccountStatus = 'Enabled' and Domain = 'CORP' and not(AuthNLockoutRegistrationID = /GateRegistration)]"

People created in the last 8 hours
$filter = "/Person[CreatedTime >= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('-PT8H'))]"

Find if the specified person is a member of a group
$filter = "/Person[ObjectID = /Group[DisplayName = 'Group1']/ComputedMember and AccountName = 'User1']"

Find distribution groups owned by the specified person
$filter = "/Group[Type='Distribution' and Owner=/Person[AccountName='User1']]"

How many people have filled out the QA gate in the last 8 hours
$filter = "/GateRegistration[GateID = 'authenticationGateActivity3' and CreatedTime >= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('-PT8H'))]"

Find MA data
$filter = "/ma-data"

People with the specified SKU (multi-valued reference)
$filter = "/Person[Office365ServicePlans = /Office365License[SKU ='E3']]"

People with the specified Office 365 plan
$filter = "/Person[Office365ServicePlans = /Office365License[DisplayName ='E3 Office Pro Plus']]"

MPRs referencing a set of requestsors
$filter = "/ManagementPolicyRule[PrincipalSet=/Set[DisplayName='All Service Desk Users']]"

CORP user unabled without CORP outbound ERE
$filter = "/Person[AccountStatus = 'Enabled' and Domain = 'CORP' and not(ExpectedRulesList = /ExpectedRuleEntry[DisplayName = 'AD: CORP Outbound User'])]"

Security Groups that have one or more deleted owners
$filter = "/Group[Type = 'Security' and Owner = /Person[AccountStatus = 'Deleted']]"

Security Groups that have no owner
$filter = "/Group[Type = 'Security' and not(Owner = /Person)]"

People without an account name (null string attribute check)
$filter = "/Person[not(AccountName != '&NotPresent&') and not(DisplayName = 'Built-in Synchronization Account')]"

People without a display name (null string attribute check)
$filter = "/Person[not(DisplayName != '&NotPresent&')]"

Enabled People without a primary domain
$filter = "/Person[AccountStatus = 'Enabled' and not(Domain != '&NotPresent&')]"

Internal Enabled People without a specific attribute set
$filter = "/Person[Domain = 'CORP' and AccountStatus = 'Enabled' and not(Attribute1 != '&NotPresent&')]"

People synchronised to office 365 but without any licenses
$filter = "/Person[SyncTo365 = True and not(Office365ServicePlans = /Office365License)]"

People locked out for SSPR
$filter = "/Person[ObjectID = /Set[DisplayName = 'All People with Internal Accounts enabled']/ComputedMember and (AuthNWFLockedOut = '9c3aca59-a85c-437f-bb67-9ce5a70521d7')]"

Orphaned ERE's that don't have a parent
$filter = "/ExpectedRuleEntry[not(ResourceParent = /Set[DisplayName = 'All Objects']/ComputedMember)]"

Note that a few of these reference a custom object type of Office 365 license (see this post).

Wayne's World of IT (WWoIT). 
at 3 comments: