Labels

Saturday, July 25, 2020

PCNS and Kerberos S4U2Self updating lastLogonTimestamp

While trying to decommission a legacy user domain that was a target for MIM password synchronisation, I noticed that lastLogonTimestamp was being updated whenever a password was changing in another connected forest. It turns out this was because we still had PCNS on Domain Controllers in the legacy forest (for bi-directional password sync), and a ‘feature’ of PCNS is to update lastLogonTimestamp due to a Kerberos S4U2Self network logon. Note that this is still governed by the ‘ms-DS-Logon-Time-Sync-Interval’ attribute (default 14 days) providing a window so that LLT isn’t updated *every* time you log on, only as soon as you fall out of the time sync window.

I poked around a little and I believe this occurs because the pcnssvc.exe calls the AuthzInitializeContextFromSid() function, which appears to perform a network logon of the target user to grab information from the token. This uses the Kerberos 2003 extensions for S4U (service for user). This made it invalid to use lastLogonTimestamp as a mechanism to determine whether accounts are still being logged in to, as PCNS was making it seem like they were!

I also think that anything that uses the S4U extensions will exhibit the same behaviour. For example, to do an equivalent in PowerShell, you can create a new windows identity object with only the UPN, which also results in a network logon of the target account:


  new-object system.security.principal.windowsidentity("user@domain.com")

This results in event 4624 network logon on the local machine - which consequently will fail if the target user doesn’t have SeNetworkLogonRight – ‘Access this computer from the network’ right:

  Logon Information:
 Logon Type:  3
 Restricted Admin Mode: -
 Virtual Account:  No
 Elevated Token:  Yes

  Impersonation Level:  Identification

And looking at the Kerberos conversation, after getting a TGT, it ends doing a AP-REQ using the ‘PA-FOR-USER’ S4U2Self structure:










And once the ticket has been acquired, if you use ‘klist tickets’, you’ll see the krbtgt and the S4U ticket (only showing your user, it won’t display the:













References:

AuthzInitializeContextFromSid function
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376309(v=vs.85).aspx AuthzInitializeContextFromSid attempts to retrieve the user's token group information by performing an S4U logon. AuthzInitializeContextFromSid attempts to retrieve the information available in a logon token had the client actually logged on. An actual logon token provides more information, such as logon type and logon properties, and reflects the behavior of the authentication package used for the logon.

WindowsIdentity Constructor (String)
http://msdn.microsoft.com/en-us/library/td3046fc.aspx
This constructor is intended for use on computers joined only to Windows Server 2003 domains. An exception is thrown for other domain types. This restriction is because the constructor uses the KERB_S4U_LOGON structure.

Kerberos S4U2self
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13
The S4U2self extension allows a service to obtain a service ticket to itself on behalf of a user. The user is identified to the KDC using the user's name and realm. Alternatively, the user might be identified based on the user's certificate. The Kerberos ticket-granting service (TGS) exchange request and response messages, KRB_TGS_REQ and KRB_TGS_REP, are used along with one of two new data structures. The new PA-FOR-USER data structure is used when the user is identified to the KDC by the user name and realm name.

Wayne's World of IT (WWoIT). 

1 comment:

Kungfuqq441 said...

http://www.yonggitsd.com/ Yonggitsd sudah terpercaya menjadi blog dalam pencarian informasi-informasi penting mengenai permainan judi online seperti idn poker dan domino qq online.


All Posts

printQueue AD objects for 2003 ClusterVirtualCenter Physical to VirtualVirtual 2003 MSCS Cluster in ESX VI3
Finding duplicate DNS recordsCommand-line automation – Echo and macrosCommand-line automation – set
Command-line automation - errorlevels and ifCommand-line automation - find and findstrBuilding blocks of command-line automation - FOR
Useful PowerShell command-line operationsMSCS 2003 Cluster Virtual Server ComponentsServer-side process for simple file access
OpsMgr 2007 performance script - VMware datastores...Enumerating URLs in Internet ExplorerNTLM Trusts between 2003 and NT4
2003 Servers with Hibernation enabledReading Shortcuts with PowerShell and VBSModifying DLL Resources
Automatically mapping printersSimple string encryption with PowerShellUseful NTFS and security command-line operations
Useful Windows Printer command-line operationsUseful Windows MSCS Cluster command-line operation...Useful VMware ESX and VC command-line operations
Useful general command-line operationsUseful DNS, DHCP and WINS command-line operationsUseful Active Directory command-line operations
Useful command-linesCreating secedit templates with PowerShellFixing Permissions with NTFS intra-volume moves
Converting filetime with vbs and PowerShellDifference between bat and cmdReplica Domain for Authentication
Troubleshooting Windows PrintingRenaming a user account in ADOpsMgr 2007 Reports - Sorting, Filtering, Charting...
WMIC XSL CSV output formattingEnumerating File Server ResourcesWMIC Custom Alias and Format
AD site discoveryPassing Parameters between OpsMgr and SSRSAnalyzing Windows Kernel Dumps
Process list with command-line argumentsOpsMgr 2007 Customized Reporting - SQL QueriesPreventing accidental NTFS data moves
FSRM and NTFS Quotas in 2003 R2PowerShell Deleting NTFS Alternate Data StreamsNTFS links - reparse, symbolic, hard, junction
IE Warnings when files are executedPowerShell Low-level keyboard hookCross-forest authentication and GP processing
Deleting Invalid SMS 2003 Distribution PointsCross-forest authentication and site synchronizati...Determining AD attribute replication
AD Security vs Distribution GroupsTroubleshooting cross-forest trust secure channels...RIS cross-domain access
Large SMS Web Reports return Error 500Troubleshooting SMS 2003 MP and SLPRemotely determine physical memory
VMware SDK with PowershellSpinning Excel Pie ChartPoke-Info PowerShell script
Reading web content with PowerShellAutomated Cluster File Security and PurgingManaging printers at the command-line
File System Filters and minifiltersOpsMgr 2007 SSRS Reports using SQL 2005 XMLAccess Based Enumeration in 2003 and MSCS
Find VM snapshots in ESX/VCComparing MSCS/VMware/DFS File & PrintModifying Exchange mailbox permissions
Nested 'for /f' catch-allPowerShell FindFirstFileW bypassing MAX_PATHRunning PowerSell Scripts from ASP.Net
Binary <-> Hex String files with PowershellOpsMgr 2007 Current Performance InstancesImpersonating a user without passwords
Running a process in the secure winlogon desktopShadow an XP Terminal Services sessionFind where a user is logged on from
Active Directory _msdcs DNS zonesUnlocking XP/2003 without passwords2003 Cluster-enabled scheduled tasks
Purging aged files from the filesystemFinding customised ADM templates in ADDomain local security groups for cross-forest secu...
Account Management eventlog auditingVMware cluster/Virtual Center StatisticsRunning scheduled tasks as a non-administrator
Audit Windows 2003 print server usageActive Directory DiagnosticsViewing NTFS information with nfi and diskedit
Performance Tuning for 2003 File ServersChecking ESX/VC VMs for snapshotsShowing non-persistent devices in device manager
Implementing an MSCS 2003 server clusterFinding users on a subnetWMI filter for subnet filtered Group Policy
Testing DNS records for scavengingRefreshing Computer Account AD Group MembershipTesting Network Ports from Windows
Using Recovery Console with RISPAE Boot.ini Switch for DEP or 4GB+ memoryUsing 32-bit COM objects on x64 platforms
Active Directory Organizational Unit (OU) DesignTroubleshooting computer accounts in an Active Dir...260+ character MAX_PATH limitations in filenames
Create or modify a security template for NTFS perm...Find where a user is connecting from through WMISDDL syntax in secedit security templates

About Me

I’ve worked in IT for over 20 years, and I know just about enough to realise that I don’t know very much.