Mark Minasi's Tech Forum
jsclmedave (Administrator), post #1
Attempting to help an IT Techy colleague out on this issue.

Scenario - 

An application scanning Servers in multiple Domains via their IP Address. Since it is by IP address, Kerberos is not used for authentication.

It should fall back to NTLM \ LDAP call to a DC to verify the user account and password.


Issue is that the Account Name (BigDog) exists in multiple domains with different passwords.


The application attempts to connect to DomainA\ServerA


The connection is refused for Bad Password Attempt - FROM a DC in DomainE ..!

The event logs show -



Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/13/2018  3:11:07 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ServerA.DomainA.com
Description:
An account failed to log on.
Subject:
    Security ID:     NULL SID
    Account Name:    -
    Account Domain:  -
    Logon ID:        0x0
Logon Type:          3
Account For Which Logon Failed:
    Security ID:     NULL SID
    Account Name:    BigDog
    Account Domain:  DomainE
Failure Information:
    Failure Reason:  Unknown user name or bad password.
    Status:          0xC000006D
    Sub Status:      0xC000006A
Process Information:
    Caller Process ID:    0x0
    Caller Process Name:  -
Network Information:
    Workstation Name:        ServerA
    Source Network Address:  10.10.230.12
    Source Port:             63226
Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0



Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/13/2017 4:10:53 PM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DomainADomainController.DomainA.com
Description:
The computer attempted to validate the credentials for an account.

Authentication Package:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:           BigDog
Source Workstation:      ApplicationServerA
Error Code:              0xC0000234

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{BR549-5478-4994-A5BA-3E3B032OU812}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2018-13-06T20:10:53.139638600Z" />
    <EventRecordID>151411106</EventRecordID>
    <Correlation />
    <Execution ProcessID="580" ThreadID="11152" />
    <Channel>Security</Channel>
    <Computer>DomainADomainController.DomainA.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">BigDog</Data>
    <Data Name="Workstation">ServerA</Data>
    <Data Name="Status">0xc0000234</Data>
  </EventData>
</Event>

I read somewhere (I've searched all day via Google) that when using NTLM \ LDAP the Domain portion, or Header.

So basically, since the BigDog account exists in multiple Domains which the Application Server has access to, it appears that the first DC that replies is providing the PW even if it's the wrong Domain...


I am proposing that they change the account name in each Domain to reflect that Domain

BigDogA
BigDogB
BigDogC
BigDogE

Then use those accounts accordingly for each domain.

BUT proof is needed that the DomainA\ is getting stripped off of the authentication request.

So any links showing this would be greatly appreciated...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

Donato, post #2
Would you mind telling us the name of the program that you are using to scan? Can he log in to each domain manually using RDP or something else first? Then run the scan?
jsclmedave (Administrator), post #3
Service Now. 

Manual RDP login to a Server in DomainE works fine IF the account is not locked out.

Mid Servers (Scanning) are located in all of the Domains.  If I manually RDP to one of those Servers and from there connect via RDP I'm good. 

In the above example both the Scanning Server and the Target Server are in the same DomainA, but the DC that responded to the request was in DomainE. In that Domain the Account name is the same, but the password is not, so it counts as a failed attempt.

That's why I believe that the Domain Name is getting stripped off during the authentication request and the wrong DC is replying with the wrong password since it cannot tell that the account is for DomainA.



Donato, post #4
I don't know that program but a quick Google search mentioned something about login scripts & UI. It's a long shot.

https://community.servicenow.com/community?id=community_blog&sys_id=0a3daae5dbd0dbc01dcaf3231f9619fa
Pieter (Senior Member), post #5
Are those multiple domains part of one forest, or trusted domains?
I guess you can't set the same password for all BigDog accounts in the different domains?
Does using UPN help you out?

>> Proof is needed that the DomainA\  is getting stripped
Sniffing tool, WireShark?
Ask the supplier/developer?

__________________
Pieter Demeulemeester
lady_mcse (Senior Member), post #6
Being a person who communes regularly with horses and cats who are both extremely curious critters ... 
What would happen if you change the password of DomainE\Bigdog to be the same as the password for DomainA\Bigdog?

Donato, post #7
Both of those ideas crossed my mind too, the trusted domain & the password change ideas & I don't even have a horse or a cat.
dennis-360ict, post #8
I'm a bit lost and curious what you are trying to achieve, could you elaborate?
__________________
-----
Home is where is sleep
Donato, post #9
Dennis, his friend is trying to complete a remote vulnerability scan that requires that he be logged in to the targets which sounds strange but I'm not familiar with that software. The targets have the same computer name with different passwords.
jsclmedave (Administrator), post #10
Quote:
Originally Posted by Donato
Dennis, his friend is trying to complete a remote vulnerability scan that requires that he be logged in to the targets which sounds strange but I'm not familiar with that software. The targets have the same computer name with different passwords.


No not same Computer name...

Same Account in each Domain (NOT same Forest) that has a different Password.


Separate Domains, Separate Forest, NOT all trusted. 

In the example shown DomainE is NOT a trusted Domain with DomainA.



ServerA IS in DomainA. However, via the event logs we see the authenticating Domain Controller is in DomainE, which does have that account, but the password is not the same as the account (same name) in DomainA.

We have captured traffic and the DomainA\ part is missing, only the account name is present.

MGT wants an answer to THAT.  Why is the DomainA\ getting dropped during the authentication process??  IF the DomainA\ was still there the DC in DomainE should not have even attempted to answer.  Since it is missing and DomainE has that account it is answering with the wrong password.


Having the same password in each domain would be considered a security risk and would open the door to an audit nightmare.


I have already suggested different Account Names in each Domain so that DCs in other Domains would not have those accounts and so should not try to authenticate.

Again main thing needed is that MGT wants an answer to WHY is the DomainA\ getting dropped during the authentication process in the event logs and wireshark captures.

Is that normal for NTLM \ LDAP authentication..?   Find the answer to that and they can press on.


UPDATE!: They are checking to see if they can pass the accounts UPN name -  BigDog@DomainA.com
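A defender's way to triage the 4625 / 4776 records quoted in the opening post and the DomainA/DomainE discrepancy raised in this one. This is an added example, not code from the thread or from ServiceNow: it flattens the Event XML, decodes the standard Windows NTSTATUS codes, and flags a 4625 whose presented Account Domain differs from the domain of the computer that logged it. The two sample records are constructed from the posted values, with unrelated fields omitted.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Standard NTSTATUS values that appear in 4625 Sub Status and 4776 Error Code.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample records modelled on the two events posted in the thread.
EVENT_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><Computer>ServerA.DomainA.com</Computer></System>
 <EventData>
  <Data Name="TargetUserName">BigDog</Data>
  <Data Name="TargetDomainName">DomainE</Data>
  <Data Name="Status">0xc000006d</Data>
  <Data Name="SubStatus">0xc000006a</Data>
 </EventData></Event>"""

EVENT_4776 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4776</EventID><Computer>DomainADomainController.DomainA.com</Computer></System>
 <EventData>
  <Data Name="TargetUserName">BigDog</Data>
  <Data Name="Workstation">ServerA</Data>
  <Data Name="Status">0xc0000234</Data>
 </EventData></Event>"""

def parse_event(xml_text):
    """Flatten System/EventID, System/Computer and every EventData field."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
           "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.iterfind("e:EventData/e:Data", NS):
        rec[d.get("Name")] = (d.text or "").strip()
    return rec

def triage(rec):
    """Decode the failure code; on 4625 compare the domain the client presented
    for the account with the domain of the computer that logged the event."""
    code = int(rec["SubStatus" if rec["EventID"] == 4625 else "Status"], 16)
    out = {"event": rec["EventID"], "account": rec["TargetUserName"],
           "reason": NTSTATUS.get(code, f"0x{code:08X}")}
    if rec["EventID"] == 4625:
        labels = rec["Computer"].split(".")
        host_domain = labels[1] if len(labels) > 1 else ""
        out["presented_domain"] = rec["TargetDomainName"]
        out["domain_mismatch"] = rec["TargetDomainName"].lower() != host_domain.lower()
    return out
```

Run over a real export, a mismatch together with STATUS_WRONG_PASSWORD on the member server and STATUS_ACCOUNT_LOCKED_OUT on the DC is exactly the pattern the poster describes, which narrows the hunt to whichever client is presenting the other domain's name.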
Donato, post #11
Quote:
Having the same password in each domain would be considered a security risk and would open the door to an audit nightmare.

It doesn't have to stay that way forever, just enough to finish the scan.
Quote:
I have already suggested different Account Names in each Domain so that other DC in other Domains would not have those accounts so should not try to authenticate.

Yes, I saw your suggestion. The thing is that it's easier to change a password for a day or two than it is to change an account name.
Quote:
Again main thing needed is that MGT wants an answer to WHY is the DomainA\ getting dropped during the authentication process in the event logs and wireshark captures.

Answering that question is the hardest part of the entire problem. I think that if your friend finishes the scan by changing the passwords temporarily, he can give management a finished scan report & he will have time to work on that question. Is he starting the scan from outside all the domains?

jsclmedave (Administrator), post #12
Quote:
Originally Posted by Donato

It doesn't have to stay that way forever, just enough to finish the scan.



Scans are daily AND upon request to fix a Server record, so basically 24/7.

Quote:
Originally Posted by Donato

Yes, I saw your suggestion. The thing is that it's easier to change a password for a day or two than it is to change an account name.


Their AD Team is ready to streamline the change since they are ready to put this issue to rest once and for all.  The only thing that "should" be using this account are the scanning applications.  Placing new account names or changing them in the app can be done in an hour tops.


Quote:
Originally Posted by Donato

Answering that question is the hardest part of the entire problem. I think that if your friend finishes the scan by changing the passwords temporarily, he can give management a finished scan report & he will have time to work on that question. Is he starting the scan from outside all the domains?


Scans for all of the Domains are continuous and upon request. 

Donato, post #13
Did they just switch to Service Now & did the problem just arise due to the change? The only other solution that comes to mind is to download Service Now to each domain & run it there unless a different license has to be bought for each site.
jsclmedave (Administrator), post #14
Quote:
Originally Posted by Donato
Did they just switch to Service Now & did the problem just arise due to the change? The only other solution that comes to mind is to download Service Now to each domain & run it there unless a different license has to be bought for each site.


No, this has been a recurring problem for a long time. The AD people I know over there told them almost 3 years ago this was going to cause issues and to have a diff Account Name in each Domain, but the SVCNOW team wouldn't listen. Which I know their AD reminds them of every time they close a ticket about the issue.

I suspect that others are also using those accounts for who knows what as well, compounding the issue, so changing to a new name and even changing the PW then locking it down tight could also be accomplished.

When people start screaming about it you will see who else was using it...
