Monthly Archives: March 2017

Azure AD Pass-through Authentication – How does it work? Part 1

Posted on by

Hi everyone. I decided to take a break from the legacy and jump back to modern. Today I’m going to do some digging into Microsoft’s Azure AD Pass-through Authentication solution. The feature was introduced into public preview in December of 2016 and was touted as the simple and easy alternative to AD FS. Before I jump into the weeds of pass-through authentication, let’s do a high level overview of each option.

I will first cover the AD FS (Active Directory Federation Services) solution. When AD FS is used a solution for authentication to Azure Active Directory, it’s important to remember that AD FS is simply a product that enables the use of a technology to solve a business problem. In this instance the technology we are using is modern authentication (sometimes referred to as claims-based authentication) to solve the business problem of obtaining some level of assurance that a user is who they say they are.

When Azure AD and AD FS are integrated to enable the use of modern authentication, the Windows Services Federation Language (WS-FED) standard is used. You are welcome to read the standard for details, but the gist of WS-FED is a security token service generates logical security tokens (referred to assertions) which contain claims. The claims are typically pulled from a data store (such as Active Directory) and contain information about the user’s identity such as logon ID or email address. The data included in claims has evolved significantly over the past few years to include other data about the context of the user’s device (such as a trusted or untrusted device) and user’s location (coming from a trusted or untrusted IP range). The assertions are signed by the security token service (STS) and delivered to an application (referred to as the relying party) which validates the signature on the assertion, consumes the claims from the assertion, and authorizes the user access to the application.

You may have noticed above that we never talked about a user’s credentials. The reason for that is the user’s credentials aren’t included in the assertion. Prior to the STS generating the assertion, the user needs to authenticate to the STS. When AD FS is used, it’s common for the user to authenticate to the STS using Kerberos. Those of you that are familiar with Active Directory authentication know that a user obtains a Kerberos ticket-granting-ticket during workstation authentication to a domain-joined machine. When the user accesses AD FS (in this scenario the STS) the user provides a Kerberos service ticket. The process to obtain that service ticket, pass it to AD FS, getting an assertion, and passing that assertion back to the Azure AD (relying party in this scenario) is all seamless to the user and results in a true single sign-on experience. Additionally, there is no need to synchronize a user’s Active Directory Domain Services password to Azure AD, which your security folk will surely love.

The challenge presented with using AD FS as a solution is you have yet another service which requires on-premises infrastructure, must be highly available, and requires an understanding of the concepts I have explained above. In addition, if the service needs to be exposed to the internet and be accessible by non-domain joined machines, a reverse proxy (often Microsoft Web Application Proxy in the Microsoft world) which also requires more highly available infrastructure and the understanding of concepts such as split-brain DNS.

Now imagine you’re Microsoft and companies want to limit their on-premises infrastructure and the wider technology mark is slim in professionals that grasp all the concepts I have outlined above. What do you do? Well, you introduce a simple lightweight solution that requires little to no configuration or much understanding of what is actually happening. In come Azure AD Pass-through authentication.

Azure AD Pass-through authentication doesn’t require an STS or a reverse proxy. Nor does it require synchronization of a user’s Active Directory Domain Service password to Azure AD. It also doesn’t require making changes to any incoming flows in your network firewall. Sounds glorious right? Microsoft thinks this as well, hence why they’ve been pushing it so hard.

The user experience is very straightforward where the user plugs in their Active Directory Domain Services username and password at the Azure AD login screen. After the user hits the login screen, the user is logged in and go about their user way. Pretty fancy right? So how does Microsoft work this magic? It’s actually quite complicated but ingeniously implemented to seem incredibly simplistic.

The suspense is building right? Well, you’ll need to wait until my next entry to dig into the delicious details. We’ll be using a variety of tools including a simple packet capturing tool, a web proxy debugging tool, and an incredibly awesome API monitoring tool.

See you next post!

Digging deep into the AD DS workstation logon process – Part 3

Posted on by

Today I will continue my series of posts on the AD DS workstation logon process. In part 1 I covered the DC locator process and in part 2 a breakdown of the SMB conversation. In today’s post we’ll focus on the NetLogon process.

Let’s first take a few minutes to talk about the NetLogon Remote Protocol (MS-NRPC). The protocol serve a number of purposes in an Active Directory environment. Those purposes vary upon whether it is a member or domain controller making a remote call, but can be summed up as follows:

  1. Pass-through authentication – Deliver the logon request from the domain-joined machine to the domain controller for verification of the credentials and return of user authorization attributes (such as groups) back to the domain-joined machine.
  2. Pass-through authentication and domain trusts – Establish a secure channel to pass a logon request from a domain controller in the trusting domain to a domain controller in the trusted domain.
  3. Secure control maintenance – Allow the workstation to cycle its credential over a secure channel with the domain controller.
  4. Domain trust services – Allows applications to obtain a listing of domain trusts
  5. Message protection services – Used to authenticate the messages sent and received from a domain controller such as with the Windows Time service.
  6. Administrative services – Used for the following operations
    • NetLogon on Domain Controllers
      • Receive logon request
      • Determine account domain
      • Determine trust link
      • Find DC in trusted domain and setup secure channel
      • Deliver logon request
      • Return user validation data
    • NetLogon on Domain Members
      • Find a DC in its domain and setup secure channel
      • Logon requests flow over that channel going forward, including machine account password changes
  7. Account database replication – In Windows 2000 there existed the concept of a primary domain controller and backup domain controller. At that time NetLogon was used to replicate the account database between the BDC and PDC.

Since this series is focused on the workstation logon process, the sixth function for administrative services is functionality I’ll be breaking down in the remainder of the post. Here also is a link to the MS-NRPC specification which I used heavily to put together this post.

Shall we then?

  1. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 135
    Protocol: RPC
    Purpose: The domain-joined workstation initiates a request for a bind handle from the domain controller’s RCP EndPoint Mapper Service. The domain controller responds with a bind acknowledgement providing the information necessary for the workstation to now connect to the RCP Endpoint Mapper.
    Link:

  2. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 135
    Protocol: RPC
    Purpose: The domain-joined workstation queries the endpoint mapper on the domain controller for the endpoint that it can connect to in order to call the NRPC application. The domain controller responds with the IP and port information.

  3. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: (Random port from DC’s dynamic port range)
    Protocol: RPC
    Purpose: The domain-joined workstation initiates a request for a bind handle for the NRPC application from the endpoint it received in the previous step. The domain controller responds with a bind acknowledgement providing the information necessary for the workstation to now connect to the NRPC application.

  4. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: (Random port from DC’s dynamic port range)
    Protocol: RPC
    Purpose: The domain-joined workstation calls the NetrServerReqChallenge method and and provides the necessary variables. Three of those key variables are:

    1. PrimaryName – The name of the server receiving the call
    2. ComputerName – The name of the client making the call
    3. ClientChallenge – A 64-bit nonce generated by the client. I’ll explain how this is used later in the process.

    The domain controller returns the ServerChallenge, which is a 64-bit nonce generated by the server.
    Links:

  5. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: (Random port from DC’s dynamic port range)
    Protocol: RPC
    Purpose: The domain-joined workstation calls the NetrServerAuthenticate3 method and and provides the necessary variables. The key variables here are:

    1. PrimaryName – The name of the server receiving the call
    2. AccountName – The name of the the account that contains the password of the computer account.
    3. SecureChannelType – Describes the type of channel being requested. In this case we are requesting a WorkstationSecureChannel.
    4. ComputerName – The name of the client making the call
    5. ClientCredential – The client credential is the encrypted 64-bit client challenge exchanged with the server at the previous step. The challenge is encrypted using the workstation’s secret key (computer account’s Active Directory credential). The encryption used will depend on what the client supports. In this scenario, with the default configuration on a Windows Server 2016, it is AES128.
    6. NegotiateFlags – Provides information about the workstation’s capabilities including encryption methods the client supports.

    The domain controller validates the client credential by accessing the workstation’s secret key (computer account’s Active Directory credential) and inputing it into the agreed upon encryption algorithm along with the client challenge received earlier. After the workstation’s identity is validated, the domain controller returns the following information:

    • Server Credential – The encrypted 64-bit server challenge exchanged with the workstation earlier in the process. The challenge is encrypted using the workstation’s secret key (computer account’s Active Directory credential). The encryption used will depend on what the client supports. In this scenario, with the default configuration on a Windows Server 2016, it is AES128.
    • NegotiateFlags – Provides information about the domain controller’s capabilities including encryption methods the client supports.
    • AccountRID – The workstation’s RID
    • ReturnValue – Success or Error

    The workstation validates the server credential by accessing its secret key (computer account’s Active Directory credential) and inputing it into the agreed upon encryption algorithm along with the server challenge received earlier. Once the credential is verified, the computer value will be used as the session key going forward for communication between the two nodes.
    Links:

  6. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: (Random port from DC’s dynamic port range)
    Protocol: RPC
    Purpose: The domain-joined workstation requests that further calls to the NRPC application be authenticated and encrypted. The domain controller accepts the alteration in communication context.

  7. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: (Random port from DC’s dynamic port range)
    Protocol: RPC
    Purpose: *This conversation is encrypted* The domain-joined workstation calls the NetrLogonGetCapabilities method. The domain controller returns the same capabilities it returned when NetrServerAuthenticate3 was called. The client then examines these capabilities to verify they match what was originally received to setup the secure session. This is performed to mitigate man-in-the-middle attacks.

  8. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: (Random port from DC’s dynamic port range)
    Protocol: RPC
    Purpose: *This conversation is encrypted* The domain-joined workstation calls the NetrLogonGetDomainInfo method. The domain controller returns information about the domain the client belongs to. The information returned includes properties such as the DNS Domain Name, DNS Forest Name, and Domain SID.

  9. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 135
    Protocol: RPC
    Purpose: The domain-joined workstation queries the endpoint mapper on the domain controller for the endpoint that it can connect to in order to call the LSARpc application. The domain controller responds with the IP and port information.

  10. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 389
    Protocol: LDAP
    Purpose: The domain-joined workstation establishes a connection to the LDAP service on the domain controller and queries the RootDSE with the following query:

    • Filter: (objectclass Present)
    • Attributes: Attributes: ( subschemaSubentry )( dsServiceName )( namingContexts )( defaultNamingContext )( schemaNamingContext )( configurationNamingContext )( rootDomainNamingContext )( supportedControl )( supportedLDAPVersion )( supportedLDAPPolicies )( supportedSASLMechanimsms ) ( dnsHostName ) ( ldapServiceName ) ( serverName ) ( supportedCapabilities)

    The domain controller returns the information to the workstation.

  11. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: (Random port from DC’s dynamic port range)
    Protocol: RPC
    Purpose: The domain-joined workstation initiates a request for a bind handle for the LSARpc application from the endpoint it received in the previous step. The domain controller responds with a bind acknowledgement providing the information necessary for the workstation to now connect to the NRPC application.

  12. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 88
    Protocol: Kerberos
    Purpose: The domain-joined machine attempts to verify its identity with the domain controller by sending a KRB-AS-REQ without pre-authentication data. The domain controller checks the object that represents the principal to determine if the account has the “Do not require Kerberos preauthentication.” If the option is not checked, the domain controller returns KRB_ERROR (25) indicating preauthentication data is required.

  13. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: (Random port from DC’s dynamic port range)
    Protocol: RPC
    Purpose: *This conversation is encrypted* The domain-joined workstation calls the LsarLookupNames4 method. This method translates batches of security principals to their SID form. The domain controller responds by translates the principals to SIDs. The communication is encrypted with the session key established during the NetLogon process.

    I can’t find any clear cut information on this, but my guess is the workstation is attempting to resolve its own SID and perhaps the SID of the domain controller for processing of access control lists.

  14. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 88
    Protocol: Kerberos
    Purpose: The domain-joined machine re-attempts to verify its identity with the domain controller by sending a KRB-AS-REQ with pre-authentication data. The domain controller validates the principal’s identity and responds with a KRB-AS-REP which includes a Kerberos TGT for the principal to use to obtain additional Kerberos service tickets.

We’ll break here for today. In the next entry we’ll start to hit some of the LDAP conversation that goes on between the workstation and the domain controller. Much of that conversation is encrypted, so I’ll be doing my best to correlate the LDAP queries that appear in the Directory Services log back to the packet captures.

Thanks and see you then!

Digging deep into the AD DS workstation logon process – Part 2

Posted on by

Welcome back.

Today I will continue my analysis of the workstation logon process. Please take a read through Part 1 if you haven’t already. We left off with the workstation obtaining a Kerberos service ticket in order to authenticate to the domain controller to access the SMB share.

Ready? Let’s go!

  1. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 445
    Protocol: SMB
    Purpose: The domain-joined workstation requests a new authenticated SMB session with the domain controller and provides its Kerberos service ticket as proof of authentication.
    Links:

  2. Source: Domain-joined machine
    Destination: Primary DNS Server
    Connection: UDP
    Port: 53
    Protocol: DNS
    Purpose: DsGetDcName API issues a DNS query for an SRV record to the domain-joined machine’s primary DNS server for a domain controller offering the Kerberos service within its site using the SRV record of _ldap._tcp.FAKESITE._sites.dc._msdcs.contoso.local. The primary DNS server returns the results of the SRV query.

  3. Source: Domain-joined machine
    Destination: Domain Controller resolved from IP returned from previous step
    Connection: UDP
    Port: 389
    Protocol: LDAP
    Purpose: DsGetDcName API on domain-joined machine issues a specially crafted LDAP query (referred to by Microsoft as an LDAP Ping) to the domain controller it receives back from the query and then queries the RootDSE for the NetLogon attribute. The detail query is as follows:

    • Filter: (&(DnsDomain=)(Host=HOSTNAME)(DomainGUID=)(NtVer=)(DnsHostName=))
    • Attributes: NetLogon

    The domain controller passes the query to the NetLogon service running on the domain controller which evaluates the query to determine which site the server belongs in. The domain controller returns information about its state and provides the information detailed below (https://msdn.microsoft.com/en-us/library/cc223807.aspx):

    • Flags:
      • DSPDCFLAG – DC is PDC of the domain
      • DSGCFLAG – DC is a GC of the forest
      • DSLDAPFLAG – Server supports an LDAP server
      • DSDSFlag- DC supports a DS and is a domain controller
      • DSKDCFlag DC is running KDC service
      • DSTimeServFlag – DC is running time service
      • DSClosestFlag – DC is in the closest site to the client
      • DSWritableFLag – DC has a writable DS
      • DSGoodTimeServFlag (0) – DC is running time service
      • DSNDNCFlag – DomainName is a non-domain NC serviced by the LDAP server
      • DSSelectSecretDomain6Flag – the server is a not an RODC
      • DSFullSecretDomain6Flag – The server is a writable DC
      • DSWSFlag – The Active Directory Web Service is present on the server
      • DSDNSControllerFlag – DomainControllerName is not a DNS name
      • DSDNSDomainFlag – DomainName is not a DNS name
      • DSDNSForestFlag – DnsForestName is not a DNS name
    • DomainGuid:
    • DnsForestName: contoso.local
    • DnsDomainName: contoso.local
    • DnsHostName: dc2.contoso.local
    • NetbiosDomainName: CONTOSO
    • NetbiosComputerName: DC2
    • Username:
    • DcSiteName: FAKESITE
    • ClientSiteName: FAKESITE
    • NextClosestSIteName: Default-First-Site-Name

    The client caches this information to its DCLocator cache.

  4. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 445
    Protocol: SMB
    Purpose: The domain-joined workstation sends an SMB TREE CONNECT Request to the domain controller for the IPC$ share accessed by \IPC$. The IPC$ share is used to setup a named pipe for further RPC calls to the service such as allowing the workstation to enumerate the shares available on the server. The domain controller responds with an SMB TREE CONNECT Response providing information about the capabilities of the IPC$ share.
    Links:

  5. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 445
    Protocol: SMB
    Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control FSCTL_VALIDATE_NEGOTIATE_INFO (0x00140204). This control is used to verify that the domain controller hasn’t changed the authentication mechanism originally negotiated. The domain controller responds with an SMB IOCTL Response confirming the authentication mechanism has not changed. This helps to prevent man in the middle attacks.
    Links:

  6. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 445
    Protocol: SMB
    Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control FSCTL_QUERY_NETWORK_INTERFACE_INFO (0x001401FC). This control is used to determine whether or not the server has multiple IPs and a new channel should be established. The domain controller responds with an SMB IOCTL Response providing an answer.
    Links:

  7. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 445
    Protocol: SMB
    Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control SCTL_DFS_GET_REFERRALS (0x00060194). This control requests the DFS referral for the domain-based DNS root. The domain controller responds with an SMB IOCTL Response providing an answer with an entry for the FQDN and NetBios entries.
    Links:

  8. Source: Domain-joined machine
    Destination: Primary DNS Server
    Connection: UDP
    Port: 389
    Protocol: LDAP
    Purpose: The domain-joined workstation sends a DNS query for the A record for the second domain controller record it received back in the initial queries for the various SRV records. The domain controller responds with the answer to the DNS query.

  9. Source: Domain-joined machine
    Destination: Domain Controller resolved from IP returned from previous step
    Connection: UDP
    Port: 389
    Protocol: LDAP
    Purpose: DsGetDcName API on domain-joined machine issues a specially crafted LDAP query (referred to by Microsoft as an LDAP Ping) to the domain controller it receives back from the query and then queries the RootDSE for the NetLogon attribute. The detail query is as follows:

    • Filter: (&(DnsDomain=)(Host=HOSTNAME)(DomainGUID=)(NtVer=)(DnsHostName=))
    • Attributes: NetLogon

    The domain controller passes the query to the NetLogon service running on the domain controller which evaluates the query to determine which site the server belongs in. The domain controller returns information about its state and provides the information detailed below (https://msdn.microsoft.com/en-us/library/cc223807.aspx):

    • Flags:
      • DSPDCFLAG – DC is PDC of the domain
      • DSGCFLAG – DC is a GC of the forest
      • DSLDAPFLAG – Server supports an LDAP server
      • DSDSFlag- DC supports a DS and is a domain controller
      • DSKDCFlag DC is running KDC service
      • DSTimeServFlag – DC is running time service
      • DSClosestFlag – DC is in the closest site to the client
      • DSWritableFLag – DC has a writable DS
      • DSGoodTimeServFlag (0) – DC is running time service
      • DSNDNCFlag – DomainName is a non-domain NC serviced by the LDAP server
      • DSSelectSecretDomain6Flag – the server is a not an RODC
      • DSFullSecretDomain6Flag – The server is a writable DC
      • DSWSFlag – The Active Directory Web Service is present on the server
      • DSDNSControllerFlag – DomainControllerName is not a DNS name
      • DSDNSDomainFlag – DomainName is not a DNS name
      • DSDNSForestFlag – DnsForestName is not a DNS name
    • DomainGuid:
    • DnsForestName: contoso.local
    • DnsDomainName: contoso.local
    • DnsHostName: DCSERVER.contoso.local
    • NetbiosDomainName: CONTOSO
    • NetbiosComputerName: DCSERVER
    • Username:
    • DcSiteName: Default-First-Site-Name
    • ClientSiteName: FAKESITE
    • NextClosestSIteName: Default-First-Site-Name

    The client caches this information to its DCLocator cache.

All right folks, we’re going to break here. My next post will continue with the NetLogon process.

Thanks and see you then!

Digging deep into the AD DS workstation logon process – Part 1

Posted on by

Hi everyone. The holidays are over, spring is quickly approaching, and it’s been far too long since I’ve had a chance to do a deep dive. This year I have some work on the agenda for Microsoft Active Directory Domain Services (AD DS). That work will require a very strong understanding of the network flows, ports, and protocols that provide the service. While there are many different resources on the web, I haven’t found one that gets to the level I’d like to see. This made for the perfect opportunity for a series of blog posts.

Many of us have faced the challenge where there is a requirement to separate the domain controllers providing the AD DS service and the domain members with a firewall. Microsoft does a wonderful job defining the ports and protocols required for this scenario in this link (https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx). The integration is pretty straightforward with the only decision typically being whether to define static RPC ports or leveraging a firewall which is capable of handling dynamic RPC ports.

One of the things I’ve always wondered is when are each of these ports and protocols used? What better place to start than a common source for troubleshooting? For this series of blogs I will do a deep dive into the flows a domain-joined machine uses and what happens within those connections. Yeah I know, AD DS isn’t that glamorous in the year 2017, but all the moving parts, protocols, standards, and functions that power something as seemingly simple as a logon are fascinating and worth a deeper look.

To provide for this scenario I built a small lab in Azure with three Windows Server 2016 Standard VMs. Each VM is configured as seen below:

Name: DCSERVER
Roles: Active Directory Domain Services, DNS
IP: 10.0.10.101

Name: DC2
Roles: Active Directory Domain Services, DNS
IP: 10.0.10.102

Name: MEMBER
Roles: None
IP: 10.0.10.100

The AD DS forest uses the CONTOSO.LOCAL DNS namespace and has one custom site defined named FAKESITE. DCSERVER is servicing the Default-First-Site-Name and DC2 is servicing FAKESITE. FAKESITE has been assigned a subnet range that includes MEMBER. For tools I used Procmon to capture the registry entries that a domain-joined member’s Active Directory site is cached to. Additionally I used netsh to perform a network capture at boot up

Beyond the network flows, I was interested in observing the DCLocator (DSGetDcName) API behavior. I cleared the three registry entries listed below to ensure MEMBER would perform a DCLocator query at boot up. Additionally I used netsh to get a network capture at boot up (https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/) and Microsoft Network Monitor to analyze the capture.

– HKLMSystemCurrentControlSetServicesTcpipParametersDomain
– HKLMSystemCurrentControlSetServicesNetlogonParametersSiteName
– HKLMSystemCurrentControlSetServicesNetlogonParameterDynamicSiteName

With the background information taken care of, let’s jump into workstation authentication process.

  1. Source: Domain-joined machine
    Destination: Primary DNS Server
    Connection: UDP
    Port: 53
    Protocol: DNS
    Purpose: DsGetDcName API on domain-joined machine uses the information collected from the registries entries listed at the bottom of this step to issue a DNS query for an SRV record to the machine’s primary DNS server for a server offering an LDAP service _ldap._tcp.dc_msdsc.contoso.local. The primary DNS server returns the results of the SRV query.

    • HKLMSystemCurrentControlSetServicesTcpipParametersHostname
    • HKLMSystemCurrentControlSetServicesTcpipParametersDomain
    • HKLMSystemCurrentControlSetServicesTcpipParametersNameServer
    • HKLMSystemCurrentControlSetServicesTcpipParametersDhcpNameServer
    • HKLMSystemCurrentControlSetServiesNetlogonParametersSiteName
    • HKLMSystemCurrentControlSetServiesNetlogonParametersDynamicSiteName
  2. Source: Domain-joined machine
    Destination: Primary DNS Server
    Connection: UDP
    Port: 53
    Protocol: DNS
    Purpose: DSGetDcName API on domain-joined machine issues a DNS query for the A record of a domain controller from the results of the SRV query. The primary DNS server returns the results of the A record query.

  3. Source: Domain-joined machine
    Destination: Domain Controller
    Connection: UDP
    Port: 389
    Protocol: LDAP
    Purpose: DsGetDcName API on domain-joined machine issues a specially crafted LDAP query (referred to by Microsoft as an LDAP Ping) to the domain controller querying the RootDSE for the NetLogon attribute. The detail query is as follows:

    • Filter: (&(DnsDomain=)(Host=HOSTNAME)(DomainSID=)(DomainGUID=)(NtVer=)(DnsHostName=))
    • Attributes: NetLogon

    The domain controller passes the query to the NetLogon service running on the domain controller which evaluates the query to determine which site the server belongs in. The domain controller returns information about its state and provides the information detailed below (https://msdn.microsoft.com/en-us/library/cc223807.aspx):

    • Flags:
      • DSPDCFLAG – DC is PDC of the domain
      • DSGCFLAG – DC is a GC of the forest
      • DSLDAPFLAG – Server supports an LDAP server
      • DSDSFlag- DC supports a DS and is a domain controller
      • DSKDCFlag DC is running KDC service
      • DSTimeServFlag – DC is running time service
      • DSClosestFlag – DC is in the closest site to the client
      • DSWritableFLag – DC has a writable DS
      • DSGoodTimeServFlag (0) – DC is running time service
      • DSNDNCFlag – DomainName is a non-domain NC serviced by the LDAP server
      • DSSelectSecretDomain6Flag – the server is a not an RODC
      • DSFullSecretDomain6Flag – The server is a writable DC
      • DSWSFlag – The Active Directory Web Service is present on the server
      • DSDNSControllerFlag – DomainControllerName is not a DNS name
      • DSDNSDomainFlag – DomainName is not a DNS name
      • DSDNSForestFlag – DnsForestName is not a DNS name
    • DomainGuid:
    • DnsForestName: contoso.local
    • DnsDomainName: contoso.local
    • DnsHostName: DCSERVER.contoso.local
    • NetbiosDomainName: CONTOSO
    • NetbiosComputerName: DCSERVER
    • Username:
    • DcSiteName: Default-First-Site-Name
    • ClientSiteName: FAKESITE
    • NextClosestSIteName: Default-First-Site-Name

    The client caches this information to its DCLocator cache and will perform another LDAP Ping to another domain controller if it was determined the domain controller is not within the client’s site.

  4. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 445
    Protocol: SMB
    Purpose: The domain-joined workstation sends an SMB2 NEGOTIATE Request to the domain controller and receives back an SMB2 Negotiate Response. This process allows the machines to agree upon an authentication mechanism. This SMB session will be leveraged through the logon process to communicate with a domain controller’s SYSVOL to process group policy and run any startup scripts.
    Links:

  5. Source: Domain-joined machine
    Destination: Primary DNS Server
    Connection: UDP
    Port: 53
    Protocol: DNS
    Purpose: DsGetDcName API issues a DNS query for an SRV record to the machine’s primary DNS server for a domain controller offering the Kerberos service using the SRV record of _kerberos._tcp.dc._msdcs.contoso.local. The primary DNS server returns the results of the SRV query.

  6. Source: Domain-joined machine
    Destination: Domain Controller
    Connection: UDP
    Port: 389
    Protocol: LDAP
    Purpose: DsGetDcName API on domain-joined machine issues a specially crafted LDAP query (referred to by Microsoft as an LDAP Ping) to the domain controller querying the RootDSE for the NetLogon attribute. The detail query is as follows:

    • Filter: (&(DnsDomain=)(Host=HOSTNAME)(DomainGUID=)(NtVer=)(DnsHostName=))
    • Attributes: NetLogon

    The domain controller passes the query to the NetLogon service running on the domain controller which evaluates the query to determine which site the server belongs in. The domain controller returns information about its state and provides the information detailed below (https://msdn.microsoft.com/en-us/library/cc223807.aspx):

    • Flags
      • DSPDCFLAG – DC is PDC of the domain
      • DSGCFLAG – DC is a GC of the forest
      • DSLDAPFLAG – Server supports an LDAP server
      • DSDSFlag- DC supports a DS and is a domain controller
      • DSKDCFlag DC is running KDC service
      • DSTimeServFlag – DC is running time service
      • DSClosestFlag – DC is in the closest site to the client
      • DSWritableFLag – DC has a writable DS
      • DSGoodTimeServFlag (0) – DC is running time service
      • DSNDNCFlag – DomainName is a non-domain NC serviced by the LDAP server
      • DSSelectSecretDomain6Flag – the server is a notan RODC
      • DSFullSecretDomain6Flag – The server is a writable DC
      • DSWSFlag – The Active Directory Web Service is present on the server
      • DSDNSControllerFlag – DomainControllerName is not a DNS name
      • DSDNSDomainFlag – DomainName is not a DNS name
      • DSDNSForestFlag – DnsForestName is not a DNS name
    • DomainGuid:
    • DnsForestName: contoso.local
    • DnsDomainName: contoso.local
    • DnsHostName: DCSERVER.contoso.local
    • NetbiosDomainName: CONTOSO
    • NetbiosComputerName: DCSERVER
    • Username:
    • DcSiteName: Default-First-Site-Name
    • ClientSiteName: FAKESITE
    • NextClosestSIteName: Default-First-Site-Name

    The client caches this information to its DCLocator cache and will perform another LDAP Ping to another domain controller if it was determined the domain controller is not within the client’s site.

  7. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 88
    Protocol: Kerberos
    Purpose: The domain-joined machine attempts to verify its identity with the domain controller by sending a KRB-AS-REQ without pre-authentication data. The domain controller checks the object that represents the principal to determine if the account has the “Do not require Kerberos preauthentication.” If the option is not checked, the domain controller returns KRB_ERROR (25) indicating preauthentication data is required.

  8. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 88
    Protocol: Kerberos
    Purpose: The domain-joined machine re-attempts to verify its identity with the domain controller by sending a KRB-AS-REQ with pre-authentication data. The domain controller validates the principal’s identity and responds with a KRB-AS-REP which includes a Kerberos TGT for the principal to use to obtain additional Kerberos service tickets.

  9. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 88
    Protocol: Kerberos
    Purpose: The domain-joined machine requests a service ticket for CIFS service running on the domain controller by sending a KRB-TGS-REQ for the CIFS service principal. The domain controller validates the machine’s Kerberos TGT and returns a service ticket for the CIFS service. The domain-joined machine will use the service ticket to authenticate to the SMB service in order to access the SYSVOL share.

  10. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 88
    Protocol: Kerberos
    Purpose: The domain-joined machine requests a service ticket for CIFS service running on the domain controller by sending a KRB-TGS-REQ for the CIFS service principal name. The domain controller validates the machine’s Kerberos TGT and returns a service ticket for the CIFS service. The domain-joined machine will use the service ticket to authenticate to the SMB service in order to access the SYSVOL share.

  11. Source: Domain-joined machine
    Destination: Same Site or Closest Site Domain Controller
    Connection: TCP
    Port: 88
    Protocol: Kerberos
    Purpose: The domain-joined machine requests a Kerberos TGT by sending a KRB-TGS-REQ for the KRBTGT service principal name. I have to admit, I’m pretty clueless on this one. The only usage I can find online references cross realm.

As you can see, there’s a ton of interesting chatter that only gets more interesting once we begin breaking down the SMB conversation. The SMB portion involved a ton of reading on my end, because I haven’t often done any deep dive troubleshooting into the protocol. As always, I’ll include the links that helped me along the learning path as we cruise through those sections. See you on the next post!