{"id":5307,"date":"2021-09-25T03:02:41","date_gmt":"2021-09-25T03:02:41","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=5307"},"modified":"2023-02-02T20:42:24","modified_gmt":"2023-02-02T20:42:24","slug":"password-synced-to-remote-computer-without-connectivity-to-domain-controller-after-password-change","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/password-synced-to-remote-computer-without-connectivity-to-domain-controller-after-password-change","title":{"rendered":"Password Synced to Remote computer without connectivity to Domain Controller after Password Change"},"content":{"rendered":"\n

Recently had a customer be able to change passwords from Exchange webmail and for the password to sync back to their local computer without having direct access to the domain controller on a LAN or via VPN.<\/p>\n\n\n\n

To trace this 365 support were able to use the below script from here<\/a><\/p>\n\n\n\n

Download the file Auth.zip from https:\/\/cesdiagtools.blob.core.windows.net\/windows\/Auth.zip<\/a><\/p>\n\n\n\n

Logs as shows : <\/p>\n\n\n\n

To obtain the TGT we starting locating a DC and fail to find one standard Dclocator<\/a> (expected as no VPN or connection to Domain Controller)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Now we see a call to KDCProxy,<\/a> this is what is responsible for getting you authenticated without having a line of site to your DC.<\/p>\n\n\n\n

Line two of this tells you the KDC proxy gateway is connecting too<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This is what we see when the correct password is entered.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The question in my mind , was how was it able to get KDC proxy gateway address? Its a FQDB used by the RDP Gateway , and the below found my answer<\/p>\n\n\n\n

“This is called the KDC Proxy Service (KPS), and it was introduced as a supporting service for Direct Access and Remote Desktop Gateway deployments”<\/p>\n\n\n\n

KDC Proxy is installed with 2016 Server Remote Desktop Gateway role , so if you have a Terminal Server Enviroment listing on Port 443 which it needs for the Gateway you have this running!<\/p>\n\n\n\n

But I have never seen this elsewhere and they have RDP Gateway roles?<\/p>\n\n\n\n

This site gives a nice rundown of it all KDC Proxy for Remote Access (syfuhs.net)<\/a> – There’s a little known feature in Windows called the KDC Proxy that lets clients communicate with KDC servers over an HTTPS channel instead of TCP.<\/p>\n\n\n\n

By default , the Keys\u00a0HttpsClientAuth<\/strong>\u00a0and\u00a0DisallowUnprotectedPasswordAuth\u00a0<\/strong>do no exist in\u00a0 HKLM\\SYSTEM\\CurrentControlSet\\Services\\KPSSVC\\Settings , however this setup they did\u00a0<\/p>\n\n\n\n

HttpsClientAuth : Dword 0 ( Disable client authentication  ) \nDisallowUnprotectedPasswordAuth  : Dword 0 ( Enable password authentication ) <\/code><\/pre>\n\n\n\n
Which enabled this Password reset without connection to Domain Controller ( When\u00a0DisallowUnprotectedPasswordAuth<\/code>\u00a0is set to\u00a00<\/code>\u00a0the KDC proxy will allow the user to retrieve a\u00a0krbtgt<\/code>\u00a0using username and password. ) <\/p>\n\n\n\n
It must be secure to Enable this without Password Auth and Windows Hello instead as you open yourself up for a Brute Force attack ( as the Logins are not restricted and count towards lockout polices )\u00a0<\/p>\n\n\n\n
<\/p>\n\n\n\n
You need to make sure the user authenticating is using the primary domain name not an Alternate UPN

Failed to locate a domain controller in domain xxxxxxx.com.au with locator flags 0x601: error code 0x54B.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"
Recently had a customer be able to change passwords from Exchange webmail and for the password to sync back to their local computer without having direct access […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[3590,1677,3591,3585,3812,3589,3586,721,3587,3588,1398,1351],"class_list":["post-5307","post","type-post","status-publish","format-standard","hentry","category-research","tag-disallowunprotectedpasswordauth","tag-domain-controller","tag-httpsclientauth","tag-kdc-proxy","tag-kerberos","tag-kps","tag-line-of-sight","tag-password","tag-password-change","tag-password-sync","tag-sync","tag-vpn"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=5307"}],"version-history":[{"count":5,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5307\/revisions"}],"predecessor-version":[{"id":6643,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5307\/revisions\/6643"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=5307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=5307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=5307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}