Extended Protection and Authentication

Question

Extended Protection and Authentication

mara2021 1,121

We are a hybrid deployment. Exchange Server 2019 (SRV01 and SRV02). We use ADSync. The servers are in a DAG. They are behind a load balancer. Our users are in Exchange Online. We have an SMTP relay. We have an on-premises mailbox for our on-premises archiver application. Exchange online forwards the email to this mailbox (considered a 3rd party mailbox). The mailbox sends emails to the archiver server. Both servers are configured for TLS1.2, NTLM is set to send NTLMv2 responses only. Refuse LM & NTLM. Extended Protection is enabled on SRV01. Extended Protection is not enabled on SRV02.

SRV02 shows successes for the mailbox and is only using NTLMv2.

SRV01(extended protection enabled) shows failures for the mailbox and is only using NTLM.

Extended protection is the only difference on the server. Everything else is the same.

Is the enabled Extended Protection causing the failures? If it was NTLMv2 responses only, I would think failures would be on SRV02 also.

Any suggestions on what may be causing this and how to fix? Thank you.

Anonymous

2024-04-29T08:16:41.34+00:00

Hello @mara2021,

According to your description, if SRV01 and SRV02 have the same configuration except for enabling extended protection, then the problem must be caused by enabling extended protection. Also, what do you mean by the fault on SRV01? Do you mean you can't send emails normally? If possible, could you please provide more error details.
mara2021 1,121 Reputation points

2024-04-29T13:36:42.2866667+00:00
We receive failure to authenticate. Below is the log:

System

Provider

[ Name] Microsoft-Windows-Security-Auditing

[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}

EventID 4625 Version 0 Level 0 Task 12544 Opcode 0 Keywords 0x8010000000000000

TimeCreated

[ SystemTime] 2024-04-25T15:12:59.375807200Z

EventRecordID 94236290

Correlation

[ ActivityID] {60af4c97-9503-0005-e169-af600395da01}

Execution

[ ProcessID] 992

[ ThreadID] 20052

Channel Security Computer SRV01 (EP is enabled) Security

EventData

SubjectUserSid S-1-0-0

SubjectUserName -

SubjectDomainName -

SubjectLogonId 0x0

TargetUserSid S-1-0-0

TargetUserName Mailbox.

TargetDomainName DOMAIN NAME

Status 0xc000035b

FailureReason %%2304

SubStatus 0x0

LogonType 3

LogonProcessName

AuthenticationPackageName NTLM

WorkstationName Archive Server

TransmittedServices -

LmPackageName -

KeyLength 0

ProcessId 0x0

ProcessName -

IpAddress Load Balancer IP Address

IpPort 46136
mara2021 1,121 Reputation points

2024-04-29T13:41:31.2666667+00:00
Log without EP (SRV02)

System

Provider

[ Name] Microsoft-Windows-Security-Auditing [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d} EventID 4624 Version 2 Level 0 Task 12544 Opcode 0 Keywords 0x8020000000000000

TimeCreated

[ SystemTime] 2024-04-26T15:24:30.417225100Z EventRecordID 178258943

Correlation

[ ActivityID] {7f757599-7fef-0003-7b7d-757fef7fda01}

Execution

[ ProcessID] 1092 [ ThreadID] 1016084 Channel Security Computer SRV02 (EP not enabled) Security

EventData

SubjectUserSid S-1-0-0

SubjectUserName -

SubjectDomainName -

SubjectLogonId 0x0

TargetUserSid S-1-5-21-1240842779-1673249513-1429243679-18498

TargetUserName Mailbox

TargetDomainName DOMAIN NAME

TargetLogonId 0x2a8727a8e

LogonType 3

LogonProcessName NtLmSsp

AuthenticationPackageName NTLM

WorkstationName Archive Server

LogonGuid {00000000-0000-0000-0000-000000000000}

TransmittedServices -

LmPackageName NTLM V2

KeyLength 128

ProcessId 0x0

ProcessName -

IpAddress Load Balancer IP Address

IpPort 42984

ImpersonationLevel %%1833

RestrictedAdminMode -

TargetOutboundUserName -

TargetOutboundDomainName -

VirtualAccount %%1843

TargetLinkedLogonId 0x0

ElevatedToken %%1843
Anonymous

2024-04-30T05:40:33.3033333+00:00

Hello @mara2021 ,

I need time to look into this issue, and it looks like this issue needs help from Windows, I helped you add the Windows tag. I will reply as soon as possible if there is an update.
mara2021 1,121 Reputation points

2024-04-30T12:46:24.3966667+00:00

Thank you.

1 answer

Your answer

Anonymous

2024-04-29T08:16:41.34+00:00

Hello @mara2021,

According to your description, if SRV01 and SRV02 have the same configuration except for enabling extended protection, then the problem must be caused by enabling extended protection. Also, what do you mean by the fault on SRV01? Do you mean you can't send emails normally? If possible, could you please provide more error details.
mara2021 1,121 Reputation points

2024-04-29T13:36:42.2866667+00:00

We receive failure to authenticate. Below is the log:

System

Provider

[ Name] Microsoft-Windows-Security-Auditing

[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}

EventID 4625 Version 0 Level 0 Task 12544 Opcode 0 Keywords 0x8010000000000000

TimeCreated

[ SystemTime] 2024-04-25T15:12:59.375807200Z

EventRecordID 94236290

Correlation

[ ActivityID] {60af4c97-9503-0005-e169-af600395da01}

Execution

[ ProcessID] 992

[ ThreadID] 20052

Channel Security Computer SRV01 (EP is enabled) Security

EventData

SubjectUserSid S-1-0-0

SubjectUserName -

SubjectDomainName -

SubjectLogonId 0x0

TargetUserSid S-1-0-0

TargetUserName Mailbox.

TargetDomainName DOMAIN NAME

Status 0xc000035b

FailureReason %%2304

SubStatus 0x0

LogonType 3

LogonProcessName

AuthenticationPackageName NTLM

WorkstationName Archive Server

TransmittedServices -

LmPackageName -

KeyLength 0

ProcessId 0x0

ProcessName -

IpAddress Load Balancer IP Address

IpPort 46136
mara2021 1,121 Reputation points

2024-04-29T13:41:31.2666667+00:00

Log without EP (SRV02)

System

Provider

[ Name] Microsoft-Windows-Security-Auditing [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d} EventID 4624 Version 2 Level 0 Task 12544 Opcode 0 Keywords 0x8020000000000000

TimeCreated

[ SystemTime] 2024-04-26T15:24:30.417225100Z EventRecordID 178258943

Correlation

[ ActivityID] {7f757599-7fef-0003-7b7d-757fef7fda01}

Execution

[ ProcessID] 1092 [ ThreadID] 1016084 Channel Security Computer SRV02 (EP not enabled) Security

EventData

SubjectUserSid S-1-0-0

SubjectUserName -

SubjectDomainName -

SubjectLogonId 0x0

TargetUserSid S-1-5-21-1240842779-1673249513-1429243679-18498

TargetUserName Mailbox

TargetDomainName DOMAIN NAME

TargetLogonId 0x2a8727a8e

LogonType 3

LogonProcessName NtLmSsp

AuthenticationPackageName NTLM

WorkstationName Archive Server

LogonGuid {00000000-0000-0000-0000-000000000000}

TransmittedServices -

LmPackageName NTLM V2

KeyLength 128

ProcessId 0x0

ProcessName -

IpAddress Load Balancer IP Address

IpPort 42984

ImpersonationLevel %%1833

RestrictedAdminMode -

TargetOutboundUserName -

TargetOutboundDomainName -

VirtualAccount %%1843

TargetLinkedLogonId 0x0

ElevatedToken %%1843
Anonymous

2024-04-30T05:40:33.3033333+00:00

Hello @mara2021 ,

I need time to look into this issue, and it looks like this issue needs help from Windows, I helped you add the Windows tag. I will reply as soon as possible if there is an update.
mara2021 1,121 Reputation points

2024-04-30T12:46:24.3966667+00:00

Thank you.

Answer 1

Microsoft Extended Protection for Authentication (EPA) is a security feature that enhances the protection of user authentication credentials and prevents unauthorized access to resources. It's designed to mitigate common attacks like man-in-the-middle, replay, and credential forwarding.

EPA introduces two main components:

Channel Binding: Verifies the identity of the client and server in a authentication session, ensuring that both parties are genuine and not impersonated.
Authentication Header: Adds an extra layer of protection to the authentication process by inserting a unique token in the authentication header, making it difficult for attackers to reuse or tamper with the credentials.

EPA supports various authentication protocols, including:

NTLM (NT LAN Manager)
Kerberos
TLS-DSK (Transport Layer Security-Desktop Single Sign-On)

Benefits of Microsoft Extended Protection for Authentication:

Improved security for user authentication
Enhanced protection against credential-based attacks
Better compliance with security standards and regulations
Compatible with existing authentication infrastructure

By implementing EPA, organizations can strengthen their authentication processes and reduce the risk of unauthorized access to sensitive resources.

mara2021 1,121 Reputation points

2024-04-29T14:34:40.3333333+00:00

Suggestions on how to resolve. Thanks.

Share via

Extended Protection and Authentication

1 answer

Your answer