DPAPI EventID 4694 when changing password of useraccount using ESAE-Domain Account

Anonymous
2024-01-03T14:18:27+00:00

Hi everyone.

I tried finding a solution, searching through the web, but didn't find anything helpful.

Following scenario: We access Domain-Controllers using an ESAE-Domain with accounts that use certificates to log on. We connect using mstsc.exe /remoteguard. The user is a member of the Domain-Administrators group through a Shadow-Principal. Everything is working fine (login, Domain-Admin rights working, etc.). The Domain-Controllers got exchanged for 2 new Windows Server 2022 Domain Controllers, hosted in Azure.

FSMO-Roles have been moved.

The old DCs have been decommissioned. Connecting to the DCs is working without any issues, BUT when I want to change the password of a user account, I receive an error message:

The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.

Within EventVwr (Security Log) I see a DPAPI error with Event-ID 4694.

Looking through this post: DPAPI MasterKey backup failures - Windows Server | Microsoft Learn, I did the following:

Trying to run Cred Man I receive error 0x80090345, pointing in the same direction. nltest /dsgetdc:<domain> /writable gives me NO error and a valid result, for both the local Domain and the ESAE-Domain.

Both Domains only consist of RWDCs, no RODCs.

Netlogon Log showed me the following (DC / Domain names and IP addresses changed):

01/03 09:26:24 [MISC] [8616] DOM: DsGetDcName function called: client PID=772, Dom:ESAE Acct:(null) Flags: DS WRITABLE NETBIOS RET_DNS
01/03 09:26:24 [MISC] [8616] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
01/03 09:26:24 [MAILSLOT] [8616] Received ping from xxxxxxxx(xxxxxxx.domain.forest) esae.domain.local (null) on <Local>
01/03 09:26:24 [CRITICAL] [8616] Ping from xxxxxxxx for domain esae.domain.local ESAE for (null) on <Local> is invalid since we don't host the named domain.
01/03 09:26:24 [MISC] [8616] NetpDcGetName: esae.domain.local using cached information ( NlDcCacheEntry = 0x00000180E21132C0 )
01/03 09:26:24 [MISC] [8616] DsGetDcName: results as follows: DCName:\DC1.esae.domain.local DCAddress:\127.127.10.10 DCAddrType:0x1 DomainName:esae.domain.local DnsForestName:esae.domain.local Flags:0xe003f17d DcSiteName:ESAE-Site ClientSiteName:(null)
01/03 09:26:24 [MISC] [8616] DOM: DsGetDcName function returns 0 (client PID=772): Dom:ESAE Acct:(null) Flags: DS WRITABLE NETBIOS RET_DNS

The solution from that site, saving the masterkey locally, is of course not applicable in this case, since we are connecting to a DC.

Did we forget something regarding the Shadow-Principals?

Could a Port be missing to be allowed from Azure to the local Datacenter?
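The Netlogon excerpt in the question, worked through in code. This is an added example, not code from the original post or from Microsoft: it parses netlogon.log-style entries, flags the [CRITICAL] "we don't host the named domain" ping, extracts the DsGetDcName result fields and decodes the returned DC flag bits using the DS_*_FLAG values from DsGetDC.h. The log sample inside it is constructed to match the redacted excerpt (UNC prefixes restored to the usual double backslash), and any flag bit not in the table is reported as unknown rather than guessed.

```python
"""Netlogon debug log triage for the symptoms discussed in this thread.

Added example, not code from the original post or from Microsoft. It parses
netlogon.log-style entries, flags the [CRITICAL] "we don't host the named
domain" ping shown in the question, extracts the DsGetDcName result line and
decodes the returned DC flags using the DS_*_FLAG bit values from DsGetDC.h.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the question's (redacted) excerpt.
SAMPLE_LOG = """\
01/03 09:26:24 [MISC] [8616] DOM: DsGetDcName function called: client PID=772, Dom:ESAE Acct:(null) Flags: DS WRITABLE NETBIOS RET_DNS
01/03 09:26:24 [MISC] [8616] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c1fffff1
01/03 09:26:24 [MAILSLOT] [8616] Received ping from xxxxxxxx(xxxxxxx.domain.forest) esae.domain.local (null) on <Local>
01/03 09:26:24 [CRITICAL] [8616] Ping from xxxxxxxx for domain esae.domain.local ESAE for (null) on <Local> is invalid since we don't host the named domain.
01/03 09:26:24 [MISC] [8616] NetpDcGetName: esae.domain.local using cached information ( NlDcCacheEntry = 0x00000180E21132C0 )
01/03 09:26:24 [MISC] [8616] DsGetDcName: results as follows: DCName:\\\\DC1.esae.domain.local DCAddress:\\\\127.127.10.10 DCAddrType:0x1 DomainName:esae.domain.local DnsForestName:esae.domain.local Flags:0xe003f17d DcSiteName:ESAE-Site ClientSiteName:(null)
01/03 09:26:24 [MISC] [8616] DOM: DsGetDcName function returns 0 (client PID=772): Dom:ESAE Acct:(null) Flags: DS WRITABLE NETBIOS RET_DNS
"""

# "MM/DD HH:MM:SS [LEVEL] [THREAD] message"
ENTRY_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] \[(\d+)\] (.*)$")
# The CRITICAL line a DC writes when pinged for a domain it does not host.
FOREIGN_PING_RE = re.compile(
    r"Ping from (?P<client>\S+) for domain (?P<domain>\S+) .*"
    r"is invalid since we don't host the named domain"
)

# DOMAIN_CONTROLLER_INFO.Flags bits from DsGetDC.h (commonly needed subset).
DC_FLAGS = {
    0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC",
    0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE",
    0x200: "GOOD_TIMESERV", 0x400: "NDNC", 0x800: "SELECT_SECRET_DOMAIN_6",
    0x1000: "FULL_SECRET_DOMAIN_6", 0x2000: "WS", 0x4000: "DS_8",
    0x8000: "DS_9", 0x10000: "DS_10",
    0x20000000: "DNS_CONTROLLER", 0x40000000: "DNS_DOMAIN", 0x80000000: "DNS_FOREST",
}


@dataclass
class Entry:
    timestamp: str
    level: str
    thread: str
    message: str


def parse_netlogon(text):
    """Split netlogon.log text into Entry records; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def foreign_domain_pings(entries):
    """(client, domain) pairs from CRITICAL 'we don't host the named domain' pings."""
    hits = []
    for e in entries:
        if e.level != "CRITICAL":
            continue
        m = FOREIGN_PING_RE.search(e.message)
        if m:
            hits.append((m.group("client"), m.group("domain")))
    return hits


def dsgetdcname_result(entries):
    """Key/value fields of the first 'DsGetDcName: results as follows:' entry."""
    marker = "results as follows:"
    for e in entries:
        if marker in e.message:
            fields = e.message.split(marker, 1)[1].split()
            return dict(f.split(":", 1) for f in fields if ":" in f)
    return {}


def decode_dc_flags(value):
    """Names of the set DS_*_FLAG bits; bits outside the table are reported as unknown."""
    flags = int(value, 16)
    names = [name for bit, name in DC_FLAGS.items() if flags & bit]
    unknown = flags & ~sum(DC_FLAGS)
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


if __name__ == "__main__":
    entries = parse_netlogon(SAMPLE_LOG)
    for client, domain in foreign_domain_pings(entries):
        print(f"DC was pinged by {client} for a domain it does not host: {domain}")
    result = dsgetdcname_result(entries)
    print("Located DC:", result.get("DCName"), result.get("DCAddress"))
    print("DC flags:", ", ".join(decode_dc_flags(result["Flags"])))
```

Run against a real netlogon.log, the CRITICAL hit tells you which domain the local DC is being asked to locate but does not host (here the ESAE domain), and the decoded flags confirm whether the located DC is WRITABLE and a KDC, which is the same check the nltest /dsgetdc command in the question performs.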

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

5 answers

  1. Anonymous
    2024-01-04T06:11:20+00:00

    Hello G_Grote,

    Thank you for posting in Microsoft Community forum.

    1. Based on the description "when I want to change the password of a user account", did you mean you change the password for a local AD user account or an Azure AD user account?

    2. Did you change the AD domain user password on a Domain Controller or on a domain member machine?

    3. Did the problem occur suddenly, or does it always occur?

    4. Have you made any changes in the AD domain before the problem occurred?

    Please check if the setting below was set via local group policy or any Domain GPO.

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
    Enable computer and user accounts to be trusted for delegation
    Trust computer and user accounts for delegation - Windows Security | Microsoft Learn

    Meanwhile, we can see event ID 4694 here:

    There is no recommendation for this event in this document.

    This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.

    4694(S, F) Protection of auditable protected data was attempted. - Windows Security | Microsoft Learn

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2024-01-04T07:36:08+00:00

    Hi Daisy,

    thank you for the fast reply.

    Regarding your questions:

    1. I want to change the password for a local AD user account, not in azure ad.
    2. Yes, I try to change it using dsa.msc on one of the two Domain Controllers.
    3. Sadly, the problem occurs every time we try to change a password using the ESAE account. Using a domain-local Domain Administrator, the password can be changed without any issue.
    4. The only change I am aware of is that the Domain Controllers have been migrated from Windows Server 2016 (hosted locally on site) to Windows Server 2022 (hosted as virtual machines in Azure).

    The setting for "Enable computer and user accounts to be trusted for delegation" is: BUILTIN\Administrators

    The user I am working with is, as mentioned, a member of the group "Domain Administrators" through a shadow principal, and is therefore nested in this group.

    Best regards

    Gerrit

  3. Anonymous
    2024-01-05T07:49:13+00:00

    Hello G_Grote,

    Thank you for your reply.

    If you remove the user from the Domain-Administrators group through the Shadow-Principal, can he/she reset the AD password?

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2024-01-05T08:25:25+00:00

    Hi,

    Sorry, English is not my first language, maybe I made a mistake :)

    The account I am using is a member of the Domain-Administrators group through a Shadow-Principal.

    Not the account, I want to reset the password of.

    (my Account): ESAE-Domain\ADMIN

    Account to change the password: TargetDomain\User (Normal user, AdminCount: 0)

    When I want to reset the password of "User" in the TargetDomain, while connected to a Domain-Controller of the TargetDomain, then I receive the error.

    When I remove my User from the Shadow-Principal Group, I am no longer able to connect to the DomainController, since I am no longer member of the Domain Administrators group.

  5. Anonymous
    2024-01-09T05:19:13+00:00

    Hello G_Grote,

    Thank you for your reply.

    So your account (ESAE-Domain\ADMIN) and the account to change the password of, TargetDomain\User (normal user, AdminCount: 0), are in different domains?

    If so, how did you use ESAE-Domain\ADMIN to change the password in the target domain?

    Did you use ESAE-Domain\ADMIN to sign in to the DC in the target domain and find TargetDomain\User to reset its password?

    Best Regards,
    Daisy Zhou
