CitarNosis asked DaisyZhou-MSFT answered

TaskFolder.RegisterTaskDefinition and TASK_LOGON_S4U

Hi.

We're using TaskFolder.RegisterTaskDefinition in a PowerShell script in this manner:

 # flags 6 = TASK_CREATE_OR_UPDATE; logonType 2 = TASK_LOGON_S4U (1 = TASK_LOGON_PASSWORD)
 $tasksFolder.RegisterTaskDefinition(
     $taskName, $taskDefinition, 6, $logonName, $password, 2, $null
 ) | Out-Null


The '2' there denotes a field logonType, which we've tested using TASK_LOGON_PASSWORD (1) and TASK_LOGON_S4U (2). From: taskfolder-registertaskdefinition


TASK_LOGON_S4U is supposed to be using Kerberos tokens to create a session and give the task its token for user logon: 3bff5864-8135-400e-bdd9-33b552051d94

So far so good. Now here's the question: is this supposed to work with non-ad servers?
We've tested TASK_LOGON_S4U with windows server 2019 and windows server 2012R2 (with latest updates), neither of them was joined to a domain.
By our understanding, Kerberos is available only on active domain.
We also ran TASK_LOGON_S4U in two tests with Process Monitor logging, one on a workgroup (non-AD) and one with AD (same server joined to its own domain controller), and this is the main difference in authentication we could glean from those:
AD:

 "08:24:23,3370239","lsass.exe","500","ReadFile","C:\Windows\System32\samsrv.dll","SUCCESS","Offset: 754.688, Length: 15.872, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
 "08:24:23,3433235","lsass.exe","500","ReadFile","C:\Windows\System32\samsrv.dll","SUCCESS","Offset: 738.304, Length: 16.384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
 "08:24:23,3441425","lsass.exe","500","ReadFile","C:\Windows\System32\kdcsvc.dll","SUCCESS","Offset: 507.392, Length: 15.360, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
 "08:24:23,3464303","lsass.exe","500","ReadFile","C:\Windows\System32\kerberos.dll","SUCCESS","Offset: 887.296, Length: 14.848, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
 "08:24:23,3514033","lsass.exe","500","ReadFile","C:\Windows\System32\kerberos.dll","SUCCESS","Offset: 870.912, Length: 16.384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
 "08:24:23,3524441","lsass.exe","500","ReadFile","C:\Windows\NTDS\ntds.dit","SUCCESS","Offset: 5.103.616, Length: 8.192, I/O Flags: Non-cached, Priority: Normal"

Without AD:

 "06:35:55,9278313","lsass.exe","564","ReadFile","C:\Windows\System32\lsasrv.dll","SUCCESS","Offset: 648.192, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
 "06:35:55,9288930","lsass.exe","564","ReadFile","C:\Windows\System32\lsasrv.dll","SUCCESS","Offset: 644.096, Length: 8.192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"

This doesn't really clarify much more than lsass (Local Security Authority Subsystem Service) does not load kerberos.dll when in non-ad mode. We made a search in the procmon logs and kerberos.dll is definitely not loaded without AD and definitely loaded with AD.
Both of these tests produced a positive result: the task was registered and executed with no errors.

To repeat the question: is this supposed to work in workgroup computers?
If so, how does it work?
Any documentation on the subject? We couldn't find any that would clarify how S4U works without a domain, the docs are usually referencing a domain workflow.

windows-server-security
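As an added example (not code from the original post), the snippet below shows the full Schedule.Service COM sequence the question's call fragment belongs to: build a task definition, register it with TASK_LOGON_S4U and no password, and then read back how the principal was stored, so a practitioner can confirm on a workgroup or domain box that the task really was registered with S4U rather than a stored password. The task name, the local account name and the output path are assumptions; the flag and enum values are the documented Task Scheduler constants.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumptions: task name, a local account that exists, and a writable C:\Temp.
$taskName  = 'S4U-Demo'                   # assumption: arbitrary task name
$logonName = "$env:COMPUTERNAME\svcuser"  # assumption: existing local account

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()                            # local machine
$folder = $svc.GetFolder('\')

$def = $svc.NewTask(0)
$def.RegistrationInfo.Description = 'TASK_LOGON_S4U demonstration'
$def.Settings.Enabled = $true

# TASK_ACTION_EXEC = 0: the task writes its effective token to a file so the
# groups and privileges it ran with can be inspected afterwards.
$action = $def.Actions.Create(0)
$action.Path      = 'C:\Windows\System32\cmd.exe'
$action.Arguments = '/c whoami /all > C:\Temp\s4u-whoami.txt'   # assumption: C:\Temp exists

# Register: flags 6 = TASK_CREATE_OR_UPDATE, logonType 2 = TASK_LOGON_S4U.
# Password is $null on purpose: with an S4U logon the system stores none.
$folder.RegisterTaskDefinition($taskName, $def, 6, $logonName, $null, 2, $null) | Out-Null

# Read back the stored principal. TASK_LOGON_PASSWORD = 1, TASK_LOGON_S4U = 2.
$registered = $folder.GetTask($taskName)
$principal  = $registered.Definition.Principal
'{0}: UserId={1} LogonType={2}' -f $taskName, $principal.UserId, $principal.LogonType

# The same check through the ScheduledTasks module (Windows Server 2012 and later);
# the LogonType property is rendered as the enum name, here S4U.
(Get-ScheduledTask -TaskName $taskName).Principal.LogonType

# Run the task on demand and look at the token the action ran with.
$registered.Run($null) | Out-Null
Start-Sleep -Seconds 5
Get-Content 'C:\Temp\s4u-whoami.txt'

# Which authentication packages LSA has loaded on this host (needs elevation):
# on a domain controller kerberos.dll and kdcsvc.dll appear, on a workgroup
# member only msv1_0.dll and lsasrv.dll, matching the Process Monitor traces above.
(Get-Process -Name lsass).Modules |
    Where-Object { $_.ModuleName -match '^(kerberos|kdcsvc|msv1_0|lsasrv)\.dll$' } |
    Select-Object ModuleName, FileName
```

The documented trade-off of TASK_LOGON_S4U is the reason to verify the stored logon type: no password is kept by the system, and in exchange the task's token has no access to network resources or to EFS-encrypted files, so a task that needs either must use TASK_LOGON_PASSWORD (which does store the credential) or a service account with a different logon type.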

1 Answer

DaisyZhou-MSFT answered

Hello @CitarNosis,

Thank you for posting here.

Here is a similar case for your reference.
IIS: Using Kerberos with client computers that are not on the domain
https://stackoverflow.com/questions/14224580/iis-using-kerberos-with-client-computers-that-are-not-on-the-domain

Please note: This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

Best Regards,
Daisy Zhou
