A Guide to Recognizing Your Post Authentication Actions

Patch My Pc | install & update thousands of apps

LAPS (local administrator password solution) is everywhere!!!! This time I am deep-diving into the wonders of the Post Authentication Actions (PAA) and what is actually happening (or maybe not happening) when you try to authenticate yourself with the managed account.

1. Introduction

Some weeks ago I put on my swimming goggles and started diving into the wonders of Windows LAPS and how clicking on the magic password reset button in Intune triggered the password reset on the device itself.

Windows Laps | Password Rotation | Threadpool | LRPC (call4cloud.nl)

This blog was focused on the Password rotation and not so much on the Post Authentication Actions (PAA), even when I slightly touched that subject

Afbeelding met tekst, Lettertype, schermopname, algebra  Automatisch gegenereerde beschrijving

As shown above, I noticed that even when the authentication is NOT successful when trying to run a process as admin with the managed account, a background task/queue will still be scheduled to reset the password

Afbeelding met tekst, schermopname, lijn, Lettertype  Automatisch gegenereerde beschrijving

Which is odd, right? Exactly that part (odd) caught my attention. I wanted to know why the PAA was queued even though it shouldn’t. So I decided to open the IDA tool and just start looking

(Lucikly, the issue I am describing above is now fixed…)

2. Post Authentication Actions

After opening IDA and spending some time looking at LAPS.dll and LAPScsp.dll and looking through all the code I felt that I was missing something. Let me explain why I had that feeling!

I knew where to start digging because I had already found some interesting stuff. In the Windows LAPS password reset blog, I showed you what happened when a task was queued in the background.

As shown below, the magic word is the “SubmitDelayedSerialOperation” Function inside LAPS.DLL

LAPS Post Authenication Actions Threadpool

So I already knew that something, somewhere, somehow was calling this function. After looping back through what was using this function I stumbled upon another function called “NotifyLocalAccountAuthentication”

Notify Local Account Authentication LAPS

When taking a closer look, the SAM_LOGON_STATISTICS was shouting at me. When taking a closer look at which functions LAPS imports, I noticed (of course….) SAMSRV being mentioned

Afbeelding met tekst, schermopname, nummer, Lettertype  Automatisch gegenereerde beschrijving

But as shown above, nothing that indicates something called Logon_Statistics. I couldn’t care less so I just opened the SAMSRV.DLL and started searching and digging my way around it. After removing the _ between the two words, I got a nice hit.

Afbeelding met tekst, schermopname, Lettertype, lijn  Automatisch gegenereerde beschrijving

I was like, okay, that’s nice, but ow my…. how the f… could that flow fit my screen? Here is the SamIUpdateLogonStatistics Function flow …

Afbeelding met tekst, schets, tekening, diagram  Automatisch gegenereerde beschrijving

Yeah…!! exactly that!! Now you know that it will take a lot of time to get to know the code! Luckily, this time, the first search was successful! I just decided to start searching for LAPS…. Guess what functions it showed me!

Afbeelding met tekst, Lettertype, Website, Webpagina  Automatisch gegenereerde beschrijving

If we just click on one of them, it brings us to the proper place in the disassembly code

CHecking if LAPS is enabled

So, first of all, it starts checking if the LAPS feature is enabled by calling upon this function (Feature_service_Laps_private_isEnabled)

For your information, this type of function has been used a lot lately. When you spend some time on the internet and reading things you like, you could have stumbled upon this MSDoc named Known Issue Rollback, AKA KIR

Known Issue Rollback: Helping you keep Windows devices protected and productive – Microsoft Community Hub

Inside this doc, this part is mentioned “at the code level”

Afbeelding met tekst, schermopname, visitekaartje, Lettertype  Automatisch gegenereerde beschrijving

Mmm, that certainly looks a lot like this code in the SAMSRV.DLL right?

KIR LAPS

Microsoft implemented KIR to ensure easy rollbacks without breaking existing deployments. So, assuming the LAPS feature is enabled on our device, the next step will be to execute the SampLAPSNotifyLocalAccountAuthentication Function.

It’s like opening a magic box that’s full of functions as from there it will call upon the LAPS.DLL function that we noticed earlier

This function is a “delayed” import from the ext-ms-win-laps-l1-1-0.dll. This is an API not a DLL….

Afbeelding met tekst, schermopname, Lettertype  Automatisch gegenereerde beschrijving

When this API is used, the LAPS.DLL is called. When the LAPS is loaded, it executes the PAA. But….. I did NOT notice any “catch” in it when the authentication failed because a wrong password was entered. It just calls upon the LAPS.DLL, and LAPS queues the post-authentication action. Let me show you the flow so you can decide for yourself!

3. PAA FLOW

If you have read the information above, you will get this. It’s not as big as the first LAPS password reset flow but it makes a great addition to it!

As always, just click on it to get the BMP version you can save to get a better picture

Post Authentication Actions LAPS FLow

I will recommend reading my other Windows LAPS blog about the thread pools because without it it could be difficult to understand it all (but that’s just my piece of advice)

4. PAA Flow Improved

Part1: LAPS PAA Detection

PAA FLow Improved LAPS

Part2: LAPS Background schedule

LAPS POst Authentication Actions Background schedule

Conclusion

So now we know how the local password is reset when we press the magic button in Intune and we also know how the PAA is triggered when authenticating with the managed account…. But how does the device block a local password reset for the managed account?

Afbeelding met tekst, schermopname, Lettertype  Automatisch gegenereerde beschrijving

That’s something we will learn in the next blog post

Leave a Reply

Your email address will not be published. Required fields are marked *

4  +  1  =  

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.