
fix(rotation): use local auth for Windows local account verification#5386

Merged

victorvhs017 merged 2 commits into main from fix/windows-rotation-fails-when-domain-is-set on Feb 6, 2026

Conversation

@victorvhs017
Contributor

Context

When using domain credentials (e.g., MYDOMAIN\Administrator) to rotate a local account password on a member server, the verification step was failing with "Authentication failed" because it tried to authenticate the rotated local account using the domain from the app connection configuration.

Local accounts exist in the machine's local SAM database, not in Active Directory. Attempting to authenticate MYDOMAIN\localuser would fail because localuser doesn't exist in AD.

Screenshots

Steps to verify the change

Test Environment Setup

  1. Set up AWS test environment with two Windows servers:

    • EC2 - 1 (Domain Controller): Windows Server with Active Directory configured (e.g., TESTDOMAIN.local)
    • EC2 - 2 (Member Server): Windows Server joined to the domain, with a local account created (e.g., testuser)
  2. Create local account on member server (EC2 - 2):

    New-LocalUser -Name "testuser" -Password (ConvertTo-SecureString "InitialP@ss123!" -AsPlainText -Force) -PasswordNeverExpires
    # Add to Administrators group for Login as Target method
    Add-LocalGroupMember -Group "Administrators" -Member "testuser"
  3. Ensure security groups allow SMB (port 445) between Infisical and the member server

Test Case 1: Login as Root (Domain Admin rotates local account)

  1. Configure SMB Connection:

    • Host: Member server private IP (EC2 - 2)
    • Port: 445
    • Domain: TESTDOMAIN
    • Username: Administrator (domain admin)
    • Password: Domain admin password
  2. Create Windows Local Account Rotation:

    • Target Username: testuser
    • Method: Login as Root
  3. Trigger rotation and verify it succeeds

Test Case 2: Login as Target (Local account rotates itself)

  1. Configure SMB Connection:

    • Host: Member server private IP (EC2 - 2)
    • Port: 445
    • Domain: Leave empty (local account)
    • Username: testuser
    • Password: Current password of testuser
  2. Create Windows Local Account Rotation:

    • Target Username: testuser
    • Method: Login as Target
    • Current Password: Current password of testuser
  3. Trigger rotation and verify it succeeds

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

Victor Santos added 2 commits February 5, 2026 23:11
…for local accounts and enhance documentation on rotation methods and requirements
@maidul98
Collaborator

maidul98 commented Feb 6, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues


@greptile-apps
Contributor

greptile-apps bot commented Feb 6, 2026

Greptile Overview

Greptile Summary

This PR updates Windows local account rotation to verify rotated credentials without applying the SMB connection’s configured domain, fixing failures when a domain admin rotates a local account on a member server. It also expands documentation to clarify prerequisites (member server/standalone only), explains the two rotation methods, and documents Windows-specific requirements for “Login as Target” (local admin + Remote UAC token filtering behavior).

Main code change is in backend/src/ee/services/secret-rotation-v2/windows-local-account-rotation/windows-local-account-rotation-fns.ts, where the post-rotation verification step and the self-rotation connection config now explicitly omit domain for local SAM users. Docs updates live under /docs and should make the expected configuration discoverable for customers.

Confidence Score: 4/5

  • This PR is likely safe to merge and addresses a real Windows local-account auth mismatch, with one edge-case behavior worth clarifying/validating.
  • Core change is narrowly scoped (omit domain for local SAM verification/self-rotation) and aligns with SMB auth semantics for local users. Remaining concern is that the code now guarantees verification failure if a domain account is mistakenly used with this rotation type; if local-only is intended, this should be enforced explicitly for clearer UX.
  • backend/src/ee/services/secret-rotation-v2/windows-local-account-rotation/windows-local-account-rotation-fns.ts

Important Files Changed

Filename: Overview

  • backend/src/ee/services/secret-rotation-v2/windows-local-account-rotation/windows-local-account-rotation-fns.ts: Updates SMB verification/self-rotation to omit domain for local accounts; logic seems consistent with local SAM authentication.
  • docs/documentation/platform/secret-rotation/windows-local-account.mdx: Clarifies prerequisites and adds Login-as-Target requirements/warnings; no functional code changes.
  • docs/integrations/app-connections/smb.mdx: Updates SMB connection docs to clarify member-server targeting and domain credential behavior; API sample response still omits password (existing pattern).
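As an added example that is not part of this PR or of Infisical's code base, the following TypeScript models the credential construction described in the PR context above (verification inherited the connection's domain, so a local SAM account was looked up in AD) and the Greptile note on the domain-account edge case; the interface shapes, function names and the mock SMB account stores are assumptions made for the illustration.

```typescript
// Added illustration, not Infisical's code: models how SMB credentials for the
// post-rotation verification step are built before and after the fix in this PR.
// The connection/credential shapes and function names are assumptions.
export interface SmbConnectionConfig {
  host: string;
  port: number;
  domain?: string;   // e.g. "TESTDOMAIN" when a domain admin is the root login
  username: string;
  password: string;
}
export interface SmbCredentials {
  username: string;
  password: string;
  domain?: string;   // undefined means "authenticate against the machine's local SAM"
}

// Before the fix: the rotated local account inherited the connection's domain, so the
// server was asked for TESTDOMAIN\testuser, an account Active Directory does not know.
export function verificationCredentialsBefore(
  conn: SmbConnectionConfig, target: string, newPassword: string): SmbCredentials {
  return { username: target, password: newPassword, domain: conn.domain };
}

// After the fix: a local SAM account is verified with no domain, whatever the connection uses.
export function verificationCredentialsAfter(
  _conn: SmbConnectionConfig, target: string, newPassword: string): SmbCredentials {
  return { username: target, password: newPassword, domain: undefined };
}

// The reviewer's suggestion made explicit: this rotation type is local-only, so reject a
// domain-qualified target up front instead of letting verification fail later.
export function assertLocalTargetUsername(target: string): void {
  if (target.includes("\\") || target.includes("@")) {
    throw new Error(`"${target}" is domain-qualified; local account rotation targets SAM accounts only`);
  }
}

// Constructed stand-in for the member server's SMB authentication: a local SAM store and a
// separate domain (AD) store; only the store matching the presented domain is consulted.
const LOCAL_SAM = new Map<string, string>([["testuser", "InitialP@ss123!"]]);
const DOMAIN_ACCOUNTS = new Map<string, string>([["TESTDOMAIN\\Administrator", "DomainAdminP@ss!"]]);

export function mockSetLocalPassword(user: string, password: string): void {
  LOCAL_SAM.set(user, password);   // what the rotation itself does on the target machine
}

export function mockSmbAuthenticate(creds: SmbCredentials): boolean {
  if (creds.domain) return DOMAIN_ACCOUNTS.get(`${creds.domain}\\${creds.username}`) === creds.password;
  return LOCAL_SAM.get(creds.username) === creds.password;
}
```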

@greptile-apps greptile-apps bot left a comment

3 files reviewed, 1 comment
@victorvhs017 victorvhs017 merged commit d80cb64 into main Feb 6, 2026
11 of 12 checks passed