I found a better explanation of gMSAs and MSAs here:
https://syfuhs.net/how-managed-service-accounts-in-active-directory-work
(I'm still not sure if the KDS key is used to derive the keys for
regular MSAs or just gMSAs. And if not, then how key retrieval works for
MSAs.)
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9