[cifs-protocol] [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute - TrackingID#2311210040001007

Sreekanth Nadendla srenaden at microsoft.com
Fri Dec 8 20:40:53 UTC 2023


Hello Joseph, the attribute msDS-ManagedPasswordId is expected to contain two fields, 'Size' and 'Data', representing a byte array along with its size. The Size member indicates the length of the byte array, and the Data member is a pointer to the actual array of bytes.

The Data field holds the pointer to the GmsaKeyId buffer, while Size is set to the total number of bytes of the GmsaKeyId buffer.

Are you saying that the contents inside the Data field don't appear to be GmsaKey related?


Regards,

Sreekanth Nadendla

Microsoft Windows Open Specifications



________________________________
From: Joseph Sutton <jsutton at samba.org>
Sent: Monday, November 20, 2023 7:05 PM
To: cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute

Hi dochelp,

[MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”, makes reference to the
attribute ‘msDS-ManagedPasswordId’, which (it states) contains a key ID
that is involved in the computation of the managed password. I’m trying
to work out the format of this attribute.

A couple of times that document mentions that the key ID identifies a
Group Key Envelope data structure, defined in section 2.2.4 of
[MS-GKDI]. Now I have obtained some samples of ‘msDS-ManagedPasswordId’
attributes from Group Managed Service Accounts created by Windows. While
these samples appear to be superficially similar to Group Key Envelope
format, they have a few notable differences: the fields from
‘cbKDFAlgorithm’ to ‘cbL2Key’ are missing, replaced by a single 32-bit
field containing I don’t know what; and the fields from ‘KDF Algorithm’
to ‘Secret Agreement Parameters’, and both ‘L1 Key’ and ‘L2 Key’, are
similarly missing.

Also mysterious is the field ‘isPublicKey’, which according to [MS-GKDI]
must contain either 0 or 1, but in my samples has the value 2!

Can you provide me with some details on the format of the
‘msDS-ManagedPasswordId’ attribute, and on how it resembles or differs
from the Group Key Envelope structure?

Regards,
Joseph
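As an added worked example (not code from either message, nor from Microsoft or Samba): a checker for the Group Key Envelope layout documented in [MS-GKDI] 2.2.4, with the field order and names taken from my reading of that section; the sample blob, domain name and key index values are constructed. Against blobs like the samples described above it fails on the ‘isPublicKey’ value of 2 and on the length bookkeeping, which is a quick way to confirm that an msDS-ManagedPasswordId value is not a verbatim Group Key Envelope.

```python
import struct
import uuid
# Fixed part of the Group Key Envelope, [MS-GKDI] 2.2.4: six DWORDs, a GUID, ten DWORDs.
GKE_HEADER = struct.Struct("<6I16s10I")
GKE_MAGIC = 0x4B53444B  # ASCII "KDSK" as a little-endian DWORD
FIELDS = ("Version", "Magic", "isPublicKey", "L0Index", "L1Index", "L2Index",
          "RootKeyIdentifier", "cbKDFAlgorithm", "cbKDFParameters",
          "cbSecretAgreementAlgorithm", "cbSecretAgreementParameters", "PrivateKeyLength",
          "PublicKeyLength", "cbL1Key", "cbL2Key", "cbDomainName", "cbForestName")
# Variable-length part in documented order, each paired with the header field sizing it.
VARIABLE = (("KDFAlgorithm", "cbKDFAlgorithm"), ("KDFParameters", "cbKDFParameters"),
            ("SecretAgreementAlgorithm", "cbSecretAgreementAlgorithm"),
            ("SecretAgreementParameters", "cbSecretAgreementParameters"),
            ("DomainName", "cbDomainName"), ("ForestName", "cbForestName"),
            ("L1Key", "cbL1Key"), ("L2Key", "cbL2Key"))

def parse_group_key_envelope(blob: bytes) -> dict:
    """Return the envelope's fields; raise ValueError on anything non-conforming."""
    if len(blob) < GKE_HEADER.size:
        raise ValueError("shorter than the fixed Group Key Envelope header")
    env = dict(zip(FIELDS, GKE_HEADER.unpack_from(blob)))
    if env["Version"] != 1 or env["Magic"] != GKE_MAGIC:
        raise ValueError(f"bad Version/Magic: {env['Version']}, {env['Magic']:#x}")
    if env["isPublicKey"] not in (0, 1):  # the value 2 seen in the samples fails here
        raise ValueError(f"isPublicKey must be 0 or 1, got {env['isPublicKey']}")
    env["RootKeyIdentifier"] = str(uuid.UUID(bytes_le=env["RootKeyIdentifier"]))
    off = GKE_HEADER.size
    for name, cb in VARIABLE:  # slice each variable field by its declared length
        if off + env[cb] > len(blob):
            raise ValueError(f"{name} ({env[cb]} bytes) runs past the end of the blob")
        env[name] = blob[off:off + env[cb]]
        off += env[cb]
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after L2Key")
    return env

def conforms(blob: bytes) -> bool:
    try:
        return bool(parse_group_key_envelope(blob))
    except ValueError:
        return False

def build_sample(is_public_key: int) -> bytes:
    """Constructed sample (hypothetical domain, all-zero L1 key), not captured from AD."""
    kdf = "SP800_108_CTR_HMAC\0".encode("utf-16-le")
    name = "example.test\0".encode("utf-16-le")  # reused as domain and forest name
    l1_key, root = bytes(64), uuid.UUID(int=0x1234).bytes_le
    hdr = GKE_HEADER.pack(1, GKE_MAGIC, is_public_key, 361, 5, 23, root, len(kdf),
                          0, 0, 0, 0, 0, len(l1_key), 0, len(name), len(name))
    return hdr + kdf + name + name + l1_key
```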

