[cifs-protocol] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute
Joseph Sutton
jsutton at samba.org
Tue Nov 21 00:05:23 UTC 2023
Hi dochelp,

[MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”, makes reference to the
attribute ‘msDS-ManagedPasswordId’, which (it states) contains a key ID
that is involved in the computation of the managed password. I’m trying
to work out the format of this attribute.

A couple of times that document mentions that the key ID identifies a
Group Key Envelope data structure, defined in section 2.2.4 of
[MS-GKDI]. Now I have obtained some samples of ‘msDS-ManagedPasswordId’
attributes from Group Managed Service Accounts created by Windows. While
these samples appear to be superficially similar to Group Key Envelope
format, they have a few notable differences: the fields from
‘cbKDFAlgorithm’ to ‘cbL2Key’ are missing, replaced by a single 32-bit
field containing I don’t know what; and the fields from ‘KDF Algorithm’
to ‘Secret Agreement Parameters’, and both ‘L1 Key’ and ‘L2 Key’, are
similarly missing.

Also mysterious is the field ‘isPublicKey’, which according to [MS-GKDI]
must contain either 0 or 1, but in my samples has the value 2!

Can you provide me with some details on the format of the
‘msDS-ManagedPasswordId’ attribute, and on how it resembles or differs
from the Group Key Envelope structure?

Regards,
Joseph
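As an added illustration of the structure the post compares against (this is example code written for this page, not part of the original message, Samba, or Microsoft's documentation): a strict Python parser for the [MS-GKDI] 2.2.4 Group Key Envelope layout. The field order (dwVersion, dwMagic, isPublicKey, L0Index, L1Index, L2Index, RootKeyIdentifier, the ten byte-count fields cbKDFAlgorithm through cbForestName, then the variable-length KDFAlgorithm, KDFParameters, SecretAgreementAlgorithm, SecretAgreementParameters, DomainName, ForestName, L1Key and L2Key) is my reading of [MS-GKDI] 2.2.4; the magic constant, the NUL-terminated UTF-16LE encoding of the string fields, the little-endian GUID byte order and every sample value are assumptions or constructed data, not captures from a domain controller. The point it makes is the one the post runs into: a parser that enforces the GKE rules (isPublicKey in {0, 1}, every cb field present, no trailing bytes) rejects a blob shaped like the msDS-ManagedPasswordId samples, so the two formats cannot be treated as the same structure. It deliberately does not guess at the msDS-ManagedPasswordId layout, which the post leaves open.

```python
"""Strict parser for the [MS-GKDI] 2.2.4 Group Key Envelope (GKE) layout.

Added example. Field order follows my reading of [MS-GKDI] 2.2.4; the
string encoding, GUID byte order and all sample data are assumptions.
"""
import struct
import uuid
from dataclasses import dataclass

GKE_VERSION = 1
GKE_MAGIC = 0x4B53444B  # the bytes b"KDSK" read as a little-endian uint32 (assumption)


class GKEFormatError(ValueError):
    """Raised when a blob does not satisfy the Group Key Envelope layout."""


@dataclass
class GroupKeyEnvelope:
    is_public_key: int
    l0_index: int
    l1_index: int
    l2_index: int
    root_key_id: uuid.UUID
    kdf_algorithm: str
    kdf_parameters: bytes
    secret_agreement_algorithm: str
    secret_agreement_parameters: bytes
    private_key_length: int
    public_key_length: int
    domain_name: str
    forest_name: str
    l1_key: bytes
    l2_key: bytes


# dwVersion, dwMagic, isPublicKey, L0Index, L1Index, L2Index, RootKeyIdentifier (GUID),
# then cbKDFAlgorithm, cbKDFParameters, cbSecretAgreementAlgorithm,
# cbSecretAgreementParameters, PrivateKeyLength, PublicKeyLength, cbL1Key, cbL2Key,
# cbDomainName, cbForestName: 80 bytes in total.
_FIXED = struct.Struct("<IIIIII16sIIIIIIIIII")


def _utf16z(text: str) -> bytes:
    """Encode a NUL-terminated UTF-16LE string, the form assumed for GKE strings."""
    return (text + "\x00").encode("utf-16-le")


def parse_group_key_envelope(blob: bytes) -> GroupKeyEnvelope:
    """Parse a GKE blob, raising GKEFormatError on any deviation from the layout."""
    if len(blob) < _FIXED.size:
        raise GKEFormatError(f"blob is {len(blob)} bytes; fixed header needs {_FIXED.size}")
    (version, magic, is_public_key, l0, l1, l2, guid_le,
     cb_kdf_alg, cb_kdf_param, cb_sa_alg, cb_sa_param,
     private_key_len, public_key_len, cb_l1, cb_l2,
     cb_domain, cb_forest) = _FIXED.unpack_from(blob, 0)
    if version != GKE_VERSION:
        raise GKEFormatError(f"unexpected dwVersion {version}")
    if magic != GKE_MAGIC:
        raise GKEFormatError(f"bad dwMagic 0x{magic:08X}")
    if is_public_key not in (0, 1):
        # The check a msDS-ManagedPasswordId sample carrying the value 2 fails.
        raise GKEFormatError(f"isPublicKey must be 0 or 1, got {is_public_key}")

    offset = _FIXED.size

    def take(count: int, name: str) -> bytes:
        nonlocal offset
        chunk = blob[offset:offset + count]
        if len(chunk) != count:
            raise GKEFormatError(f"{name}: need {count} bytes at offset {offset}, blob ends early")
        offset += count
        return chunk

    def take_str(count: int, name: str) -> str:
        return take(count, name).decode("utf-16-le").rstrip("\x00")

    # Keyword arguments are evaluated left to right, so the variable-length
    # fields are consumed in the order the layout lists them.
    envelope = GroupKeyEnvelope(
        is_public_key=is_public_key, l0_index=l0, l1_index=l1, l2_index=l2,
        root_key_id=uuid.UUID(bytes_le=guid_le),
        kdf_algorithm=take_str(cb_kdf_alg, "KDFAlgorithm"),
        kdf_parameters=take(cb_kdf_param, "KDFParameters"),
        secret_agreement_algorithm=take_str(cb_sa_alg, "SecretAgreementAlgorithm"),
        secret_agreement_parameters=take(cb_sa_param, "SecretAgreementParameters"),
        private_key_length=private_key_len, public_key_length=public_key_len,
        domain_name=take_str(cb_domain, "DomainName"),
        forest_name=take_str(cb_forest, "ForestName"),
        l1_key=take(cb_l1, "L1Key"),
        l2_key=take(cb_l2, "L2Key"),
    )
    if offset != len(blob):
        raise GKEFormatError(f"{len(blob) - offset} trailing bytes after L2Key")
    return envelope


def build_group_key_envelope(env: GroupKeyEnvelope) -> bytes:
    """Inverse of the parser; used here only to construct sample input."""
    parts = [_utf16z(env.kdf_algorithm), env.kdf_parameters,
             _utf16z(env.secret_agreement_algorithm), env.secret_agreement_parameters,
             _utf16z(env.domain_name), _utf16z(env.forest_name), env.l1_key, env.l2_key]
    header = _FIXED.pack(
        GKE_VERSION, GKE_MAGIC, env.is_public_key, env.l0_index, env.l1_index, env.l2_index,
        env.root_key_id.bytes_le,
        len(parts[0]), len(parts[1]), len(parts[2]), len(parts[3]),
        env.private_key_length, env.public_key_length,
        len(parts[6]), len(parts[7]), len(parts[4]), len(parts[5]))
    return header + b"".join(parts)


# Constructed sample: every value below is made up for this example.
SAMPLE_ENVELOPE = GroupKeyEnvelope(
    is_public_key=0, l0_index=361, l1_index=5, l2_index=17,
    root_key_id=uuid.UUID("11111111-2222-3333-4444-555555555555"),
    kdf_algorithm="SP800_108_CTR_HMAC", kdf_parameters=b"\x00" * 8,
    secret_agreement_algorithm="DH", secret_agreement_parameters=b"\x00" * 8,
    private_key_length=512, public_key_length=2048,
    domain_name="example.test", forest_name="example.test",
    l1_key=bytes(range(64)), l2_key=bytes(reversed(range(64))),
)
SAMPLE_BLOB = build_group_key_envelope(SAMPLE_ENVELOPE)


def with_public_key_value(value: int) -> bytes:
    """The sample blob with its isPublicKey dword (offset 8) overwritten."""
    return SAMPLE_BLOB[:8] + struct.pack("<I", value) + SAMPLE_BLOB[12:]


def is_group_key_envelope(blob: bytes) -> bool:
    """True when the blob parses as a well-formed GKE."""
    try:
        parse_group_key_envelope(blob)
    except GKEFormatError:
        return False
    return True


if __name__ == "__main__":
    print(parse_group_key_envelope(SAMPLE_BLOB))
    for value in (0, 1, 2):
        print(f"isPublicKey={value}: accepted={is_group_key_envelope(with_public_key_value(value))}")
```

Running it parses the constructed envelope back to the original values, accepts isPublicKey 0 and 1, and rejects 2, together with any blob that is truncated or carries trailing bytes, which is the behaviour a strict GKE parser shows when handed the msDS-ManagedPasswordId samples the post describes.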