[cifs-protocol] [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval - TrackingID#2311230040000495

Jeff McCashland (He/him) jeffm at microsoft.com
Thu Nov 23 01:58:18 UTC 2023


[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Joseph,

Thank you for your question. We have created SR 2311230040000495 to track this issue. One of our engineers will respond soon. 

Note that due to the U.S. Thanksgiving holiday, the response may be delayed until Monday at the latest. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org> 
Sent: Wednesday, November 22, 2023 5:07 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval

Hi dochelp,

I think there may be an error — or at least some opportunity for confusion — in the documentation for GetgMSAPasswordBlob ([MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”). The documentation states that GKDIRolloverInterval is equal to:

(TO!msDS-ManagedPasswordInterval × 24 ∕ KeyCycleDuration) × KeyCycleDuration

GKDIRolloverInterval is later added to the time returned by GKDIGetKeyStartTime(), implying that the former value is measured in 100ns units as is the latter. However, the expression given in the documentation appears to be equivalent to ‘TO!msDS-ManagedPasswordInterval × 24’, which would produce a quantity in hours.

If GKDIRolloverInterval is meant to be a FILETIME, I think the correct expression should be:

TO!msDS-ManagedPasswordInterval × 24 × 60 × 60 × 10⁷

This gives an answer consistent with the results I’m seeing from Windows.

Regards,
Joseph

