[cifs-protocol] [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval - TrackingID#2311230040000495

Obaid Farooqi obaidf at microsoft.com
Fri Nov 24 08:11:55 UTC 2023


Hi Joseph:
Thanks for bringing this to our attention. You are right. The correct formula would be

(TO!msDS-ManagedPasswordInterval × 24 ∕ 10) × KeyCycleDuration

I have filed a bug to address the issue in the document.

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Jeff McCashland (He/him) <jeffm at microsoft.com>
Sent: Wednesday, November 22, 2023 7:58 PM
To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
Cc: Microsoft 365 Smart Support Mailbox <support at microsoft.com>
Subject: RE: [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval - TrackingID#2311230040000495

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Joseph,

Thank you for your question. We have created SR 2311230040000495 to track this issue. One of our engineers will respond soon.

Note that due to the U.S. Thanksgiving holiday, the response may be delayed until Monday at the latest.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org>
Sent: Wednesday, November 22, 2023 5:07 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval

Hi dochelp,

I think there may be an error — or at least some opportunity for confusion — in the documentation for GetgMSAPasswordBlob ([MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”). The documentation states that GKDIRolloverInterval is equal to:

(TO!msDS-ManagedPasswordInterval × 24 ∕ KeyCycleDuration) × KeyCycleDuration

GKDIRolloverInterval is later added to the time returned by GKDIGetKeyStartTime(), implying that the former value is measured in 100ns units as is the latter. However, the expression given in the documentation appears to be equivalent to ‘TO!msDS-ManagedPasswordInterval × 24’, which would produce a quantity in hours.

If GKDIRolloverInterval is meant to be a FILETIME, I think the correct expression should be:

TO!msDS-ManagedPasswordInterval × 24 × 60 × 60 × 10⁷

This gives an answer consistent with the results I’m seeing from Windows.

Regards,
Joseph
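
The three expressions discussed in this thread, evaluated side by side as an added example (not code from the thread, from Samba, or from Microsoft). It assumes KeyCycleDuration is 10 hours expressed in 100 ns units, a value the thread does not state; the 30-day interval and the key start time are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from fractions import Fraction

# Assumption (not stated in the thread): KeyCycleDuration is 10 hours
# in 100 ns units.
KEY_CYCLE_DURATION = 10 * 60 * 60 * 10**7
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rollover_documented(interval_days):
    """Expression quoted from [MS-ADTS]: KeyCycleDuration cancels, leaving hours."""
    return Fraction(interval_days * 24, KEY_CYCLE_DURATION) * KEY_CYCLE_DURATION


def rollover_corrected(interval_days):
    """Expression from the reply: (interval x 24 / 10) x KeyCycleDuration."""
    return Fraction(interval_days * 24, 10) * KEY_CYCLE_DURATION


def rollover_filetime(interval_days):
    """Expression from the original report: days converted to 100 ns units."""
    return interval_days * 24 * 60 * 60 * 10**7


def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def filetime_to_datetime(ft):
    """FILETIME -> UTC datetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def next_rollover(key_start, interval_days, formula):
    """Add a rollover interval to a key start time, as the report says
    GKDIRolloverInterval is added to the result of GKDIGetKeyStartTime()."""
    return filetime_to_datetime(datetime_to_filetime(key_start) + formula(interval_days))


if __name__ == "__main__":
    start = datetime(2023, 11, 22, tzinfo=timezone.utc)  # constructed sample
    days = 30                                            # constructed sample
    for f in (rollover_documented, rollover_corrected, rollover_filetime):
        print(f"{f.__name__:20} {int(f(days)):>16}  ->  {next_rollover(start, days, f)}")
```

With the documented expression the result treated as a FILETIME moves the start time by microseconds rather than days, which is the unit mismatch the report describes.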

