<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Andrew,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We completed our investigation to this issue and propose the following changes to [MS-DTYP], [MS-LSAD], [MS-SAMR] and [MS-WKST]. The text below contains yellow highlighting to identify changed text. If the
highlighting causes a problem for you, please let me know.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thank you for your patience.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Bryan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="color:#1F497D">[MS-DTYP]<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added</span><span style="color:#1F497D"> new section</span><span style="color:#1F497D">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D;background:yellow;mso-highlight:yellow">2.3.14 Anonymous Session Key<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D;background:yellow;mso-highlight:yellow">The Anonymous Session Key is comprised of 16 bytes
</span><span style="color:#1F497D;background:yellow;mso-highlight:yellow">of UTF-8
</span><span style="color:#1F497D;background:yellow;mso-highlight:yellow">characters:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D;background:yellow;mso-highlight:yellow"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:.5in"><span style="color:#1F497D;background:yellow;mso-highlight:yellow">UCHAR AnonymousSessionKey[] = {“SystemLibraryDTC”</span><span style="color:#1F497D;background:yellow;mso-highlight:yellow">};</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="color:#1F497D">[MS-LSAD]<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2.1 Transport<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Cryptographic operations (as specified in section 5.1) MUST utilize a session key obtained from the SMB session on the client or server,
<span style="background:yellow;mso-highlight:yellow">or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection.</span><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">5 Security<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">5.1 Security Considerations for Implementers<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">The session key for sections 5.1.1 and 5.1.2 is obtained from the SMB transport, as specified in section 2.1. The session key is obtained from the SMB transport every time a message
that needs encryption is to be sent or a message that needs decryption is to be received.
<span style="background:yellow;mso-highlight:yellow">Clients should avoid using the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) to encrypt sensitive data since this does not protect the data.</span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="color:#1F497D">[MS-SAMR]<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2.2.7.6 SAMPR_USER_ALL_INFORMATION<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">LmOwfPassword: An RPC_SHORT_BLOB structure where Length and MaximumLength MUST be 16, and the Buffer MUST be formatted with an ENCRYPTED_LM_OWF_PASSWORD structure with the cleartext
value being an LM hash, and the encryption key being the 16-byte SMB [MS-SMB] session key established by the underlying authentication protocol (either Kerberos [MS-KILE] or NTLM [MS-NLMP])<span style="background:yellow;mso-highlight:yellow">, or the Anonymous
Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection</span>.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">NtOwfPassword: An RPC_SHORT_BLOB structure where Length and MaximumLength MUST be 16, and the Buffer MUST be formatted with an ENCRYPTED_NT_OWF_PASSWORD structure with the cleartext
value being an NT hash, and the encryption key being the 16-byte SMB [MS-SMB] session key established by the underlying authentication protocol (either Kerberos [MS-KILE] or NTLM [MS-NLMP])
<span style="background:yellow;mso-highlight:yellow">, or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection</span>.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2.2.7.23 SAMPR_USER_INTERNAL1_INFORMATION<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">EncryptedNtOwfPassword: An NT hash encrypted with the 16-byte SMB [MS-SMB] session key for the connection established by the underlying authentication protocol (either Kerberos [MS-KILE]
or NTLM [MS-NLMP<span style="background:yellow;mso-highlight:yellow">]) , or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection</span>.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">EncryptedLmOwfPassword: An LM hash encrypted with the 16-byte SMB [MS-SMB] session key for the connection established by the underlying authentication protocol (either Kerberos [MS-KILE]
or NTLM [MS-NLMP])<span style="background:yellow;mso-highlight:yellow">, or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection</span>.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2.2.7.26 SAMPR_USER_INTERNAL5_INFORMATION<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">UserPassword: A cleartext password, encrypted according to the specification for SAMPR_ENCRYPTED_USER_PASSWORD, with the encryption key being the 16-byte SMB [MS-SMB] session key established
by the underlying authentication protocol (either Kerberos [MS-KILE] or NTLM [MS-NLMP])
<span style="background:yellow;mso-highlight:yellow">, or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection</span>.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2.2.7.27 SAMPR_USER_INTERNAL5_INFORMATION_NEW<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">UserPassword: A password, encrypted according to the specification for SAMPR_ENCRYPTED_USER_PASSWORD_NEW, with the encryption key being the 16-byte SMB [MS-SMB] session key established
by the underlying authentication protocol (either Kerberos [MS-KILE] or NTLM [MS-NLMP])
<span style="background:yellow;mso-highlight:yellow">, or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection</span>.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">3.1.5.6.4.4 UserInternal4Information<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">3. If the USER_ALL_NTPASSWORDPRESENT or USER_ALL_LMPASSWORDPRESENT flag is present in the WhichFields field, the server MUST update the clearTextPassword attribute with the
(decrypted) value of SAMPR_USER_INTERNAL4_INFORMATION.UserPassword, using the decryption key of the 16-byte SMB [MS-SMB] session key established by the underlying authentication protocol (Kerberos or NTLM)
<span style="background:yellow;mso-highlight:yellow">, or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection</span>.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">3.2.2.2 MD5 Usage<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">- user-session-key is a 16-byte value obtained from the 16-byte SMB [MS-SMB] session key established by the underlying authentication protocol (either Kerberos [MS-KILE]
or NTLM [MS-NLMP]) <span style="background:yellow;mso-highlight:yellow">, or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) if using an anonymous connection</span>.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">5 Security<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">5.1 Security Considerations for Implementers<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Sensitive information, such as the cleartext password for accounts, is communicated through this protocol; therefore, implementers must pay special attention to the secrecy of this data.
Although this protocol does not use transport-level encryption (with the exception of SamrValidatePassword), it does rely on the key strength of the SMB transport for encrypting cleartext data.
<span style="background:yellow;mso-highlight:yellow">Clients should avoid using the Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) to encrypt sensitive data since this does not protect the data.</span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="color:#1F497D">[MS-WKST]<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2.2.5.18.3 Encryption and Decryption<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">- user-session-key is a 16-byte value obtained from the 16-byte SMB session key established by the underlying authentication protocol (either Kerberos [MS-KILE] or NTLM
[MS-NLMP])<span style="background:yellow;mso-highlight:yellow">, or the Anonymous Session Key (see section 2.3.14 of [MS-DTYP])</span> if using an anonymous connection, as specified in [MS-SMB] Per SMB Session (section 3.2.1.3).<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Added:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">5 Security<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">5.1 Security Considerations for Implementers<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">[…]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D;background:yellow;mso-highlight:yellow">This protocol relies on the key strength of the SMB transport for encrypting passwords (see section 2.2.5.18.3). Clients should avoid using the
Anonymous Session Key (see section 2.3.14 of [MS-DTYP]) to encrypt sensitive data since this does not protect the data.</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Bryan Burgin <br>
Sent: Wednesday, January 04, 2012 2:38 PM<br>
To: Andrew Bartlett (abartlet@samba.org)<br>
Cc: 'cifs-protocol@cifs.org'; MSSolve Case Email<br>
Subject: RE: [REG:111101553031054] [cifs-protocol] SystemLibraryDTC</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">[Hongwei to bcc]<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Andrew,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I'm filling in for Hongwei on this issue. I am engaged with several document groups here to sort this issue out. Presently I'm working with Neil Martin, who you know, and the current thinking is that this might be addressed in an update
to [MS-DTYP]. I'll let you know the outcome or ping you if we need any further information.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Going forward, I'll be your primary contact for this issue.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Bryan<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">From: Bryan Burgin<o:p></o:p></p>
<p class="MsoPlainText">Sent: Wednesday, January 04, 2012 2:18 PM<o:p></o:p></p>
<p class="MsoPlainText">To: "Hongwei Sun" <<a href="mailto:hongweis@microsoft.com"><span style="color:windowtext;text-decoration:none">hongweis@microsoft.com</span></a>><o:p></o:p></p>
<p class="MsoPlainText">Cc: "<a href="mailto:cifs-protocol@cifs.org"><span style="color:windowtext;text-decoration:none">cifs-protocol@cifs.org</span></a>" <<a href="mailto:cifs-protocol@cifs.org"><span style="color:windowtext;text-decoration:none">cifs-protocol@cifs.org</span></a>>;
"MSSolve Case Email" <<a href="mailto:casemail@microsoft.com"><span style="color:windowtext;text-decoration:none">casemail@microsoft.com</span></a>><o:p></o:p></p>
<p class="MsoPlainText">Subject: [REG:111101553031054] [cifs-protocol] SystemLibraryDTC<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On Tue, 2011-11-15 at 03:56 +0000, Hongwei Sun wrote: <o:p>
</o:p></p>
<p class="MsoPlainText">> Andrew,<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> After reviewing code, we confirmed that this fixed session key are
<o:p></o:p></p>
<p class="MsoPlainText">> used by some SAMR/LSAD RPC functions. We are working on updating all
<o:p></o:p></p>
<p class="MsoPlainText">> the related documents. When they are available , I will let you know.<o:p></o:p></p>
<p class="MsoPlainText">Thanks! <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Now would also be a good time to work out a way to remove them :-). I would be very happy to work with your developers on a secure way we can indicate to a server that these keys should not be used, or that they should only be available
over encrypted transports. <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Andrew Bartlett <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">--<o:p></o:p></p>
<p class="MsoPlainText">Andrew Bartlett<o:p></o:p></p>
<p class="MsoPlainText"><a href="http://samba.org/~abartlet/"><span style="color:windowtext;text-decoration:none">http://samba.org/~abartlet/</span></a>
<o:p></o:p></p>
<p class="MsoPlainText">Authentication Developer, Samba Team <a href="http://samba.org">
<span style="color:windowtext;text-decoration:none">http://samba.org</span></a> <o:p>
</o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
</body>
</html>