[cifs-protocol] RE: 600634 - RE: salt used for various principal types

Richard Guthrie rguthrie at microsoft.com
Tue Aug 26 15:37:35 GMT 2008


Andrew

Microsoft does use different methods of calculating the salt value used in encryption depending on the type of account that is submitted to the salt calculation implementation.  For example, in the case of interdomain trust accounts, "krbtgt" is appended.  In the case of machine accounts, "host" is appended to the start of the salt value.

Implementers are free to implement a salt algorithm of their choice, without affecting interoperability.  In the case of the implementation acting as a KDC, the KDC that changes a password also stores that salt value in Active Directory in the supplementalCredentials field.  In the case of a client using a salt value the KDC does not know how to interpret, the KDC will tell the client which salt value to use.

We also have a related issue we are working on together, where we have documented what the salt value structure stored in AD looks like as part of the work we are currently doing on the supplementalCredentials structure.  This value is stored as a UNICODE_STRING as per the documentation on KERB_STORED_CREDENTIAL (section 2.2.10.4 Primary:Kerberos - KERB_STORED_CREDENTIAL) and KERB_STORED_CREDENTIAL_NEW (Section 2.2.10.6 Primary:Kerberos-Newer-Keys - KERB_STORED_CREDENTIAL_NEW).

Please let us know if you have further questions.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
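The reply above says only that "host" and "krbtgt" are worked into the salt for machine and trust accounts. The following is an added example written for this page, not code from Microsoft, Samba or the thread. It builds the per-account-kind salt and runs it through the RFC 3962 AES string-to-key so the effect on the derived key is visible. Assumptions: the exact salt layouts (user: REALM + sAMAccountName; computer: REALM + "host" + lowercase host name + "." + lowercase realm; trust: REALM + "krbtgt" + uppercase trusted realm) are the editor's reading of the later-published MS-KILE section 3.1.1.2 and of Samba's behaviour, not something this thread states; the realm, account names and password are constructed; the 128-bit n-fold of "kerberos" is the RFC 3961 Appendix A.1 value; the PBKDF2 routine is hand-rolled here rather than taken from a library.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// AccountKind mirrors the three cases the reply distinguishes.
type AccountKind int

const (
	UserAccount AccountKind = iota
	ComputerAccount
	TrustAccount
)

// ADSalt builds the default Kerberos salt for an AD account. The per-kind
// layouts are an assumption (editor's reading of MS-KILE 3.1.1.2), not text
// from this thread:
//   user:     REALM + sAMAccountName (case preserved)
//   computer: REALM + "host" + lower(name without trailing '$') + "." + lower(REALM)
//   trust:    REALM + "krbtgt" + upper(trusted realm)
// trustedRealm is only consulted for TrustAccount.
func ADSalt(kind AccountKind, realm, samAccountName, trustedRealm string) string {
	realm = strings.ToUpper(realm)
	switch kind {
	case ComputerAccount:
		name := strings.ToLower(strings.TrimSuffix(samAccountName, "$"))
		return realm + "host" + name + "." + strings.ToLower(realm)
	case TrustAccount:
		return realm + "krbtgt" + strings.ToUpper(trustedRealm)
	default:
		return realm + samAccountName
	}
}

// pbkdf2SHA1 is a minimal RFC 2898 PBKDF2 with HMAC-SHA1, the PRF RFC 3962 uses.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	out := make([]byte, 0, keyLen+sha1.Size)
	idx := make([]byte, 4)
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, block)
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write(idx)
		u := mac.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfold128Kerberos is the 128-bit n-fold of "kerberos" (RFC 3961 Appendix A.1).
var nfold128Kerberos = []byte{0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93}

// AESStringToKey implements RFC 3962 string-to-key for aes128-cts-hmac-sha1-96
// (keyLen 16) and aes256-cts-hmac-sha1-96 (keyLen 32): tkey = PBKDF2(pw, salt),
// key = DK(tkey, "kerberos"). With a one-block input, CBC-CTS under a zero IV is
// plain ECB, so DK is K1 = E(tkey, nfold), K2 = E(tkey, K1), key = K1 || K2.
func AESStringToKey(password, salt string, iterations, keyLen int) ([]byte, error) {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen)
	block, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 0, keyLen)
	prev := nfold128Kerberos
	for len(key) < keyLen {
		next := make([]byte, aes.BlockSize)
		block.Encrypt(next, prev)
		key = append(key, next...)
		prev = next
	}
	return key[:keyLen], nil
}

func main() {
	// Constructed sample: one password, three account kinds, three different keys.
	const pw = "Passw0rd!"
	cases := []struct {
		kind AccountKind
		name string
	}{{UserAccount, "alice"}, {ComputerAccount, "WS01$"}, {TrustAccount, "OTHER$"}}
	for _, c := range cases {
		salt := ADSalt(c.kind, "example.com", c.name, "other.realm")
		key, _ := AESStringToKey(pw, salt, 4096, 32)
		fmt.Printf("%-34s %s\n", salt, hex.EncodeToString(key))
	}
}
```

As the reply points out, a client need not reproduce these rules at all: when the KDC holds a salt it computed itself, it hands the client the salt to use during pre-authentication, and a client that honours the KDC-supplied value interoperates regardless of how the KDC chose it. Computing the salt locally matters mainly for a KDC implementation deciding what to store, or for tooling that must match keys an AD KDC already issued.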

-----Original Message-----
From: Richard Guthrie
Sent: Tuesday, August 05, 2008 11:27 AM
To: 'Andrew Bartlett'
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: 600634 - RE: salt used for various principal types

Andrew,

I will be working with you to resolve this issue.  I will conduct my research and get back with you shortly.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, August 04, 2008 9:19 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: salt used for various principal types

I can't find any reference in either MS-ADTS or MS-KILE regarding the salt used for the different types of principals in the Kerberos protocol.  (A salt is used as a confounder in string2key operations in Kerberos.)

I know there are different salt calculations for users and computers, and presumably again for interdomain trust accounts. See:
http://lists.samba.org/archive/samba-technical/2004-November/037976.html

In particular, as I am working on interdomain trusts, and so in addition to the information at that URL, I need to know if there is a different salt used on the domain$ principal as compared to the krbtgt/my.realm@other.realm principal?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
