[cifs-protocol] Response: SRX080909600334: [MS-APDS] Backing store
and policy application information
billwe at microsoft.com
Thu Sep 25 09:14:43 GMT 2008
Good morning Andrew. I have completed my preliminary investigation concerning your questions about password policy, validation and concrete backing store for user and trust account attributes.
The information is presented in detail in the attached document (PasswordPolicyAndValidation.pdf, summary below).
What would you like the document to read as?
I have listed several suppositions where I think references may be helpful.
The following document sections should have cross references to:
[MS-SAMR] 5.2 Index of Security Parameters
a. [MS-ADTS] 18.104.22.168.1.5 Password Modify Operations
b. [MS-APDS] 22.214.171.124 NTLM Interactive Logon
c. [MS-NRPC] 3.1.1 Abstract Data Model (SharedSecret:)
1. The document contains a detailed table of the member derivations for the
NETLOGON_VALIDATION_SAM_INFO4 structure shown in [MS-NRPC] 126.96.36.199.13.
2. The document also contains a table that combines information concerning
password policy checks, derived from the list below. The table includes
additional document cross references ([MS-SAMR], [MS-KILE], etc.).
188.8.131.52 UF_FLAG Codes
184.108.40.206.2 userAccountControl Mapping Table
3. The document also provides references to information concerning password
validation attributes, as discussed in various sections in [MS-ADTS],
[MS-NRPC] and [MS-SAMR]. The best description of vailidation with respect
to the dbcsPwd and unicodePwd are in the following references:
220.127.116.11.1 SamrChangePasswordUser (Opnum 38)
I have previously asked for information to be added to MS-NRPC to detail the
currently abstract backing store for user and trust accounts.
However, it happens that the normal SamLogon processing is mostly described
What I'm looking for is a specific description of what attributes (unicodePwd,
dbcsPwd) are used for validating the password, what attributes (pwdLastSet,
userAccountControl etc) are used (and how they are used) to check policy and
then what attributes are used to construct the NETLOGON_VALIDATION_SAM_INFO4.
I need this because I must construct the same reply as a Microsoft DC that I
might share a domain using DRS replication with.
The current text in [MS-APDS] 18.104.22.168 is:
The domain controller MUST compare the local copy of the password to the
one sent in the request.
If there is a successful match, the domain controller MUST return data
with ValidationInformation containing either a reference to
NETLOGON_VALIDATION_SAM_INFO4 ([MS-NRPC] section 22.214.171.124.1), if the
ValidationLevel in the request is NetlogonValidationSamInfo4 or a
reference to NETLOGON_VALIDATION_SAM_INFO2 ([MS-NRPC] section 126.96.36.199.1),
if the ValidationLevel in the request is NetlogonValidationSamInfo2).
If there is not a match, the DC MUST return the failure error code
STATUS_WRONG_PASSWORD (section 2.2) with no response data.<15>
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the cifs-protocol