[cifs-protocol] [REG:110011157366122] Initial Response
hongweis at microsoft.com
Mon Jan 11 10:13:47 MST 2010
Thanks for your question. We will investigate it and let you know if we need any additional clarification.
Email: hongweis at microsoft.com
Phone: +1 (469) 7757027
Time zone: (UTC-06:00) Central Time (US and Canada)
From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net]
Sent: Monday, January 11, 2010 6:54 AM
To: Interoperability Documentation Help; cifs-protocol at samba.org; pfif at tridgell.net
Subject: DPAPI interaction with Active Directory
In this page http://msdn.microsoft.com/en-us/library/ms995355.aspx it is
"When a computer is a member of a domain, DPAPI has a backup mechanism
to allow unprotection of the data. When a MasterKey is generated, DPAPI
talks to a Domain Controller. Domain Controllers have a domain-wide
public/private key pair, associated solely with DPAPI. The local DPAPI
client gets the Domain Controller public key from a Domain Controller
via a mutually authenticated and privacy protected RPC call. The client
encrypts the MasterKey with the Domain Controller public key. It then
stores this backup MasterKey along with the MasterKey protected by the
While unprotecting data, if DPAPI cannot use the MasterKey protected by
the user's password, it sends the backup MasterKey to a Domain
Controller via a mutually authenticated and privacy protected RPC call.
The Domain Controller then decrypts the MasterKey with its private key
and sends it back to the client via the same protected RPC call. This
protected RPC call is used to ensure that no one listening on the
network can get the MasterKey."
My question is: is there any kind of more technical documentation about
this, explaining the dialogs between a workstation and a DC when the
masterkey is generated and when the backup is sent to the server?
Microsoft is committed to protecting your privacy. Please read the Microsoft Privacy Statement<http://privacy.microsoft.com/en-us/default.mspx> for more information.
The above is an email for a support case from Microsoft Corp.
REPLY ALL TO THIS MESSAGE or INCLUDE casemail at microsoft.com<mailto:casemail at microsoft.com>
IN YOUR REPLY if you want your response added to the case automatically.
For technical assistance, please include the Support Engineer on the TO: line.
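The MSDN text quoted in the question describes an escrow design: the MasterKey is stored twice, once protected by material derived from the user's password and once encrypted to the domain controller's public key, and the DC path is only used when the password path fails. The following is an added illustration of that structure, written for this archive page; it is not DPAPI's real file format, cipher suite or RPC, and it is not code from Microsoft or from the Samba project. It assumes a toy textbook-RSA key pair built from two fixed Mersenne primes standing in for the DC's domain-wide key, PBKDF2 plus an HMAC-SHA256 keystream standing in for the password-derived protection, and a `dc_decrypt_backup` function standing in for the mutually authenticated RPC to the DC.

```python
"""Toy model of the DPAPI MasterKey backup (escrow) flow described on the
MSDN page quoted in the thread. Hypothetical simplification for illustration:
not DPAPI's on-disk format, ciphers or RPC interface."""
import hashlib
import hmac
import os

# --- Domain Controller side: domain-wide backup key pair (toy textbook RSA) ---
# Assumption: fixed Mersenne primes so the example is deterministic and offline.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
DC_PUBLIC_KEY = (_N, _E)          # what the client fetches over the protected RPC
MASTERKEY_LEN = 16                # toy size; keeps the integer below _N


def dc_decrypt_backup(backup_blob: bytes) -> bytes:
    """DC side of the recovery call: only the DC's private key can unwrap the
    backup copy of the MasterKey (toy RSA, no padding)."""
    m = pow(int.from_bytes(backup_blob, "big"), _D, _N)
    return m.to_bytes(MASTERKEY_LEN, "big")


# --- Client side ---
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def password_protect(master_key: bytes, password: str, salt: bytes):
    """MasterKey protected by the user's password; tag lets a wrong password
    be detected instead of silently yielding garbage."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    ct = _keystream_xor(key, salt, master_key)
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct, tag


def password_unprotect(ct: bytes, tag: bytes, password: str, salt: bytes) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("MasterKey cannot be unprotected with this password")
    return _keystream_xor(key, salt, ct)


def backup_protect(master_key: bytes, dc_public_key) -> bytes:
    """Backup copy: MasterKey encrypted with the DC public key (toy RSA)."""
    n, e = dc_public_key
    m = int.from_bytes(master_key, "big")
    assert m < n
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def generate_masterkey_record(password: str, dc_public_key):
    """Client generates a MasterKey and stores both protected forms together."""
    master_key = os.urandom(MASTERKEY_LEN)
    salt = os.urandom(16)
    ct, tag = password_protect(master_key, password, salt)
    record = {
        "salt": salt,
        "by_password": ct,
        "pw_tag": tag,
        "by_dc_backup": backup_protect(master_key, dc_public_key),
    }
    return record, master_key


def recover_masterkey(record, password=None, dc_unwrap=None) -> bytes:
    """Try the password path first; if that fails (or no password is
    available), fall back to sending the backup copy to the DC."""
    if password is not None:
        try:
            return password_unprotect(record["by_password"], record["pw_tag"],
                                      password, record["salt"])
        except ValueError:
            if dc_unwrap is None:
                raise
    if dc_unwrap is None:
        raise ValueError("no usable recovery path")
    return dc_unwrap(record["by_dc_backup"])


if __name__ == "__main__":
    rec, mk = generate_masterkey_record("correct horse", DC_PUBLIC_KEY)
    assert recover_masterkey(rec, password="correct horse") == mk
    assert recover_masterkey(rec, password="wrong", dc_unwrap=dc_decrypt_backup) == mk
```

The security point the model makes visible is that the backup copy is useless to anyone holding the record alone: recovering it requires the DC's private key, which is why the MSDN text insists the round trip to the DC be mutually authenticated and privacy protected, since the decrypted MasterKey travels back over that channel.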