[cifs-protocol] [REG: 111083054067588] RE: Handling of passwords in LSA CreateTrustedDomainInfoEx2

Hongwei Sun hongweis at microsoft.com
Wed Aug 31 14:37:00 MDT 2011


Hi, Andrew,

>Is the element stored 'as sent', or is it processed to add a version field?  

ANS:    After code review, I confirmed that AuthenticationInformation is decrypted into LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (as specified in 2.2.7.11), then is just copied straightforwardly into the TrustAuthIncoming and TrustAuthOutgoing properties as specified 7.1.6.9.1 MS-ADTS.   As you know, the   LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION is a structure and TrustAuthIncoming and TrustAuthOutgoing properties are String(Octet),  there are certainly some calculation for offsets required as per the layout of the properties,  but there is no new field added when marshaling the structure to the octet string saved in the properties.   

>Can the client send the previousAuthentication details, or is that maintained by the server?

ANS:  Yes, the client can send the  previousAuthentication for both incoming and outgoing AuthticationInformation through LsarCreateTrustedDomainEx2.  If it is send, the server will save it to the  previousAuthenticationInformation part of the property (7.1.6.9.1 MS-ADTS).  If it is not send,  the previousAuthenticationInformation in the property will be the same as current AuthenticationInformation since this is a new TDO created and there is no previous information available.


>In LsarSetInformationTrustedDomain
>http://msdn.microsoft.com/en-us/library/cc234385%28v=PROT.13%29.aspx
>Does the client or the server maintain the previous password and version information in the blob in the "trustAuthIncoming"?

ANS:   The server will be responsible for updating the previous authentication information in  "TrustAuthIncoming" property.  When server receives this call, it will first query the information about the trusted domain object (TDO) identified by the TrustedDomainHandle passed into LsarSetInformationTrustedDomain.  Then the server will  save the returned trusted domain information as previousAuthentication and  the passed authenticationInformation as new AuthticationInformation in TrustAuthIncoming property. 

  Please let me know if you have more questions.

  Thanks!

Hongwei

  
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 30, 2011 7:54 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at cifs.org
Subject: Handling of passwords in LSA CreateTrustedDomainInfoEx2

In CreateTrustedDomainInfoEx2

http://msdn.microsoft.com/en-us/library/cc234380%28v=PROT.13%29.aspx

I'm wondering if I could get an expansion on:

AuthenticationInformation: A structure containing authentication information for the trusted domain. The server first MUST decrypt this data structure using an algorithm (as specified in section 5.1.1) with the key being the session key negotiated by the transport. The server then MUST unmarshal the data inside this structure and then store it into a structure whose format is specified in section 2.2.7.11. This structure MUST then be stored on Trust Incoming and Outgoing Password properties.

In particular, what elements become assigned to "trustAuthIncoming" and "trustAuthOutgoing"

Is the element stored 'as sent', or is it processed to add a version field?  

Can the client send the previousAuthentication details, or is that maintained by the server?

In LsarSetInformationTrustedDomain
http://msdn.microsoft.com/en-us/library/cc234385%28v=PROT.13%29.aspx

Does the client or the server maintain the previous password and version information in the blob in the "trustAuthIncoming"?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




More information about the cifs-protocol mailing list