[cifs-protocol] [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute - TrackingID#2311210040001007
Joseph Sutton
jsutton at samba.org
Tue Dec 12 04:40:18 UTC 2023
Hi,
Here’s what I see in the msDS-ManagedPasswordId attribute of a Group
Managed Service Account created on Windows:
version : 0x00000001 (1)
magic : 0x4b53444b (1263748171)
flags : 0x00000002 (2)
0: ENVELOPE_FLAG_TRANSPORTING_PUBLIC_KEY
1: ENVELOPE_FLAG_KEY_MAY_ENCRYPT_NEW_DATA
l0_index : 0x0000016a (362)
l1_index : 0x00000001 (1)
l2_index : 0x0000000e (14)
root_key_id : 9d922231-af27-b73b-1056-aeb18eeca71a
unknown : 0x00000000 (0)
domain_name_len : 0x00000018 (24)
forest_name_len : 0x00000018 (24)
domain_name : 'example.com'
forest_name : 'example.com'
This data is structured similarly to Group Key Envelope, which is
described here:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/192c061c-e740-4aa0-ab1d-6954fb3e58f7
However, the two structures evidently are not the same. Some of the
fields present in Group Key Envelope are missing from
msDS-ManagedPasswordId (notably the ones relating to algorithms and
keys). And immediately following the root key identifier in
msDS-ManagedPasswordId is a 32‐bit field the purpose of which I have not
been able to determine.
Regards,
Joseph
On 9/12/23 9:40 am, Sreekanth Nadendla wrote:
>
> Hello Joseph, the attribute msDS-ManagedPasswordId is expected to
> contain two fields 'Size' and 'Data'. Representing a byte array along
> with its size. The Size member indicates the length of the byte array,
> and the Data member is a pointer to the actual array of bytes.
>
> Data field holds the pointer to GmsaKeyId buffer while Size is set to
> total number of bytes of the GmsaKeyId buffer.
>
> Are you saying that the contents inside the Data field don't appear to
> be GmsaKey related ?
>
> Regards,
>
> Sreekanth Nadendla
>
> Microsoft Windows Open Specifications
>
>
> ------------------------------------------------------------------------
> *From:* Joseph Sutton <jsutton at samba.org>
> *Sent:* Monday, November 20, 2023 7:05 PM
> *To:* cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>;
> Interoperability Documentation Help <dochelp at microsoft.com>
> *Subject:* [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId
> attribute
> Hi dochelp,
>
> [MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”, makes reference to the
> attribute ‘msDS-ManagedPasswordId’, which (it states) contains a key ID
> that is involved in the computation of the managed password. I’m trying
> to work out the format of this attribute.
>
> A couple of times that document mentions that the key ID identifies a
> Group Key Envelope data structure, defined in section 2.2.4 of
> [MS-GKDI]. Now I have obtained some samples of ‘msDS-ManagedPasswordId’
> attributes from Group Managed Service Accounts created by Windows. While
> these samples appear to be superficially similar to Group Key Envelope
> format, they have a few notable differences: the fields from
> ‘cbKDFAlgorithm’ to ‘cbL2Key’ are missing, replaced by a single 32‐bit
> field containing I don’t know what; and the fields from ‘KDF Algorithm’
> to ‘Secret Agreement Parameters’, and both ‘L1 Key’ and ‘L2 Key’, are
> similarly missing.
>
> Also mysterious is the field ‘isPublicKey’, which according to [MS-GKDI]
> must contain either 0 or 1, but in my samples has the value 2 !
>
> Can you provide me with some details on the format of the
> ‘msDS-ManagedPasswordId’ attribute, and on how it resembles or differs
> from the Group Key Envelope structure?
>
> Regards,
> Joseph
More information about the cifs-protocol
mailing list