[cifs-protocol] [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute - TrackingID#2311210040001007
Joseph Sutton
jsutton at samba.org
Mon Dec 18 07:08:24 UTC 2023
Thank you. So, if I understand correctly, the msDS-ManagedPasswordId
attribute comprises this SID_KEY_ID_HEADER, a DWORD parameter containing
the length (?) of an ephemeral public key or a random number, and
finally the DNS names of the domain and forest, preceded by their
respective lengths?
Regards,
Joseph
On 16/12/23 7:58 am, Sreekanth Nadendla wrote:
> Hello Joseph, Section 3.1.4.1 GetKey (Opnum 0) from MS-GKDI specifies
>
> HRESULT GetKey( [in] handle_t hBinding, [in] ULONG cbTargetSD, [in]
> [size_is(cbTargetSD)] [ref] char* pbTargetSD, [in] [unique] GUID*
> pRootKeyID, [in] LONG L0KeyID, [in] LONG L1KeyID, [in] LONG L2KeyID,
> [out] unsigned long* pcbOut, [out] [size_is(, *pcbOut)] byte** ppbOut);
>
> Call this function and use ppbOut to access SID_KEY_HEADER which has the
> algorithm info (see below)
>
> struct _SID_KEY_HEADER
> {
> SID_KEY_ID_HEADER sidKeyID;
> DWORD cbKDFAlgorithmName; //length of the KDF
> algorithm name.
> DWORD cbKDFParameters; //length of the KDF
> parameters.
> DWORD cbSecAgrAlgorithmName; //length of secret
> agreement algorithm name
> DWORD cbSecAgrAlgorithmParam;//length of the secret
> agreement algorithm param
> DWORD cbPrivateKeyLen; //length of the secret
> agreement private key
> DWORD cbPublicKeyLen; //length of the secret
> agreement public key
> DWORD cbL1KeyLen; //Length of L1 key
> DWORD cbL2KeyLen; //Length of L2 Key (public
> key blob or private key material)
> DWORD cbSourceDomainName; //length of domain DNS name
> DWORD cbSourceForestName; //length of forest DNS name
> // KDF algorithm Name
> // KDF parameters
> // Secret agreement algorithm name
> // Secret agreement parameters
> // DNS name of the domain which generated the key
> // DNS name of the forest
> // SID L1 key data
> // SID L2 key data
> } SID_KEY_HEADER;
>
>
> The 'unknown' field you've mentioned is the Ephemeral public key or
> random number used in derive symmetric key.
>
> Most importantly, there is an errata published for MS-GKDI. It can be
> found here
> <https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-GKDI/%5bMS-GKDI%5d-210625-errata.pdf>
>
> "dwFlags (4 bytes): A 32-bit unsigned integer. Bit 31 (LSB) MUST be set
> to 1 when this structure is being used to transport a public key, and
> otherwise set to 0. Bit 30, when set to 1, indicates that this key can
> be used for encrypting new data. This field is encoded using
> little-endian format."
>
> This explains why you are seeing value 2 for dwFlags i.e. flags (as it
> was defined previously in the older version of the specification). We
> will work with our documentation team to get these updated in the
> specification. Just wanted to share these with you to unblock your
> development asap. Plus, you may still notice other ambiguous portions
> and let us know. Let us know your thoughts.
>
>
> Regards,
>
> Sreekanth Nadendla
>
> Microsoft Windows Open Specifications
>
> ------------------------------------------------------------------------
> *From:* Joseph Sutton <jsutton at samba.org>
> *Sent:* Monday, December 11, 2023 11:40 PM
> *To:* Sreekanth Nadendla <srenaden at microsoft.com>
> *Cc:* cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
> *Subject:* Re: [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId
> attribute - TrackingID#2311210040001007
> [You don't often get email from jsutton at samba.org. Learn why this is
> important at https://aka.ms/LearnAboutSenderIdentification
> <https://aka.ms/LearnAboutSenderIdentification> ]
>
> Hi,
>
> Here’s what I see in the msDS-ManagedPasswordId attribute of a Group
> Managed Service Account created on Windows:
>
> version : 0x00000001 (1)
> magic : 0x4b53444b (1263748171)
> flags : 0x00000002 (2)
> 0: ENVELOPE_FLAG_TRANSPORTING_PUBLIC_KEY
> 1: ENVELOPE_FLAG_KEY_MAY_ENCRYPT_NEW_DATA
> l0_index : 0x0000016a (362)
> l1_index : 0x00000001 (1)
> l2_index : 0x0000000e (14)
> root_key_id : 9d922231-af27-b73b-1056-aeb18eeca71a
> unknown : 0x00000000 (0)
> domain_name_len : 0x00000018 (24)
> forest_name_len : 0x00000018 (24)
> domain_name : 'example.com'
> forest_name : 'example.com'
>
> This data is structured similarly to Group Key Envelope, which is
> described here:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-gkdi%2F192c061c-e740-4aa0-ab1d-6954fb3e58f7&data=05%7C02%7Csrenaden%40microsoft.com%7C9462dc0f331646a88de508dbfacc75cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638379528294828193%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=aoIS%2B0N5mL52uY6DjYIFM0a6lkaMsWniSRSPaUmOcRk%3D&reserved=0 <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/192c061c-e740-4aa0-ab1d-6954fb3e58f7>
>
> However, the two structures evidently are not the same. Some of the
> fields present in Group Key Envelope are missing from
> msDS-ManagedPasswordId (notably the ones relating to algorithms and
> keys). And immediately following the root key identifier in
> msDS-ManagedPasswordId is a 32‐bit field the purpose of which I have not
> been able to determine.
>
> Regards,
> Joseph
>
> On 9/12/23 9:40 am, Sreekanth Nadendla wrote:
>>
>> Hello Joseph, the attribute msDS-ManagedPasswordId is expected to
>> contain two fields 'Size' and 'Data'. Representing a byte array along
>> with its size. The Size member indicates the length of the byte array,
>> and the Data member is a pointer to the actual array of bytes.
>>
>> Data field holds the pointer to GmsaKeyId buffer while Size is set to
>> total number of bytes of the GmsaKeyId buffer.
>>
>> Are you saying that the contents inside the Data field don't appear to
>> be GmsaKey related ?
>>
>> Regards,
>>
>> Sreekanth Nadendla
>>
>> Microsoft Windows Open Specifications
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Joseph Sutton <jsutton at samba.org>
>> *Sent:* Monday, November 20, 2023 7:05 PM
>> *To:* cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>;
>> Interoperability Documentation Help <dochelp at microsoft.com>
>> *Subject:* [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId
>> attribute
>> Hi dochelp,
>>
>> [MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”, makes reference to the
>> attribute ‘msDS-ManagedPasswordId’, which (it states) contains a key ID
>> that is involved in the computation of the managed password. I’m trying
>> to work out the format of this attribute.
>>
>> A couple of times that document mentions that the key ID identifies a
>> Group Key Envelope data structure, defined in section 2.2.4 of
>> [MS-GKDI]. Now I have obtained some samples of ‘msDS-ManagedPasswordId’
>> attributes from Group Managed Service Accounts created by Windows. While
>> these samples appear to be superficially similar to Group Key Envelope
>> format, they have a few notable differences: the fields from
>> ‘cbKDFAlgorithm’ to ‘cbL2Key’ are missing, replaced by a single 32‐bit
>> field containing I don’t know what; and the fields from ‘KDF Algorithm’
>> to ‘Secret Agreement Parameters’, and both ‘L1 Key’ and ‘L2 Key’, are
>> similarly missing.
>>
>> Also mysterious is the field ‘isPublicKey’, which according to [MS-GKDI]
>> must contain either 0 or 1, but in my samples has the value 2 !
>>
>> Can you provide me with some details on the format of the
>> ‘msDS-ManagedPasswordId’ attribute, and on how it resembles or differs
>> from the Group Key Envelope structure?
>>
>> Regards,
>> Joseph
More information about the cifs-protocol
mailing list