[cifs-protocol] [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute - TrackingID#2311210040001007

Jeff McCashland (He/him) jeffm at microsoft.com
Tue Nov 21 03:10:16 UTC 2023

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Joseph,

Thank you for your question. We have created SR 2311210040001007 to address this issue. 

Please note the errata for [MS-GKDI] that redefines isPublicKey:

One of our engineers will respond soon. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org> 
Sent: Monday, November 20, 2023 4:05 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute

Hi dochelp,

[MS-ADTS], “msDS-ManagedPassword”, makes reference to the attribute ‘msDS-ManagedPasswordId’, which (it states) contains a key ID that is involved in the computation of the managed password. I’m trying to work out the format of this attribute.

A couple of times that document mentions that the key ID identifies a Group Key Envelope data structure, defined in section 2.2.4 of [MS-GKDI]. Now I have obtained some samples of ‘msDS-ManagedPasswordId’ 
attributes from Group Managed Service Accounts created by Windows. While these samples appear to be superficially similar to Group Key Envelope format, they have a few notable differences: the fields from ‘cbKDFAlgorithm’ to ‘cbL2Key’ are missing, replaced by a single 32‐bit field containing I don’t know what; and the fields from ‘KDF Algorithm’ 
to ‘Secret Agreement Parameters’, and both ‘L1 Key’ and ‘L2 Key’, are similarly missing.

Also mysterious is the field ‘isPublicKey’, which according to [MS-GKDI] must contain either 0 or 1, but in my samples has the value 2 !

Can you provide me with some details on the format of the ‘msDS-ManagedPasswordId’ attribute, and on how it resembles or differs from the Group Key Envelope structure?


More information about the cifs-protocol mailing list