[cifs-protocol] [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute - TrackingID#2311210040001007
Jeff McCashland (He/him)
jeffm at microsoft.com
Tue Nov 21 03:10:16 UTC 2023
[DocHelp to BCC, support on CC, SR ID on Subject]
Hi Joseph,
Thank you for your question. We have created SR 2311210040001007 to address this issue.
Please note the errata for [MS-GKDI] that redefines isPublicKey:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/02262788-19d0-4859-9a9a-2f46be167703
One of our engineers will respond soon.
Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
-----Original Message-----
From: Joseph Sutton <jsutton at samba.org>
Sent: Monday, November 20, 2023 4:05 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute
Hi dochelp,
[MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”, makes reference to the attribute ‘msDS-ManagedPasswordId’, which (it states) contains a key ID that is involved in the computation of the managed password. I’m trying to work out the format of this attribute.

A couple of times that document mentions that the key ID identifies a Group Key Envelope data structure, defined in section 2.2.4 of [MS-GKDI]. Now I have obtained some samples of ‘msDS-ManagedPasswordId’ attributes from Group Managed Service Accounts created by Windows. While these samples appear to be superficially similar to Group Key Envelope format, they have a few notable differences: the fields from ‘cbKDFAlgorithm’ to ‘cbL2Key’ are missing, replaced by a single 32-bit field containing I don’t know what; and the fields from ‘KDF Algorithm’ to ‘Secret Agreement Parameters’, and both ‘L1 Key’ and ‘L2 Key’, are similarly missing.

Also mysterious is the field ‘isPublicKey’, which according to [MS-GKDI] must contain either 0 or 1, but in my samples has the value 2!

Can you provide me with some details on the format of the ‘msDS-ManagedPasswordId’ attribute, and on how it resembles or differs from the Group Key Envelope structure?
Regards,
Joseph
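The structure Joseph is comparing his samples against is the Group Key Envelope of [MS-GKDI] section 2.2.4. The following is an added example, not code from this thread, from Samba or from Microsoft: a strict parser for that envelope, run over a constructed sample, which reports the isPublicKey value against the 0/1 definition the question refers to and rejects a blob that lacks the length fields and variable-length fields the envelope requires (which is what happens when the shorter msDS-ManagedPasswordId layout he describes is fed to it). The field order, the "KDSK" magic value, the GUID byte order and all sample values are my assumptions, to be checked against the specification.

```python
import struct
import uuid

# "KDSK" read as a little-endian uint32; assumed magic value from [MS-GKDI] 2.2.4.
GKE_MAGIC = 0x4B53444B

# Fixed-size header of the Group Key Envelope in the order I read it from
# [MS-GKDI] 2.2.4 (assumption; check against the spec): Version, Magic,
# isPublicKey, L0/L1/L2 index, Root key identifier (GUID), then the ten
# length fields cbKDFAlgorithm, cbKDFParameters, cbSecretAgreementAlgorithm,
# cbSecretAgreementParameters, PrivateKeyLength, PublicKeyLength, cbL1Key,
# cbL2Key, cbDomainName, cbForestName.
_HEADER = struct.Struct("<IIIIII16sIIIIIIIIII")  # 80 bytes


def _utf16z(raw: bytes) -> str:
    """Decode a null-terminated UTF-16LE string field."""
    return raw.decode("utf-16-le").rstrip("\0")


def parse_group_key_envelope(blob: bytes) -> dict:
    """Parse a Group Key Envelope; raise ValueError on anything malformed."""
    if len(blob) < _HEADER.size:
        raise ValueError(f"{len(blob)} bytes is shorter than the {_HEADER.size}-byte fixed header")
    (version, magic, is_public_key, l0, l1, l2, root_key_id,
     cb_kdf_alg, cb_kdf_params, cb_sa_alg, cb_sa_params,
     priv_len, pub_len, cb_l1, cb_l2, cb_domain, cb_forest) = _HEADER.unpack_from(blob)
    if version != 1:
        raise ValueError(f"unsupported version {version}")
    if magic != GKE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")

    offset = _HEADER.size

    def take(length: int, name: str) -> bytes:
        # Bounds-checked slice of the variable part; never reads past the blob.
        nonlocal offset
        if offset + length > len(blob):
            raise ValueError(f"{name} ({length} bytes at offset {offset}) runs past end of blob")
        chunk = blob[offset:offset + length]
        offset += length
        return chunk

    # Variable part, consumed in the same order as the length fields that size it
    # (dict display entries are evaluated left to right).
    env = {
        "version": version,
        "is_public_key": is_public_key,
        "l0_index": l0, "l1_index": l1, "l2_index": l2,
        # GUID byte order assumed little-endian (Windows on-wire convention).
        "root_key_id": str(uuid.UUID(bytes_le=root_key_id)),
        "private_key_length": priv_len, "public_key_length": pub_len,
        "kdf_algorithm": _utf16z(take(cb_kdf_alg, "KDF Algorithm")),
        "kdf_parameters": take(cb_kdf_params, "KDF Parameters"),
        "secret_agreement_algorithm": _utf16z(take(cb_sa_alg, "Secret Agreement Algorithm")),
        "secret_agreement_parameters": take(cb_sa_params, "Secret Agreement Parameters"),
        "domain_name": _utf16z(take(cb_domain, "Domain Name")),
        "forest_name": _utf16z(take(cb_forest, "Forest Name")),
        "l1_key": take(cb_l1, "L1 Key"),
        "l2_key": take(cb_l2, "L2 Key"),
    }
    if offset != len(blob):
        raise ValueError(f"{len(blob) - offset} trailing bytes after L2 Key")
    return env


def classify_is_public_key(value: int) -> str:
    """Interpret isPublicKey under the pre-errata text (0 or 1 only).

    Any other value is reported, not rejected: the errata linked in the reply
    redefines the field, so a parser should surface the raw value for review."""
    if value == 0:
        return "seed-key"
    if value == 1:
        return "public-key"
    return f"out-of-range({value})"


def build_sample_envelope(is_public_key: int) -> bytes:
    """Constructed sample envelope; every value here is made up for the example."""
    def ustr(s: str) -> bytes:
        return (s + "\0").encode("utf-16-le")
    kdf_alg = ustr("SP800_108_CTR_HMAC")
    kdf_params = b"\x00" * 8            # placeholder, not real KDF parameters
    sa_alg = ustr("DH")
    sa_params = b"\x01" * 4             # placeholder, not real DH parameters
    domain = ustr("example.test")
    forest = ustr("example.test")
    l1_key = bytes(range(64))           # placeholder key material
    l2_key = bytes(64)
    root_key_id = uuid.UUID("11111111-2222-3333-4444-555555555555")
    header = _HEADER.pack(1, GKE_MAGIC, is_public_key, 361, 5, 12, root_key_id.bytes_le,
                          len(kdf_alg), len(kdf_params), len(sa_alg), len(sa_params),
                          512, 2048, len(l1_key), len(l2_key), len(domain), len(forest))
    return header + kdf_alg + kdf_params + sa_alg + sa_params + domain + forest + l1_key + l2_key


if __name__ == "__main__":
    for flag in (0, 1, 2):
        env = parse_group_key_envelope(build_sample_envelope(flag))
        print(f"isPublicKey={flag}: {classify_is_public_key(env['is_public_key'])}, "
              f"L0/L1/L2={env['l0_index']}/{env['l1_index']}/{env['l2_index']}, "
              f"domain={env['domain_name']}")
```

The parser deliberately fails closed on a short blob rather than guessing: a blob that carries only Version through the root key GUID plus one extra 32-bit field and the two name lengths is 48 bytes, well under the 80-byte fixed header, so it is reported as "shorter than the fixed header" instead of being misread as an envelope. Out-of-range isPublicKey values are surfaced rather than rejected so that samples like the value 2 in the question can be inspected against the errata.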