
List:       cifs-protocol
Subject:    [cifs-protocol] [MS-ADTS] Format of the msDS-ManagedPasswordId attribute
From:       Joseph Sutton via cifs-protocol <cifs-protocol@lists.samba.org>
Date:       2023-11-21 0:05:23
Message-ID: ea03f0a5-b8cc-46e1-8b6c-6f77b643e719@samba.org

Hi dochelp,

[MS-ADTS] 3.1.1.4.5.39, "msDS-ManagedPassword", makes reference to the
attribute 'msDS-ManagedPasswordId', which (it states) contains a key ID
that is involved in the computation of the managed password. I'm trying
to work out the format of this attribute.

A couple of times that document mentions that the key ID identifies a
Group Key Envelope data structure, defined in section 2.2.4 of
[MS-GKDI]. Now I have obtained some samples of 'msDS-ManagedPasswordId'
attributes from Group Managed Service Accounts created by Windows. While
these samples appear to be superficially similar to Group Key Envelope
format, they have a few notable differences: the fields from
'cbKDFAlgorithm' to 'cbL2Key' are missing, replaced by a single 32-bit
field containing I don't know what; and the fields from 'KDF Algorithm'
to 'Secret Agreement Parameters', and both 'L1 Key' and 'L2 Key', are
similarly missing.

Also mysterious is the field 'isPublicKey', which according to [MS-GKDI]
must contain either 0 or 1, but in my samples has the value 2!

Can you provide me with some details on the format of the
'msDS-ManagedPasswordId' attribute, and on how it resembles or differs
from the Group Key Envelope structure?

Regards,
Joseph

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
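Added example (editor's code, not part of the message above and not Samba's or Microsoft's implementation): a Python parser for the Group Key Envelope with the field order of [MS-GKDI] 2.2.4, beside a parser for the msDS-ManagedPasswordId layout exactly as the message describes it: the eight 32-bit counts from cbKDFAlgorithm to cbL2Key replaced by one 32-bit field, and the KDF Algorithm, KDF Parameters, Secret Agreement Algorithm, Secret Agreement Parameters, L1 Key and L2 Key blobs absent. That variant layout is an inference from the description, not a documented format; the name unknown_field for the unexplained 32-bit value is a placeholder; and the two sample blobs (GUID, L0/L1/L2 indices, parameter and key bytes, domain name) are constructed, not captured from a Windows domain controller.

```python
"""Parsers for the [MS-GKDI] 2.2.4 Group Key Envelope and for the
msDS-ManagedPasswordId layout as described in the message above."""
import struct
import uuid

KDSK_MAGIC = 0x4B53444B  # Magic ("KDSK") from [MS-GKDI] 2.2.4
# Prefix shared by both layouts: Version, Magic, Flags (bit 0 = isPublicKey), L0/L1/L2 index, Root key id
_PREFIX = struct.Struct("<IIIIII16s")
_GKE_COUNTS = struct.Struct("<10I")  # cbKDFAlgorithm .. cbForestName
_MPID_COUNTS = struct.Struct("<III")  # unexplained 32-bit field, cbDomainName, cbForestName

def _utf16z(text: str) -> bytes:  # null-terminated UTF-16LE, as the envelope's strings are encoded
    return text.encode("utf-16-le") + b"\x00\x00"

def _from_utf16z(raw: bytes) -> str:
    return raw.decode("utf-16-le").rstrip("\x00")

class _Reader:
    """Bounds-checked cursor: any overrun is a ValueError, never a silent short read."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0
    def take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError("field runs past end of blob")
        chunk, self.off = self.data[self.off:self.off + n], self.off + n
        return chunk
    def unpack(self, st: struct.Struct):
        return st.unpack(self.take(st.size))
    def finish(self) -> None:
        if self.off != len(self.data):
            raise ValueError("trailing bytes after last field")

def _prefix(r: _Reader) -> dict:
    version, magic, flags, l0, l1, l2, rk = r.unpack(_PREFIX)
    if version != 1 or magic != KDSK_MAGIC:
        raise ValueError(f"not a version-1 KDSK blob (Version={version}, Magic=0x{magic:08x})")
    return {"version": version, "flags": flags, "l0_index": l0, "l1_index": l1,
            "l2_index": l2, "root_key_id": uuid.UUID(bytes_le=rk)}

def parse_group_key_envelope(data: bytes) -> dict:
    """Parse a Group Key Envelope with the field order of [MS-GKDI] 2.2.4."""
    r = _Reader(data)
    env = _prefix(r)
    if env["flags"] & ~1:
        raise ValueError("Flags has reserved bits set; only isPublicKey (bit 0) is defined")
    (cb_kdf_alg, cb_kdf_params, cb_sa_alg, cb_sa_params, priv_len, pub_len,
     cb_l1, cb_l2, cb_domain, cb_forest) = r.unpack(_GKE_COUNTS)
    env.update(
        is_public_key=env["flags"] & 1,
        kdf_algorithm=_from_utf16z(r.take(cb_kdf_alg)),
        kdf_parameters=r.take(cb_kdf_params),
        secret_agreement_algorithm=_from_utf16z(r.take(cb_sa_alg)),
        secret_agreement_parameters=r.take(cb_sa_params),
        private_key_length=priv_len, public_key_length=pub_len,  # bit lengths, not blob sizes
        domain_name=_from_utf16z(r.take(cb_domain)),
        forest_name=_from_utf16z(r.take(cb_forest)),
        l1_key=r.take(cb_l1),
        l2_key=r.take(cb_l2),
    )
    r.finish()
    return env

def parse_managed_password_id(data: bytes) -> dict:
    """Layout as described in the message: cbKDFAlgorithm..cbL2Key collapse to one 32-bit
    field; no KDF, secret-agreement, L1 or L2 blobs. Flags is reported raw (observed: 2)."""
    r = _Reader(data)
    env = _prefix(r)
    unknown, cb_domain, cb_forest = r.unpack(_MPID_COUNTS)
    env.update(unknown_field=unknown,  # placeholder name for the unexplained field
               domain_name=_from_utf16z(r.take(cb_domain)),
               forest_name=_from_utf16z(r.take(cb_forest)))
    r.finish()
    return env

def classify(data: bytes) -> str:
    for name, parser in (("group_key_envelope", parse_group_key_envelope),
                         ("managed_password_id", parse_managed_password_id)):
        try:
            parser(data)
            return name
        except ValueError:
            continue
    return "unknown"

# Constructed samples (not captured from Windows): made-up GUID, indices, key and parameter bytes.
_ROOT_KEY_ID = uuid.UUID("11111111-2222-3333-4444-555555555555")
_KDF_ALG, _KDF_PARAMS = _utf16z("SP800_108_CTR_HMAC"), b"\x01\x02\x03\x04"
_SA_ALG, _SA_PARAMS = _utf16z("DH"), b"\x05\x06\x07\x08"
_DOMAIN, _FOREST = _utf16z("example.test"), _utf16z("example.test")
_L2_KEY = bytes(range(64))  # stand-in public key: isPublicKey = 1, so cbL1Key = 0
SAMPLE_GROUP_KEY_ENVELOPE = (
    _PREFIX.pack(1, KDSK_MAGIC, 1, 361, 5, 31, _ROOT_KEY_ID.bytes_le)
    + _GKE_COUNTS.pack(len(_KDF_ALG), len(_KDF_PARAMS), len(_SA_ALG), len(_SA_PARAMS),
                       512, 2048, 0, len(_L2_KEY), len(_DOMAIN), len(_FOREST))
    + _KDF_ALG + _KDF_PARAMS + _SA_ALG + _SA_PARAMS + _DOMAIN + _FOREST + _L2_KEY)
SAMPLE_MANAGED_PASSWORD_ID = (  # Flags = 2, as in the samples the message describes
    _PREFIX.pack(1, KDSK_MAGIC, 2, 361, 5, 31, _ROOT_KEY_ID.bytes_le)
    + _MPID_COUNTS.pack(0, len(_DOMAIN), len(_FOREST)) + _DOMAIN + _FOREST)
```

classify() is only a heuristic: it reports the first layout under which a blob parses without overrun, trailing bytes or reserved Flags bits. The point it makes concrete is the one the message raises: a blob with Flags = 2 is refused by the strict envelope parser and only parses under the shorter layout, with the unexplained 32-bit value carried through untouched rather than guessed at. To try it on a real value, base64-decode the msDS-ManagedPasswordId attribute from an LDAP search result and pass the bytes to classify().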
