Andrew

Microsoft does use different methods of calculating the salt value used in 
encryption depending on the type of account that is submitted to the salt 
calculation implementation.  For example, in the case of interdomain trust 
accounts, "krbtgt" is appended.  In the case of machine accounts, "host" is 
appended to the start of the salt value.

Implementers are free to implement a salt algorithm of their choice, without 
affecting interoperability.  In the case of the implementation acting as a KDC, 
the KDC that changes a password also stores that salt value in Active Directory 
in the supplementalCredentials field.  In the case of a client using a salt 
value the KDC does not know how to interpret, the KDC will tell the client 
which salt value to use.

We also have a related issue we are working on together, where we have documented 
what the salt value structure stored in AD looks like as part of the work we are 
currently doing on the supplementalCredentials structure.  This value is stored 
as a UNICODE_STRING as per the documentation on KERB_STORED_CREDENTIAL (section 
2.2.10.4 Primary:Kerberos - KERB_STORED_CREDENTIAL) and 
KERB_STORED_CREDENTIAL_NEW (Section 2.2.10.6 Primary:Kerberos-Newer-Keys - 
KERB_STORED_CREDENTIAL_NEW).

Please let us know if you have further questions.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: [EMAIL PROTECTED]
We're hiring 
http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
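The following is an added worked example, not code from the thread, Samba or Microsoft. It builds the string-to-key salt for the three principal types the reply above mentions and runs the first (PBKDF2) stage of the RFC 3962 AES string-to-key function over each, so that the effect of the different salts on the resulting key is visible. The exact salt rules (uppercase realm + sAMAccountName for users; uppercase realm + "host" + lowercase hostname + "." + lowercase realm for computers; uppercase realm + "krbtgt" + uppercase trusted realm for trusts) are my assumptions from reading MS-KILE, not statements made in the e-mail; the realm and account names are constructed sample data.

```python
"""Kerberos string-to-key salts for different AD principal types.

Added example; not from the e-mail thread. The salt rules below are assumptions
based on my reading of MS-KILE 3.1.1.2. The thread itself only says that "host"
(machine accounts) and "krbtgt" (interdomain trust accounts) take part.
"""
import hashlib


def hostname_from_samaccountname(sam):
    # Machine accounts are stored as "NAME$"; the salt uses the bare name.
    return sam[:-1] if sam.endswith("$") else sam


def salt_for(kind, realm, sam, trusted_realm=None):
    """Return the assumed string-to-key salt for a principal of the given kind.

    kind:          "user", "computer" or "trust"
    realm:         the account's own realm (DNS domain name, any case)
    sam:           sAMAccountName of the account
    trusted_realm: for kind == "trust", the realm on the other side of the trust
    """
    upper_realm = realm.upper()
    if kind == "user":
        return upper_realm + sam
    if kind == "computer":
        host = hostname_from_samaccountname(sam).lower()
        return upper_realm + "host" + host + "." + realm.lower()
    if kind == "trust":
        if trusted_realm is None:
            raise ValueError("trust salt needs the trusted realm")
        return upper_realm + "krbtgt" + trusted_realm.upper()
    raise ValueError("unknown principal kind: %r" % (kind,))


def pbkdf2_stage(password, salt, iterations=4096, key_bytes=16):
    """First stage of the RFC 3962 AES string-to-key function.

    RFC 3962 computes tmp = PBKDF2-HMAC-SHA1(password, salt, iterations) and then
    key = DK(tmp, "kerberos"). The DK step needs an AES implementation and is
    left out here; the salt's influence is already visible in the PBKDF2 output.
    Password and salt are UTF-8 encoded, as RFC 3962 requires.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def matches_rfc3962_vector():
    """Check pbkdf2_stage against the first RFC 3962 appendix B test vector."""
    out = pbkdf2_stage("password", "ATHENA.MIT.EDUraeburn", iterations=1)
    return out.hex() == "cdedb5281bb2f801565a1122b2563515"


def keys_for_same_password(password, realm, user_sam, host_sam, trusted_realm):
    """Map principal kind -> (salt, hex PBKDF2 output) for one shared password.

    Demonstrates that the same password produces a different key for each
    principal type purely because the salt differs.
    """
    salts = {
        "user": salt_for("user", realm, user_sam),
        "computer": salt_for("computer", realm, host_sam),
        # Trust account sAMAccountName is not needed for the assumed trust salt.
        "trust": salt_for("trust", realm, None, trusted_realm=trusted_realm),
    }
    return {k: (s, pbkdf2_stage(password, s).hex()) for k, s in salts.items()}


if __name__ == "__main__":
    # Constructed sample data: one realm, one user, one workstation, one trust.
    results = keys_for_same_password("Passw0rd!", "example.com", "alice",
                                     "WS01$", "corp.example.com")
    for kind, (salt, key) in results.items():
        print("%-8s salt=%-40s pbkdf2=%s" % (kind, salt, key))
    print("RFC 3962 vector ok:", matches_rfc3962_vector())
```

The practical point for an implementer is the one the reply makes: the two sides only need to agree, and they agree because the KDC sends the salt it used (in PA-ETYPE-INFO2 during pre-authentication) rather than relying on the client guessing the convention. If you are computing keys offline, for example when populating a keytab for a machine or trust account, you must reproduce the KDC's choice exactly, which is why getting the "host" and "krbtgt" forms right matters.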

-----Original Message-----
From: Richard Guthrie
Sent: Tuesday, August 05, 2008 11:27 AM
To: 'Andrew Bartlett'
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: 600634 - RE: salt used for various principal types

Andrew,

I will be working with you to resolve this issue.  I will conduct my research 
and get back with you shortly.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, 
TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: [EMAIL PROTECTED]


-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2008 9:19 PM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: salt used for various principal types

I can't find any reference in either MS-ADTS or MS-KILE regarding the salt used 
for the different types of principals in the Kerberos protocol.  (A salt is 
used as a confounder in string2key operations in Kerberos.)

I know there are different salt calculations for users and computers, and 
presumably again for interdomain trust accounts. See:
http://lists.samba.org/archive/samba-technical/2004-November/037976.html

In particular, as I am working on interdomain trusts, and so in addition to the 
information at that URL, I need to know if there is a different salt used on 
the domain$ principal as compared to the krbtgt/[EMAIL PROTECTED] principal?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol