Hello Hongwei,

Thanks for the pointers.
I have to read it and try to implement it, which will of course take some time.

I think that your mail answered my question, although I might have new ones following the reading and the implementation of the thing.

Matthieu.


On 14/01/2010 03:00, Hongwei Sun wrote:
Matthieu,

   This process is described in one of the open protocol documents ([MS-BKRP]: BackupKey Remote Protocol Specification, http://msdn.microsoft.com/en-us/library/cc224123(PROT.13).aspx). The following KB article might be useful for understanding DPAPI too (http://support.microsoft.com/kb/309408).

   Please let me know if you need any more information.

Thanks!

Hongwei


-----Original Message-----
From: Matthieu Patou [mailto:mat+informatique.sa...@matws.net]
Sent: Monday, January 11, 2010 6:54 AM
To: Interoperability Documentation Help; cifs-proto...@samba.org; 
p...@tridgell.net
Subject: DPAPI interaction with Active Directory

Hello,

On this page http://msdn.microsoft.com/en-us/library/ms995355.aspx it is
stated:

"When a computer is a member of a domain, DPAPI has a backup mechanism
to allow unprotection of the data. When a MasterKey is generated, DPAPI
talks to a Domain Controller. Domain Controllers have a domain-wide
public/private key pair, associated solely with DPAPI. The local DPAPI
client gets the Domain Controller public key from a Domain Controller
via a mutually authenticated and privacy protected RPC call. The client
encrypts the MasterKey with the Domain Controller public key. It then
stores this backup MasterKey along with the MasterKey protected by the
user's password.

While unprotecting data, if DPAPI cannot use the MasterKey protected by
the user's password, it sends the backup MasterKey to a Domain
Controller via a mutually authenticated and privacy protected RPC call.
The Domain Controller then decrypts the MasterKey with its private key
and sends it back to the client via the same protected RPC call. This
protected RPC call is used to ensure that no one listening on the
network can get the MasterKey."

My question is: is there any kind of more technical documentation about
this, explaining the dialogs between a workstation and a DC when the
MasterKey is generated and when the backup is sent to the server?

Regards.

Matthieu Patou.


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
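The backup mechanism quoted from the MSDN page in the original mail (a MasterKey stored once under the user's password and once under the Domain Controller's public key, with the DC decrypting the backup copy only when the password path fails) modelled in Go. This is an added example written for this thread; it is not code from the thread, from Samba, or from Microsoft, and it does not implement the MS-BKRP wire format. RSA-OAEP as the public-key wrapping, AES-GCM with a salted SHA-256 in place of DPAPI's real password-based KDF, and the names `DomainController`, `ProtectedMasterKey`, `GenerateMasterKey` and `UnprotectMasterKey` are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DomainController models the DC side: it holds the domain-wide DPAPI key pair
// and only ever hands out the public half (hypothetical model, not MS-BKRP).
type DomainController struct{ priv *rsa.PrivateKey }

func NewDomainController() (*DomainController, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &DomainController{priv: priv}, nil
}

// PublicKey is what the client fetches over the authenticated RPC call.
func (dc *DomainController) PublicKey() *rsa.PublicKey { return &dc.priv.PublicKey }

// RecoverMasterKey models the DC decrypting a backup MasterKey with its private
// key, which never leaves this type: the client can ask, but never decrypt itself.
func (dc *DomainController) RecoverMasterKey(backup []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, dc.priv, backup, nil)
}

// ProtectedMasterKey is what the client keeps on disk: the MasterKey under the
// password-derived key (AES-GCM) and the copy escrowed to the DC (RSA-OAEP).
type ProtectedMasterKey struct{ Salt, Nonce, ByPassword, Backup []byte }

// deriveKey stands in for DPAPI's password-based KDF; a salted SHA-256 keeps the
// example self-contained and yields a 32-byte AES-256 key.
func deriveKey(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateMasterKey creates a fresh MasterKey and stores it both ways.
func GenerateMasterKey(password string, dcPub *rsa.PublicKey) ([]byte, *ProtectedMasterKey, error) {
	buf := make([]byte, 32+16+12) // MasterKey, salt, GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	master, salt, nonce := buf[:32], buf[32:48], buf[48:]
	g, err := newAEAD(deriveKey(password, salt))
	if err != nil {
		return nil, nil, err
	}
	backup, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dcPub, master, nil)
	if err != nil {
		return nil, nil, err
	}
	pmk := &ProtectedMasterKey{Salt: salt, Nonce: nonce, Backup: backup,
		ByPassword: g.Seal(nil, nonce, master, nil)}
	return master, pmk, nil
}

// UnprotectMasterKey tries the password path first and, if that fails (wrong or
// reset password), sends the backup copy to the DC. The string names the path used.
func UnprotectMasterKey(pmk *ProtectedMasterKey, password string, dc *DomainController) ([]byte, string, error) {
	if g, err := newAEAD(deriveKey(password, pmk.Salt)); err == nil {
		if master, err := g.Open(nil, pmk.Nonce, pmk.ByPassword, nil); err == nil {
			return master, "password", nil
		}
	}
	if dc == nil {
		return nil, "", errors.New("password path failed and no domain controller reachable")
	}
	master, err := dc.RecoverMasterKey(pmk.Backup)
	if err != nil {
		return nil, "", err
	}
	return master, "dc-backup", nil
}

func main() {
	dc, _ := NewDomainController()
	master, pmk, _ := GenerateMasterKey("correct horse", dc.PublicKey())
	for _, pw := range []string{"correct horse", "password after reset"} {
		got, path, err := UnprotectMasterKey(pmk, pw, dc)
		fmt.Printf("%q: path=%s err=%v recovered=%v\n", pw, path, err, bytes.Equal(got, master))
	}
}
```

The point the model makes explicit is the trust boundary: the workstation only ever holds the DC's public key, so the backup copy it writes next to the password-protected copy is useless without the DC, and a password reset (the second run in `main`) is survivable only because the DC is reachable over the authenticated channel. In the real protocol the RPC transport is what keeps the recovered MasterKey off the wire; the model shows the key material flow, not that transport.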
