        /// <summary>
        /// Sets a new cleartext password on an account: derives the NT hash, builds a fresh
        /// supplementalCredentials structure from the password and the account/domain names,
        /// and hands both to <c>SetAccountPasswordHash</c> for encryption and storage.
        /// </summary>
        /// <param name="targetObject">The database object of the account being changed.</param>
        /// <param name="targetObjectIdentifier">Identifier of the target (used for error reporting downstream).</param>
        /// <param name="newPassword">The new password; must not be null.</param>
        /// <param name="bootKey">The boot key required to unlock the password encryption key.</param>
        /// <param name="skipMetaUpdate">Whether to leave pwdLastSet and the replication metadata untouched.</param>
        /// <returns>Whatever <c>SetAccountPasswordHash</c> reports for the write.</returns>
        protected bool SetAccountPassword(DatastoreObject targetObject, object targetObjectIdentifier, SecureString newPassword, byte[] bootKey, bool skipMetaUpdate)
        {
            Validator.AssertNotNull(newPassword, "newPassword");

            // One-way value that ends up in unicodePwd.
            byte[] hash = NTHash.ComputeHash(newPassword);

            // TODO: change the parameter type from DatastoreObject to DSAccount.
            // The account is loaded here only to obtain its SAM account name and UPN,
            // which salt the Kerberos keys inside the supplemental credentials.
            var account = this.GetAccount(targetObject, targetObjectIdentifier, bootKey);

            var supplemental = new SupplementalCredentials(
                newPassword,
                account.SamAccountName,
                account.UserPrincipalName,
                this.context.DomainController.NetBIOSDomainName,
                this.context.DomainController.Domain);

            return this.SetAccountPasswordHash(targetObject, targetObjectIdentifier, hash, supplemental, bootKey, skipMetaUpdate);
        }
        /// <summary>
        /// Sets a new cleartext password on an account. The NT hash is computed from the password,
        /// and a supplementalCredentials structure is generated using the account's sAMAccountName and
        /// userPrincipalName read straight from the database object; both are then written by
        /// <c>SetAccountPasswordHash</c>.
        /// </summary>
        /// <param name="targetObject">The database object of the account being changed.</param>
        /// <param name="targetObjectIdentifier">Identifier of the target (used for error reporting downstream).</param>
        /// <param name="newPassword">The new password; must not be null.</param>
        /// <param name="bootKey">The boot key required to unlock the password encryption key.</param>
        /// <param name="skipMetaUpdate">Whether to leave pwdLastSet and the replication metadata untouched.</param>
        /// <returns>Whatever <c>SetAccountPasswordHash</c> reports for the write.</returns>
        protected bool SetAccountPassword(DatastoreObject targetObject, object targetObjectIdentifier, SecureString newPassword, byte[] bootKey, bool skipMetaUpdate)
        {
            Validator.AssertNotNull(newPassword, "newPassword");

            // One-way value that ends up in unicodePwd.
            byte[] hash = NTHash.ComputeHash(newPassword);

            // The principal names salt the Kerberos keys stored in supplementalCredentials,
            // so they are read from the object before the structure can be generated.
            string accountName;
            targetObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out accountName);

            string upn;
            targetObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out upn);

            var supplemental = new SupplementalCredentials(
                newPassword,
                accountName,
                upn,
                this.context.DomainController.NetBIOSDomainName,
                this.context.DomainController.DomainName);

            return this.SetAccountPasswordHash(targetObject, targetObjectIdentifier, hash, supplemental, bootKey, skipMetaUpdate);
        }
        /// <summary>
        /// Decrypts a supplementalCredentials blob captured from a replication (DRS) response with a
        /// known session key and checks the parsed contents. The session key, ciphertext and expected
        /// password are test fixtures only, not live secrets.
        /// </summary>
        public void PasswordEncryptionKey_ReplicationSupplementalCredDecrypt()
        {
            // Session key negotiated for the replication session; the decryptor derives the secret key from it.
            byte[] sessionKey = "62a65b7b549b2bf5f5426feec9cf9536".HexToBinary();
            var    pek        = new ReplicationSecretDecryptor(sessionKey);
            var    sb         = new StringBuilder();

            // The encrypted blob is assembled from several hex segments.
            // NOTE(review): the two middle segments appear truncated in this listing; the expected values
            // below should be verified against the original test source before being relied on.
            sb.Append("ba85a50b74cd4bf5dc44b0f475d0529b8a2f3952ad159b4cadfcd7708b0dd4d192afcac2d09f99608c65609efc7007c190f029d31583b821e7f36c94203d1");
            sb.Append("ce5a9e975a16efed71e17886028ea898e9299a18a010394b080742ff520f7f160ed71898b1b4a2f21b9579645c66fe0c14a689");
            sb.Append("c05651fe81c01c3fcd86a7669ff2552fc94598ae53d2011c372054f1b30b4a48fbdf466fb51c7e0a96db5d025144470d2a79fb20dd86dbaad6745929d4a1335e0920b4b4fa200cad");
            sb.Append("866390adf148e7e0c13d586b35478650dce0c6297842f4c81c8cad3446600c4d8be60a657a17b6191f5894e04f695faee579acdc0e7adc40bf1c7efadaffd3eaf1ccaf98b862d3a25e1cd0670cec56a3e46b88b606e949cf2f96e442cb9268f038a4795");
            sb.Append("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");
            sb.Append("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");
            sb.Append("4c5376e8e03acf07ba84b73a1c454201a6436e79cf039617c4ccbc4fe46286c6a9ce21991a378bb27952e10f6be13fc4478ce6f9110b88");
            sb.Append("3cfe615b72c70466a2d79d8d3b66dbd421");
            byte[] blob          = sb.ToString().HexToBinary();
            var    decryptedBlob = pek.DecryptSecret(blob);
            var    cred          = new SupplementalCredentials(decryptedBlob);

            // Check properties: the fixture account has a reversibly-encrypted cleartext password,
            // WDigest hashes, one legacy Kerberos key and three AES/newer Kerberos keys.
            Assert.AreEqual(@"Pa$$w0rd3", cred.ClearText);
            Assert.AreEqual(29, cred.WDigest.Length);
            Assert.AreEqual(1, cred.Kerberos.Credentials.Length);
            Assert.AreEqual(3, cred.KerberosNew.Credentials.Length);
            Assert.AreEqual(4096, cred.KerberosNew.DefaultIterationCount);
        }
        /// <summary>
        /// Serializing a default-constructed <c>SupplementalCredentials</c> must produce the
        /// canonical 111-byte empty structure (header, 96 bytes of padding, zero properties).
        /// </summary>
        public void SupplementalCredentials_Create_Empty()
        {
            string expectedHex = "000000006200000000000000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000500000";

            string actualHex = new SupplementalCredentials().ToByteArray().ToHex();

            Assert.AreEqual(expectedHex, actualHex);
        }
 /// <summary>
 /// Placeholder for parsing an AD LDS (ADAM) supplementalCredentials blob. The test is
 /// deliberately marked inconclusive until the ADAM layout is supported; the parse call
 /// after the throw is never reached.
 /// </summary>
 public void SupplementalCredentials_Parse_ADAM()
 {
     // AD LDS / ADAM has a slightly different structure of supplemental credentials
     // NOTE(review): the fixture blob appears to be missing from this listing.
     byte[] input = "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".HexToBinary();
     throw new AssertInconclusiveException("ADAM SupplementalCredentials parser is not yet implemented.");
     // Unreachable until the exception above is removed.
     var result = new SupplementalCredentials(input);
 }
        /// <summary>
        /// Round-trips a supplementalCredentials blob produced by Windows Server 2016. Only the
        /// parse and re-serialization must succeed; byte equality is intentionally not asserted.
        /// </summary>
        public void SupplementalCredentials_Parse_W2k16_Vector5()
        {
            // NOTE(review): the fixture literal below appears truncated/garbled in this listing (the closing
            // quote and the start of the HexToBinary() call are missing); restore it from the original test source.
            byte[] blob        = "00000000b00a000000000000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000500004003600e00301005000720069006d006100720079003a004b00650072006200650072006f0073002d004e0065007700650072002d004bd006100720079003a004b00650072006200650072006f0073003033303030303030303130303031303034303030343030303463303030303030303030303030303030303030303030303033303030303030303830303030303038633030303030303030303030303030303030303030303030333030303030303038303030303030393430303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030343130303434303034313030353430303535303034643030326530303433303034663030346430303638303036663030373330303734303036633030366630303665303032643030363430303633303033313030326530303631303036343030363130303734303037353030366430303265303036333030366630303664303037303931636538353435363133643331613463643537656130623364343034611000d80002005000610063006b0061006700650073003465303035343030346330303464303032643030353330303734303037323030366630303665303036373030326430303465303035343030346630303537303034363030303030303462303036353030373230303632303036353030373230303666303037333030326430303465303036353030373730303635303037323030326430303462303036353030373930303733303030303030346230303635303037323030363230303635303037323030366630303733303030303030353730303434303036393030363730303635303037333030373430301e00c00301005000720069006d006100720079003aexToBinary();
            var    credentials = new SupplementalCredentials(blob);

            // Re-serialize to make sure the parsed structure can be written back.
            byte[] blob2 = credentials.ToByteArray();
            // Note that we do not test the serialized value for equality, because unlike Windows Server 2016, our implementation does not put the NTLM-Strong-NTOWF property name to the Properties list if this package is not actually present.
        }
        /// <summary>
        /// Round-trips a supplementalCredentials blob produced by Windows Server 2003. Only the
        /// parse and re-serialization must succeed; byte equality is intentionally not asserted.
        /// </summary>
        public void SupplementalCredentials_Parse_W2k3_Vector2()
        {
            // NOTE(review): the fixture literal below appears truncated/garbled in this listing (the closing
            // quote and the start of the HexToBinary() call are missing); restore it from the original test source.
            byte[] blob        = "00000000a806000000000000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000500003002000e40101005000720069006d006100720079003a004b00650072006200650072006fb006100670065007300346230303635303037323030363230303635303037323030366630303733303030303030353730303434303036393030363730303635303037333030373430301e00c00301005000720069006d006100720079003aexToBinary();
            var    credentials = new SupplementalCredentials(blob);

            // Re-serialize to make sure the parsed structure can be written back.
            byte[] blob2 = credentials.ToByteArray();
            // Note that we do not test the serialized value for equality, because Windows Server 2003 uses different credential paddings.
        }
        /// <summary>
        /// Round-trips a Windows Server 2016 supplementalCredentials blob and requires the
        /// re-serialized bytes to be identical to the input.
        /// </summary>
        public void SupplementalCredentials_Parse_W2k16_Vector5()
        {
            // NOTE(review): the fixture literal is missing from this listing; restore it from the original test source.
            byte[] blob        = "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();
            var    credentials = new SupplementalCredentials(blob);

            // Serialization must be lossless for this vector.
            byte[] blob2 = credentials.ToByteArray();
            Assert.AreEqual(blob.ToHex(), blob2.ToHex());
        }
        /// <summary>
        /// Generates supplemental credentials from a password and principal names, serializes them,
        /// parses the result back and checks that every credential package survives the round trip.
        /// The password and names are test fixtures.
        /// </summary>
        public void SupplementalCredentials_Generate1()
        {
            var generated = new SupplementalCredentials(@"Pa$$w0rd".ToSecureString(), "Administrator", "*****@*****.**", "ADATUM", "Adatum.com");

            // Serialize and parse again.
            byte[] serialized = generated.ToByteArray();
            var    reparsed   = new SupplementalCredentials(serialized);

            // Test integrity: cleartext, NTLM strong hash, WDigest and both Kerberos packages must match.
            Assert.AreEqual(reparsed.ClearText, generated.ClearText);
            Assert.AreEqual(reparsed.NTLMStrongHash.Length, generated.NTLMStrongHash.Length);
            Assert.AreEqual(reparsed.WDigest.Length, generated.WDigest.Length);
            Assert.AreEqual(reparsed.Kerberos.ToByteArray().ToHex(), generated.Kerberos.ToByteArray().ToHex());
            Assert.AreEqual(reparsed.KerberosNew.ToByteArray().ToHex(), generated.KerberosNew.ToByteArray().ToHex());
        }
        /// <summary>
        /// Generates supplemental credentials for an account without a UPN and compares the
        /// individual packages against a blob captured from a real domain controller.
        /// </summary>
        public void SupplementalCredentials_Generate2()
        {
            var credentials = new SupplementalCredentials(@"Pa$$w0rd".ToSecureString(), "user02", null, "ADATUM", "Adatum.com");

            byte[] blob = credentials.ToByteArray();

            // NOTE(review): the expected fixture literal is missing from this listing; restore it from the original test source.
            byte[] expectedBlob        = "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();
            var    expectedCredentials = new SupplementalCredentials(expectedBlob);

            // Test integrity: packages are compared individually rather than as a whole blob.
            Assert.AreEqual(expectedCredentials.ClearText, credentials.ClearText);
            Assert.AreEqual(expectedCredentials.NTLMStrongHash.Length, credentials.NTLMStrongHash.Length);
            Assert.AreEqual(WDigestHash.Encode(expectedCredentials.WDigest).ToHex(), WDigestHash.Encode(credentials.WDigest).ToHex());
            Assert.AreEqual(expectedCredentials.Kerberos.ToByteArray().ToHex(), credentials.Kerberos.ToByteArray().ToHex());
            Assert.AreEqual(expectedCredentials.KerberosNew.ToByteArray().ToHex(), credentials.KerberosNew.ToByteArray().ToHex());
        }
        /// <summary>
        /// Decrypts a supplementalCredentials attribute read from a Windows Server 2016 ntds.dit using
        /// an already-decrypted password encryption key (PEK list) and checks the parsed packages.
        /// The PEK, ciphertext and expected hash are test fixtures only.
        /// </summary>
        public void PasswordEncryptionKey_DataStoreSupplementalCredentials_W2016_Decrypt()
        {
            // Decrypted PEK list in the 2016 format.
            byte[] binaryPek = "56d98148ec91d111905a00c04fc2d4cfd02cd74ef843d1010000000001000000000000006a35d3fc0e9949135463ab766cac7dbb0c0c0c0c0c0c0c0c0c0c0c0ca93445b678ce5fbe02de23c3c71ff800".HexToBinary();
            var    pek       = new DataStoreSecretDecryptor(binaryPek, PekListVersion.W2016);

            // NOTE(review): the encrypted fixture literal is missing from this listing; restore it from the original test source.
            byte[] blob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exToBinary();
            var    decryptedBlob = pek.DecryptSecret(blob);
            var    cred          = new SupplementalCredentials(decryptedBlob);

            // Check properties: NTLM strong hash, WDigest, one legacy Kerberos key, three newer Kerberos keys.
            Assert.AreEqual("90545eb4cae416368f019e59e77e8551", cred.NTLMStrongHash.ToHex());
            Assert.AreEqual(29, cred.WDigest.Length);
            Assert.AreEqual(1, cred.Kerberos.Credentials.Length);
            Assert.AreEqual(3, cred.KerberosNew.Credentials.Length);
            Assert.AreEqual(4096, cred.KerberosNew.DefaultIterationCount);
        }
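        /// <summary>
        /// Replaces an account's password attributes in the offline database: unicodePwd (the NT hash),
        /// the LM hash (cleared), both hash histories, supplementalCredentials and, unless suppressed,
        /// pwdLastSet. All secret attributes are encrypted with the password encryption key, which is
        /// itself unlocked with the boot key.
        /// </summary>
        /// <param name="targetObject">The database object to modify; must be an account (<c>IsAccount</c>).</param>
        /// <param name="targetObjectIdentifier">Identifier of the target, used in the error raised for non-accounts.</param>
        /// <param name="newNtHash">The new NT hash; must be exactly <c>NTHash.HashSize</c> bytes.</param>
        /// <param name="newSupplementalCredentials">Kerberos/WDigest/etc. material to store; <c>null</c> stores an empty structure.</param>
        /// <param name="bootKey">The boot key (SYSKEY) used to load the password encryption key; must not be null.</param>
        /// <param name="skipMetaUpdate">If <c>true</c>, pwdLastSet is not touched and the flag is passed on to <c>CommitAttributeUpdate</c>.</param>
        /// <returns>Always <c>true</c>: supplementalCredentials carries salted values, so the stored attributes are presumed changed.</returns>
        /// <exception cref="DirectoryObjectOperationException">Thrown when <paramref name="targetObject"/> is not an account.</exception>
        protected bool SetAccountPasswordHash(DatastoreObject targetObject, object targetObjectIdentifier, byte[] newNtHash, SupplementalCredentials newSupplementalCredentials, byte[] bootKey, bool skipMetaUpdate)
        {
            // Validate input
            Validator.AssertLength(newNtHash, NTHash.HashSize, "newNtHash");
            Validator.AssertNotNull(bootKey, "bootKey");

            if (!targetObject.IsAccount)
            {
                throw new DirectoryObjectOperationException(Resources.ObjectNotSecurityPrincipalMessage, targetObjectIdentifier);
            }

            if (newSupplementalCredentials == null)
            {
                // Create an empty supplemental credentials structure, because the
                // supplementalCredentials attribute is always rewritten below.
                newSupplementalCredentials = new SupplementalCredentials();
            }

            // Load the password encryption key (unlocked with the boot key)
            var pek = this.GetSecretDecryptor(bootKey);

            // Calculate LM hash
            // Note that AD uses a random value in LM hash history since 2003.
            // System.Random is not a cryptographic generator (its sequence is predictable from its seed);
            // since this filler is persisted in lmPwdHistory, draw it from the platform CSPRNG instead.
            byte[] lmHash = new byte[LMHash.HashSize];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(lmHash);
            }

            // Write the data
            using (var transaction = this.context.BeginTransaction())
            {
                // Load account RID as it is used in the key derivation process
                SecurityIdentifier sid;
                targetObject.ReadAttribute(CommonDirectoryAttributes.ObjectSid, out sid);
                int rid = sid.GetRid();

                // Start a database transaction
                this.dataTableCursor.BeginEditForUpdate();

                // Encrypt and set NT hash
                byte[] encryptedNtHash = pek.EncryptHash(newNtHash, rid);
                targetObject.SetAttribute(CommonDirectoryAttributes.NTHash, encryptedNtHash);

                // Clear the LM hash (Default behavior since 2003)
                byte[] clear = null;
                targetObject.SetAttribute(CommonDirectoryAttributes.LMHash, clear);

                // Encrypt and set NT hash history (a single entry: the new hash)
                byte[] encryptedNtHashHistory = pek.EncryptHashHistory(new byte[][] { newNtHash }, rid);
                targetObject.SetAttribute(CommonDirectoryAttributes.NTHashHistory, encryptedNtHashHistory);

                // Encrypt and set LM hash history (a single random entry, see above).
                byte[] encryptedLmHashHistory = pek.EncryptHashHistory(new byte[][] { lmHash }, rid);
                targetObject.SetAttribute(CommonDirectoryAttributes.LMHashHistory, encryptedLmHashHistory);

                // Encrypt and set Supplemental Credentials
                byte[] encryptedSupplementalCredentials = pek.EncryptSecret(newSupplementalCredentials.ToByteArray());
                targetObject.SetAttribute(CommonDirectoryAttributes.SupplementalCredentials, encryptedSupplementalCredentials);

                // Set the pwdLastSet attribute
                if (!skipMetaUpdate)
                {
                    // NOTE(review): DateTime.Now carries Kind=Local; this relies on SetAttribute converting
                    // local time correctly when it serializes the timestamp - confirm, or switch to DateTime.UtcNow.
                    targetObject.SetAttribute(CommonDirectoryAttributes.PasswordLastSet, DateTime.Now);
                }

                // As supplementalCredentials contains salted values, we will always presume that the values of password attributes have changed.
                bool     passwordHasChanged = true;
                string[] passwordAttributes =
                {
                    CommonDirectoryAttributes.NTHash,
                    CommonDirectoryAttributes.NTHashHistory,
                    CommonDirectoryAttributes.LMHash,
                    CommonDirectoryAttributes.LMHashHistory,
                    CommonDirectoryAttributes.SupplementalCredentials,
                    CommonDirectoryAttributes.PasswordLastSet
                };
                this.CommitAttributeUpdate(targetObject, passwordAttributes, transaction, passwordHasChanged, skipMetaUpdate);
                return(passwordHasChanged);
            }
        }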
        /// <summary>
        /// Locates an account by its sAMAccountName and replaces its password hashes and
        /// supplemental credentials. Delegates to the <c>DatastoreObject</c> overload.
        /// </summary>
        /// <param name="samAccountName">The sAMAccountName of the target account.</param>
        /// <param name="newNtHash">The new NT hash.</param>
        /// <param name="newSupplementalCredentials">The supplemental credentials to store, or null for an empty structure.</param>
        /// <param name="bootKey">The boot key used to unlock the password encryption key.</param>
        /// <param name="skipMetaUpdate">Whether to leave pwdLastSet and the replication metadata untouched.</param>
        /// <returns>The result reported by the underlying overload.</returns>
        public bool SetAccountPasswordHash(string samAccountName, byte[] newNtHash, SupplementalCredentials newSupplementalCredentials, byte[] bootKey, bool skipMetaUpdate)
        {
            return this.SetAccountPasswordHash(this.FindObject(samAccountName), samAccountName, newNtHash, newSupplementalCredentials, bootKey, skipMetaUpdate);
        }
 /// <summary>
 /// Parses a null blob. Any expected exception would be declared by an attribute
 /// on this method, which is not part of this listing.
 /// </summary>
 public void SupplementalCredentials_Parse_Null()
 {
     byte[] nullBlob = null;
     var    parsed   = new SupplementalCredentials(nullBlob);
 }
        /// <summary>
        /// Locates an account by its distinguished name and replaces its password hashes and
        /// supplemental credentials. Delegates to the <c>DatastoreObject</c> overload.
        /// </summary>
        /// <param name="dn">The distinguished name of the target account.</param>
        /// <param name="newNtHash">The new NT hash.</param>
        /// <param name="newSupplementalCredentials">The supplemental credentials to store, or null for an empty structure.</param>
        /// <param name="bootKey">The boot key used to unlock the password encryption key.</param>
        /// <param name="skipMetaUpdate">Whether to leave pwdLastSet and the replication metadata untouched.</param>
        /// <returns>The result reported by the underlying overload.</returns>
        public bool SetAccountPasswordHash(DistinguishedName dn, byte[] newNtHash, SupplementalCredentials newSupplementalCredentials, byte[] bootKey, bool skipMetaUpdate)
        {
            return this.SetAccountPasswordHash(this.FindObject(dn), dn, newNtHash, newSupplementalCredentials, bootKey, skipMetaUpdate);
        }
        /// <summary>
        /// Locates an account by its SID and replaces its password hashes and
        /// supplemental credentials. Delegates to the <c>DatastoreObject</c> overload.
        /// </summary>
        /// <param name="objectSid">The objectSid of the target account.</param>
        /// <param name="newNtHash">The new NT hash.</param>
        /// <param name="newSupplementalCredentials">The supplemental credentials to store, or null for an empty structure.</param>
        /// <param name="bootKey">The boot key used to unlock the password encryption key.</param>
        /// <param name="skipMetaUpdate">Whether to leave pwdLastSet and the replication metadata untouched.</param>
        /// <returns>The result reported by the underlying overload.</returns>
        public bool SetAccountPasswordHash(SecurityIdentifier objectSid, byte[] newNtHash, SupplementalCredentials newSupplementalCredentials, byte[] bootKey, bool skipMetaUpdate)
        {
            return this.SetAccountPasswordHash(this.FindObject(objectSid), objectSid, newNtHash, newSupplementalCredentials, bootKey, skipMetaUpdate);
        }
 /// <summary>
 /// Parsing the minimal 13-byte empty structure must not throw.
 /// </summary>
 public void SupplementalCredentials_Parse_Empty1()
 {
     // Test 13B empty structure
     byte[] emptyBlob = "00000000000000000000000000".HexToBinary();
     var    parsed    = new SupplementalCredentials(emptyBlob);
 }
 /// <summary>
 /// Parsing the full 111-byte empty structure (header plus padding, no properties) must not throw.
 /// </summary>
 public void SupplementalCredentials_Parse_Empty2()
 {
     // Test 111B empty structure
     byte[] emptyBlob = "000000006200000000000000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000500000".HexToBinary();
     var    parsed    = new SupplementalCredentials(emptyBlob);
 }
 /// <summary>
 /// Parsing the minimal 13-byte empty structure must not throw.
 /// </summary>
 public void SupplementalCredentials_Empty1()
 {
     byte[] emptyBlob = "00000000000000000000000000".HexToBinary();
     var    parsed    = new SupplementalCredentials(emptyBlob);
 }