none
RPC over SMB - how to use the session key for SAMR protocol. RRS feed

  • Question

  • Hi,

    I am building an application that uses RPC over SMB to configure machine accounts on domain controllers through the SAMR protocol.

    I am using RpcBindingFromStringBinding and RpcBindingSetAuthInfo to create and authenticate the connection.

    I am also using SamrSetInformationUser2 with UserInternal4InformationNew to set the desired machine account password, yet, since the authentication is done by the underlying authentication protocol i don't have the session key which is required to encrypt the new password.

    How can i get the session key from the RPC/SSPI layers ?

    or alternativly, how can i use the underlying authentication protocol to encrypt the new password ?

     

    Any help will be much appreciated,

    Thank you,

    Gal Kaplan

    Monday, August 2, 2010 11:56 AM

Answers

  • Hi Gal:

    We have finished our investigation on your question regarding the retrieval of session key that was established by SMB.

    [MS-SAMR] is a document that describes the Security Account Manager (SAM) Remote Protocol Specification (Client-to-Server) protocol. As a technical specification of a protocol, it does not address the implementation related details.

    Windows SDK does not expose an API to retrieve the user-session-key, nor is there any way to use the underlying protocol to encrypt the password using Windows SDK.

    Since Windows SDK does not expose an API to retrieve the user-session-key, you will need a custom implementation of MS-SMB/MS-SMB2 and MS-RPCE first to implement MS-SAMR. Once the session is established with the custom implementations of the protocols, it would be an implementation detail of the custom implementation as to how the session key is exposed to the caller. For details about session key in SMB/SMB2, please consult section 3.2.5.3 of MS-SMB or 3.2.5.3.1 of MS-SMB2 and linked documents.

    Please let me know it answers your question. If it does, I’ll consider this issue resolved.

     


    Regards, Obaid Farooqi
    Friday, August 20, 2010 4:44 PM
    Owner

All replies


  • Hi, Gal,

     

    Thank you for your question.  A member of the Protocols team will respond and will work on your issue.


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team
    Monday, August 2, 2010 8:49 PM
    Moderator
  • Hi Gal:

    I will be helping you with this issue regarding session key. I'll be in touch through this thread as soon as I have something concrete.


    Regards, Obaid Farooqi
    Monday, August 2, 2010 9:35 PM
    Owner
  • Hi Gal:

    I am still working on this issue and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi
    Friday, August 13, 2010 4:31 PM
    Owner
  • Hi Gal:

    We have finished our investigation on your question regarding the retrieval of session key that was established by SMB.

    [MS-SAMR] is a document that describes the Security Account Manager (SAM) Remote Protocol Specification (Client-to-Server) protocol. As a technical specification of a protocol, it does not address the implementation related details.

    Windows SDK does not expose an API to retrieve the user-session-key, nor is there any way to use the underlying protocol to encrypt the password using Windows SDK.

    Since Windows SDK does not expose an API to retrieve the user-session-key, you will need a custom implementation of MS-SMB/MS-SMB2 and MS-RPCE first to implement MS-SAMR. Once the session is established with the custom implementations of the protocols, it would be an implementation detail of the custom implementation as to how the session key is exposed to the caller. For details about session key in SMB/SMB2, please consult section 3.2.5.3 of MS-SMB or 3.2.5.3.1 of MS-SMB2 and linked documents.

    Please let me know it answers your question. If it does, I’ll consider this issue resolved.

     


    Regards, Obaid Farooqi
    Friday, August 20, 2010 4:44 PM
    Owner
  • Hi Obaid,

    I understand there is no API in windows SDK that can assist me with this issue.

    Thank you very much for your help,

    Gal

    Tuesday, August 24, 2010 8:13 AM