[MS-SECO] Windows Security Overview Update for Windows 8 Microsoft Accounts

Question

  • Hi,

    I would like to see [MS-SECO] Windows Security Overview:

    http://msdn.microsoft.com/en-us/library/cc246013.aspx

    Or the relevant specification updated with information regarding the new Windows 8 "Microsoft Account", also known as a Windows Live Id. MS-SECO provides an overview of Windows security, account names, domain names, authentication protocols, authorization, etc. 

    Section 2.2.1 User Accounts describes the user account formats and the conditions for validity. For instance, the UPN notation is described along with the meaning of the @ symbol.

    I would like to see at least a paragraph added to explain Microsoft Accounts, their format, and what is considered a valid Microsoft Account. I'm suspecting that validity is checked by authenticating with Microsoft: when disconnected from the network, one cannot authenticate with a Microsoft Account, at least from my experience. Are Microsoft Accounts only usable by Microsoft products, or can they be used by third parties? Certain things are synchronized along with the Microsoft Account like themes, backgrounds, etc. Is it possible for an application developer to store custom settings and associate them with a Microsoft Account? Basically, how is it different from regular accounts, and a few words on how it is used.

    There is another thing I have noticed with Microsoft Accounts: when using them on a Windows 8 machine, the user folder is not of the same name as the username itself. For instance, my Microsoft Account is marcandre.moreau@live.ca, and on one of my machines the local user folder is "marca_000", as if there was some generic way of taking part of the Microsoft Account and appending a number to it. With remote desktop, I can successfully use either "marcandre.moreau@live.ca", "marca_000", or "MicrosoftAccount\marcandre.moreau@live.ca" to connect.

    The part which is the most intriguing is how can both marca_000 and marcandre.moreau@live.ca be used interchangeably. How does this work exactly? Is there mapping done on the server? How come authentication does not fail with NTLM, since using the wrong username should cause the wrong hashes to be computed?

    As you can see, there are many different mysteries that would be worth clarifying in a specification like MS-SECO.

    Best regards,

    - Marc-Andre

    Wednesday, February 13, 2013 3:19 AM

Answers

  • Hi Marc-Andre,

    You raised quite a few good points and we are looking for a vehicle to explore this further (blog post, etc.).  However, we don’t believe [MS-SECO] is the right place for this discussion as it describes communications between Windows and a Service (Live), which is out of scope for this document set.

    From your post, it doesn’t appear that you are actually blocked, but rather offering up the discussion as a helpful suggestion to improve [MS-SECO].  Is that correct?

    As we discussed in the previous forum thread, the Microsoft account credentials flow through RDP as the “MicrosoftAccount” portion is marshalled into the Domain field of the Client Info PDU and everything following “MicrosoftAccount\” is transmitted as the Username.  At the server side, the entire string is re-constituted as “MicrosoftAccount\marcandre.moreau@live.ca” by concatenating Domain, “\\” and Username.  RDP is unaware that something special is happening; it obtains the current user’s ID on one end, transmits it and presents it for authentication on the server-side.

    “marca_000” is a local machine account that is created during the Windows out-of-box experience.

    In researching this, the IETF draft document “MSN Messenger Service 1.0 Protocol” was brought to my attention at http://tools.ietf.org/html/draft-movva-msn-messenger-protocol-00.  In particular, section 7.3 Authentication.

    Again, we are exploring appropriate avenues to describe this, be it a blog or MSDN Whitepaper, but we don’t believe that it belongs in [MS-SECO].  As for your current work, please let me know if you are blocked.


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Tuesday, February 26, 2013 7:15 PM
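    The credential marshalling described in the answer above, as an added illustration (not Microsoft's code and not a complete Client Info PDU encoder): the client splits the login at the first backslash into Domain and UserName, and the server rebuilds the string by concatenating Domain, a backslash and UserName. The length-prefixed UTF-16LE layout used for the two fields is a constructed simplification for the demonstration, and the choice to return the bare UserName when Domain is empty is an assumption of this example.

```python
"""Simplified model of the Domain/UserName marshalling described in the
forum answer. Added example, not Microsoft code; only the two string
fields are modelled, with a constructed length-prefixed UTF-16LE layout."""

from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class ClientInfoNames:
    domain: str
    username: str


def split_credential(login: str) -> ClientInfoNames:
    """Client side: split at the first backslash. Everything before it
    becomes Domain, everything after it becomes UserName. A login with no
    backslash (a bare name or a UPN such as user@live.ca) travels with an
    empty Domain."""
    domain, sep, user = login.partition("\\")
    if not sep:
        return ClientInfoNames(domain="", username=login)
    return ClientInfoNames(domain=domain, username=user)


def reconstitute(names: ClientInfoNames) -> str:
    """Server side: concatenate Domain, a backslash and UserName, as the
    answer describes. Returning the bare UserName for an empty Domain is
    an assumption of this example."""
    if not names.domain:
        return names.username
    return f"{names.domain}\\{names.username}"


def encode_fields(names: ClientInfoNames) -> bytes:
    """Constructed wire layout: two little-endian uint16 byte lengths,
    then each UTF-16LE string followed by a 2-byte NUL terminator that is
    not counted in the length field."""
    dom = names.domain.encode("utf-16-le")
    usr = names.username.encode("utf-16-le")
    return struct.pack("<HH", len(dom), len(usr)) + dom + b"\x00\x00" + usr + b"\x00\x00"


def decode_fields(buf: bytes) -> ClientInfoNames:
    """Parse the constructed layout, refusing lengths that run past the
    buffer or that are not whole UTF-16 code units."""
    if len(buf) < 4:
        raise ValueError("buffer too short for length fields")
    cb_dom, cb_usr = struct.unpack_from("<HH", buf, 0)
    if cb_dom % 2 or cb_usr % 2:
        raise ValueError("UTF-16LE field length must be even")
    off = 4
    if off + cb_dom + 2 > len(buf):
        raise ValueError("Domain length exceeds buffer")
    dom = buf[off:off + cb_dom].decode("utf-16-le")
    off += cb_dom + 2
    if off + cb_usr + 2 > len(buf):
        raise ValueError("UserName length exceeds buffer")
    usr = buf[off:off + cb_usr].decode("utf-16-le")
    off += cb_usr + 2
    if off != len(buf):
        raise ValueError("trailing bytes after UserName field")
    return ClientInfoNames(domain=dom, username=usr)


def round_trip(login: str) -> str:
    """Client split -> encode -> decode -> server rebuild."""
    return reconstitute(decode_fields(encode_fields(split_credential(login))))


if __name__ == "__main__":
    for login in ("MicrosoftAccount\\marcandre.moreau@live.ca",
                  "marcandre.moreau@live.ca", "marca_000"):
        print(f"{login!r} -> {split_credential(login)} -> {round_trip(login)!r}")
```

    The point the model makes visible is that nothing in the transport interprets the name: whatever string the client obtained is what the server presents for authentication, so any equivalence between "marca_000" and the Microsoft Account happens in the local logon path, not in RDP.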

All replies

  • Hi Marc-Andre,

    Thank you for your question.  I can look into this for you.  For reference, it appears that this question is an offshoot of the thread http://social.msdn.microsoft.com/Forums/en-US/os_windowsprotocols/thread/8e911fdf-1fcb-43e1-9dfa-095b96c5ebab


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Wednesday, February 13, 2013 5:50 AM
  • Hi Bryan,

    Yes, my other question is a good reference for this one. Thank you for looking into this.

    Thursday, February 14, 2013 9:53 PM