This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 4%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
An outside audit of our on-premise environment has dinged us for not using SALT in our on-premise Active Directory environment in conjunction with the normal encryption/hash used by AD. I have not been able to find a suitable answer about this, most posts are from 10 or more years ago with regards to AD user password storage. We are currently running a functional level of 2012.
If AD can not use SALT, are there any good answers I can provide? I feel like it is not needed, we do not allow Domain Admins, etc.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 28.999999999999996%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVW%3C/text%3E%3C/svg%3E)
You want the Windows technical documentation.
Two important points:
Neither the NT hash nor the LM hash is salted
the NT hash is used in a Kerberos logon against the Key Distribution Center
That document is for up to Windows 7, but a Windows 8/Server 2012 document has - "There are no changes in functionality for NTLM for Windows Server 2012."
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Something here may help.
https://www.microsoft.com/security/blog/2019/05/30/demystifying-password-hash-sync/
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
--please don't forget to Accept as answer if the reply is helpful--
While we do have uses of ADFS on our local server farm, we do not use Azure AD for anything more than Office365. Our accounts are all sync'd from our local AD domain.
If I read this correctly though, I can tell the auditors that whenever someone uses our ADFS to connect to their O365 email and services, there is a salt added in the process?
Hi,
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
Best Regards,
Vicky
Thanks, at least I have something that we can provide that is official.
