Share via

[MS-ADTS] 6.1.6.9.3.1 Record

Vincent Le Toux 0 Reputation points
Jan 31, 2024, 2:57 PM

Hello,

I am writing to inquire about the specification for the attribute msDS-TrustForestTrustInfo of a forest trust object, specifically identified as 6.1.6.9.3.1 Record.

Previously, I successfully implemented a parser for all record types, with the exception of ForestTrustScannerInfo (type=4). I am currently working on integrating the latest data.

The record of type 4 closely resembles that of type 2, with the addition of the fields binaryData and subRecordType at the beginning, each representing 8 bytes.

During parsing of data from the production environment, the new fields added at the beginning of the structure parse correctly. However, I encountered difficulties with SID extraction.

Upon closer examination of several records, I discovered that no SID is defined within them. Furthermore, when the SIDLenght is 1 byte (instead of the specified 4 bytes in the documentation), the DNS and NetBIOS data translate perfectly into a string.

My question is as follows:

Is there an error in the documentation regarding the length of the field SidLen specifically within the structure identified as recordtype=4, where the length is specified as 1 byte instead of 4 bytes?

Thank you for your assistance and feedback.

Vincent LE TOUX

Windows Open Specifications
Windows Open Specifications
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Open Specifications: Technical documents for protocols, computer languages, standards support, and data portability. The goal with Open Specifications is to help developers open new opportunities to interoperate with Windows, SQL, Office, and SharePoint.
42 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Vincent Le Toux 0 Reputation points
    Feb 1, 2024, 3:18 PM

    Another interpretation would be that SID is an ANSSI string. The 1 byte data would be the null terminator then.

    0 comments No comments

  2. Vincent Le Toux 0 Reputation points
    Feb 1, 2024, 3:43 PM

    Also looking at https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/1b5fa90f-5d6d-4193-830c-1a53cd518fdb#Appendix_A_Target_16 some flags may be missing such as LSA_SCANNER_INFO_DISABLE_AUTH_TARGET_VALIDATION Indeed, flags are defined globally or for struct = 0, 1, 2 but not 4

    0 comments No comments

  3. Obaid Farooqi MSFT 591 Reputation points Microsoft Employee
    Feb 19, 2024, 9:02 PM

    Hi @Vincent Le Toux I looked consulted MS-DRSR and I found that the value of SidLen is irrelevant for Windows. It is always 28 bytes, as state in section 5.50:

    "Sid: The value of the object's objectSid attribute, its security identifier, specified as a SID structure, which is defined in [MS-DTYP] section 2.4.2. The size of this field is exactly 28 bytes, regardless of the value of SidLen, which specifies how many bytes in this field are used. Note that this is smaller than the theoretical size limit of a SID, which is 68 bytes. While Windows publishes a general SID format, Windows never uses that format in its full generality. 28 bytes is sufficient for a Windows SID. "

    Does this help?

    I'll file a bug to add LSA_SCANNER_INFO_DISABLE_AUTH_TARGET_VALIDATION

    Regards,

    Obaid Farooqi - MSFT


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.