Another interpretation would be that SID is an ANSI string. The 1 byte data would be the null terminator then.
[MS-ADTS] 6.1.6.9.3.1 Record
Hello,
I am writing to inquire about the specification for the attribute msDS-TrustForestTrustInfo of a forest trust object, specifically identified as 6.1.6.9.3.1 Record.
Previously, I successfully implemented a parser for all record types, with the exception of ForestTrustScannerInfo (type=4). I am currently working on integrating the latest data.
The record of type 4 closely resembles that of type 2, with the addition of the fields binaryData and subRecordType at the beginning, each representing 8 bytes.
During parsing of data from the production environment, the new fields added at the beginning of the structure parse correctly. However, I encountered difficulties with SID extraction.
Upon closer examination of several records, I discovered that no SID is defined within them. Furthermore, when the SIDLength is 1 byte (instead of the specified 4 bytes in the documentation), the DNS and NetBIOS data translate perfectly into a string.
My question is as follows:
Is there an error in the documentation regarding the length of the field SidLen specifically within the structure identified as recordtype=4, where the length is specified as 1 byte instead of 4 bytes?
Thank you for your assistance and feedback.
Vincent LE TOUX
3 answers
Vincent Le Toux 0 Reputation points
Feb 1, 2024, 3:43 PM
Also looking at https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/1b5fa90f-5d6d-4193-830c-1a53cd518fdb#Appendix_A_Target_16, some flags may be missing, such as LSA_SCANNER_INFO_DISABLE_AUTH_TARGET_VALIDATION. Indeed, flags are defined globally or for struct = 0, 1, 2 but not 4.
-
Obaid Farooqi MSFT 591 Reputation points Microsoft Employee
Feb 19, 2024, 9:02 PM
Hi @Vincent Le Toux, I consulted MS-DRSR and I found that the value of SidLen is irrelevant for Windows. It is always 28 bytes, as stated in section 5.50:
"Sid: The value of the object's objectSid attribute, its security identifier, specified as a SID structure, which is defined in [MS-DTYP] section 2.4.2. The size of this field is exactly 28 bytes, regardless of the value of SidLen, which specifies how many bytes in this field are used. Note that this is smaller than the theoretical size limit of a SID, which is 68 bytes. While Windows publishes a general SID format, Windows never uses that format in its full generality. 28 bytes is sufficient for a Windows SID."
Does this help?
I'll file a bug to add LSA_SCANNER_INFO_DISABLE_AUTH_TARGET_VALIDATION
Regards,
Obaid Farooqi - MSFT
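
The check described in the question, as an added example that is not part of the thread or of MS-ADTS: it parses the part of a type 4 record that follows the two leading fields under both SidLen widths (4 bytes as documented, 1 byte as observed) and reports which width consumes the buffer exactly. Assumptions: little-endian lengths, 4-byte DnsNameLen and NetbiosNameLen, UTF-8 names, and constructed sample bytes; all function and variable names are hypothetical.

```python
import struct

class ParseError(ValueError):
    """Raised when a length field points outside the buffer or a name is not UTF-8."""

def _take(buf, off, n):
    # Bounds-checked slice: never trust a length read from the record itself.
    if off + n > len(buf):
        raise ParseError(f"need {n} bytes at offset {off}, only {len(buf) - off} left")
    return buf[off:off + n], off + n

def parse_tail(buf, sidlen_width):
    """Parse SidLen, Sid, DnsNameLen, DnsName, NetbiosNameLen, NetbiosName.

    sidlen_width is the hypothesis under test: 4 (documented) or 1 (observed).
    The field order and the 4-byte name lengths are assumptions of this example.
    """
    raw, off = _take(buf, 0, sidlen_width)
    sid, off = _take(buf, off, int.from_bytes(raw, "little"))
    names = []
    for _ in range(2):
        raw, off = _take(buf, off, 4)
        (length,) = struct.unpack("<I", raw)
        raw, off = _take(buf, off, length)
        try:
            names.append(raw.decode("utf-8"))
        except UnicodeDecodeError as exc:
            raise ParseError("name is not valid UTF-8") from exc
    if off != len(buf):
        raise ParseError(f"{len(buf) - off} unparsed trailing bytes")
    return {"sid": sid, "dns": names[0], "netbios": names[1]}

def plausible_widths(buf):
    """Return {width: parsed fields} for every SidLen width that parses cleanly."""
    results = {}
    for width in (4, 1):
        try:
            results[width] = parse_tail(buf, width)
        except ParseError:
            pass
    return results

# Constructed sample bytes (not production data).
_NAMES = struct.pack("<I", 11) + b"example.com" + struct.pack("<I", 7) + b"EXAMPLE"
OBSERVED_SHAPE = b"\x00" + _NAMES                  # 1-byte SidLen of 0, no SID
DOCUMENTED_SHAPE = struct.pack("<I", 0) + _NAMES   # 4-byte SidLen of 0, no SID

if __name__ == "__main__":
    for label, data in (("observed", OBSERVED_SHAPE), ("documented", DOCUMENTED_SHAPE)):
        print(label, plausible_widths(data))
```

A record for which neither width parses cleanly returns an empty dict, which is the signal to stop and inspect the bytes rather than guess at offsets.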