AlexDanilov-7975 asked CarlFan-MSFT answered

Cannot decrypt Unicode password, passed from RDP (need plain password for credential provider)

When RDP passes the password to the destination PC, it is in protected form, something like "@@D...."
We are using the following code in order to get the plain text password from it:

if (CredIsProtectedW(szPasswordFromRDP, &protectionType))
{
    if (protectionType == CredProtected)
    {
        CredUnprotectW(FALSE, szPasswordFromRDP,...);
        // use plain text password in our own Credential provider
    }
}

That code works perfectly well when the user has an ASCII password.
But when there is a Unicode password, CredIsProtectedW returns CredUnprotected...
Even when we try to "force" conversion with CredUnprotectW by supplying the correct plain text length (which we know from the original password), it still doesn't work!
Is it some kind of limitation? Or a bug? Or does it not support all Unicode characters?
Or should the destination PC have the language installed?

Internally, they look pretty much the same.
ASCII password in protected form: @@D�� gAAAAAnPAAAAAAAAAE1g99rdJVRbxrnfZUZt2eC#VpTLhcq1H
Unicode in protected form: @@D\x07\x08\x0c\n\roAAAAAnPAAAAAAAAgJtBMDyNE3hzbN0ZfPFpvgndNZinjVbLzxsosyvaRNeD

Just in case - specific Unicode plain text password I've used (Japanese Katakana) アセアセアセアセアセ
2 letters repeated 5 times: U+30A2 and U+30BB


1 Answer

CarlFan-MSFT answered

Hi,
According to your description, the issue is about decrypting a password with a script or API. Please post the issue to the script forum.
https://social.msdn.microsoft.com/Forums/office/en-US/home?forum=csharpgeneral
Based on my search, the wincred.h header defines CredIsProtected as an alias which automatically selects the ANSI or Unicode version of this function based on the definition of the UNICODE preprocessor constant. Mixing usage of the encoding-neutral alias with code that is not encoding-neutral can lead to mismatches that result in compilation or runtime errors. For more information, see Conventions for Function Prototypes:
https://docs.microsoft.com/en-us/windows/win32/intl/conventions-for-function-prototypes
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl
