This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 20%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
In order to start using group managed service accounts I went to create the KDS key only to find it had already been created, so I wanted to investigate how it was configured. There seems to be very little published information on what the various KDS root key configuration options are. Get-kdsconfiguration returns info, but I'm having no luck in finding out what the acceptable options are, or what might be considered best practice. Example, my output is this:
AttributeOfWrongFormat :
KdfParameters : {0, 0, 0, 0...}
SecretAgreementParameters : {12, 2, 0, 0...}
IsValidFormat : True
SecretAgreementAlgorithm : DH
KdfAlgorithm : SP800_108_CTR_HMAC
SecretAgreementPublicKeyLength : 2048
SecretAgreementPrivateKeyLength : 512
VersionNumber : 1
I have no idea if the SecretAgreementAlgorithm being "DH" is OK or should be something else, and no idea what those values in the SecretAgreementParameters map to. If there is an article somewhere that details what the options are here that could be referenced that'd be much appreciated!
Answer accepted by question author
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
I found an article for this, for your reference:
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-GKDI/%5BMS-GKDI%5D-170601.pdf
Hope it will be helpful.
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Fan
I'll mark this as the accepted answer as I think it is buried in there. This doc requires some pretty indepth crypto knowledge to decipher, all i was able to get out of it is my settings are related to the cypher in use so i'll have to assume its fine. I was really hoping to get some guidance on best practice but this technically answers the question so hopefully it helps someone who actually can read that doc. I appreciate you taking the time to look this up though!
