6.1.6.9.1 trustAuthInfo Attributes

Domain peers share a password in order to validate protocol messages flowing between the trusted domains. Each password is valid in only one direction of the trust, and each direction is stored in its own attribute: trustAuthIncoming and trustAuthOutgoing. Both are secret attributes ([MS-DRSR] section 4.1.10.3.11, IsSecretAttribute) and are not readable outside of the context of the LSA on a DC.

Both trustAuthIncoming and trustAuthOutgoing are stored as a String(Octet). The storage of this information in a TDO is described in the following diagram.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------------------------------+
|                      Count of auth infos                      |
+---------------------------------------------------------------+
|           Byte offset to AuthenticationInformation            |
+---------------------------------------------------------------+
|       Byte offset to PreviousAuthenticationInformation        |
+---------------------------------------------------------------+
|             AuthenticationInformation (variable)              |
+---------------------------------------------------------------+
|                              ...                              |
+---------------------------------------------------------------+
|         PreviousAuthenticationInformation (variable)          |
+---------------------------------------------------------------+
|                              ...                              |
+---------------------------------------------------------------+


Count of auth infos (4 bytes): A ULONG count of the pairs of LSAPR_AUTH_INFORMATION structures. Each current Authentication Information structure is accompanied by a previous Authentication Information structure (even if it is marked as invalid), and the count of the pairs of elements is stored in this field.

Byte offset to AuthenticationInformation (4 bytes): The BYTE offset from the base of the structure to the array of LSAPR_AUTH_INFORMATION structures representing the current authentication information.

Byte offset to PreviousAuthenticationInformation (4 bytes): The BYTE offset from the base of the structure to the array of LSAPR_AUTH_INFORMATION structures representing the previous authentication information.

AuthenticationInformation (variable): Array of LSAPR_AUTH_INFORMATION [1...Count].

Following the byte offset to PreviousAuthenticationInformation is an array of LSAPR_AUTH_INFORMATION structures representing the current authentication information.

PreviousAuthenticationInformation (variable): Array of LSAPR_AUTH_INFORMATION [1...Count].

Following the current authentication information is an array of LSAPR_AUTH_INFORMATION structures representing the previous authentication information. If authentication information has not been previously stored, then the previous Authentication Information structure is an exact copy of the current Authentication Information structure.
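The following encoder/decoder is an added example and is not part of this specification or of any Microsoft code. It implements the 12-byte header and the two arrays described above, enforcing the rules the text states: the count applies to both arrays, the two offsets are measured from the base of the structure, and when no previous information exists the previous array is an exact copy of the current one. The per-entry layout of LSAPR_AUTH_INFORMATION is not defined on this page, so the entry encoding used here (an 8-byte LastUpdateTime, a 4-byte AuthType, a 4-byte AuthInfoLength, the variable AuthInfo, then padding to a 4-byte boundary), the little-endian byte order, and the names AuthInfo, build_trust_auth_info and parse_trust_auth_info are assumptions. The decoder treats the count, offsets and lengths as untrusted and refuses anything that runs past the end of the buffer.

```python
"""Encoder/decoder for the trustAuthIncoming / trustAuthOutgoing blob layout:
a 12-byte header (count of auth-info pairs, byte offset to the current array,
byte offset to the previous array) followed by the two arrays.
Added example; not code from MS-ADTS or from Windows."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header fields are ULONGs; little-endian is an ASSUMPTION of this example.
HEADER = struct.Struct("<III")       # count, offset to current, offset to previous

# ASSUMPTION: in-TDO layout of one LSAPR_AUTH_INFORMATION entry (not defined on
# this page): LastUpdateTime (8 bytes), AuthType (4 bytes), AuthInfoLength
# (4 bytes), AuthInfo (AuthInfoLength bytes), padding to a 4-byte boundary.
ENTRY_HDR = struct.Struct("<QII")


@dataclass
class AuthInfo:                      # hypothetical name for one array element
    last_update_time: int
    auth_type: int
    auth_info: bytes


def _align4(n: int) -> int:
    return (n + 3) & ~3


def encode_entries(entries: List[AuthInfo]) -> bytes:
    out = bytearray()
    for e in entries:
        out += ENTRY_HDR.pack(e.last_update_time, e.auth_type, len(e.auth_info))
        out += e.auth_info
        out += b"\x00" * (_align4(len(out)) - len(out))   # assumed padding rule
    return bytes(out)


def build_trust_auth_info(current: List[AuthInfo],
                          previous: Optional[List[AuthInfo]] = None) -> bytes:
    """Serialise the whole attribute value. With no previous information the
    previous array is an exact copy of the current one, as the text requires."""
    if previous is None:
        previous = current
    if len(previous) != len(current):
        raise ValueError("current and previous arrays must have the same count")
    cur = encode_entries(current)
    prev = encode_entries(previous)
    off_cur = HEADER.size                 # arrays start right after the header
    off_prev = off_cur + len(cur)         # previous array follows the current one
    return HEADER.pack(len(current), off_cur, off_prev) + cur + prev


def _decode_entries(blob: bytes, offset: int, count: int) -> List[AuthInfo]:
    entries = []
    pos = offset
    for _ in range(count):
        if pos + ENTRY_HDR.size > len(blob):
            raise ValueError("truncated LSAPR_AUTH_INFORMATION header")
        last_update, auth_type, length = ENTRY_HDR.unpack_from(blob, pos)
        pos += ENTRY_HDR.size
        if length > len(blob) - pos:
            raise ValueError("AuthInfoLength runs past the end of the blob")
        entries.append(AuthInfo(last_update, auth_type, bytes(blob[pos:pos + length])))
        pos = _align4(pos + length)
    return entries


def parse_trust_auth_info(blob: bytes) -> Tuple[List[AuthInfo], List[AuthInfo]]:
    """Return (current, previous) arrays, validating every offset and length
    before it is used so a malformed value cannot read outside the buffer."""
    if len(blob) < HEADER.size:
        raise ValueError("value shorter than the 12-byte header")
    count, off_cur, off_prev = HEADER.unpack_from(blob, 0)
    for name, off in (("current", off_cur), ("previous", off_prev)):
        if off < HEADER.size or off > len(blob):
            raise ValueError(f"{name} array offset {off} lies outside the value")
    return _decode_entries(blob, off_cur, count), _decode_entries(blob, off_prev, count)


if __name__ == "__main__":
    # Constructed sample: one current entry, no previous information stored.
    sample = [AuthInfo(last_update_time=0x01D0, auth_type=2, auth_info=b"secret-pw-1")]
    value = build_trust_auth_info(sample)
    current, previous = parse_trust_auth_info(value)
    print(len(value), current == previous)   # 68 True
```

Round-tripping a constructed value shows the offsets the text describes: the current array begins at byte 12, and with one 27-byte entry padded to 28 bytes the previous array begins at byte 40. Truncating the value makes the decoder reject it instead of reading past the end, which is the check a consumer of any untrusted secret-attribute blob should make before trusting the offsets inside it.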