3.1.5.10.4 SamrUnicodeChangePasswordUser4 (Opnum 73)

Use the SamrUnicodeChangePasswordUser4 method to change a user account password.

 NTSTATUS
 SamrUnicodeChangePasswordUser4(
     [in]         handle_t BindingHandle,
     [in,unique]  PRPC_UNICODE_STRING  ServerName,
     [in]         PRPC_UNICODE_STRING  UserName,
     [in]         PSAMPR_ENCRYPTED_PASSWORD_AES   EncryptedPassword
     );

BindingHandle: An RPC binding handle parameter as specified in [C706] section 1.

ServerName: A null-terminated string containing the NETBIOS name of the server<67>.

UserName: The name of the user. The processing instructions that follow describe how this value is used as a database key to locate the account that is the target of this password change operation.

EncryptedPassword: A cleartext password encrypted as specified by SAMPR_ENCRYPTED_PASSWORD_AES (section 3.2.2.4), where the key is derived with the PBKDF2 algorithm from the NT hash of the user's existing password, EncryptedPassword.Salt, and EncryptedPassword.PBKDF2Iterations.

EncryptedPassword.PBKDF2Iterations MUST be present and MUST be between 5000 and 1,000,000 inclusive.

Upon receiving this message, the server MUST process the data from the message subject to the following constraints:

  1. On a DC (1) configuration, if Active Directory is not running, the server MUST abort the request and return an error status.

  2. All database operations MUST occur in a single transaction.

  3. Let ‘U’ be the user account with the sAMAccountName attribute value of UserName. The server MUST return STATUS_WRONG_PASSWORD (section 2.2.1.15) if no such account exists.

  4. Let Stored-NT-Hash be the value of the unicodePwd attribute from the database decrypted using the algorithm specified in section 2.2.11.1, using U's RelativeId (section 3.1.5.11.2) as the key. If the attribute does not exist, let Stored-NT-Hash be "NULL".

  5. If Stored-NT-Hash is NULL, the server MUST abort processing and return STATUS_WRONG_PASSWORD.

  6. If EncryptedPassword.PBKDF2Iterations is not present or not valid, the server will return STATUS_WRONG_PASSWORD and abort processing.

  7. If Stored-NT-Hash is not NULL and EncryptedPassword.PBKDF2Iterations is valid, the server decrypts EncryptedPassword as follows:

  • Let CEK be a 16-byte encryption key derived with PBKDF2 from Stored-NT-Hash, EncryptedPassword.PBKDF2Iterations, and EncryptedPassword.Salt.

  • Compute a MAC as specified in AES Cipher Usage (section 3.2.2.4) using the CEK, and verify that EncryptedPassword.AuthData matches this MAC.

  • Decrypt EncryptedPassword.Ciphertext per the AES Cipher Usage specification using the CEK. Let Presented-Clear-Text be the resulting cleartext value sent by the client.

  8. The following conditions MUST all be true; otherwise, the server MUST satisfy the constraints in section 3.1.5.14.6 and return STATUS_WRONG_PASSWORD:

  • Stored-NT-Hash is non-NULL.

  • EncryptedPassword.PBKDF2Iterations is between 5000 and 1,000,000 inclusive.

  • The MAC computed by the server according to the AES Cipher Usage specification (section 3.2.2.4) using the CEK matches the AuthData presented by the client.

  • Decrypting EncryptedPassword.Ciphertext succeeds.

  9. The server MUST update the clearTextPassword attribute with Presented-Clear-Text.
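The server-side processing of steps 5 through 9, together with the client-side encryption it expects, as an added worked example in Go. This is not code from MS-SAMR or from any Microsoft implementation, and it is not wire-compatible: the page fixes the PBKDF2 inputs, the 16-byte CEK, the iteration bounds and the order of checks, but not the PRF, the cipher mode or the MAC layout, which belong to the AES Cipher Usage section (3.2.2.4). The example therefore assumes HMAC-SHA512 as the PBKDF2 PRF, expands the CEK into an AES-256 key and a MAC key under placeholder labels, uses the Salt as the CBC IV with PKCS#7 padding, and computes AuthData as HMAC-SHA512 over the Salt followed by the ciphertext; the 16-byte Stored-NT-Hash and the salt are constructed values, not the MD4 of a real password. What it demonstrates is the property the rules are built around: every failure, from a missing unicodePwd attribute to a tampered ciphertext, returns the single status STATUS_WRONG_PASSWORD, and AuthData is compared in constant time before any decryption takes place.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Iteration bounds from the processing rules. Every failure in steps 5 to 8 collapses to STATUS_WRONG_PASSWORD.
const (
	MinPBKDF2Iterations = 5000
	MaxPBKDF2Iterations = 1000000
)
var ErrWrongPassword = errors.New("STATUS_WRONG_PASSWORD")

// EncryptedPasswordAES holds the SAMPR_ENCRYPTED_PASSWORD_AES fields the page
// names; the 64-byte AuthData and 16-byte Salt sizes are assumptions.
type EncryptedPasswordAES struct {
	AuthData, Salt, Ciphertext []byte
	PBKDF2Iterations           uint64
}

func hmacSha512(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha512.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// pbkdf2Block1 is RFC 8018 PBKDF2 with HMAC-SHA512 as PRF (assumed; the page says only "PBKDF2"). One block covers a 16-byte CEK.
func pbkdf2Block1(password, salt []byte, iterations, keyLen int) []byte {
	u := hmacSha512(password, salt, []byte{0, 0, 0, 1})
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		u = hmacSha512(password, u)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:keyLen]
}

// deriveKeys derives the 16-byte CEK from the NT hash and expands it into an
// AES-256 key and a MAC key. The labels are placeholders, not those of section 3.2.2.4.
func deriveKeys(ntHash, salt []byte, iterations uint64) (encKey, macKey []byte) {
	cek := pbkdf2Block1(ntHash, salt, int(iterations), 16)
	return hmacSha512(cek, []byte("placeholder:encryption key"))[:32],
		hmacSha512(cek, []byte("placeholder:MAC key"))[:32]
}

// ClientEncrypt builds the request: the new password encrypted under a CEK
// derived from the NT hash of the current password. Salt as CBC IV, PKCS#7
// padding and AuthData = HMAC-SHA512(macKey, Salt || Ciphertext) are assumptions.
func ClientEncrypt(ntHash, salt []byte, iterations uint64, cleartext []byte) (EncryptedPasswordAES, error) {
	if iterations < MinPBKDF2Iterations || iterations > MaxPBKDF2Iterations || len(salt) != aes.BlockSize {
		return EncryptedPasswordAES{}, errors.New("client: bad iteration count or salt length")
	}
	encKey, macKey := deriveKeys(ntHash, salt, iterations)
	blk, _ := aes.NewCipher(encKey)
	pad := aes.BlockSize - len(cleartext)%aes.BlockSize
	padded := append(append([]byte(nil), cleartext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, salt).CryptBlocks(ct, padded)
	return EncryptedPasswordAES{AuthData: hmacSha512(macKey, salt, ct), Salt: salt, Ciphertext: ct, PBKDF2Iterations: iterations}, nil
}

// ServerDecrypt is steps 5 through 8. A nil storedNTHash models a missing
// unicodePwd attribute. It returns Presented-Clear-Text or STATUS_WRONG_PASSWORD.
func ServerDecrypt(storedNTHash []byte, ep EncryptedPasswordAES) ([]byte, error) {
	if storedNTHash == nil || // step 5
		ep.PBKDF2Iterations < MinPBKDF2Iterations || ep.PBKDF2Iterations > MaxPBKDF2Iterations || // step 6
		len(ep.Salt) != aes.BlockSize || len(ep.Ciphertext) == 0 || len(ep.Ciphertext)%aes.BlockSize != 0 {
		return nil, ErrWrongPassword
	}
	encKey, macKey := deriveKeys(storedNTHash, ep.Salt, ep.PBKDF2Iterations)
	// Step 7: compare AuthData in constant time before touching the ciphertext.
	if !hmac.Equal(hmacSha512(macKey, ep.Salt, ep.Ciphertext), ep.AuthData) {
		return nil, ErrWrongPassword
	}
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ep.Ciphertext))
	cipher.NewCBCDecrypter(blk, ep.Salt).CryptBlocks(pt, ep.Ciphertext)
	pad := int(pt[len(pt)-1]) // "decrypting succeeds" includes well-formed padding
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, ErrWrongPassword
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	// Constructed inputs: a 16-byte stand-in for Stored-NT-Hash (no MD4 here) and a fixed salt; a real client draws the salt at random.
	ntHash, salt := []byte("0123456789abcdef"), []byte("salt-salt-salt-0")
	ep, _ := ClientEncrypt(ntHash, salt, 5000, []byte("N3w-P@ssw0rd"))
	pt, err := ServerDecrypt(ntHash, ep)
	fmt.Printf("correct hash: %q %v\n", pt, err)
	_, err = ServerDecrypt([]byte("wrong-hash-wrong"), ep)
	fmt.Println("wrong hash:", err)
}
```

Running it prints the recovered cleartext for the correct Stored-NT-Hash and STATUS_WRONG_PASSWORD for the wrong one; feeding ServerDecrypt a nil hash, an iteration count of 4999, or a ciphertext with one bit flipped produces the same status, which is the point of step 8 folding every condition into one result (step 3 does the same for an unknown UserName). In a real client the Salt is fresh random bytes per request and the PBKDF2 password is the MD4 of the UTF-16LE current password, both of which this example replaces with constructed values.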