AD LDS password security

  • Last Post 26 August 2016
minwar posted this 23 August 2016

Does anyone know if LDS uses a hash algorithm for passwords? Or is it simply Base64 encoding? I am finding there is a real lack of published content on LDS, which is proving frustrating at times. Any info appreciated. Thanks

dloder posted this 23 August 2016

For bindable objects it uses the exact same methodology as AD; a one way hash of the password.

minwar posted this 24 August 2016

Thanks.  Do you know what hash algorithm is used?  Is it just NT-OWF hashed format?

BrianB posted this 24 August 2016

What if the AD LDS server were not linked to AD but rather stand-alone. Does anyone know the encryption method for passwords stored directly in the AD LDS database?

Brian Britt

a-ko posted this 24 August 2016

Why would it be any different than the standard NT Hash (MD4-based)? 


chriss3 posted this 26 August 2016

They are not different, they are NTOWF hashes and additionally encrypted both on the DBLayer and on the wire.  


chriss3 posted this 26 August 2016

Yes, RC4 with the PEK as key, then DES with the RID, and you get the NTOWF hash... same as an ADDS DIT. In Windows Server 2016 this changes.


a-ko posted this 26 August 2016

What about this changes in 2016? Got any links? 


minwar posted this 26 August 2016

Yes, RC4 with the PEK as key, then DES with the RID, and you get the NTOWF hash... same as an ADDS DIT. In Windows Server 2016 this changes.

Thanks for that. Perhaps it is my lack of understanding, but I read several comments on TechNet etc. that were fueling my doubt that AD DS and LDS were the same beast as far as password hashing and encryption are concerned. One of them yours perhaps, going by the name?

https://social.technet.microsoft.com/Forums/lync/en-US/161b6f2d-1eff-4ec0-b98d-6a518bbc32e8/how-users-password-is-hashed-and-checked?forum=winserverDS  


chriss3 posted this 26 August 2016

Sorry, I was too quick there; the following applies: “ADAM/ADLDS does NOT apply the additional RID encryption”, so the link https://social.technet.microsoft.com/Forums/lync/en-US/161b6f2d-1eff-4ec0-b98d-6a518bbc32e8/how-users-password-is-hashed-and-checked?forum=winserverDS applies. To summarize, on the DBLayer it is just RC4 with the PEK in ADAM/ADLDS. Sorry for the confusion.


chriss3 posted this 26 August 2016

No, this is something that Microsoft would not publish, I guess; they never really published the current setup, but try with a Windows Server 2016 TP4 or later NTDS.dit.
