3.4.5.2.7 Calling NetrServerPasswordSet

The client MUST do the following:

  • Have a secure channel established with a DC in the domain identified by domain-name and pass its name as the PrimaryName parameter.

  • Pass the encrypted new password:

    1. Compute the NTOWFv1 ([MS-NLMP] section 3.3.1) of the new password.

    2. Encrypt ([MS-SAMR] section 2.2.11.1.1) the result of step 1 using the Session-Key for the secure channel as the specified key.

    3. Pass the result of step 2 as the UasNewPassword parameter.

  • Pass a valid client Netlogon authenticator as the Authenticator parameter.

After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.

On receiving STATUS_ACCESS_DENIED, the client SHOULD<103> re-establish the secure channel with the domain controller.