3.5.4.4.8 NetrServerPasswordGet (Opnum 31)

The NetrServerPasswordGet method SHOULD<187> allow a BDC to get a machine account password from the DC with the PDC role in the domain.

 NTSTATUS NetrServerPasswordGet(
   [in, unique, string] LOGONSRV_HANDLE PrimaryName,
   [in, string] wchar_t* AccountName,
   [in] NETLOGON_SECURE_CHANNEL_TYPE AccountType,
   [in, string] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [out] PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword
 );

PrimaryName: The custom binding handle, as defined in section 3.5.4.1.

AccountName: A null-terminated Unicode string that contains the name of the account to retrieve the password for.<188>

AccountType: A NETLOGON_SECURE_CHANNEL_TYPE enumerated value, as specified in section 2.2.1.3.13, that defines the secure channel to be used for authentication.

ComputerName: A null-terminated Unicode string that contains the NetBIOS name of the DC making the call.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the encrypted logon credential and a time stamp.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the server return authenticator.

EncryptedNtOwfPassword: A pointer to an ENCRYPTED_NT_OWF_PASSWORD structure, as specified in [MS-SAMR] section 2.2.7.3, that contains the OWF password of the account.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

On receiving this call, the server MUST perform the following validation steps:

  • Verify that the caller of this method is not an RODC or PDC; otherwise, the server MUST return STATUS_ACCESS_DENIED.

  • Verify that AccountName is not NULL and AccountType flags are valid; otherwise, the server MUST return STATUS_INVALID_PARAMETER.

  • Apply Common Error Processing Rule A, specified in section 3.

  • Apply Common Error Processing Rule B, specified in section 3, to the PrimaryName parameter.

  • The server uses the server name passed in the PrimaryName parameter to look up the domain that the server hosts. If the name is not found, the server MUST return STATUS_INVALID_COMPUTER_NAME.

  • Using the ComputerName for the secure channel to find the corresponding record in the ClientSessionInfo table, verify the Authenticator parameter (section 3.1.4.5). If the Authenticator parameter is valid, compute the ReturnAuthenticator parameter returned (section 3.1.4.5). Otherwise, the server MUST return STATUS_ACCESS_DENIED.

The server MUST retrieve the current OWF of the password for the account identified by the AccountName and AccountType parameters. If the AccountType is TrustedDnsDomainSecureChannel or TrustedDomainSecureChannel, the SharedSecret of the trust MUST be used; all other SecureChannelType values that can be used with this method require the SharedSecret of the computer account.

The server MUST retrieve the current OWF of the client password and encrypt it with the keys derived from the session key, treating the session key as the 16-byte key in the 16-byte value process specified in [MS-SAMR] section 2.2.11.1.4. The encrypted version of the password MUST be returned in the EncryptedNtOwfPassword parameter.
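The following is an added worked example, not text or code from [MS-NRPC] or [MS-SAMR], showing the encryption step above from both sides of the call: the PDC wraps the 16-byte NT OWF with the DES-ECB-LM cipher keyed from the secure-channel session key (Key1 from bytes 0..6, Key2 from bytes 7..13 of the 16-byte key, each expanded to an 8-byte DES key), and the calling BDC unwraps the EncryptedNtOwfPassword with the same session key. The function names, the sample session key and the sample OWF are this example's own choices; the OWF used in main() is the well-known NT hash of the empty password, included only as a recognisable value.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// expandKey7to8 turns a 7-byte key into an 8-byte DES key as described in
// [MS-SAMR] section 2.2.11.1.2: each output byte carries 7 key bits in its
// high bits and a cleared low (parity) bit.
func expandKey7to8(in []byte) []byte {
	out := []byte{
		in[0] >> 1,
		((in[0] & 0x01) << 6) | (in[1] >> 2),
		((in[1] & 0x03) << 5) | (in[2] >> 3),
		((in[2] & 0x07) << 4) | (in[3] >> 4),
		((in[3] & 0x0F) << 3) | (in[4] >> 5),
		((in[4] & 0x1F) << 2) | (in[5] >> 6),
		((in[5] & 0x3F) << 1) | (in[6] >> 7),
		in[6] & 0x7F,
	}
	for i := range out {
		out[i] = (out[i] << 1) & 0xFE
	}
	return out
}

// deriveKeys splits a 16-byte key into Key1 (bytes 0..6) and Key2 (bytes
// 7..13) as in [MS-SAMR] section 2.2.11.1.4; bytes 14 and 15 are not used.
func deriveKeys(key16 []byte) (k1, k2 []byte, err error) {
	if len(key16) != 16 {
		return nil, nil, errors.New("session key must be 16 bytes")
	}
	return expandKey7to8(key16[0:7]), expandKey7to8(key16[7:14]), nil
}

// desEcbLm applies the DES-ECB-LM cipher to a 16-byte hash: the first
// 8-byte block under Key1, the second under Key2, with no IV or chaining.
func desEcbLm(key16, hash16 []byte, decrypt bool) ([]byte, error) {
	if len(hash16) != 16 {
		return nil, errors.New("OWF password must be 16 bytes")
	}
	k1, k2, err := deriveKeys(key16)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	for i, k := range [][]byte{k1, k2} {
		c, err := des.NewCipher(k)
		if err != nil {
			return nil, err
		}
		if decrypt {
			c.Decrypt(out[i*8:i*8+8], hash16[i*8:i*8+8])
		} else {
			c.Encrypt(out[i*8:i*8+8], hash16[i*8:i*8+8])
		}
	}
	return out, nil
}

// EncryptNtOwf is the PDC side: it produces the EncryptedNtOwfPassword value.
func EncryptNtOwf(sessionKey, ntOwf []byte) ([]byte, error) {
	return desEcbLm(sessionKey, ntOwf, false)
}

// DecryptNtOwf is the BDC side: it recovers the OWF from the response.
func DecryptNtOwf(sessionKey, encrypted []byte) ([]byte, error) {
	return desEcbLm(sessionKey, encrypted, true)
}

func main() {
	// Constructed sample session key (hypothetical, not a real secure-channel key).
	sessionKey, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	// NT hash of the empty password, used here only as a recognisable 16-byte OWF.
	ntOwf, _ := hex.DecodeString("31d6cfe0d16ae931b73c59d7e0c089c0")

	enc, err := EncryptNtOwf(sessionKey, ntOwf)
	if err != nil {
		fmt.Println("encrypt:", err)
		return
	}
	dec, _ := DecryptNtOwf(sessionKey, enc)
	fmt.Printf("EncryptedNtOwfPassword: %x\n", enc)
	fmt.Printf("BDC recovers OWF:       %x (match=%v)\n", dec, bytes.Equal(dec, ntOwf))
}
```

Two properties of this construction are worth keeping in mind when reviewing traffic or implementations. The wrapping is keyed only by the session key, so whoever holds the session key for that ComputerName can recover the OWF from a captured response. And because the two 8-byte halves are encrypted independently in ECB mode with no IV, two accounts whose OWFs share a half produce identical ciphertext for that half under the same session key.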

This method SHOULD only be called by a machine that has established a secure channel with the server. Note that the returned EncryptedNtOwfPassword is protected only by keys derived from that channel's session key, so the confidentiality of the retrieved OWF rests entirely on the session key negotiated for the ComputerName making the call.