3.5.4.8.2 NetrLogonComputeServerDigest (Opnum 24)

The NetrLogonComputeServerDigest method computes a cryptographic digest of a message by using the MD5 message-digest algorithm, as specified in [RFC1321]. This method SHOULD<236> be called by a client computer against a server and is used to compute a message digest, as specified in this section. The client then calls the NetrLogonComputeClientDigest method (as specified in section 3.4.5.6.3) and compares the digests to ensure that the server it communicates with knows the shared secret between the client machine and the domain.

 NET_API_STATUS NetrLogonComputeServerDigest(
   [in, unique, string] LOGONSRV_HANDLE ServerName,
   [in] ULONG Rid,
   [in, size_is(MessageSize)] UCHAR * Message,
   [in] ULONG MessageSize,
   [out] CHAR NewMessageDigest[16],
   [out] CHAR OldMessageDigest[16]
 );

ServerName: The custom binding handle, as defined in section 3.5.4.1.

Rid: The RID of the machine account for which the digest is to be computed. The NetrLogonGetTrustRid method, as specified in section 3.5.4.8.1, is used to obtain the RID.

Message: A pointer to a buffer that contains the message for which the digest is computed.

MessageSize: The length of the data referenced by the Message parameter, in bytes.

NewMessageDigest: A 128-bit MD5 digest of the current machine account password and the message in the Message buffer. The machine account is identified by the Rid parameter.

OldMessageDigest: A 128-bit MD5 digest of the previous machine account password, if present, and the message in the Message buffer. If no previous machine account password exists, then the current password is used. The machine account is identified by the Rid parameter.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

The server uses the server name passed in the ServerName parameter to look up the domain for the request. If the name is not found, the server MUST return ERROR_INVALID_COMPUTERNAME.

If the client does not have sufficient privilege, the server MUST return ERROR_ACCESS_DENIED.

The server MUST construct the machine account SID using the Rid parameter and the current domain, in the format S-1-5-<current domain>-<Rid parameter>.

The server MUST compute or retrieve the NTOWFv1 of the current password, retrieve lmPwdHistory ([MS-ADA1] section 2.363), and the NTOWFv1 of the previous password (if it exists) for the machine account whose security identifier ([MS-ADA3] section 2.237) corresponds to the generated SID. If the machine account cannot be found, or the machine account does not correspond to a machine, or the machine account is disabled, the server MUST return ERROR_NO_SUCH_USER. When the server is an RODC and the NTOWFv1 of the current password cannot be retrieved, the server MUST return ERROR_NO_TRUST_LSA_SECRET.

The digest of the Message parameter MUST be calculated with the following algorithm, using this one-way function (OWF) of the password.

  1. CALL MD5Init(md5context)

  2. IF OWF of password is present:

    1. CALL MD5Update(md5context, OWF of password, length of OWF of password)

  3. CALL MD5Update(md5context, Message, MessageSize)

  4. CALL MD5Final(md5context)

  5. SET digest to md5context.digest

The NewMessageDigest parameter MUST be computed by using the current password. The OldMessageDigest parameter MUST be computed by using the previous password, if it exists. If the previous password is not present, the new password MAY<237> be used to compute the OldMessageDigest.

Creating a message digest for the previous password allows the possibility of password replication latency to be accounted for. If the machine account password was recently changed, but the change has not propagated to the server processing this method, the server keeps the old password.
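The following is an added example, not code from the specification: it implements steps 1 through 5 above over a given password OWF, produces the NewMessageDigest/OldMessageDigest pair with the fallback rule for a missing previous password, and shows the client-side check that accepts either digest so that replication latency does not cause a false failure. The OWF values and the message are constructed sample bytes (the NTOWFv1 computation itself is not shown), and modelling the client's own digest with the same routine is an assumption.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample inputs (not real machine account secrets): 16-byte stand-ins
# for the NTOWFv1 of the current and the previous machine account password.
CURRENT_OWF = bytes(range(0, 16))
PREVIOUS_OWF = bytes(range(16, 32))
MESSAGE = b"constructed sample message"


def compute_server_digest(owf: Optional[bytes], message: bytes) -> bytes:
    """Steps 1-5 of the section: MD5 over the password OWF (if present) then the message."""
    md5 = hashlib.md5()          # 1. MD5Init(md5context)
    if owf is not None:          # 2. IF OWF of password is present
        md5.update(owf)          #    MD5Update(md5context, OWF of password, ...)
    md5.update(message)          # 3. MD5Update(md5context, Message, MessageSize)
    return md5.digest()          # 4./5. MD5Final; the 16-byte digest


def server_digests(current_owf: bytes, previous_owf: Optional[bytes],
                   message: bytes) -> Tuple[bytes, bytes]:
    """Return (NewMessageDigest, OldMessageDigest) as the server produces them.

    OldMessageDigest uses the previous password; if none exists the current
    password is used instead, so both outputs are then identical.
    """
    new_digest = compute_server_digest(current_owf, message)
    old_owf = previous_owf if previous_owf is not None else current_owf
    old_digest = compute_server_digest(old_owf, message)
    return new_digest, old_digest


def client_verifies_server(client_owf: bytes, message: bytes,
                           new_digest: bytes, old_digest: bytes) -> bool:
    """Client-side check (assumed to use the same digest routine over the client's
    own stored OWF): accept a match against either digest, and compare in
    constant time so the check does not leak which bytes differ."""
    mine = compute_server_digest(client_owf, message)
    return (hmac.compare_digest(mine, new_digest)
            or hmac.compare_digest(mine, old_digest))


if __name__ == "__main__":
    new, old = server_digests(CURRENT_OWF, PREVIOUS_OWF, MESSAGE)
    print("NewMessageDigest:", new.hex())
    print("OldMessageDigest:", old.hex())
    # A client whose password change has not yet replicated still verifies.
    print("client on previous password accepted:",
          client_verifies_server(PREVIOUS_OWF, MESSAGE, new, old))
```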