3.5.4.4.7 NetrServerPasswordSet (Opnum 6)

The NetrServerPasswordSet method SHOULD<185> set a new one-way function (OWF) of a password for an account used by the domain controller for setting up the secure channel from the client.

 NTSTATUS NetrServerPasswordSet(
   [in, unique, string] LOGONSRV_HANDLE PrimaryName,
   [in, string] wchar_t* AccountName,
   [in] NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType,
   [in, string] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] PENCRYPTED_NT_OWF_PASSWORD UasNewPassword
 );

PrimaryName: The custom binding handle, as defined in section 3.5.4.1.

AccountName: The null-terminated Unicode string that contains the name of the account whose password is being changed.<186>

SecureChannelType: An enumerated value (specified in section 2.2.1.3.13) that indicates the type of secure channel used by the client.

ComputerName: A null-terminated Unicode string that contains the NetBIOS name of the client computer calling this method.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the client authenticator.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the server return authenticator.

UasNewPassword: A pointer to an ENCRYPTED_NT_OWF_PASSWORD structure, as specified in [MS-SAMR] section 2.2.7.3 and encrypted by the algorithm specified in section 3.4.5.2.7.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

On receiving this call, the server MUST perform the following validation steps:

  • Apply Common Error Processing Rule A, specified in section 3.

  • Using the ComputerName for the secure channel to find the corresponding record in the ClientSessionInfo table, verify the Authenticator parameter (section 3.1.4.5). If the Authenticator parameter is valid, compute the ReturnAuthenticator parameter returned (section 3.1.4.5). Otherwise, the server MUST return STATUS_ACCESS_DENIED.

If the RefusePasswordChange variable (section 3.5.1) is set and the SecureChannelType is WorkstationSecureChannel, the server MUST return STATUS_WRONG_PASSWORD.

The server MUST decrypt the new password that is supplied in the UasNewPassword parameter by using the inverse to the encryption algorithm that is specified in [MS-SAMR] section 2.2.11.1.1, Encrypt an NT Hash or LM Hash Value with a specified key. The session key is the specified key input, and the decryption keys are derived using the 16-byte value process, as specified in [MS-SAMR] section 2.2.11.1.4.

The server MUST compute or retrieve the NTOWFv1 (as specified in NTLM v1 Authentication in [MS-NLMP] section 3.3.1) of the current client machine password, which is stored as an OWF of the clear-text password for the account.

The server MUST compute or retrieve the NTOWFv1 of the old client machine password and compare it to the NTOWFv1 of the new password supplied in the UasNewPassword parameter; if they match, the server MUST return STATUS_ACCESS_DENIED.

This method SHOULD only be called by a machine that has established a secure channel with the server.

This method also returns errors based on Common Error Processing Rule D, specified in section 3.