3.5.4.8.3 NetrLogonComputeClientDigest (Opnum 25)

The NetrLogonComputeClientDigest method is used by a client to compute a cryptographic digest of a message by using the MD5 message-digest algorithm, as specified in [RFC1321]. This method is called by a client to compute a message digest, as specified in this section. The client SHOULD<238> use this digest to compare against one that is returned by a call to NetrLogonComputeServerDigest. This comparison allows the client to ensure that the server that it communicates with knows the shared secret between the client machine and the domain.

 NET_API_STATUS NetrLogonComputeClientDigest(
   [in, unique, string] LOGONSRV_HANDLE ServerName,
   [in, string, unique] wchar_t* DomainName,
   [in, size_is(MessageSize)] UCHAR * Message,
   [in] ULONG MessageSize,
   [out] CHAR NewMessageDigest[16],
   [out] CHAR OldMessageDigest[16]
 );

ServerName: The custom binding handle, as defined in section 3.5.4.1.

DomainName: A pointer to a null-terminated Unicode string that contains the DNS or NetBIOS name of the trusted domain. If this parameter is NULL, the domain of which the client computer is a member is used.

Message: A pointer to a buffer that contains the message for which the digest is to be computed.

MessageSize: The length, in bytes, of the Message parameter.

NewMessageDigest: A 128-bit MD5 digest of the current computer account password and the message in the Message buffer.

OldMessageDigest: A 128-bit MD5 digest of the previous machine account password and the message in the Message buffer. If no previous computer account password exists, the current password is used.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

If the client does not have sufficient privilege, the server MUST return ERROR_ACCESS_DENIED.

The server MUST compute or retrieve the NTOWFv1 of the current machine password and the NTOWFv1 of the previous machine password, if it exists. If the password cannot be found, the server MUST return ERROR_NO_TRUST_LSA_SECRET.

The server MUST compute the NTOWFv1 (as specified in [MS-NLMP] section 3.3.1) of each password, if present. The digest of the Message parameter MUST be calculated using this OWF of the password, as follows.

  1. CALL MD5Init(md5context)

  2. IF OWF of password is present:

    1. CALL MD5Update(md5context, OWF of password, length of OWF of password)

    2. CALL MD5Update(md5context, Message, MessageSize)

    3. CALL MD5Final(md5context)

    4. SET digest to md5context.digest

The NewMessageDigest parameter MUST be computed by using the current password. The OldMessageDigest parameter MUST be computed by using the previous password, if it exists. If the previous password is not present, the new password MUST be used to compute the OldMessageDigest.

Creating a message digest for the previous password allows the possibility of password replication latency to be accounted for. If the client computer password was recently changed, but the change has not propagated to the server processing this method, the client and the server will have two different passwords.