3.1.1.8.11.6 Primary:Kerberos-Newer-Keys Property

When an update to supplementalCredentials occurs, and the current domain functional level is DS_BEHAVIOR_WIN2008 or greater, the server MUST create a KERB_STORED_CREDENTIAL_NEW-structured value as specified in section 2.2.10.6. This value MUST then be placed in a USER_PROPERTY structure along with the property name "Primary:Kerberos-Newer-Keys". Finally, the resulting USER_PROPERTY-structured value MUST be added to the list of properties within supplementalCredentials according to section 3.1.1.8.11.1.1.

Revision, Flags, DefaultSaltLength, DefaultSaltMaximumLength, and DefaultSaltOffset MUST be set as specified in section 2.2.10.6. DefaultSaltOffset, for example, is the offset of the "DefaultSalt value" section from the start of the Revision field.

The server MUST calculate four hash forms of the cleartext password, as specified in [RFC3961] sections 6.2.1 and 6.2.3, and as specified in [RFC3962] section 6. Call these values Key1, Key2, Key3, and Key4.

The Credentials field MUST be set to hold Key1, Key2, Key3, and Key4. If there are existing keys in the Credentials field, they MUST be moved to the OldCredentials field. If there are existing keys in the OldCredentials field, they MUST be moved to the OlderCredentials field. Any existing keys in the OlderCredentials field MUST be discarded.<36>