Idea ID: 2876199

DPAPI support for DSFW - To prevent users from losing access to their stored Chrome passwords after changing their domain password

Don2 Don2
Status : Waiting for Votes

Windows has a security API called DPAPI (https://en.wikipedia.org/wiki/Data_Protection_API) that is used by Chrome and other applications to encrypt stored credentials.

When changing the password on a Windows machine itself, Windows will re encrypt the stored credentials with the new password (since it knows both the old an new password).

When changing the password outside of the machine (through iManager, LDAP, VMware Horizon View Client, MMC, etc), Windows will need to contact the domain to ask the domain to decrypt the stored credentials (since it does not know the old password anymore).

However, it turns out that DSFW does not currently support DPAPI (Micro Focus SR 02598323). Therefore when a user gets prompted to change their password by (for example) the VMware Horizon View client, they will lose all of their passwords stored by Chrome and multiple other applications get signed out. This is causing a lot of issues for us when implementing a password policy.

Samba however, does have this feature implemented (since 2011): https://git.samba.org/?p=samba.git;a=blob_plain;f=source4/rpc_server/backupkey/dcesrv_backupkey.c;hb=HEAD

DSFW however, is missing these BCKUPKEY objects that are required for this functionality to work:

  •  

    Hi   excellent workaround! Thanks for that.

    Only a question abuot it. There could be any security caveats?

    Thanks,

    Have a nice day!

    Cristiano

  • As a workaround until DPAPI support gets implemented in DSFW, the registry keys below can be added on the Windows clients.

    Windows will then store the DPAPI data in a way that enables it to remain accessible even when the user password gets changed within the domain.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]

"MasterKeyLegacyCompliance"=dword:00000001

"MasterKeyLegacyNT4Domain"=dword:00000001

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.