Idea ID: 2876199

DPAPI support for DSFW - To prevent users from losing access to their stored Chrome passwords after changing their domain password

Don2
Status: Waiting for Votes

Windows has a security API called DPAPI that is used by Chrome and other applications to encrypt stored credentials.

When changing the password on a Windows machine itself, Windows will re-encrypt the stored credentials with the new password (since it knows both the old and new password).

When changing the password outside of the machine (through iManager, LDAP, VMware Horizon View Client, MMC, etc), Windows will need to contact the domain to ask the domain to decrypt the stored credentials (since it does not know the old password anymore).

However, it turns out that DSFW does not currently support DPAPI (Micro Focus SR 02598323). Therefore, when a user gets prompted to change their password by (for example) the VMware Horizon View client, they lose all of their passwords stored by Chrome, and multiple other applications get signed out. This is causing a lot of issues for us when implementing a password policy.

Samba, however, does have this feature implemented (since 2011): ;a=blob_plain;f=source4/rpc_server/backupkey/dcesrv_backupkey.c;hb=HEAD

DSFW, however, is missing these BCKUPKEY objects that are required for this functionality to work:
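To check from a domain-joined Windows client whether a domain actually exposes the BackupKey secrets that the post says DSFW lacks, here is an added PowerShell script (not part of the idea post, nor of DSFW or Samba). It assumes the object names used by Samba's dcesrv_backupkey.c ("BCKUPKEY_PREFERRED Secret", "BCKUPKEY_P Secret", "BCKUPKEY_<GUID> Secret" under CN=System), that the domain DNS name is in $env:USERDNSDOMAIN, and that the current user may read CN=System; it lists object names only and never touches the key material.

```powershell
# Added example, not from the original post or from DSFW/Samba.
# Lists the DPAPI BackupKey ("BCKUPKEY_*") secret objects under CN=System of a
# domain. A DC that implements the BackupKey remote protocol keeps at least a
# BCKUPKEY_PREFERRED Secret pointing at a BCKUPKEY_<GUID> Secret key pair; the
# names follow Samba's dcesrv_backupkey.c (assumption for other DC products).
# Only the 'cn' attribute is read; currentValue (the key material) is never requested.
param(
    [string]$DomainDns = $env:USERDNSDOMAIN   # assumption: domain-joined client
)

if (-not $DomainDns) { throw "Not domain-joined; pass -DomainDns explicitly." }

# Turn example.corp into DC=example,DC=corp and search only the System container.
$baseDn = ($DomainDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=System,$baseDn"
$searcher.Filter = '(&(objectClass=secret)(cn=BCKUPKEY_*))'
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.Add('cn')

$names = @()
foreach ($r in $searcher.FindAll()) { $names += [string]$r.Properties['cn'][0] }

$preferred = $names -contains 'BCKUPKEY_PREFERRED Secret'
$legacy    = $names -contains 'BCKUPKEY_P Secret'          # pre-Windows 2000 style key
$guidKeys  = @($names | Where-Object { $_ -match '^BCKUPKEY_[0-9a-f-]{36} Secret$' })

"Domain: $DomainDns"
"BCKUPKEY objects found: $($names.Count)"
$names | ForEach-Object { "  $_" }

if ($preferred -and $guidKeys.Count -gt 0) {
    "Result: BackupKey secrets present; domain-side DPAPI master key recovery is possible."
} elseif ($legacy) {
    "Result: only the legacy BCKUPKEY_P Secret exists; modern clients cannot use it."
} else {
    "Result: no BackupKey secrets; DPAPI master keys cannot be recovered through the domain,"
    "so DPAPI-protected credentials are lost after an out-of-band password change."
}
```

Run it against a Windows AD domain first to see the expected output, then against DSFW; an empty result on DSFW matches the behaviour described in the post.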


    Hi, excellent workaround! Thanks for that.

    Only a question about it. Could there be any security caveats?

    Have a nice day!


  • As a workaround until DPAPI support gets implemented in DSFW, the registry keys below can be added on the Windows clients.

    Windows will then store the DPAPI data in a way that enables it to remain accessible even when the user password gets changed within the domain.