Archived from groups: microsoft.public.win2000.active_directory
"jgershater" <jgershater@discussions.microsoft.com> wrote in message
news:2481D97D-9145-4DBC-A68A-673AB5F1E575@microsoft.com...
> thank you that makes sense
> I have a similar thread in a development newsgroup and got a similar answer
> this is my 1st posting to an MS newsgroup
No harm in posting here, my suggestion was only
so that you might find more help.
BTW, another suggestion, when you post to more
than one group, use Cross-posting instead of multiple
separate postings.
Crossposting means you will send to all newsgroups
with one message.
Reason: Answers by those who reply will all follow
the same thread so that everyone trying to help (or
learn) will see all of the answers and clarifications.
Also: You only have to look in one place for your results.
--
Herb Martin
>
> "Herb Martin" wrote:
>
> >
> > "jgershater" <jgershater@discussions.microsoft.com> wrote in message
> > news:C930ED47-2C3E-4BD7-A26C-AFC3D0521C9E@microsoft.com...
> > > Herb, thanks for the answer but the confusion is not clarified.
> > >
> > > Question
> > > =====
> > > Can I read the user's password in plaintext from the unicodepwd attribute,
> > > yes or no?
> >
> > No (not by default for sure.)
> >
> > > If no, then what does this webpage mean:
> > >
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp
> > > because the wording of the above webpage IMPLIES that the password is
> > > READABLE in plain text.
> >
> > No it doesn't. It describes a storage format for passwords
> > which is NOT implemented by default.
> >
> > It also IS encrypted, but in a manner where the server (i.e.,
> > DC) is ABLE to decrypt and retrieve the actual password.
> >
> > The normal format is NOT ONLY encrypted but not even
> > recoverable (password attempts are checked by encrypting
> > the attempt and comparing the non-reversibly stored results.)
> >
> >
> >
> > > If it IS READABLE, then with what API can I READ it?
> >
> > Well, it is not readable in clear text.
> >
> > > Because this webpage:
> > >
> > > http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q269/1/90.ASP&NoWebContent=1
> > > states that the password is not READABLE using LDAP (but can be written). Is
> > > it READABLE using another mechanism/API?
> >
> > Probably, because the DC itself reads it or at least compares
> > attempts to it (it might not even physically read it in this case),
> >
> > ....and because when
> > stored in reversible format it can be used for those systems
> > that require such access, e.g., RRAS servers using CHAP or
> > Macintosh authentication.
> >
> > You might try in one of the programming groups or ADSI
> > focused areas.
> >
> > Although some of us here are system programmers, most
> > of those here are not going to have the API on the tip of
> > our tongue.
> >
> > > Thank you
> >
> >
> > --
> > Herb Martin
> >
> >
> > >
> > > "Herb Martin" wrote:
> > >
> > > > "jgershater" <jgershater@discussions.microsoft.com> wrote in message
> > > > news:144B59F0-ACDA-4720-843F-CA89435B94A3@microsoft.com...
> > > > > I have been able to connect to AD over SSL and read every attribute, EXCEPT
> > > > > unicodePwd.
> > > >
> > > > As it should be.
> > > >
> > > > > According to this:
> > > > >
> > > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp
> > > > > passwords can be stored in plaintext.
> > > > > does this mean the password can be read by say a perl program (assuming I
> > > > > connect to AD over SSL) ?
> > > >
> > > > Technically that should be "reversible encryption" format
> > > > but it is not the default.
> > > >
> > > >
> > > > > I ask because according to this, passwords cannot be read:
> > > > >
> > > > > http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q269/1/90.ASP&NoWebContent=1
> > > >
> > > > There is a property on each user for reversible encryption.
> > > >
> > > > --
> > > > Herb Martin
> > > >
> > > >
> > > > >
> > > > > Please help clarify the confusion!
> > > > >
> > > > > thank you
> > > > >
> > > >
> > > >
> > > >
> >
> >
> >
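As an added example (not part of the thread or of any Microsoft documentation), the per-user reversible-encryption setting Herb refers to is one bit of the userAccountControl bitmask; the code below decodes that attribute from constructed LDAP search results, lists the accounts that have the bit set, and builds the server-side LDAP filter an auditor would use to find them without pulling every user. The flag constants and the bitwise-AND matching-rule OID are standard Active Directory values; the DNs and attribute values are constructed sample data.

```python
# Added example: audit Active Directory accounts for the per-user
# "store password using reversible encryption" setting discussed in the thread.
# The sample records below are constructed, not a real directory dump.

# Subset of userAccountControl bits (standard AD constants).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",   # reversible encryption enabled
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080

# LDAP_MATCHING_RULE_BIT_AND lets a filter test one bit of the mask on the DC,
# so the audit does not have to retrieve and decode every user object.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Return the names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def reversible_encryption_filter() -> str:
    """LDAP filter matching user objects whose reversible-encryption bit is set."""
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ENCRYPTED_TEXT_PWD_ALLOWED}))")


def accounts_with_reversible_encryption(entries):
    """Given (dn, attributes) pairs, return the DNs whose mask has bit 0x80 set."""
    flagged = []
    for dn, attrs in entries:
        uac = int(attrs.get("userAccountControl", ["0"])[0])
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            flagged.append(dn)
    return flagged


# Constructed sample search results in python-ldap style: (dn, {attr: [values]})
SAMPLE_ENTRIES = [
    ("CN=Alice,OU=Users,DC=example,DC=com", {"userAccountControl": ["512"]}),        # normal account
    ("CN=Bob,OU=Users,DC=example,DC=com", {"userAccountControl": ["640"]}),          # 512 + 128
    ("CN=svc-ras,OU=Service,DC=example,DC=com", {"userAccountControl": ["66176"]}),  # 65536 + 512 + 128
]

if __name__ == "__main__":
    for dn in accounts_with_reversible_encryption(SAMPLE_ENTRIES):
        print("reversible encryption enabled:", dn, decode_uac(int(dict(SAMPLE_ENTRIES)[dn]["userAccountControl"][0])))
    print("audit filter:", reversible_encryption_filter())
```

Accounts the audit flags are the ones whose stored password the DC can decrypt, as described in the thread, so each should be justified by a concrete need such as the CHAP or Macintosh authentication Herb mentions.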