Credential roaming schema changes

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following schema attributes and attribute values will be used in Active Directory for storing user credentials and data relating to credential roaming:

  • ms-PKI-DPAPIMasterKeys. This multivalued attribute contains master key files and information for DPAPI. The following objects will be roamed and contained within this attribute:

      • All master key files. There can be multiple master key files. New master key files can be created every 90 days by the domain. Master key files must be maintained and roamed in perpetuity.

      • The Preferred file, which specifies the master key to be used for encryption. This attribute is updated every time a new master key is created.

  • ms-PKI-AccountCredentials. This multivalued attribute contains binary blobs of encrypted credential objects from the Stored User Names and Passwords store, private keys, certificates and requests. Each binary blob stored in Active Directory may contain a delete flag with a timestamp that persists for 60 days to ensure that all clients delete the object.

  • ms-PKI-RoamingTimeStamp. This attribute is used by credential roaming to record the time of the latest change to the user object in Active Directory.

These schema attributes and attribute values must be added to Active Directory before credential roaming is deployed. Copy the following text into Notepad and save it as CredRoam.ldf (be sure to use the .ldf extension), then refer to Preparing Active Directory to store user certificates and keys in order to configure your schema extensions.

# -----------------------------------------------------------------------
#   Copyright 2004 Microsoft Corporation
#   MODULE:     credroam.ldf
#   ABSTRACT:   add key roaming Active Directory schemas & attributes
# -----------------------------------------------------------------------

#   define property set Private-Information
# -----------------------------------------------------------------------

dn: cn=Private-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
cn: Private-Information
objectClass: controlAccessRight
displayName: Private Information
appliesTo: 4828cc14-1437-45bc-9b07-ad6f015e5f28
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
rightsGUID: 91e647de-d96f-4b70-9557-d63ff4f3ccd8
validAccesses: 48

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
#   define schemas for:
#       ms-PKI-RoamingTimeStamp
#       ms-PKI-DPAPIMasterKeys
#       ms-PKI-AccountCredentials
#   NOTE: searchFlags 128 (CONFIDENTIAL_DATA) is implemented in an AD
#       server-side update such that the attributes having this bit
#       will not be readable except for SELF.
# -----------------------------------------------------------------------

dn: cn=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
lDAPDisplayName: msPKIRoamingTimeStamp
adminDisplayName: MS-PKI-RoamingTimeStamp
adminDescription: Time stamp for last change to roaming tokens
attributeId: 1.2.840.113556.1.4.1892
attributeSyntax: 2.5.5.10
oMSyntax: 4
schemaIDGUID:: rOQXZvGiq0O2DBH70frPBQ==
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn: cn=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
lDAPDisplayName: msPKIDPAPIMasterKeys
adminDisplayName: MS-PKI-DPAPIMasterKeys
adminDescription: Storage of encrypted DPAPI Master Keys for user
attributeId: 1.2.840.113556.1.4.1893
attributeSyntax: 2.5.5.7
linkID: 2046
oMSyntax: 127
oMObjectClass:: KoZIhvcUAQEBCw==
schemaIDGUID:: IzD5szmSfE+5nGdF2Hrbwg==
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn: cn=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
lDAPDisplayName: msPKIAccountCredentials
adminDisplayName: MS-PKI-AccountCredentials
adminDescription: Storage of encrypted user credential token blobs for roaming
attributeId: 1.2.840.113556.1.4.1894
attributeSyntax: 2.5.5.7
linkID: 2048
oMSyntax: 127
oMObjectClass:: KoZIhvcUAQEBCw==
schemaIDGUID:: RKffuNwx8U6sfIS69++dpw==
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
#   adding the attributes to User class.
# -----------------------------------------------------------------------

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msPKIRoamingTimeStamp
mayContain: msPKIDPAPIMasterKeys
mayContain: msPKIAccountCredentials
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
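Before importing a schema file like this one, an administrator will want to confirm that each new attribute is confidential (searchFlags 128) and that its attributeSecurityGUID is the rightsGUID of the Private-Information right, since that link is what restricts who can read the roamed credential blobs. The following Python check is an added example, not Microsoft's code: it parses a constructed, shortened excerpt of the LDIF above, decodes the base64 GUIDs in Active Directory's byte order, and reports those properties together with whether the User class was given mayContain for the attribute.

```python
import base64
import uuid
LDIF = """  # constructed, shortened excerpt of this page's CredRoam.ldf
dn: cn=Private-Information,CN=Extended-Rights,CN=Configuration,DC=X
objectClass: controlAccessRight
rightsGUID: 91e647de-d96f-4b70-9557-d63ff4f3ccd8

dn: cn=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
lDAPDisplayName: msPKIRoamingTimeStamp
schemaIDGUID:: rOQXZvGiq0O2DBH70frPBQ==
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msPKIRoamingTimeStamp
-
"""

def parse_ldif(text):
    """Return records as {attr: [values]}; '::' values are base64-decoded to bytes."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        if line == "":                                   # blank line ends a record
            if cur: records.append(cur); cur = {}
        elif not line.startswith("#") and line != "-":   # skip comments and separators
            key, sep, val = line.partition("::" if "::" in line else ":")
            val = base64.b64decode(val.strip()) if sep == "::" else val.strip()
            cur.setdefault(key.strip(), []).append(val)
    return records

def check_credroam(text):
    """Per attributeSchema entry: confidential bit set, security GUID is the Private-Information right, User may contain it."""
    recs = parse_ldif(text)
    rights = {uuid.UUID(r["rightsGUID"][0]) for r in recs if "controlAccessRight" in r.get("objectClass", [])}
    allowed = {v for r in recs if r["dn"][0].lower().startswith("cn=user,") for v in r.get("mayContain", [])}
    findings = {}
    for r in recs:
        if "attributeSchema" in r.get("objectClass", []):
            name, sec = r["lDAPDisplayName"][0], r.get("attributeSecurityGUID")
            findings[name] = {
                "schema_id_guid": str(uuid.UUID(bytes_le=r["schemaIDGUID"][0])),  # AD GUIDs are mixed-endian
                "confidential": bool(int(r.get("searchFlags", ["0"])[0]) & 0x80),
                "in_private_information": bool(sec) and uuid.UUID(bytes_le=sec[0]) in rights,
                "added_to_user_class": name in allowed,
            }
    return findings
```

Running the check over the full CredRoam.ldf should report all three attributes as confidential, linked to Private-Information, and added to the User class.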
