Credential roaming schema changes
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following schema attributes and attribute values will be used in Active Directory for storing user credentials and data relating to credential roaming:
- ms-PKI-DPAPIMasterKeys. This multivalued attribute contains master key files and information for DPAPI. The following objects will be roamed and contained within this attribute:
  - All master key files. There can be multiple master key files. New master key files can be created every 90 days by the domain. Master key files must be maintained and roamed in perpetuity.
  - The Preferred file that specifies the master key to be used for encryption. This attribute is updated every time a new master key is created.
- ms-PKI-AccountCredentials. This multivalued attribute contains binary blobs of encrypted credential objects from the Stored User Names and Passwords store, private keys, certificates and requests. Each binary blob stored in Active Directory may contain a delete flag with a timestamp that persists for 60 days to ensure that all clients delete the object.
- ms-PKI-RoamingTimeStamp. This attribute is used by credential roaming to record the time of the latest change to the user object in Active Directory.
These schema attributes and attribute values must be added to Active Directory before credential roaming is deployed. Copy the following text into Notepad and save it as CredRoam.ldf (be sure to use the .ldf extension), then refer to Preparing Active Directory to store user certificates and keys in order to configure your schema extensions.
# -----------------------------------------------------------------------
# Copyright 2004 Microsoft Corporation
#
# MODULE: credroam.ldf
# ABSTRACT: add key roaming Active Directory schemas & attributes
# -----------------------------------------------------------------------
# define property set Private-Information
# -----------------------------------------------------------------------
dn: cn=Private-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
cn: Private-Information
objectClass: controlAccessRight
displayName: Private Information
appliesTo: 4828cc14-1437-45bc-9b07-ad6f015e5f28
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
rightsGUID: 91e647de-d96f-4b70-9557-d63ff4f3ccd8
validAccesses: 48

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
# define schemas for:
# ms-PKI-RoamingTimeStamp
# ms-PKI-DPAPIMasterKeys
# ms-PKI-AccountCredentials
#
# NOTE: searchFlags 128 (CONFIDENTIAL_DATA) is implemented in an AD
# server-side update such that the attributes having this bit
# will not be readable except for SELF.
# -----------------------------------------------------------------------
dn: cn=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
lDAPDisplayName: msPKIRoamingTimeStamp
adminDisplayName: MS-PKI-RoamingTimeStamp
adminDescription: Time stamp for last change to roaming tokens
attributeId: 1.2.840.113556.1.4.1892
attributeSyntax: 2.5.5.10
oMSyntax: 4
schemaIDGUID:: rOQXZvGiq0O2DBH70frPBQ==
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn: cn=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
lDAPDisplayName: msPKIDPAPIMasterKeys
adminDisplayName: MS-PKI-DPAPIMasterKeys
adminDescription: Storage of encrypted DPAPI Master Keys for user
attributeId: 1.2.840.113556.1.4.1893
attributeSyntax: 2.5.5.7
linkID: 2046
oMSyntax: 127
oMObjectClass:: KoZIhvcUAQEBCw==
schemaIDGUID:: IzD5szmSfE+5nGdF2Hrbwg==
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn: cn=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
lDAPDisplayName: msPKIAccountCredentials
adminDisplayName: MS-PKI-AccountCredentials
adminDescription: Storage of encrypted user credential token blobs for roaming
attributeId: 1.2.840.113556.1.4.1894
attributeSyntax: 2.5.5.7
linkID: 2048
oMSyntax: 127
oMObjectClass:: KoZIhvcUAQEBCw==
schemaIDGUID:: RKffuNwx8U6sfIS69++dpw==
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
# adding the attributes to User class.
# -----------------------------------------------------------------------
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msPKIRoamingTimeStamp
mayContain: msPKIDPAPIMasterKeys
mayContain: msPKIAccountCredentials
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
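Two details in the file above are what keep roamed DPAPI master keys and credential blobs from being read by anyone but the user: each attribute carries searchFlags 128 (the CONFIDENTIAL_DATA bit the NOTE describes), and each attribute's attributeSecurityGUID is the 16-byte form of the Private-Information property set's rightsGUID (91e647de-d96f-4b70-9557-d63ff4f3ccd8), whose validAccesses of 48 (0x10 read property plus 0x20 write property) is what ACLs on user objects then grant or deny. The script below is an added example, not part of this page or of Microsoft's CredRoam.ldf: it parses LDIF text in the form shown, decodes the base64 GUIDs, and reports any attribute that lacks the confidential bit or is not bound to the property set. The embedded LDIF is a constructed excerpt of the page's file, and the function names (parse_ldif, guid_from_ad_bytes, check_credroam, find_problems) are the example's own.

```python
import base64
import sys
import uuid

# Constructed excerpt of the CredRoam.ldf text shown on this page, reduced to
# the fields the check below needs (the dn suffix DC=X is left as on the page).
CREDROAM_LDIF = """\
dn: cn=Private-Information,CN=Extended-Rights,CN=Configuration,DC=X
objectClass: controlAccessRight
rightsGUID: 91e647de-d96f-4b70-9557-d63ff4f3ccd8
validAccesses: 48

dn: cn=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: msPKIRoamingTimeStamp
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn: cn=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: msPKIDPAPIMasterKeys
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128

dn: cn=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: msPKIAccountCredentials
attributeSecurityGUID:: 3kfmkW/ZcEuVV9Y/9PPM2A==
searchFlags: 128
"""

SEARCH_FLAG_CONFIDENTIAL = 0x80  # searchFlags 128: CONFIDENTIAL_DATA
RIGHT_DS_READ_PROP = 0x10        # validAccesses bit: read property
RIGHT_DS_WRITE_PROP = 0x20       # validAccesses bit: write property

def parse_ldif(text):
    # Minimal LDIF reader (no folded lines): one dict attr -> [values] per
    # entry; 'attr:: v' is base64-decoded to bytes; '#' and '-' lines skipped.
    entries, current = [], {}
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
        elif not (line.startswith("#") or line == "-"):
            name, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:].strip()) if rest.startswith(":")
                     else rest.strip())
            current.setdefault(name, []).append(value)
    return entries + ([current] if current else [])

def guid_from_ad_bytes(raw):
    # AD stores a GUID as 16 bytes in the Windows mixed-endian layout;
    # uuid's bytes_le constructor restores the dashed text form.
    return str(uuid.UUID(bytes_le=raw))

def check_credroam(text):
    # For every attributeSchema entry: is the CONFIDENTIAL bit set, and is its
    # attributeSecurityGUID the Private-Information property set's rightsGUID?
    entries = parse_ldif(text)
    prop_set = next(e for e in entries
                    if "controlAccessRight" in e.get("objectClass", []))
    rights_guid = prop_set["rightsGUID"][0].lower()
    valid = int(prop_set["validAccesses"][0])
    report = {"property_set": {"rightsGUID": rights_guid,
                               "read_prop": bool(valid & RIGHT_DS_READ_PROP),
                               "write_prop": bool(valid & RIGHT_DS_WRITE_PROP)},
              "attributes": {}}
    for e in entries:
        if "attributeSchema" not in e.get("objectClass", []):
            continue
        flags = int(e.get("searchFlags", ["0"])[0])
        sec = e.get("attributeSecurityGUID")
        sec_guid = guid_from_ad_bytes(sec[0]) if sec else None
        report["attributes"][e["lDAPDisplayName"][0]] = {
            "confidential": bool(flags & SEARCH_FLAG_CONFIDENTIAL),
            "attributeSecurityGUID": sec_guid,
            "in_property_set": sec_guid == rights_guid}
    return report

def find_problems(report):
    # Attributes that stay readable beyond SELF or fall outside the property set.
    problems = []
    for name, a in sorted(report["attributes"].items()):
        if not a["confidential"]:
            problems.append(f"{name}: searchFlags lacks CONFIDENTIAL bit (128)")
        if not a["in_property_set"]:
            problems.append(f"{name}: attributeSecurityGUID is not the Private-Information rightsGUID")
    return problems

if __name__ == "__main__":
    # Pass a path to check a real CredRoam.ldf; otherwise the excerpt is used.
    ldif = open(sys.argv[1]).read() if len(sys.argv) > 1 else CREDROAM_LDIF
    result = check_credroam(ldif)
    print(result["property_set"], result["attributes"], sep="\n")
    print("problems:", find_problems(result) or "none")
```

Running the script with the path of a saved CredRoam.ldf checks the file before it is imported; the check only looks at the entry contents, so it gives the same answer whether the DC=X placeholder is still present or has already been replaced (ldifde's -c switch does that substitution at import time). An empty problems list means the three attributes are marked confidential and bound to the Private-Information property set exactly as the page's file defines them.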
