What's the default hash format / algorithm of Active Directory?

I'm wondering what format I need to put hashes in to write to userPassword via LDAP. Apache Directory Studio gives me several options, but I don't think any of them are it. Can anyone document the proper encoding and algorithms used by default for AD 2003r2?


You can't write password hashes into the Active Directory via LDAP. You can update the "unicodePwd" attribute via LDAP over SSL. (If you're not using SSL you'll get back error 0x80072035, "The server is unwilling to process the request".)

There's no "supported" mechanism for writing raw hashes into the Directory, though.


This KB article indicates that you can write the password as a unicode octet-string (of the plaintext password) to a user's unicodePwd attribute. It's described for Windows 2000, but as far as I know this hasn't changed.

This blog post includes a Perl script which implements the process, and which you can look to for more details. Here's another example in Java.

I think the userPassword attribute is an alias for unicodePwd, but I don't actually know if that's true.

Note: You must use an SSL connection to LDAP to update a user's password; AD will not permit password updates over an unencrypted channel.
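The process the two answers describe (plaintext password as a unicode octet string on unicodePwd, only over SSL), as an added example that is not from the answers or the linked scripts. It assumes the ldap3 library for the actual connection (imported lazily so the encoding helpers run without it) and uses placeholder server and DN values; the quoting and UTF-16LE encoding are what AD expects for unicodePwd, and the delete-old/add-new form is the self-service change that lets AD verify the old password.

```python
from typing import Optional


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the plaintext wrapped in double quotes, encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects values that are not quoted UTF-16LE."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def build_password_changes(new_password: str, old_password: Optional[str] = None) -> dict:
    """ldap3-style changes dict for a Modify on unicodePwd.

    Admin reset: a single REPLACE. Self-service change: DELETE the old value and
    ADD the new one in the same Modify, so the DC can check the old password.
    """
    if old_password is None:
        return {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}
    return {"unicodePwd": [("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
                           ("MODIFY_ADD", [encode_unicode_pwd(new_password)])]}


def require_ldaps(server_url: str) -> str:
    """AD refuses unicodePwd writes on a cleartext channel (0x80072035), so fail early."""
    if not server_url.lower().startswith("ldaps://"):
        raise ValueError(f"refusing to send a password over {server_url!r}; use ldaps://")
    return server_url


def set_ad_password(server_url: str, bind_dn: str, bind_password: str,
                    user_dn: str, new_password: str, old_password: Optional[str] = None):
    """Send the Modify over LDAPS. Returns (success, ldap3 result dict)."""
    import ldap3  # lazy import: only needed for the live operation (pip install ldap3)

    server = ldap3.Server(require_ldaps(server_url), use_ssl=True, get_info=ldap3.NONE)
    with ldap3.Connection(server, user=bind_dn, password=bind_password, auto_bind=True) as conn:
        ok = conn.modify(user_dn, build_password_changes(new_password, old_password))
        return ok, conn.result


if __name__ == "__main__":
    # Placeholder values; a real run needs a DC reachable over LDAPS.
    print(set_ad_password("ldaps://dc01.example.local", "CN=svc-pwreset,OU=Service,DC=example,DC=local",
                          "<bind-password>", "CN=Jane Doe,OU=Users,DC=example,DC=local", "N3w-Passw0rd!"))
```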