Spat's WebLog (Steve Patrick)

When things go wrong...

2003 SP1 - what's new? Digital Identity Management Service (DIMS)!

Continuing on my "neat SP1 list"....

There are a lot of new niftyola fixes/features, and one of them is the new Credential Roaming feature, otherwise known as the Digital Identity Management Service (DIMS).

One note here: it does require a schema extension, but it does not require a particular Forest functional level or Domain functional level. On the client side, only Windows 2003 SP1 clients are supported. DIMS may be ported to W2k and XP, but for now it is 2k3 SP1 only.

1. The LDF file is on the link below; there is no LDF file in the service pack itself.

2. When you use the ldifde command to import, you need to use the -c switch, like so:

         ldifde -i -f dimsroam.ldf -c "DC=X" "DC=SPatsDomain,DC=com" -v

Where DC=SPatsDomain,DC=com is the name of my Forest.

Once you have extended the schema and imported the ADM file (see the documentation), you can manage your users via Group Policy.

NOTE: If you get errors on the LDIF import or the ADM import, let me know; there were some problems with the first ones posted, but they should be fixed.

So then the real question is: what does all that stuff in the red box mean?

And why do we even care?

Let's tackle the second question first:

Anyone who has tried to manage crypto data for users on multiple machines will appreciate this new feature.

In order to understand why, we need to discuss DPAPI, the Data Protection API, a little bit.

<whirlwind tour>

When the user (via some application like EFS, etc.) calls into the crypto subsystem to encrypt data the first time, we create what is called a Master Key. This master key is used to create a session key, which is used to encrypt the private data as a result of our call to CryptProtectData (for example). FYI, the master key itself is encrypted via 3DES with a key derived from the user's current password.

Now, we need some place to store this data, and we chose to use the user's profile. This is still secure, since all of the data is only reachable by knowing the user's password. It would be neat if we could use a smartcard to store it..

Anyway, we expire these master keys and generate new ones every once in a while; we never actually delete any of them, or you would lose access to the data encrypted (indirectly) via that particular master key.

</whirlwind tour>

Let's take a common scenario for EFS.

Bob uses EFS to encrypt confidential data on MachineA. The public key of the EFS cert is used to encrypt the data (actually the FEK), and when he needs to decrypt the encrypted file we pull out our private key (which was indirectly encrypted via the user's local master key), decrypt the FEK, use that to decrypt the file, and we are good to go. Keep in mind that the user's keys (master key, cert keys, etc.) are local to that machine.

Now, he logs on to machine #2 and encrypts some data: he gets a NEW master key, a new cert and a whole new profile to manage and make sure nothing happens to, or he loses access to his data forever (we won't touch the DRA or KRA stuff here).

There are also more complex scenarios, like shared encrypted files between users, or remote EFS.

How would one prevent this? Well, before SP1 and DIMS one would have to use roaming profiles, but not anymore :o)

If he had had a roaming profile, then EFS would have used the same set of keys on both machines and we would be OK. But many companies don't use roaming profiles and honestly don't even think of this scenario as a reason to start using them. Plus, roaming profiles can create their own set of problems we won't even get into.

So with this new feature called DIMS, our keys roam with the user.. this is great!
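As an added illustration (not from Spat's post, and not real DPAPI code), here is a toy Python model of the chain just described: a password-derived key wraps the master key, the master key yields the session key, and the session key protects the data. PBKDF2 and HMAC keystreams stand in for 3DES and the real derivation; the user name as salt, the GUID naming and the blob layout are assumptions. efs_scenario() replays Bob on MachineA and MachineB before and after the master keys roam.

```python
import hashlib
import hmac
import os

def xor_stream(key: bytes, data: bytes) -> bytes:
    # HMAC keystream XOR (stand-in for 3DES); applying it twice restores data.
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class Profile:
    """One machine's copy of a user's DPAPI state: wrapped master keys + Preferred."""
    def __init__(self, user: str, password: str):
        # Key "derived from the user's current password"; user name as salt (assumption).
        self.pwkey = hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)
        self.wrapped = {}      # master key GUID -> master key wrapped under pwkey
        self.preferred = None  # the "Preferred" file: GUID used for new encryptions

    def new_master_key(self) -> None:
        guid, master = os.urandom(8).hex(), os.urandom(32)
        self.wrapped[guid] = xor_stream(self.pwkey, master)
        self.preferred = guid  # older keys stay in self.wrapped: never deleted

    def _session_key(self, guid: str) -> bytes:
        master = xor_stream(self.pwkey, self.wrapped[guid])
        return hmac.new(master, b"session", "sha256").digest()

    def protect(self, data: bytes):
        # CryptProtectData-style: the first call on a machine creates a master key
        if self.preferred is None:
            self.new_master_key()
        return self.preferred, xor_stream(self._session_key(self.preferred), data)

    def unprotect(self, blob):
        guid, ciphertext = blob
        if guid not in self.wrapped:   # that master key lives on another machine
            return None
        return xor_stream(self._session_key(guid), ciphertext)

    def roam_to(self, other: "Profile") -> None:
        # What ms-PKI-DPAPIMasterKey carries: every master key file plus Preferred
        other.wrapped.update(self.wrapped)
        other.preferred = self.preferred

def efs_scenario():
    machine_a, machine_b = Profile("bob", "pw"), Profile("bob", "pw")
    fek_blob = machine_a.protect(b"FEK-for-secret.txt")  # Bob encrypts on MachineA
    before = machine_b.unprotect(fek_blob)               # None: MachineB has no such key
    machine_a.roam_to(machine_b)                         # DIMS roams the master keys
    return before, machine_b.unprotect(fek_blob)
```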

Let's look at some of the data we added to our schema and how it relates to what we have discussed.

NEW AD ATTRIBUTES:

  • ms-PKI-DPAPIMasterKey. This multivalued attribute contains master key files and information for DPAPI. The following objects will be roamed and contained within this attribute:

    • All master key files. There can be multiple master key files. New master key files can be created every 90 days by the domain. Master key files must be maintained and roamed in perpetuity.

    • The Preferred file that specifies the master key to be used for encryption. This attribute is updated every time a new master key is created.

  • ms-PKI-AccountCredentials. This multivalued attribute contains binary blobs of encrypted credential objects from the Credential Manager store, private keys, certificates and requests. Each binary blob stored in Active Directory may contain a delete flag with a timestamp that persists for 60 days to ensure that all clients delete the object.

  • ms-PKI-RoamingTimeStamp. This attribute is used by DIMS and credential roaming to record the time of the latest change to the user object in Active Directory.

Looking over this post, it is a bit long-winded and I don't have time to hit it all today, so I'll have to continue this in another post.

Until then, take a look at SP1 and http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/633d4258-557a-4bfc-86e1-bb30265f52b4.mspx

 

Spat

  • Article is not available yet - but if you ask PSS for 907247 - that's the ticket in.
    If you need some...
  • So when we left off, we were talking about DIMS as a new feature for 2003 SP1. The overview was...
  • Can you shoot me a link to the .adm template file that is used to configure roaming credentials in Group Policy? The links that I have followed from Microsoft just take me to a search page.

    Thanks,

    Brian Bretz
    bbretz@kellerschroeder.com
  • Unfortunately, during the recent changes and updates (see http://support.microsoft.com/?kbid=907247) the ADM file was removed from the web and not placed in the article. The article is being updated ASAP. I will post it here as well later today.

    thx!

    spat
  • Here it is:


    CLASS USER
    CATEGORY  !!DIMS
    KEYNAME "Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    POLICY !!DIMSCredentialRoaming

    EXPLAIN !!DIMSCredentialRoaming_Explain
    VALUENAME "DIMSRoaming"
    VALUEON NUMERIC 1

    PART !!DIMSCredentialRoaming_Vista TEXT
    END PART

    PART !!DIMSCredentialRoaming_Vista_Explain TEXT
    END PART

    PART !!DIMSCredentialRoaming_Box TEXT
    END PART

    PART !!DIMSCredentialRoaming_TombstoneValue NUMERIC REQUIRED
    VALUENAME "DIMSRoamingTombstoneDays"
    MIN 1 MAX 3650 DEFAULT 60 SPIN 30
    END PART

    PART !!DIMSCredentialRoaming_MaxNumTokens NUMERIC REQUIRED
    VALUENAME "DIMSRoamingMaxNumTokens"
    MIN 1 MAX 10000 DEFAULT 2000 SPIN 100
    END PART

    PART !!DIMSCredentialRoaming_MaxTokenSize NUMERIC REQUIRED
    VALUENAME "DIMSRoamingMaxTokenSize"
    MIN 1 MAX 100000 DEFAULT 65535 SPIN 1000
    END PART

    END POLICY
    END CATEGORY

    [strings]

    DIMS="Certificate Services Client"

    DIMSCredentialRoaming_Explain="NOTE: If you want to configure Credential Roaming on a Windows Vista client, then don't use this policy. Instead use the Group Policy that is natively included in Windows Vista. \n\nThis policy setting specifies the behavior for user Credential Roaming.\n\nUser certificates and keys will be roamed and synchronized between the local user profile on the desktop and the user object in Active Directory when a user logs on interactively.  \n\nIf you enable this policy setting, all X.509 certificates, keys, and enrollment requests will be uploaded and synchronized with the user object in Active Directory. You should also enable folder exclusion policies for roaming user profiles to avoid any conflicts in the use of multiple roaming technologies.\n\nIf this policy is enabled, then the Application Data folder should not be redirected using the Folder Redireciton technology. \n\nIf you disable this policy setting, all future synchronization and roaming will cease, but no keys or certificates will be deleted from the local user profile or Active Directory user object.\n\nIf you do not configure this policy setting, user certificate and key roaming will not be performed.\n\nNote: Folder exclusion policy settings may be configured in the user profiles section of the System administrative template.\n\n"

    DisableAll="None"

    DIMSCredentialRoaming="Credential Roaming"

    DIMSCredentialRoaming_Vista="NOTE: Not for environments with Vista clients."

    DIMSCredentialRoaming_Vista_Explain="See Explain tab for more details."

    DIMSCredentialRoaming_Box="Specific Credential Roaming settings:"

    DIMSCredentialRoaming_TombstoneValue="Maximum tombstone credentials lifetime in days:"

    DIMSCredentialRoaming_MaxNumTokens="Maximum number of roaming credentials per user:"

    DIMSCredentialRoaming_MaxTokenSize="Maximum size (in bytes) of a roaming credential:"
  • I have 2003 with SP2. I saved the above contents as CredentialRoaming.adm using Notepad. However, when I add this as a template an error is thrown at line 2.

    Error 62 corresponding string was not found in the [strings] section

    found: !dms

    File cannot be loaded.

    Any suggestion?

  • It has something to do with the carriage returns on the lines.

    Go to the first 3 lines, delete the space at the end, and hit return.

    Then also the lines:

    [strings]

    DIMS="Certificate Services Client"

    And do the same thing; it should load then.

    Spat
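An added check, not part of the thread, for the two things that bite here: a !!reference with no matching key in [strings], and trailing spaces or stray carriage returns on a line. The ADM fragment inside is a constructed, deliberately broken cut of the template's head, and the regexes are an approximation of the ADM syntax, not Microsoft's parser.

```python
import re

# Constructed sample, not the full template from the thread: the head of the
# DIMS ADM with a trailing space on line 1, CR line endings on lines 1-2, and
# one !!reference whose [strings] entry was left out.
SAMPLE_ADM = (
    "CLASS USER \r\n"
    "CATEGORY  !!DIMS\r\n"
    'KEYNAME "Software\\Policies\\Microsoft\\Cryptography\\AutoEnrollment"\n'
    "POLICY !!DIMSCredentialRoaming\n"
    "EXPLAIN !!DIMSCredentialRoaming_Explain\n"
    'VALUENAME "DIMSRoaming"\n'
    "VALUEON NUMERIC 1\n"
    "END POLICY\n"
    "END CATEGORY\n"
    "[strings]\n"
    'DIMS="Certificate Services Client"\n'
    'DIMSCredentialRoaming="Credential Roaming"\n'
)

def check_adm(adm_text: str):
    """Return (missing, dirty_lines) for an ADM template.

    missing: !!names used above [strings] that have no key in [strings].
    dirty_lines: 1-based lines ending in spaces, tabs or a stray CR, the kind
    of junk the thread blames for "string was not found" (Error 62).
    """
    strings, refs, dirty = set(), set(), []
    in_strings = False
    for number, raw in enumerate(adm_text.split("\n"), 1):
        if raw != raw.rstrip(" \t\r"):
            dirty.append(number)
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings:
            key = re.match(r'([^=\s]+)\s*=\s*"', line)     # NAME="text"
            if key:
                strings.add(key.group(1))
        else:
            refs.update(re.findall(r"!!([^\s!]+)", line))  # !!NAME references
    return sorted(refs - strings), dirty

if __name__ == "__main__":
    undefined, dirty = check_adm(SAMPLE_ADM)
    print("undefined string references:", undefined)
    print("lines with trailing whitespace or CR:", dirty)
```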

  • I have to decrypt the AD attribute ms-PKI-AccountCredentials contents. Do I need to always use DPAPI calls, or is there any other way? (Say some cryptographic algorithmic steps)

    My requirement is something like this:

    I would like to download user private keys/public keys on a device and use them. The device will contact the AD server and get ms-PKI-DPAPIMasterKey and ms-PKI-AccountCredentials etc. How do I go about decrypting the binary blob to get the private key of the user?

  • I'm not aware of any way to pull down those contents and use them directly; they are used via the internals of DPAPI. There may be a method, but I've never seen someone directly manipulate the master key(s).

  • That is the Shiznit SpatDSG!!! Works like a charm.

    Nowhere on the Internet can that template be found!

  • Later, more updated ADM:

    CLASS USER
    CATEGORY  !!DIMS
    KEYNAME "Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    POLICY !!DIMSCredentialRoaming

    EXPLAIN !!DIMSCredentialRoaming_Explain
    VALUENAME "DIMSRoaming"
    VALUEON NUMERIC 1

    PART !!DIMSCredentialRoaming_Vista TEXT
    END PART

    PART !!DIMSCredentialRoaming_Vista_Explain TEXT
    END PART

    PART !!DIMSCredentialRoaming_Box TEXT
    END PART

    PART !!DIMSCredentialRoaming_TombstoneValue NUMERIC REQUIRED
    VALUENAME "DIMSRoamingTombstoneDays"
    MIN 1 MAX 3650 DEFAULT 60 SPIN 30
    END PART

    PART !!DIMSCredentialRoaming_MaxNumTokens NUMERIC REQUIRED
    VALUENAME "DIMSRoamingMaxNumTokens"
    MIN 1 MAX 10000 DEFAULT 2000 SPIN 100
    END PART

    PART !!DIMSCredentialRoaming_MaxTokenSize NUMERIC REQUIRED
    VALUENAME "DIMSRoamingMaxTokenSize"
    MIN 1 MAX 100000 DEFAULT 65535 SPIN 1000
    END PART

    END POLICY
    END CATEGORY

    [strings]

    DIMS="Certificate Services Client"

    DIMSCredentialRoaming_Explain="NOTE: If you want to configure Credential Roaming on a Windows Vista client, then don't use this policy. Instead use the Group Policy that is natively included in Windows Vista. \n\nThis policy setting specifies the behavior for user Credential Roaming.\n\nUser certificates and keys will be roamed and synchronized between the local user profile on the desktop and the user object in Active Directory when a user logs on interactively.  \n\nIf you enable this policy setting, all X.509 certificates, keys, and enrollment requests will be uploaded and synchronized with the user object in Active Directory. You should also enable folder exclusion policies for roaming user profiles to avoid any conflicts in the use of multiple roaming technologies.\n\nIf this policy is enabled, then the Application Data folder should not be redirected using the Folder Redireciton technology. \n\nIf you disable this policy setting, all future synchronization and roaming will cease, but no keys or certificates will be deleted from the local user profile or Active Directory user object.\n\nIf you do not configure this policy setting, user certificate and key roaming will not be performed.\n\nNote: Folder exclusion policy settings may be configured in the user profiles section of the System administrative template.\n\n"

    DisableAll="None"

    DIMSCredentialRoaming="Credential Roaming"

    DIMSCredentialRoaming_Vista="NOTE: Not for environments with Vista clients."

    DIMSCredentialRoaming_Vista_Explain="See Explain tab for more details."

    DIMSCredentialRoaming_Box="Specific Credential Roaming settings:"

    DIMSCredentialRoaming_TombstoneValue="Maximum tombstone credentials lifetime in days:"

    DIMSCredentialRoaming_MaxNumTokens="Maximum number of roaming credentials per user:"

    DIMSCredentialRoaming_MaxTokenSize="Maximum size (in bytes) of a roaming credential:"

  • I'm having a problem with DIMS on my XP SP3 computers, on which I'm trying to use a device called an NComputing X300.  What it does is extend the host machine to up to 3 more workstations per card you install (up to 2 cards per host computer).  DIMS causes Winlogon to terminate on every other logon, and so far the only solution to this problem has been to delete the dimsntfy key from the registry (if you really want to find this key, just find it; I don't want to post this and have people just randomly deleting stuff).

    So I thought maybe using this ADM would be the alternative.  Here's my problem, though: I can make the DIMS.adm file and import it into my Administrative Templates, but if you set it to Disabled, it just stays at Not Configured.  If you set it to Enabled, it properly changes its state, and then setting it to Disabled again says Not Configured.  Never saw anything like this.

    Any ideas on what I should do?  I'd very much like to disable DIMS on these machines (or possibly fix the source of the problem!) but as of yet, deleting from the registry is the only "fix".

    Thanks!
