3.4.5.2.7 Calling NetrServerPasswordSet

The client MUST do the following:

• Have a secure channel established with a DC in the domain identified by domain-name and pass its name as the PrimaryName parameter.

• Pass the encrypted new password:

  1. Compute the NTOWFv1 ([MS-NLMP] section 3.3.1) of the new password.

  2. Encrypt ([MS-SAMR] section 2.2.11.1.1) the result of step 1 using the Session-Key for the secure channel as the specified key.

  3. Pass the result of step 2 as the UasNewPassword parameter.

• Pass a valid client Netlogon authenticator as the Authenticator parameter.

After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.

On receiving STATUS_ACCESS_DENIED, the client SHOULD<102> re-establish the secure channel with the domain controller.