

2003 SP1 - what's new? Digital Identity Management Service (DIMS)!

Continuing on my "neat SP1 list"....

There are a lot of new niftyola fixes/features, and one of them is the new Credential Roaming feature, otherwise known as the Digital Identity Management Service (DIMS).

One note here: it does require a schema extension, but it does not require a particular forest functional level or domain functional level. On the client side, only Windows 2003 SP1 clients are supported. DIMS may be ported to W2K and XP, but for now it is 2K3 SP1 only.

1. The LDF file is on the link below; there is no LDF file in the service pack itself.

2. When you use the ldifde command to import it, you need the -c switch to swap the DC=X placeholder used in the LDF for your own forest root DN, like so:

         ldifde -i -f dimsroam.ldf -c "DC=X" "DC=SPatsDomain,DC=com" -v

where DC=SPatsDomain,DC=com is the DN of my forest root domain. Schema changes are only accepted by the schema master and need Schema Admins membership, so run this on that DC (or point ldifde at it with -s <server>); and since added schema attributes can be deactivated but never removed, try the import in a lab forest first.

Once you have extended the schema and imported the ADM file (see the documentation), you can manage your users via Group Policy.

NOTE: If you get errors on the LDIF import or the ADM import, let me know; there were some problems with the first ones posted, but they should be fixed now.
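Here is the same procedure as a script, as an added example of mine (not from the original post): it finds the forest root DN and the schema master via RootDSE, runs ldifde against the schema master with the -c substitution from step 2, and then verifies that the three attributes exist and are multivalued where the documentation says they are. It assumes you are a member of Schema Admins, that dimsroam.ldf sits in the current directory, and that the Windows 2003 ldifde switches -s (target server), -k (continue past "already exists") and -j (log directory) are available.

```powershell
# Added example, not from the original post. Assumes Schema Admins membership,
# dimsroam.ldf in the current directory, and a DC reachable via RootDSE.
$rootDse  = [adsi]'LDAP://RootDSE'
$schemaNC = $rootDse.schemaNamingContext.Value        # CN=Schema,CN=Configuration,DC=...
$forestDN = $rootDse.rootDomainNamingContext.Value    # what -c substitutes for the DC=X placeholder

# Schema writes are accepted only by the schema master, so resolve it instead of
# assuming the DC we happened to bind to holds the role.
$ntdsDN       = ([adsi]"LDAP://$schemaNC").fSMORoleOwner.Value   # CN=NTDS Settings,CN=<server>,CN=Servers,...
$serverDN     = $ntdsDN -replace '^CN=NTDS Settings,', ''
$schemaMaster = ([adsi]"LDAP://$serverDN").dNSHostName.Value

$attributes = 'ms-PKI-DPAPIMasterKey', 'ms-PKI-AccountCredentials', 'ms-PKI-RoamingTimeStamp'

function Get-DimsSchemaState {
    # One row per attribute: present in the schema or not, and single/multi-valued as recorded.
    foreach ($cn in $attributes) {
        $path    = "LDAP://$schemaMaster/CN=$cn,$schemaNC"
        $present = [adsi]::Exists($path)
        $multi   = if ($present) { -not [bool]([adsi]$path).isSingleValued.Value } else { $null }
        New-Object PSObject -Property @{ Attribute = $cn; Present = $present; MultiValued = $multi }
    }
}

$missing = Get-DimsSchemaState | Where-Object { -not $_.Present }
if ($missing) {
    # -s targets the schema master; -c swaps DC=X for the real forest root DN as in step 2;
    # -k continues past "object already exists" on a partial re-run; -j . writes .\ldif.log.
    & ldifde -i -f dimsroam.ldf -s $schemaMaster -c 'DC=X' $forestDN -k -j . -v
    if ($LASTEXITCODE -ne 0) { throw "ldifde returned $LASTEXITCODE; see .\ldif.log" }
}

# Verify: all three present, and the two blob-carrying attributes multivalued as documented.
$state = Get-DimsSchemaState
$state | Format-Table Attribute, Present, MultiValued -AutoSize
$bad = $state | Where-Object { -not $_.Present -or ($_.Attribute -ne 'ms-PKI-RoamingTimeStamp' -and -not $_.MultiValued) }
if ($bad) { throw ('Schema extension incomplete: ' + (($bad | ForEach-Object { $_.Attribute }) -join ', ')) }
```

Run it once from an elevated PowerShell on the schema master; a second run is a no-op because the presence check skips ldifde when the attributes are already there.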

So then the real question is: what does all that stuff in the red box (the new attributes the schema extension adds) mean?

And why do we even care?

Let's tackle the second question first:

Anyone who has tried to manage crypto data for users on multiple machines will appreciate this new feature.

In order to understand why, we need to discuss DPAPI, the Data Protection API, a little bit.

<whirlwind tour>

When the user (via some application like EFS) calls into the crypto subsystem to protect data for the first time, we create what is called a Master Key. From this master key we derive a session key, which is what actually encrypts the private data handed to CryptProtectData (for example). FYI, the master key itself is stored encrypted with 3DES under a key derived from the user's current password.

Now we need some place to store this data, and we chose the user's profile (under %APPDATA%\Microsoft\Protect\<user SID>). This is still secure, since all of the data is only reachable by knowing the user's password. It would be neat if we could use a smartcard to store it...

Anyway, we expire these master keys and generate new ones every once in a while (every 90 days by default). We never actually delete any of them, or you would lose access to any data encrypted (indirectly) via that particular master key.

</whirlwind tour>
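To make the tour concrete, here is an added example of mine (not from the original post) that protects a constructed secret with CryptProtectData from PowerShell, then shows which master key the resulting blob depends on and which key the Preferred file currently points at. The byte offsets it reads (master key GUID at bytes 24..39 of the blob; Preferred = 16-byte GUID followed by an 8-byte FILETIME expiry) are the DPAPI layouts published by DPAPI researchers, not something this page states, so treat them as an assumption and verify on your build.

```powershell
# Added example, not from the original post: round-trip a constructed secret
# through DPAPI and show which on-disk master key the blob depends on.
Add-Type -AssemblyName System.Security

$scope   = [Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [Text.Encoding]::UTF8.GetBytes('constructed sample secret')   # sample input, not real data
$entropy = [Text.Encoding]::UTF8.GetBytes('per-application entropy')     # optional extra secret the caller supplies

# CryptProtectData: a session key derived from the user's current master key
# encrypts the data. The master key itself is only ever on disk encrypted
# under a key derived from the user's password.
$blob  = [Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
$plain = [Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
if ([Text.Encoding]::UTF8.GetString($plain) -ne 'constructed sample secret') { throw 'DPAPI round trip failed' }

# Blob header (published DPAPI layout, assumed here): dwVersion(4) guidProvider(16)
# dwMasterKeyVersion(4) guidMasterKey(16) ... so the master key GUID is bytes 24..39.
$blobMasterKey = New-Object Guid -ArgumentList (,[byte[]]($blob[24..39]))

# The user's master keys live in the profile, one file per key GUID, next to "Preferred".
$sid      = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$dir      = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
$keyFiles = @(Get-ChildItem -Force $dir | Where-Object { $_.Name -match '^[0-9a-f-]{36}$' })   # hidden+system files

# "Preferred" (published layout, assumed here): 16-byte GUID of the key new blobs
# use, then an 8-byte FILETIME after which a fresh master key is generated.
$pref    = [IO.File]::ReadAllBytes((Join-Path $dir 'Preferred'))
$prefKey = New-Object Guid -ArgumentList (,[byte[]]($pref[0..15]))
$expires = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($pref, 16))

"Master key files in profile : $($keyFiles.Count)"
"Blob protected under key    : $blobMasterKey"
"Preferred key               : $prefKey (rotates after $expires)"
if ($blobMasterKey -ne $prefKey) { 'Note: blob used a key other than Preferred (possible right after a rotation)' }
# Every GUID-named file above must survive, locally or roamed via DIMS: lose one
# and every blob protected under that key is unrecoverable.
```

The point to take from the output is the coupling: the blob names a master key GUID, that GUID is a file in one profile on one machine, and nothing outside that profile can decrypt the blob unless the file travels with the user.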

Let's take a common scenario for EFS.

Bob uses EFS to encrypt confidential data on MachineA. The public key from his EFS certificate is used to encrypt the file's FEK (file encryption key); when he needs to decrypt the file, we pull out the private key (which was itself protected, indirectly, via his local master key), decrypt the FEK, use that to decrypt the file, and we are good to go. Keep in mind that the user's keys (master keys, the certificate's private key, etc.) are local to that machine.

Now he logs on to machine #2 and encrypts some data there. He gets a NEW master key, a new certificate, and a whole new profile to manage and make sure nothing happens to, or he loses access to that data forever (we won't touch the DRA or KRA stuff here).

There are also more complex scenarios, like encrypted files shared between users, or remote EFS.

How would one prevent this? Well, before SP1 and DIMS one would have had to use roaming profiles. But not anymore :o)

If he had had a roaming profile, then EFS would have used the same set of keys on both machines and we would be OK. But many companies don't use roaming profiles, and honestly don't even think of this scenario as a reason to start using them. Plus, roaming profiles create their own set of problems we won't even get into.

So with this new feature called DIMS, our keys roam with the user. This is great!


Let's look at some of the data we added to our schema and how it relates to what we have discussed.

NEW AD ATTRIBUTES:

  • ms-PKI-DPAPIMasterKey. This multivalued attribute contains master key files and information for DPAPI. The following objects will be roamed and contained within this attribute:

      • All master key files. There can be multiple master key files; new master key files can be created every 90 days by the domain. Master key files must be maintained and roamed in perpetuity.

      • The Preferred file, which specifies the master key to be used for encryption. It is updated every time a new master key is created.

  • ms-PKI-AccountCredentials. This multivalued attribute contains binary blobs of encrypted credential objects from the Credential Manager store, private keys, certificates and requests. Each binary blob stored in Active Directory may carry a delete flag with a timestamp that persists for 60 days to ensure that all clients delete the object.

  • ms-PKI-RoamingTimeStamp. This attribute is used by DIMS and credential roaming to record the time of the latest change to the user object in Active Directory.
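As an added example of mine (not from the original post), here is an audit over those attributes from PowerShell: which users have roamed, how many master keys and credential blobs each carries, and whether anyone sits at the caps the DIMS Group Policy template exposes (DIMSRoamingMaxNumTokens, default 2000; DIMSRoamingMaxTokenSize, default 65535 bytes). It assumes the attributes' ldapDisplayNames are msPKIDPAPIMasterKey, msPKIAccountCredentials and msPKIRoamingTimeStamp, as in the Windows schema (check them in dimsroam.ldf), and that the account running it is allowed to read them. Treat the output, and the attributes themselves, as sensitive: those blobs are the users' DPAPI master keys and private keys, and anyone who can read them and also knows the user's password can recover the keys offline.

```powershell
# Added example, not from the original post. ldapDisplayNames are assumed from the
# Windows schema; confirm them in dimsroam.ldf. Output is sensitive.
param([int]$MaxTokens = 2000, [int]$MaxTokenSize = 65535)   # defaults of DIMSRoamingMaxNumTokens / DIMSRoamingMaxTokenSize

# Only users that have roamed at least once carry the timestamp.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(msPKIRoamingTimeStamp=*))'
$searcher.PageSize = 500          # paged search, so more than 1000 users still come back
$null = $searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'msPKIDPAPIMasterKey', 'msPKIAccountCredentials'))

function Get-Values($props, $name) {
    # Multivalued binary attribute -> array of byte[]; absent attribute -> empty array.
    if ($props.Contains($name)) { @($props[$name]) } else { @() }
}

function Get-RoamedCredentialReport {
    foreach ($result in $searcher.FindAll()) {
        $p           = $result.Properties                              # DirectorySearcher lower-cases the keys
        $masterKeys  = Get-Values $p 'mspkidpapimasterkey'             # one byte[] per roamed master key file (Preferred included)
        $credentials = Get-Values $p 'mspkiaccountcredentials'         # one byte[] per roamed key/cert/request/Credential Manager item
        $largest     = 0
        foreach ($blob in $credentials) { if ($blob.Length -gt $largest) { $largest = $blob.Length } }

        $warnings = @()
        if ($credentials.Count -ge $MaxTokens) { $warnings += "at the DIMSRoamingMaxNumTokens cap ($MaxTokens)" }
        if ($largest -gt $MaxTokenSize)        { $warnings += "a $largest-byte blob exceeds DIMSRoamingMaxTokenSize ($MaxTokenSize)" }
        if ($credentials.Count -gt 0 -and $masterKeys.Count -eq 0) {
            $warnings += 'credential blobs but no master key roamed: undecryptable on a fresh machine'
        }

        New-Object PSObject -Property @{
            User        = [string]$p['samaccountname'][0]
            MasterKeys  = $masterKeys.Count
            Credentials = $credentials.Count
            LargestBlob = $largest
            Warnings    = ($warnings -join '; ')
        }
    }
}

Get-RoamedCredentialReport | Sort-Object Credentials -Descending |
    Format-Table User, MasterKeys, Credentials, LargestBlob, Warnings -AutoSize
```

The master key count grows by one roughly every 90 days per user and never shrinks (as the attribute description says, master keys roam in perpetuity), so a user with credentials but zero master keys is the case worth chasing first.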

Looking over this post, it is a bit long winded and I don't have time to hit it all today, so I'll have to continue this in another post.

Until then, take a look at SP1 and https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/633d4258-557a-4bfc-86e1-bb30265f52b4.mspx

Spat

Comments

  • Anonymous
    May 24, 2006
    Article is not available yet - but if you ask PSS for 907247 - that's the ticket in.
    If you need some...

  • Anonymous
    May 24, 2006
    So when we left off, we were talking about DIMS as a new feature for 2003 SP1. The overview was...

  • Anonymous
    July 10, 2006
    Can you shoot me a link to the .adm template file that is used to configure roaming credentials in Group Policy? The links that I have followed from Microsoft just take me to a search page.

    Thanks,

    Brian Bretz
    bbretz@kellerschroeder.com

  • Anonymous
    July 11, 2006
    Unfortunately, during the recent changes and updates (see http://support.microsoft.com/?kbid=907247) the ADM file was removed from the web and not placed in the article. The article is being updated ASAP. I will post it here as well later today.

    thx!

    spat

  • Anonymous
    July 11, 2006
    Here it is:


    CLASS USER
    CATEGORY !!DIMS
    KEYNAME "Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    POLICY !!DIMSCredentialRoaming

    EXPLAIN !!DIMSCredentialRoaming_Explain
    VALUENAME "DIMSRoaming"
    VALUEON NUMERIC 1

    PART !!DIMSCredentialRoaming_Vista TEXT
    END PART

    PART !!DIMSCredentialRoaming_Vista_Explain TEXT
    END PART

    PART !!DIMSCredentialRoaming_Box TEXT
    END PART

    PART !!DIMSCredentialRoaming_TombstoneValue NUMERIC REQUIRED
    VALUENAME "DIMSRoamingTombstoneDays"
    MIN 1 MAX 3650 DEFAULT 60 SPIN 30
    END PART

    PART !!DIMSCredentialRoaming_MaxNumTokens NUMERIC REQUIRED
    VALUENAME "DIMSRoamingMaxNumTokens"
    MIN 1 MAX 10000 DEFAULT 2000 SPIN 100
    END PART

    PART !!DIMSCredentialRoaming_MaxTokenSize NUMERIC REQUIRED
    VALUENAME "DIMSRoamingMaxTokenSize"
    MIN 1 MAX 100000 DEFAULT 65535 SPIN 1000
    END PART

    END POLICY
    END CATEGORY

    [strings]

    DIMS="Certificate Services Client"

    DIMSCredentialRoaming_Explain="NOTE: If you want to configure Credential Roaming on a Windows Vista client, then don't use this policy. Instead use the Group Policy that is natively included in Windows Vista.\n\nThis policy setting specifies the behavior for user Credential Roaming.\n\nUser certificates and keys will be roamed and synchronized between the local user profile on the desktop and the user object in Active Directory when a user logs on interactively.\n\nIf you enable this policy setting, all X.509 certificates, keys, and enrollment requests will be uploaded and synchronized with the user object in Active Directory. You should also enable folder exclusion policies for roaming user profiles to avoid any conflicts in the use of multiple roaming technologies.\n\nIf this policy is enabled, then the Application Data folder should not be redirected using the Folder Redirection technology.\n\nIf you disable this policy setting, all future synchronization and roaming will cease, but no keys or certificates will be deleted from the local user profile or Active Directory user object.\n\nIf you do not configure this policy setting, user certificate and key roaming will not be performed.\n\nNote: Folder exclusion policy settings may be configured in the user profiles section of the System administrative template.\n\n"

    DisableAll="None"

    DIMSCredentialRoaming="Credential Roaming"

    DIMSCredentialRoaming_Vista="NOTE: Not for environments with Vista clients."

    DIMSCredentialRoaming_Vista_Explain="See Explain tab for more details."

    DIMSCredentialRoaming_Box="Specific Credential Roaming settings:"

    DIMSCredentialRoaming_TombstoneValue="Maximum tombstone credentials lifetime in days:"

    DIMSCredentialRoaming_MaxNumTokens="Maximum number of roaming credentials per user:"

    DIMSCredentialRoaming_MaxTokenSize="Maximum size (in bytes) of a roaming credential:"
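As an added example of mine (not from the template's author or the original post), the script below reads back on a client what this template writes, fills in the template's defaults for any value that is absent, and checks for the Application Data folder redirection that the Explain text says must not be combined with roaming. The registry path and value names are the ones in the ADM; the redirection check via the User Shell Folders key (a redirected folder shows up there as a UNC path) is my own addition.

```powershell
# Added example, not from the original post or the template's author: read back
# the policy values the DIMS template writes and flag the AppData redirection
# conflict its Explain text warns about.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'   # KEYNAME from the ADM
$defaults  = @{ DIMSRoamingTombstoneDays = 60; DIMSRoamingMaxNumTokens = 2000; DIMSRoamingMaxTokenSize = 65535 }

function Get-DimsClientState {
    $policy = if (Test-Path $policyKey) { Get-ItemProperty $policyKey } else { $null }

    # DIMSRoaming: 1 = enabled, 0 = disabled, absent = not configured (no roaming either way).
    $dims    = if ($policy) { $policy.DIMSRoaming } else { $null }
    $roaming = if ($dims -eq 1) { 'Enabled' } elseif ($dims -eq 0) { 'Disabled' } else { 'Not configured' }

    # The three numeric PARTs fall back to the template's DEFAULT when no value was written.
    $effective = @{}
    foreach ($name in $defaults.Keys) {
        $written = $policy -and $policy.PSObject.Properties[$name]
        $effective[$name] = if ($written) { $policy.$name } else { $defaults[$name] }
    }

    # Folder Redirection rewrites User Shell Folders\AppData to a UNC path.
    $shell             = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $appDataRedirected = [string]$shell.AppData -like '\\*'

    $warnings = @()
    if ($roaming -eq 'Enabled' -and $appDataRedirected) {
        $warnings += "AppData is redirected to $($shell.AppData); the template says not to combine this with roaming"
    }
    if ($roaming -ne 'Enabled') { $warnings += 'certificates and keys stay local to this machine' }

    New-Object PSObject -Property @{
        Roaming           = $roaming
        TombstoneDays     = $effective.DIMSRoamingTombstoneDays
        MaxTokens         = $effective.DIMSRoamingMaxNumTokens
        MaxTokenSize      = $effective.DIMSRoamingMaxTokenSize
        AppDataRedirected = $appDataRedirected
        Warnings          = ($warnings -join '; ')
    }
}

Get-DimsClientState | Format-List
```

Run it in the user's own session (the values live under HKCU), after a gpupdate, to confirm the template actually landed before you start looking for roamed blobs in AD.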

  • Anonymous
    April 05, 2007
    The comment has been removed

  • Anonymous
    April 06, 2007
    It has something to do with the carriage returns on the lines. Go to the first 3 lines and delete the space at the end and hit return. Then also the lines: [strings] DIMS="Certificate Services Client" and do the same thing. It should load then. Spat

  • Anonymous
    May 02, 2007
    I have to decrypt the AD attribute ms-PKI-AccountCredentials contents. Do I need to always use DPAPI calls, or is there any other way (say, some cryptographic algorithmic steps)? My requirement is something like this: I would like to download user private keys/public keys onto a device and use them. The device will contact the AD server and get ms-PKI-DPAPIMasterKey and ms-PKI-AccountCredentials etc. How do I go about decrypting the binary blob to get the private key of the user?

  • Anonymous
    May 03, 2007
    I'm not aware of any way to pull down those contents and use them directly; they are used via the internals of DPAPI. There may be a method, but I've never seen someone directly manipulate the Master Key(s).

  • Anonymous
    August 21, 2007
    That is the shiznit, SpatDSG!!! Works like a charm. Nowhere on the Internet can that template be found!

  • Anonymous
    December 07, 2007
    Later, more updated ADM:

    CLASS USER
    CATEGORY !!DIMS
    KEYNAME "Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    POLICY !!DIMSCredentialRoaming
    EXPLAIN !!DIMSCredentialRoaming_Explain
    VALUENAME "DIMSRoaming"
    VALUEON NUMERIC 1
    PART !!DIMSCredentialRoaming_Vista TEXT
    END PART
    PART !!DIMSCredentialRoaming_Vista_Explain TEXT
    END PART
    PART !!DIMSCredentialRoaming_Box TEXT
    END PART
    PART !!DIMSCredentialRoaming_TombstoneValue NUMERIC REQUIRED
    VALUENAME "DIMSRoamingTombstoneDays"
    MIN 1 MAX 3650 DEFAULT 60 SPIN 30
    END PART
    PART !!DIMSCredentialRoaming_MaxNumTokens NUMERIC REQUIRED
    VALUENAME "DIMSRoamingMaxNumTokens"
    MIN 1 MAX 10000 DEFAULT 2000 SPIN 100
    END PART
    PART !!DIMSCredentialRoaming_MaxTokenSize NUMERIC REQUIRED
    VALUENAME "DIMSRoamingMaxTokenSize"
    MIN 1 MAX 100000 DEFAULT 65535 SPIN 1000
    END PART
    END POLICY
    END CATEGORY

    [strings]
    DIMS="Certificate Services Client"
    DIMSCredentialRoaming_Explain="NOTE: If you want to configure Credential Roaming on a Windows Vista client, then don't use this policy. Instead use the Group Policy that is natively included in Windows Vista.\n\nThis policy setting specifies the behavior for user Credential Roaming.\n\nUser certificates and keys will be roamed and synchronized between the local user profile on the desktop and the user object in Active Directory when a user logs on interactively.\n\nIf you enable this policy setting, all X.509 certificates, keys, and enrollment requests will be uploaded and synchronized with the user object in Active Directory. You should also enable folder exclusion policies for roaming user profiles to avoid any conflicts in the use of multiple roaming technologies.\n\nIf this policy is enabled, then the Application Data folder should not be redirected using the Folder Redirection technology.\n\nIf you disable this policy setting, all future synchronization and roaming will cease, but no keys or certificates will be deleted from the local user profile or Active Directory user object.\n\nIf you do not configure this policy setting, user certificate and key roaming will not be performed.\n\nNote: Folder exclusion policy settings may be configured in the user profiles section of the System administrative template.\n\n"
    DisableAll="None"
    DIMSCredentialRoaming="Credential Roaming"
    DIMSCredentialRoaming_Vista="NOTE: Not for environments with Vista clients."
    DIMSCredentialRoaming_Vista_Explain="See Explain tab for more details."
    DIMSCredentialRoaming_Box="Specific Credential Roaming settings:"
    DIMSCredentialRoaming_TombstoneValue="Maximum tombstone credentials lifetime in days:"
    DIMSCredentialRoaming_MaxNumTokens="Maximum number of roaming credentials per user:"
    DIMSCredentialRoaming_MaxTokenSize="Maximum size (in bytes) of a roaming credential:"

  • Anonymous
    July 17, 2008
    I'm having a problem with DIMS on my XP SP3 computers that I'm trying to use a device called an NComputing X300.  What it does is extends the host machine to up to 3 more workstations per card you install (up to 2 cards per host computer).  DIMS causes Winlogon to terminate on every other logon, and so far the only solution to this problem has been to delete the dimsntfy key from the registry (if you really want to find this key, just find, don't want to post this and have people just randomly deleting stuff). So I thought, maybe using this ADM would be the alternative.  Here's my problem though, I can make the DIMS.adm file and import it into my Administrative Templates, but if you set it to Disabled, it just stays at Not Configured.  If you set it to Enabled, it properly changes its state, and then setting to Disabled again says Not Configured.  Never saw anything like this. Any ideas on what I should do?  I'd very much like to disable DIMS on these machines (or possibly fix the source of the problem!) but as of yet, deleting from the registry is the only "fix". Thanks!