3.1.4.7.14 LsarSetInformationTrustedDomain (Opnum 27)

The LsarSetInformationTrustedDomain method is invoked to set information on a trusted domain object.

NTSTATUS LsarSetInformationTrustedDomain(
   [in] LSAPR_HANDLE TrustedDomainHandle,
   [in] TRUSTED_INFORMATION_CLASS InformationClass,
   [in, switch_is(InformationClass)]
     PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainInformation
 );

TrustedDomainHandle: A handle to a trusted domain object.

InformationClass: A value indicating the type of information requested by the caller.

TrustedDomainInformation: Used to supply the information to be set.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code            | Description
-----------------------------+---------------------------------------------------------------------
0x00000000                   | The request was successfully completed.
STATUS_SUCCESS               |
-----------------------------+---------------------------------------------------------------------
0xC0000022                   | The caller does not have the permissions to perform this operation.
STATUS_ACCESS_DENIED         |
-----------------------------+---------------------------------------------------------------------
0xC000000D                   | One of the arguments supplied to the function was invalid.
STATUS_INVALID_PARAMETER     |
-----------------------------+---------------------------------------------------------------------
0xC00000DD                   | The domain is in the wrong state to perform the stated operation.
STATUS_INVALID_DOMAIN_STATE  |
-----------------------------+---------------------------------------------------------------------
0xC0000008                   | TrustedDomainHandle is not a valid handle.
STATUS_INVALID_HANDLE        |

Processing:

This message takes three arguments:

TrustedDomainHandle: An open handle to a trusted domain object. If the handle is not a valid context handle to a trusted domain object or TrustedDomainHandle.HandleType does not equal "Trusted Domain", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that TrustedDomainHandle grants access as specified in section 3.1.4.2.2. The following table specifies the RequiredAccess value to use in this access check for each InformationClass value, or indicates if no processing is supported, regardless of access granted. There are several methods in the Local Security Authority (Domain Policy) Remote Protocol that set trusted domain information. All of them enforce the same rights assignments based on information class.

Value of InformationClass parameter     | RequiredAccess value
----------------------------------------+--------------------------------------
TrustedPosixOffsetInformation           | TRUSTED_SET_POSIX
TrustedDomainInformationEx              |
----------------------------------------+--------------------------------------
TrustedDomainFullInformation            | TRUSTED_SET_POSIX | TRUSTED_SET_AUTH
TrustedDomainFullInformationInternal    |
----------------------------------------+--------------------------------------
TrustedDomainAuthInformation            | TRUSTED_SET_AUTH
TrustedDomainAuthInformationInternal    |
----------------------------------------+--------------------------------------
TrustedDomainSupportedEncryptionTypes   | TRUSTED_SET_POSIX

InformationClass: A value from the TRUSTED_INFORMATION_CLASS enumeration specifying what type of information the caller is setting. Not all values are valid. For values outside the TRUSTED_INFORMATION_CLASS range, the server MUST reject the request with STATUS_INVALID_PARAMETER. Information class values other than the following set SHOULD<107> be rejected with STATUS_INVALID_PARAMETER. The set of allowed information class values is:

  • TrustedPosixOffsetInformation

  • TrustedDomainInformationEx

  • TrustedDomainAuthInformation

  • TrustedDomainFullInformation

  • TrustedDomainAuthInformationInternal

  • TrustedDomainFullInformationInternal

  • TrustedDomainSupportedEncryptionTypes

TrustedDomainInformation: Contains information to be set, appropriate for the InformationClass parameter. The server MUST validate the TrustedDomainInformation parameter according to information class–specific rules. The rules for internal consistency checking of trusted domain objects are specified in [MS-ADTS] section 6.1.6.

Information in the abstract data model specified in section 3.1.1.5 MUST be updated using TrustedDomainInformation and InformationClass parameters as follows:

Value of InformationClass parameter     | Information to set
----------------------------------------+----------------------------------------------------------------------
TrustedPosixOffsetInformation           | Posix Offset
----------------------------------------+----------------------------------------------------------------------
TrustedDomainInformationEx              | Trust Type
                                        | Trust Direction
                                        | Trust Attributes
                                        | Forest Trust Attributes MUST be set to 0 if the new trust attributes
                                        | do not contain the TRUST_ATTRIBUTE_FOREST_TRANSITIVE flag.
----------------------------------------+----------------------------------------------------------------------
TrustedDomainAuthInformation            | Trust Incoming Password
TrustedDomainAuthInformationInternal    | Trust Outgoing Password
----------------------------------------+----------------------------------------------------------------------
TrustedDomainFullInformation            | Posix Offset
TrustedDomainFullInformationInternal    | Trust Type
                                        | Trust Direction
                                        | Trust Attributes
                                        | Trust Incoming Password
                                        | Trust Outgoing Password
                                        | Forest Trust Attributes MUST be set to 0 if the new trust attributes
                                        | do not contain the TRUST_ATTRIBUTE_FOREST_TRANSITIVE flag.
----------------------------------------+----------------------------------------------------------------------
TrustedDomainSupportedEncryptionTypes   | Supported Encryption Types
----------------------------------------+----------------------------------------------------------------------
Other values                            | Server MUST return STATUS_INVALID_PARAMETER.
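The following is an added illustration, not code from the protocol specification or from any implementation: it models the server-side gate described above (handle check, rejection of unsupported information classes, per-class RequiredAccess check, and the rule that Forest Trust Attributes are cleared when the new trust attributes drop TRUST_ATTRIBUTE_FOREST_TRANSITIVE). The numeric bit values for the access rights and trust attribute, the enum numbering, and the handle/TDO structs are assumptions made for this example; only the names and NTSTATUS codes come from the page.

```c
#include <stdbool.h>
#include <stdint.h>

/* NTSTATUS codes from the return-value table above. */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_HANDLE    0xC0000008u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_ACCESS_DENIED     0xC0000022u
/* Bit values are illustrative for this example; the names are from the page. */
#define TRUSTED_SET_POSIX                 0x10u
#define TRUSTED_SET_AUTH                  0x20u
#define TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0x08u

typedef enum { /* subset of TRUSTED_INFORMATION_CLASS; numbering assumed here */
    TrustedDomainNameInformation = 1, TrustedPosixOffsetInformation = 3,
    TrustedDomainInformationEx = 6, TrustedDomainAuthInformation = 7,
    TrustedDomainFullInformation = 8, TrustedDomainAuthInformationInternal = 9,
    TrustedDomainFullInformationInternal = 10, TrustedDomainSupportedEncryptionTypes = 13
} TRUSTED_INFORMATION_CLASS;

/* Assumed shapes of the context handle and of the trusted domain object (TDO). */
typedef struct { bool valid; bool is_trusted_domain; uint32_t granted; } handle_t;
typedef struct { uint32_t trust_attributes, forest_trust_attributes; } tdo_t;

/* RequiredAccess for a settable class (table above); 0 means the class cannot be set. */
uint32_t required_access(TRUSTED_INFORMATION_CLASS ic) {
    switch (ic) {
    case TrustedPosixOffsetInformation: case TrustedDomainInformationEx:
    case TrustedDomainSupportedEncryptionTypes:   return TRUSTED_SET_POSIX;
    case TrustedDomainAuthInformation: case TrustedDomainAuthInformationInternal:
                                                  return TRUSTED_SET_AUTH;
    case TrustedDomainFullInformation: case TrustedDomainFullInformationInternal:
                                                  return TRUSTED_SET_POSIX | TRUSTED_SET_AUTH;
    default:                                      return 0;
    }
}

/* Server-side gate: handle check, then class check, then the 3.1.4.2.2 access check. */
uint32_t set_trusted_domain_info(const handle_t *h, TRUSTED_INFORMATION_CLASS ic,
                                 uint32_t new_attrs, tdo_t *tdo) {
    if (!h->valid || !h->is_trusted_domain) return STATUS_INVALID_HANDLE;
    uint32_t need = required_access(ic);
    if (need == 0) return STATUS_INVALID_PARAMETER;       /* no processing, regardless of access */
    if ((h->granted & need) != need) return STATUS_ACCESS_DENIED;
    if (ic == TrustedDomainInformationEx || ic == TrustedDomainFullInformation ||
        ic == TrustedDomainFullInformationInternal) {
        tdo->trust_attributes = new_attrs;
        /* Forest Trust Attributes are cleared once the trust is no longer forest-transitive. */
        if (!(new_attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) tdo->forest_trust_attributes = 0;
    }
    return STATUS_SUCCESS;
}
```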

The server MUST return STATUS_INVALID_DOMAIN_STATE in the following cases:

  • The TrustAttributes TRUST_ATTRIBUTE_FOREST_TRANSITIVE flag is set and the forestFunctionality specified in [MS-ADTS] section 3.1.1.3.2.27 is DS_BEHAVIOR_WIN2003 or higher.

  • The TrustAttributes TRUST_ATTRIBUTE_FOREST_TRANSITIVE flag is set and the DnsForestName and DnsDomainName fields in DNS Domain Information (see section 3.1.1.1) do not contain the same value.

  • The TrustAttributes TRUST_ATTRIBUTE_CROSS_ORGANIZATION flag is set and the forestFunctionality specified in [MS-ADTS] section 3.1.1.3.2.27 is DS_BEHAVIOR_WIN2003 or higher.

If the server is a read-only domain controller, it MUST return an error.<108>

If the trust direction is being set to incoming or bidirectional, then the server MUST create an interdomain trust account for this trust, if such an account does not yet exist, and populate it as specified in [MS-ADTS] section 6.1.6.8. The unicodePwd attribute of the account is updated (as specified in [MS-SAMR] section 3.1.1.8.7) with the clear text password (that is, the password value with AuthType being equal to 0x2) in the "Trust Incoming Passwords" information provided.