NetrServerPasswordSet2 (Opnum 30)

The NetrServerPasswordSet2 method<248> allows the client to set a new clear text password for an account used by the domain controller (as specified in section 1.5) for setting up the secure channel from the client.<249>

 NTSTATUS NetrServerPasswordSet2(
   [in, unique, string] LOGONSRV_HANDLE PrimaryName,
   [in, string] wchar_t* AccountName,
   [in] NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType,
   [in, string] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] PNL_TRUST_PASSWORD ClearNewPassword
 );

PrimaryName: The custom RPC binding handle, as specified in section

AccountName: The null-terminated Unicode string that contains the name of the account whose password is being changed.<250>

SecureChannelType: An enumerated value that describes the secure channel to be used for authentication, as specified in section

ComputerName: The null-terminated Unicode string that contains the NetBIOS name of the computer making the request.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section, that contains the encrypted logon credential and a time stamp.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section, that contains the server return authenticator.

ClearNewPassword: A pointer to an NL_TRUST_PASSWORD structure, as specified in section, that contains the new password encrypted as specified in Calling NetrServerPasswordSet2 (section

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

On receiving this call, the server MUST perform the following validation steps:

  • Apply Common Error Processing Rule A, specified in section 3.

  • Using the ComputerName for the secure channel to find the corresponding record in the ClientSessionInfo table, verify the Authenticator parameter (section If the Authenticator parameter is valid, compute the ReturnAuthenticator parameter returned (section Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  • Apply Common Error Processing Rule B, specified in section 3, to the PrimaryName parameter.

If the server RefusePasswordChange variable (section 3.5.1) is set and the SecureChannelType is WorkstationSecureChannel, the server MUST return STATUS_WRONG_PASSWORD.

The server MUST decrypt the new password supplied in the ClearNewPassword parameter, by using the negotiated encryption algorithm (determined by bits C, O, or W, respectively, in the NegotiateFlags member of the ClientSessionInfo table entry for ComputerName) and the session key established as the decryption key. The NTOWFv1 (as specified in NTLM v1 Authentication in [MS-NLMP] section 3.3.1) of the cleartext password MUST be computed.

The server MUST compute or retrieve (see unicodePwd, [MS-ADA3] section 2.332) the NTOWFv1 of the current client machine password, which is stored as the result of the OWF on the clear text password for the AccountName. If the current password matches the new password, success is returned to the client, but no actual password change is performed.

The server MUST change the SharedSecret abstract value to the new password supplied in the ClearNewPassword parameter. If the value of the PasswordVersionPresent field of the ClearNewPassword.Buffer parameter is equal to 0x02231968, the server MUST change the TrustPasswordVersion abstract value to the value of the PasswordVersionNumber field of the ClearNewPassword.Buffer parameter. See section for more details about the type of the ClearNewPassword parameter.
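The server-side steps above (the RefusePasswordChange check, decryption of ClearNewPassword with the session key, the NTOWFv1 comparison against the current password, and the SharedSecret / TrustPasswordVersion update keyed on 0x02231968), as an added worked example; this is not code from MS-NRPC or from any Microsoft or third-party implementation. It models only the RC4 (bit C) decryption path and leaves the authenticator checks (Rules A and B, ReturnAuthenticator) and the AES (bit O) path out. The NL_TRUST_PASSWORD / NL_PASSWORD_VERSION byte layout, the NegotiateFlags bit values, the WorkstationSecureChannel enum value and the NTSTATUS codes are this example's reading of the referenced spec sections and should be checked against them; the state dictionaries, `make_state`, `build_clear_new_password` and every input value are constructed for the example.

```python
import struct

PASSWORD_VERSION_PRESENT = 0x02231968   # marker value quoted on the page
WORKSTATION_SECURE_CHANNEL = 2          # NETLOGON_SECURE_CHANNEL_TYPE value (assumed from the spec enum)
NEG_FLAG_C_RC4, NEG_FLAG_O_AES = 0x00000004, 0x01000000   # NegotiateFlags bits C and O (assumed from 3.1.4.2)
STATUS_SUCCESS, STATUS_WRONG_PASSWORD = 0x00000000, 0xC000006A

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), inlined because hashlib's md4 is often disabled."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):   # round 1
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def ntowfv1(password: str) -> bytes:
    return _md4(password.encode("utf-16-le"))   # NTOWFv1 per [MS-NLMP] 3.3.1: MD4 of the UTF-16LE password

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (the bit-C cipher), keyed with the session key; encrypt == decrypt."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i, j = (i + 1) & 0xFF, (j + S[(i + 1) & 0xFF]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def parse_nl_trust_password(plain: bytes):
    """Decode a decrypted NL_TRUST_PASSWORD: Buffer[256 WCHAR] then Length (password bytes).
    Assumed layout: password right-aligned in Buffer, with NL_PASSWORD_VERSION (ReservedField,
    PasswordVersionNumber, PasswordVersionPresent) in the 12 bytes immediately before it."""
    if len(plain) != 516:
        raise ValueError("NL_TRUST_PASSWORD must be 516 bytes")
    buf, length = plain[:512], struct.unpack("<I", plain[512:])[0]
    if not 0 < length <= 512 or length % 2:
        raise ValueError("invalid Length")          # garbage after a wrong key lands here, before any OWF work
    password = buf[512 - length:].decode("utf-16-le")
    version = None
    if length + 12 <= 512:
        _, ver_num, present = struct.unpack("<III", buf[500 - length:512 - length])
        version = ver_num if present == PASSWORD_VERSION_PRESENT else None
    return password, version

def netr_server_password_set2(state, account_name, secure_channel_type, computer_name, clear_new_password):
    """Server processing after the authenticator checks have passed; returns an NTSTATUS."""
    if state["RefusePasswordChange"] and secure_channel_type == WORKSTATION_SECURE_CHANNEL:
        return STATUS_WRONG_PASSWORD
    session = state["ClientSessionInfo"][computer_name]
    if session["NegotiateFlags"] & NEG_FLAG_O_AES:
        raise NotImplementedError("AES-CFB8 (bit O) decryption is not shown in this example")
    plain = rc4(session["SessionKey"], clear_new_password)        # bit C: RC4 with the session key
    new_password, version = parse_nl_trust_password(plain)
    account = state["Accounts"][account_name]
    new_owf = ntowfv1(new_password)
    if new_owf == account["SharedSecretOWF"]:                     # same password: success, nothing changes
        return STATUS_SUCCESS
    account["SharedSecretOWF"] = new_owf                          # SharedSecret := new password (kept as OWF)
    if version is not None:                                       # PasswordVersionPresent == 0x02231968
        account["TrustPasswordVersion"] = version
    return STATUS_SUCCESS

def build_clear_new_password(password: str, session_key: bytes, version=None) -> bytes:
    """Client side, constructed input: fill Buffer, right-align the password, optionally place
    NL_PASSWORD_VERSION before it, append Length, and RC4-encrypt all 516 bytes."""
    pw = password.encode("utf-16-le")
    buf = bytearray(b"\x11" * 512)   # deterministic filler where a real client uses random bytes
    buf[512 - len(pw):] = pw
    if version is not None:
        buf[500 - len(pw):512 - len(pw)] = struct.pack("<III", 0, version, PASSWORD_VERSION_PRESENT)
    return rc4(session_key, bytes(buf) + struct.pack("<I", len(pw)))

def make_state(current_password: str, refuse: bool = False, key: bytes = bytes(range(16))) -> dict:
    """Constructed server state: one secure channel for WS01 and its machine account WS01$."""
    return {"RefusePasswordChange": refuse,
            "ClientSessionInfo": {"WS01": {"SessionKey": key, "NegotiateFlags": NEG_FLAG_C_RC4}},
            "Accounts": {"WS01$": {"SharedSecretOWF": ntowfv1(current_password), "TrustPasswordVersion": 0}}}
```

Calling `netr_server_password_set2(make_state("password"), "WS01$", WORKSTATION_SECURE_CHANNEL, "WS01", build_clear_new_password("NewSecret!", bytes(range(16)), version=7))` walks the full path: decrypt, parse, compare OWFs, replace the SharedSecret and set TrustPasswordVersion to 7. Sending the current password again returns success without touching either value, and a state with RefusePasswordChange set answers a workstation channel with STATUS_WRONG_PASSWORD before any decryption, which is the order the text above prescribes.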

This method can only be called by a machine that has established a secure channel with the server.

This method also returns errors based on Common Error Processing Rule D, specified in section 3.