2.2.4 PasswordUpdateForward Request Message

The PasswordUpdateForward request message requests a change in password-related attributes for the directory object specified in the message. This message SHOULD be sent only from read-only domain controllers. Message processing details are specified in section 3.3.5.4.<4>

The layout of the PasswordUpdateForward request message is shown in the following diagram. This message MUST be carried in the Message field of the structure defined in section 2.2.1.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Flags

Size

AccountRid

PasswordExp

Reserved

OffsetLengthArray (variable)

...

Data (variable)

...

Flags (4 bytes): MUST be a bitmask with the following values defined.<5>


  Bit 0:     AN
  Bit 1:     CP
  Bits 2-31: X

  • AN (FLAG_ACCOUNT_NAME): This bit MUST be set to one. The associated message data in the OffsetLengthArray and Data fields references a UTF-16 encoded string that represents the account name, represented as the value of the sAMAccountName attribute on the directory object for which the password is to be changed.

  • CP (FLAG_CLEAR_TEXT_PASSWORD): This bit MUST be set to one. The associated message data in the OffsetLengthArray and Data fields references a UTF-16 encoded string that represents the new password.

  • X (Reserved): These bits MUST be set to zero and MUST be ignored on receipt.

Size (4 bytes): A 32-bit, unsigned integer that MUST contain the number of bytes in the PasswordUpdateForward request message, from the start of the Flags field through the end of the variable-length OffsetLengthArray field. This size can be inferred on receipt from the bits set in the Flags field; for more information, see the description for OffsetLengthArray. This field is useful for quickly determining the start of the Data section.

AccountRid (4 bytes): This 32-bit field MUST be set to zero and MUST be ignored on receipt.

PasswordExp (1 byte): This byte MUST be set to zero and MUST be ignored on receipt.

Reserved (3 bytes): This portion of the message MUST be filled with zeros and MUST be ignored on receipt.

OffsetLengthArray (variable): An array of 8-byte elements used as offset and length descriptors for the data associated with this request message. Elements in this array correspond to bits in the Flags field. The number of elements in this array MUST be equal to the position of the most significant bit that is set in the Flags field. The entries MUST be in the same order as the bits in the Flags field. For example, if just bit 1 (FLAG_CLEAR_TEXT_PASSWORD) is set, the length of the array is 2 elements, or 16 bytes, and the elements are ordered from least significant to most significant.

For an illustration of the relationship between the Flags field and the OffsetLengthArray element, see the protocol example in section 4.1.

Each OffsetLengthArray element contains two 32-bit unsigned integers that MUST consist of the following fields:

  • Offset: The offset, in bytes, from the start of the Data field to the first byte of the data that corresponds to this particular element. The offset is double-byte aligned.

  • Length: The length, in bytes, of the data that corresponds to this particular element. The length is double-byte aligned.

Data (variable): A variable-sized field that MUST hold the data associated with the request. The descriptors for this data are the (Offset, Length) fields that constitute each OffsetLengthArray element. The length of the Data section MUST be no less than the maximum of Offset + Length for all elements of the OffsetLengthArray. This field is double-byte aligned and each entry is ordered the same as the elements in OffsetLengthArray; any bytes added to achieve alignment MUST have no bits set.
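
The following receiver-side check is an added example, not part of the specification: it validates the Flags, Size, alignment and Offset + Length constraints described above before decoding either string. It assumes little-endian integers, UTF-16LE strings, and AN/CP as the two least significant bits of Flags, none of which this section states; parse_request and build_request are hypothetical names.

```python
import struct

# Assumptions (not stated in this section): little-endian integers,
# UTF-16LE strings, and AN/CP as the two least significant bits of Flags.
FLAG_ACCOUNT_NAME, FLAG_CLEAR_TEXT_PASSWORD = 0x1, 0x2
REQUIRED = FLAG_ACCOUNT_NAME | FLAG_CLEAR_TEXT_PASSWORD
HEADER = struct.Struct("<III4x")   # Flags, Size, AccountRid, PasswordExp + Reserved
ELEMENT = struct.Struct("<II")     # Offset, Length

def parse_request(msg: bytes) -> dict:
    """Validate and decode a PasswordUpdateForward request; raise ValueError if malformed."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated fixed header")
    flags, size, _account_rid = HEADER.unpack_from(msg)  # AccountRid is ignored on receipt
    flags &= REQUIRED                                    # reserved bits are ignored on receipt
    if flags != REQUIRED:
        raise ValueError("AN and CP bits must both be set")
    count = flags.bit_length()     # elements = position of the most significant set bit
    if size != HEADER.size + count * ELEMENT.size:
        raise ValueError("Size does not match Flags")
    if len(msg) < size:
        raise ValueError("truncated OffsetLengthArray")
    data, fields = msg[size:], []
    for i in range(count):
        offset, length = ELEMENT.unpack_from(msg, HEADER.size + i * ELEMENT.size)
        if offset % 2 or length % 2:
            raise ValueError(f"element {i} is not double-byte aligned")
        if offset + length > len(data):    # Data must cover max(Offset + Length)
            raise ValueError(f"element {i} points outside Data")
        fields.append(data[offset:offset + length].decode("utf-16-le"))
    return {"account_name": fields[0], "new_password": fields[1]}

def build_request(name: str, password: str) -> bytes:
    """Construct a sample message (constructed test input, not captured traffic)."""
    parts = [name.encode("utf-16-le"), password.encode("utf-16-le")]
    array, offset = b"", 0
    for part in parts:
        array += ELEMENT.pack(offset, len(part))
        offset += len(part)
    size = HEADER.size + len(array)
    return HEADER.pack(REQUIRED, size, 0) + array + b"".join(parts)
```

Because the decoded result contains a cleartext password, a caller should keep it out of logs and error messages.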