Question

I'm trying to figure out how Windows credential roaming is implemented. I have found that it will roam certs that have been strongly protected with a password (optional entropy to CryptProtectData()).

I can't see how this could be done unless Windows keeps a copy of the password somewhere when the cert is imported. Copying the files in %APPDATA%/Crypto/RSA{UserSID} to another machine would not work, as the keys are encrypted with the user's DPAPI master key and optionally a password.

Other than using ProcMon, I have no idea what else to try or look at in order to figure this out. Any pointers to help figure this out would be much appreciated!


Solution

CryptProtectData does a little something more that makes the whole thing possible.

DPAPI will generate a key for encryption. The DPAPI key will then be encrypted with another key derived from your password.

What is sent in credential roaming is the DPAPI key, not your password.

It is the same thing that also allows DPAPI to keep working (locally) when you change your password. Otherwise, Windows would have to track DPAPI-encrypted blobs stored everywhere (files, registry keys, etc.) to re-encrypt them to the new password-derived key. There are an infinite number of applications, making it impossible.

Instead, the key is in one well-known and well-hidden location, never seen by the user. Windows can easily re-encrypt the DPAPI key with the new password, shielding applications using it from password changes.

The same mechanism is also used by credential roaming to stay independent of the user's password.

This website has code to extract the SYSTEM account's DPAPI key, and some information about the structure; it might help you with debugging.
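The key hierarchy the answer describes, as an added example that is not part of the original answer and not Windows code: a random master key is wrapped under a password-derived key, application blobs (CryptProtectData output) are encrypted under the master key mixed with the optional entropy, a password change re-wraps only the master key, and "roaming" copies the wrapped master key rather than the password. The cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 so that the script runs on the Python standard library; it stands in for DPAPI's real primitives and key derivation, which this model does not reproduce. `MasterKeyStore`, `protect_data`, `unprotect_data` and the sample secret are hypothetical names and constructed data.

```python
import hashlib
import hmac
import os
import secrets

# Toy authenticated cipher built from HMAC-SHA256 (standard library only).
# It stands in for DPAPI's real primitives; only the key-wrapping structure
# is the point of this example.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return _keystream_xor(enc_key, nonce, ct)

def password_key(password: str, salt: bytes) -> bytes:
    """Key derived from the logon password (PBKDF2 here; DPAPI uses its own KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class MasterKeyStore:
    """The 'one well-known and well-hidden location' of the answer: the DPAPI
    master key, held only in password-wrapped form. Hypothetical class name."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        master = secrets.token_bytes(32)          # random, never derived from the password
        self.wrapped_master = seal(password_key(password, self.salt), master)

    def master_key(self, password: str) -> bytes:
        return unseal(password_key(password, self.salt), self.wrapped_master)

    def change_password(self, old: str, new: str) -> None:
        """Re-wrap the master key only; every blob encrypted under it stays valid."""
        master = self.master_key(old)
        self.salt = os.urandom(16)
        self.wrapped_master = seal(password_key(new, self.salt), master)

    def roam(self) -> "MasterKeyStore":
        """What roaming ships to another machine: the wrapped master key, not the password."""
        copy = MasterKeyStore.__new__(MasterKeyStore)
        copy.salt, copy.wrapped_master = self.salt, self.wrapped_master
        return copy

def protect_data(store: MasterKeyStore, password: str, data: bytes, entropy: bytes = b"") -> bytes:
    """Model of CryptProtectData: blob key = master key mixed with the optional entropy."""
    blob_key = hmac.new(store.master_key(password), entropy, hashlib.sha256).digest()
    return seal(blob_key, data)

def unprotect_data(store: MasterKeyStore, password: str, blob: bytes, entropy: bytes = b"") -> bytes:
    """Model of CryptUnprotectData; the same entropy must be supplied again."""
    blob_key = hmac.new(store.master_key(password), entropy, hashlib.sha256).digest()
    return unseal(blob_key, blob)

def demo() -> dict:
    """Walk through the scenarios from the question; returns which ones behave as expected."""
    secret = b"-----BEGIN PRIVATE KEY----- (constructed sample, not a real key)"
    store = MasterKeyStore("hunter2")
    blob = protect_data(store, "hunter2", secret, entropy=b"cert-import-password")

    # Password change: only the wrapped master key is rewritten, `blob` is untouched.
    store.change_password("hunter2", "correct horse battery staple")
    after_change = unprotect_data(store, "correct horse battery staple", blob,
                                  b"cert-import-password") == secret

    # Roaming: the second machine receives the wrapped master key and the blob;
    # the user supplies the password at logon, which was never transmitted.
    roamed = store.roam()
    on_other_machine = unprotect_data(roamed, "correct horse battery staple", blob,
                                      b"cert-import-password") == secret

    def fails(fn) -> bool:
        try:
            fn()
        except ValueError:
            return True
        return False

    return {
        "after_password_change": after_change,
        "on_roamed_machine": on_other_machine,
        "old_password_rejected": fails(lambda: unprotect_data(store, "hunter2", blob, b"cert-import-password")),
        "missing_entropy_rejected": fails(lambda: unprotect_data(roamed, "correct horse battery staple", blob)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two failure cases are the ones that matter for the question: the old password no longer unwraps the master key after a change, and a roamed machine that has the master key but not the cert's import password (the optional entropy) still cannot open the blob, which is why the entropy must be supplied by the caller on every machine rather than stored alongside the key.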

Licensed under: CC-BY-SA with attribution