Can you calculate the password hash used by Active Directory?

We currently store users of our web application in our database, along with hashes/salts of their passwords. The hashes are calculated when the user is created and sets their password and stored in a User table in a database.

Some time after the creation of the user account, we may want to create a Windows account in our domain, and want to be able to set the domain user's password so that it's the same as the one the user uses to log into the web app. Since we don't save the plain text version of the password, we don't have a way to send it to AD when we create it.

One way I was thinking about getting around this issue, would be to calculate all the different password hashes that AD uses when the user first sets their password, and then somehow set the records in AD later when we create the user.

  1. How would you create the hashes (I think they are MD4, MD5, and DES), using .Net?
  2. Can you bypass the password creation on UserPrincipal.SetPassword, and make some other call in order to directly set the hashes stored by AD?

It seems like there should be a way to do this, since MS has tools for syncing passwords from AD to Azure users.

bpeikes asked Oct 20 '15 17:10


1 Answer

Trying to keep an AD password synchronized with a DB password is a bad idea for two reasons:

  • It's a security weakness (comments have already pointed this out by mentioning salt)
  • It's a maintenance problem. A password change initiated by the Windows PC would leave the DB password unchanged.

Instead of creating a Windows account with the same password, alter your web application's authentication to use both AD authentication and Windows Forms authentication. That way, their AD credentials (if they have them) will supersede the username/password prompt.

Jared Dykstra answered Sep 24 '22 17:09
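One way to implement the answer's recommendation, as an added example that is not part of the original thread: try the user's AD credentials first via PrincipalContext.ValidateCredentials, and fall back to the web application's own salted hash only for users who have no domain account yet, so AD stays authoritative and nothing about the user's password has to be copied into it. UserRecord and its fields, the PBKDF2 parameters, and the target of .NET 6 or later on Windows with the System.DirectoryServices.AccountManagement package are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;

// Assumed stand-in for a row of the web app's User table.
public sealed class UserRecord
{
    public string DomainAccount;   // null or empty while the user has no AD account
    public byte[] Salt;            // per-user random salt
    public byte[] Hash;            // PBKDF2-SHA256 output stored at password-set time
    public int Iterations;         // PBKDF2 iteration count used when Hash was created
}

public static class HybridAuthenticator
{
    // Returns true if AD (preferred) or, failing a domain account, the app database accepts the password.
    public static bool Authenticate(string domain, UserRecord user, string password)
    {
        if (!string.IsNullOrEmpty(user.DomainAccount))
        {
            // AD is authoritative: a password change made on the Windows PC is honoured
            // immediately, which is the maintenance problem the answer describes.
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            {
                return ctx.ValidateCredentials(user.DomainAccount, password);
            }
        }

        // No domain account: verify against the salted hash already in the User table.
        return VerifyStoredHash(user, password);
    }

    public static bool VerifyStoredHash(UserRecord user, string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, user.Iterations, HashAlgorithmName.SHA256))
        {
            byte[] candidate = kdf.GetBytes(user.Hash.Length);
            // Fixed-time comparison so the response time does not reveal how many bytes matched.
            return CryptographicOperations.FixedTimeEquals(candidate, user.Hash);
        }
    }
}
```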