Issue 407513 in chromium: Windows Roaming Credentials and Chrome Passwords/Cookies


chro...@googlecode.com

Aug 26, 2014, 4:43:36 AM
to chromi...@chromium.org
Status: Unconfirmed
Owner: ----
Labels: Cr-Services-Sync Pri-2 Via-Wizard Type-Bug OS-Windows

New issue 407513 by e-me...@team.ksz.ch: Windows Roaming Credentials and
Chrome Passwords/Cookies
https://code.google.com/p/chromium/issues/detail?id=407513

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101
Firefox/31.0

Steps to reproduce the problem:
1. Roaming Profiles and Folder Redirection per GPO active on Windows 7 -
C:\Users\[username]\AppData\Roaming redirected into home drive "P:\"
2. Roaming Credentials activated / hotfix installed on all devices -
http://support.microsoft.com/kb/2520487
3. Log in to Windows 7
4. Start Google Chrome
5. Save a password on a website / store a cookie
6. Log off Windows
7. Log on to Windows

What is the expected behavior?
1) Passwords and cookies should still exist - I should be logged in on the
website

What went wrong?
1) Roaming Credentials didn't work correctly - Google Chrome stored
information in:
C:\Users\[username]\AppData\Roaming\Microsoft\Protect\[SID]\
The DPAPI master key does not count as a "used" credential.

Did this work before? No

Chrome version: 34.0.1847.116 Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 13.0 r0

After activation of a Windows roaming credential filter
called "RoamUnusedDpapiKeys" (set to DWORD 1), synchronisation works /
passwords, cookies, etc. are roamed.

Problem: By leaving this filter set to DWORD 1 we risk filling our Active
Directory.

Question / Wish: Why do Google Chrome credentials count as "unused"? Is it
possible to fix Chrome so that DPAPI keys are associated with private key
binary large objects (BLOB), so that we can change the filter not to roam
unused DPAPI keys?

Any other solutions or approaches are welcome.


chro...@googlecode.com

Sep 11, 2014, 4:32:50 PM
to chromi...@chromium.org
Updates:
Labels: -Cr-Services-Sync Cr-UI-Browser-Profiles

Comment #2 on issue 407513 by resetswi...@chromium.org: Windows Roaming
Credentials and Chrome Passwords/Cookies
https://code.google.com/p/chromium/issues/detail?id=407513

I expect this has to do with how Chrome is storing profile data locally,
not sync.
+profiles -sync

chro...@googlecode.com

Sep 15, 2014, 1:49:31 PM
to chromi...@chromium.org
Updates:
Status: WontFix

Comment #4 on issue 407513 by w...@chromium.org: Windows Roaming Credentials
Hi e-meier,

Thanks for your report. The KB article
http://support.microsoft.com/kb/2520487 is quite specific and says that,
when it is applied, the following credentials won't be roamed:

"By default, the following items do not roam when you enable the Credential
Roaming feature after you install this hotfix:
* Smart card certificates
* DPAPI keys
* Other keys that are not associated with certificates"

Chrome stores saved passwords (and other sensitive data) encrypted
as "DPAPI keys" so these will not roam with the hotfix enabled.
The "unused" phrase MS use in the registry key override is slightly
misleading as these keys are certainly "used", they are just a different
type of data from a "roamed private key binary large object (BLOB)" which
is typically generated and stored using a different API (CryptGenKey) when
generating an exportable public/private keypair.

This keypair datatype would not be appropriate for how Chrome stores
sensitive data so we will not be changing the type of DPAPI credential
Chrome uses to store sensitive data.

I therefore recommend that you continue to set RoamUnusedDpapiKeys to DWORD
1 in order to roam these (and other) DPAPI keys. You still get the
fileserver storage space benefits of not roaming any unaffiliated keys or
smartcard certificates. Alternatively, if you must deactivate all DPAPI
credential roaming, and you are concerned that your users will get confused
when their credentials do not correctly roam, you could disable the
password manager entirely using the PasswordManagerEnabled policy - see
http://www.chromium.org/administrators/policy-list-3#PasswordManagerEnabled
to avoid confusion.
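As an added illustration of the advice above (not code from the issue thread, Chrome or Microsoft), the following PowerShell lets an administrator verify on two machines whether the user's DPAPI master keys really roam: Chrome protects saved passwords and cookies with DPAPI, so a DPAPI blob written on machine A that will not decrypt on machine B means Chrome's data will not decrypt there either. The registry path of the RoamUnusedDpapiKeys policy value is an assumption to be confirmed against KB 2520487; the marker file name is constructed for this check.

```powershell
# Added diagnostic, not part of the original thread. Run Write-RoamCheckMarker on one machine,
# log off, log on to a second machine and run the checks at the bottom of this script.
Add-Type -AssemblyName System.Security

# ASSUMPTION: policy location of the credential-roaming filter; confirm against KB 2520487.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ValueName = 'RoamUnusedDpapiKeys'                          # value named in the thread
$Marker    = Join-Path $env:APPDATA 'dpapi-roam-check.bin'  # constructed name; lives in roamed AppData

function Get-RoamUnusedDpapiKeysSetting {
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "$ValueName not set (hotfix default: DPAPI keys are not roamed)" }
    return "$ValueName = $($item.$ValueName)"
}

function Get-DpapiMasterKeys {
    # Master key files are GUID-named, hidden, and stored per SID under the Protect folder from the report.
    $protect = Join-Path $env:APPDATA 'Microsoft\Protect'
    Get-ChildItem -Path $protect -Directory -Filter 'S-1-5-*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' } |
                Select-Object @{n='Sid';e={$_.Directory.Name}}, Name, LastWriteTime
        }
}

function Write-RoamCheckMarker {
    # Machine A: encrypt a constructed marker under the user's DPAPI master key (CurrentUser scope).
    $plain = [Text.Encoding]::UTF8.GetBytes("written on $env:COMPUTERNAME at $(Get-Date -Format o)")
    $blob  = [Security.Cryptography.ProtectedData]::Protect($plain, $null, 'CurrentUser')
    [IO.File]::WriteAllBytes($Marker, $blob)
    "marker written to $Marker"
}

function Test-RoamCheckMarker {
    # Machine B: decrypting succeeds only if the master key used on machine A is available here.
    if (-not (Test-Path $Marker)) { return "no marker at $Marker; run Write-RoamCheckMarker elsewhere first" }
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect(
            [IO.File]::ReadAllBytes($Marker), $null, 'CurrentUser')
        return "OK: master key roamed; marker says: $([Text.Encoding]::UTF8.GetString($plain))"
    } catch {
        return "FAIL: marker from another machine does not decrypt here, so Chrome passwords and cookies will not either ($($_.Exception.Message))"
    }
}

Get-RoamUnusedDpapiKeysSetting
Get-DpapiMasterKeys | Format-Table -AutoSize
Test-RoamCheckMarker
```

The marker records which computer wrote it, so a successful decrypt on the same machine that ran Write-RoamCheckMarker is not mistaken for working roaming.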