Meeting the InCommon Assurance profile criteria using Active Directory

[Brian Arkills <>]

Ah, I stuck some of those links in the original InCommon AD cookbook:

1. http://technet.microsoft.com/en-us/library/cc784130(WS.10).aspx
2. http://users.tkk.fi/u/autikkan/kerberos/AIWSC03_kerberos_replay_attacks.pdf

 

 

But it looks like the 2nd link I had included--which describes how one could execute a MITM replay against Kerberos--is now dead. A replacement link for that is at: http://csis.bits-pilani.ac.in/faculty/sundarb/courses/old/spr06/netsec/evals/project/projrefs/kerb/AIWSC03_kerberos_replay_attacks.pdf

 

The paper suggests several possible mitigations. And note that the 1st link is one of the usual suggested mitigations, which the paper says is insufficient to protect against these attacks.

 

RFC 4120 describes a Kerberos pre-auth framework which can be used to protect the initial session key exchange. Microsoft implements this in WS12: http://technet.microsoft.com/en-us/library/hh831747.aspx, and conveniently turning that support on is required for many of the WS12 features.

 

From: Brian Arkills
Sent: Sunday, March 24, 2013 7:28 PM
To:
Subject: RE: Questions for Microsoft?

 

 

 

From: [] On Behalf Of Capehart,Jeffrey D
Sent: Thursday, March 21, 2013 12:19 PM
To:
Subject: [AD-Assurance] Questions for Microsoft?

 

Is there a list of questions for Microsoft prepared yet?

 

Kerberos Authentication for Microsoft Active Directory

http://technet.microsoft.com/en-us/library/cc780469(v=ws.10).aspx

·         Kerberos Authenticator Prevents Packet Replay

[BA] Windows domain controller issued Kerberos tickets can be subjected to man-in-the-middle replay attacks, unless you've deployed WS12 domain controllers and turned on the FAST feature, sometimes also called Kerberos armoring. Somewhere I've got a link that explains how to exploit this. And it should be easy enough to find the RFC and MS documentation that talks about this mitigating new feature/extension.