ad-assurance - [AD-Assurance] Parking lot item: eduRoam passwords

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: Eric Goodman <>
  • Subject: [AD-Assurance] Parking lot item: eduRoam passwords
  • Date: Thu, 18 Apr 2013 01:04:44 +0000

When this subgroup was initially being discussed, I asked a question about eduRoam services vis-à-vis Silver certified AD services.

It’s my understanding that the MS-CHAP password is one of the lower-strength password hashes (NTLMv1/Unsalted MD4 IIRC). If so, then any eduRoam-authenticated account would inherently be non-Silver certifiable.

This isn’t entirely an AD issue (hence “Parking Lot Item”), as it would hold true for any account whose password is hashed for use in eduRoam. But it’s another one of those examples of “things that you may break by configuring to meet Silver”. I guess if we (or the parent AD Cookbook project) make a recommendation that could break the eduRoam model, I think it would be nice to at least notify and perhaps meet with the eduRoam folks to discuss first.

And as usual, please feel free to correct me if my assumptions about the underlying encryption are incorrect.

--- Eric



