
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] RE: Azure AD DirSync password sync


  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Azure AD DirSync password sync
  • Date: Tue, 4 Jun 2013 15:45:04 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport03.merit.edu; dkim=neutral (message not signed) header.i=none

I doubt this tells us much, but there’s a note up earlier in the doc stating:


“Active Directory Domain Services that are configured for FIPS are not compatible with the Password Sync feature.”


Again, not asserting this implies anything specific, but it may be worth adding to whatever mention we include.


--- Eric


From: [mailto:] On Behalf Of Brian Arkills
Sent: Tuesday, June 04, 2013 7:10 AM
To:
Subject: [AD-Assurance] Azure AD DirSync password sync


Yesterday, Microsoft released a new version of their DirSync tool. This new version supports password synchronization from your on-premise AD. This allows enterprises that don't want to use federated authentication nor manage two sets of passwords to have a single password for their users.


I think we've talked briefly about this possibility in the past, but my recollection is foggy. In any event, there's some detail at http://technet.microsoft.com/en-us/library/dn246918.aspx, where a key phrase is:


"When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services. Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer's on-premises environment."


I don't think we should include this scenario in the core portion of the revised cookbook document, but I do think we should mention it and note that those who choose to use this option should consider the implications.


-B
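The two practical points raised in this thread are that DirSync password sync transmits a digest of the AD password hash rather than anything reversible, and (per the note Eric quotes) that AD DS configured for FIPS is not compatible with the feature. The check below is an added example, not code from the thread, from Microsoft or from the DirSync tool: it reports the FIPS algorithm policy state on every domain controller so a site can see up front whether password sync is even an option. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; the registry location it reads is the one the "Use FIPS compliant algorithms" security policy writes, and the report column names are my own.

```powershell
# Added example: inventory the FIPS algorithm policy on each domain controller,
# because the DirSync documentation quoted in this thread says FIPS-configured
# AD DS is not compatible with Password Sync. Not part of DirSync or of the list
# discussion; assumes the ActiveDirectory module (RSAT) and WinRM to the DCs.

function Get-FipsPolicyState {
    # Returns $true when the local FIPS algorithm policy is enabled.
    # The 'Enabled' DWORD under this key is what the security option
    # "System cryptography: Use FIPS compliant algorithms ..." sets.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Enabled -eq 1)
}

function Get-DomainControllerFipsReport {
    param(
        # Defaults to the current user's domain; override for another domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $dcs = Get-ADDomainController -Filter * -Server $Domain

    foreach ($dc in $dcs) {
        try {
            # Run the local check remotely; ${function:Name} yields the scriptblock.
            $fips = Invoke-Command -ComputerName $dc.HostName `
                                   -ScriptBlock ${function:Get-FipsPolicyState} `
                                   -ErrorAction Stop
        } catch {
            # Unreachable DC or WinRM denied: report as unknown rather than "Yes".
            $fips = $null
        }

        if ($null -eq $fips)  { $supported = 'Unknown' }
        elseif ($fips)        { $supported = 'No' }      # FIPS on: password sync unsupported
        else                  { $supported = 'Yes' }

        [pscustomobject]@{
            DomainController      = $dc.HostName
            FipsEnabled           = $fips
            PasswordSyncSupported = $supported
        }
    }
}

# Usage: list every DC with its FIPS state and whether password sync is viable.
Get-DomainControllerFipsReport | Format-Table -AutoSize
```

Any DC that comes back as "Unknown" should be checked by hand before assuming it is clear; a single FIPS-enabled DC in the forest is enough to break the feature, so the report is only useful when every DC is reachable.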




