ad-assurance - Re: [AD-Assurance] RE: Azure AD DirSync password sync

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

Re: [AD-Assurance] RE: Azure AD DirSync password sync

  • From: David Walker <>
  • To:
  • Subject: Re: [AD-Assurance] RE: Azure AD DirSync password sync
  • Date: Tue, 04 Jun 2013 11:00:37 -0700
  • Authentication-results:; dkim=pass (signature verified)

Agreed that this is out of scope for us, other than to note that it's just yet another place that an institution needs to assess and mitigate risk.  Jeff's observation that,

While it may be true that “The digest of the password hash cannot be used to access resources in the customer's on-premises environment”, I think our concern was whether or not the digest could be used in offline cracking attacks (as a result of eavesdropping to capture the hash) in a manner that could be considered “practical”.

is exactly right.  The sentence Eric found about configuration for FIPS does lead one to believe that this will definitely be an issue if cracking the hash/encryption algorithms becomes practical.


On Tue, 2013-06-04 at 15:45 +0000, Eric Goodman wrote:
I doubt this tells us much, but there’s a note up earlier in the doc stating:


“Active Directory Domain Services that are configured for FIPS are not compatible with the Password Sync feature.”


Again, not asserting this implies anything specific, but it may be worth adding to whatever mention we include.


--- Eric


From: [mailto:] On Behalf Of Brian Arkills
Sent: Tuesday, June 04, 2013 7:10 AM
Subject: [AD-Assurance] Azure AD DirSync password sync


Yesterday, Microsoft released a new version of their DirSync tool. This new version supports password synchronization from your on-premise AD. This allows enterprises that don't want to use federated authentication nor manage two sets of passwords to have a single password for their users.


I think we've talked briefly about this possibility in the past, but my recollection is foggy. In any event, there's some detail at, where a key phrase is:


"When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services. Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer's on-premises environment."


I don't think we should include this scenario in the core portion of the revised cookbook document, but I do think we should mention it and note that those who choose to use this option should consider the implications.
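As an added illustration of the offline-cracking concern raised above (not code from the thread, and not Microsoft's actual DirSync scheme, which this page does not describe), the following constructed model contrasts two assumed ways of deriving a "digest of the password hash": one identical on every send, one salted and iterated. Everything here (the stand-in stored hash, the wordlist, the iteration count) is an assumption for illustration; the point is the assessment check, whether a captured digest can be matched from a table built in advance.

```python
import hashlib
import os
from typing import Callable, Iterable, Optional

# Constructed model of the thread's concern, NOT Microsoft's real scheme:
# an eavesdropper who captures the transmitted digest gets a "practical"
# offline attack only if the digest is cheap and identical for every
# transmission of the same password.

ITERATIONS = 100_000  # assumed work factor for the salted variant


def stored_hash(password: str) -> bytes:
    # Stand-in for AD's stored, unsalted password hash (the real NT hash is
    # MD4 over UTF-16LE; SHA-256 is used so the example runs everywhere).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def deterministic_digest(password: str) -> str:
    # Variant A: a plain hash of the stored hash, the same on every send.
    return hashlib.sha256(stored_hash(password)).hexdigest()


def salted_digest(password: str) -> str:
    # Variant B: fresh random salt per transmission plus an iterated KDF over
    # the stored hash; the salt would travel with the digest in practice.
    salt = os.urandom(16)
    return hashlib.pbkdf2_hmac("sha256", stored_hash(password), salt, ITERATIONS).hex()


def same_on_every_send(make_digest: Callable[[str], str], password: str) -> bool:
    # Assessment check: two independent sends yielding the same value means a
    # single captured digest can be matched against a table built in advance.
    return make_digest(password) == make_digest(password)


def matched_by_precomputed_table(captured: str, make_digest: Callable[[str], str],
                                 wordlist: Iterable[str]) -> Optional[str]:
    # Models the offline attack: a table built once from a candidate list is
    # compared with the captured value; no per-capture work is spent.
    table = {make_digest(w): w for w in wordlist}
    return table.get(captured)


WORDLIST = ["Winter2013", "Password1", "letmein", "correct horse"]  # constructed


def demo(target: str = "Password1"):
    captured_a = deterministic_digest(target)
    captured_b = salted_digest(target)
    return (same_on_every_send(deterministic_digest, target),   # True
            same_on_every_send(salted_digest, target),          # False
            matched_by_precomputed_table(captured_a, deterministic_digest, WORDLIST),  # "Password1"
            matched_by_precomputed_table(captured_b, salted_digest, WORDLIST))         # None
```

Variant B still leaves per-capture guessing possible at the cost of ITERATIONS per candidate, which is exactly the "practical or not" question the thread raises.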
