ad-assurance - [AD-Assurance] Cookbook items - RC4-HMAC and Kerberos
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: [AD-Assurance] Cookbook items - RC4-HMAC and Kerberos
- Date: Mon, 17 Jun 2013 19:02:55 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport05.merit.edu; dkim=neutral (message not signed) header.i=none
Some of the recommendations in the revised cookbook are for configuring to meet, and some require an alternative means proposal. We have been looking at the stored authentication secrets as not meeting the criteria because there is no variable salting and approved algorithms are not used. Although I don't think it would be possible to eliminate the NTLM "hash" from Active Directory, the Kerberos V5 side of AD:DS seems capable of meeting the requirements. The Kerberos encryption types can be configured for AES, but the problem comes in when the RC4-HMAC (or ARCFOUR-HMAC) encryption type is used. I don't really know if it can be safely removed or if that would break something. See the note at the bottom for an example.

There had been some discussion about doing a Kerberos section that could apply perhaps to both MIT Kerberos V5 and AD:DS Kerberos V5 for both Encrypting Passwords at Rest (4.2.3.4 etc.) and Securing Authentication Traffic (4.2.3.6 etc.). According to the V5 protocol, each key is variable salted, and encryption types can be controlled to restrict them to only approved algorithms. This would meet the stored authentication secrets requirement without requiring encrypting the hard drive with BitLocker. For securing the authentication traffic, with sufficiently high entropy (at the Silver level) the Kerberos protocol may be resistant to the eavesdropping and replay attacks. However, the cookbook says that Kerberos armoring is needed.

As a side note, I am not sure AD:DS even complies with InCommon Bronze because 4.2.3.4 is applicable for Bronze AND Silver. However, we don't mention anything about Bronze in the cookbook.

- Jeff

Note: Vista and Windows Server 2008 clients are unable to access cluster names with AES-encrypted Kerberos tickets
http://support.microsoft.com/kb/961302
- Windows Vista introduced support for AES-encrypted Kerberos tickets, 128-bit and 256-bit
- AES encryption cannot be used for Kerberos negotiation with cluster names; only up to RC4-HMAC is supported.

Jeff Capehart, CISA
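The two technical claims in Jeff's message, that Kerberos V5 keys are variable salted and that RC4-HMAC can be restricted per account, can both be checked with a small script. The following is an added example written for this archive page; it is not code from the AD-Assurance cookbook or from the list. It assumes the documented bit values of the Active Directory attribute msDS-SupportedEncryptionTypes (DES-CBC-CRC 0x01, DES-CBC-MD5 0x02, RC4-HMAC 0x04, AES128 0x08, AES256 0x10), the RFC 4120 default salt form for user principals (uppercase realm followed by the principal name), and the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key function; the account table is constructed sample data, not a real directory export, and the hypothetical function names are my own.

```python
"""Kerberos enctype audit helpers (added example, not from the AD-Assurance list)."""
import hashlib

# Bit values of the AD attribute msDS-SupportedEncryptionTypes (documented in MS-KILE).
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
# The only enctypes the cookbook discussion treats as approved algorithms.
APPROVED = {"AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"}


def decode_enctypes(mask):
    """Return the enctype names enabled in an msDS-SupportedEncryptionTypes bitmask."""
    if not mask:           # attribute absent or 0: the KDC applies its own default
        return []
    return [name for bit, name in ENCTYPE_BITS.items() if mask & bit]


def audit_account(name, mask):
    """Classify one account for the question 'can RC4-HMAC be removed safely?'"""
    enabled = decode_enctypes(mask)
    return {
        "account": name,
        "enabled": enabled,
        "rc4_or_des_allowed": any(e not in APPROVED for e in enabled),
        "aes_available": any(e in APPROVED for e in enabled),
        # Absent/0 means the KDC default applies (historically RC4-HMAC), so it
        # cannot be judged from the attribute alone and must be reviewed by hand.
        "uses_kdc_defaults": not mask,
    }


def rc4_removal_report(accounts):
    """Return (would_break, needs_review): accounts with no AES type enabled would
    stop authenticating if RC4-HMAC were disabled; accounts on KDC defaults need a
    manual check."""
    breaks, review = [], []
    for name, mask in accounts.items():
        a = audit_account(name, mask)
        if a["uses_kdc_defaults"]:
            review.append(name)
        elif a["rc4_or_des_allowed"] and not a["aes_available"]:
            breaks.append(name)
    return sorted(breaks), sorted(review)


def aes_salt(realm, principal):
    """Default Kerberos salt (RFC 4120 section 4): uppercase realm followed by the
    principal name components with no separators. AD computer accounts use a
    different form, which this example does not cover."""
    return realm.upper() + "".join(principal.split("/"))


def aes_pbkdf2_stage(password, realm, principal, iterations=4096):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES256 string-to-key. The real key is
    obtained by a further DK(tmpkey, "kerberos") step, omitted here; the point of
    this stage is that the per-principal salt makes equal passwords yield
    different keys, which RC4-HMAC (an unsalted hash of the password) does not."""
    salt = aes_salt(realm, principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


# Constructed sample of msDS-SupportedEncryptionTypes values, not real directory data.
SAMPLE_ACCOUNTS = {
    "svc-cluster": 0x04,    # RC4 only: the cluster-name case in the KB article
    "svc-web": 0x1C,        # RC4 + AES128 + AES256
    "svc-hardened": 0x18,   # AES only
    "jdoe": None,           # attribute not set on the account
}

if __name__ == "__main__":
    breaks, review = rc4_removal_report(SAMPLE_ACCOUNTS)
    print("would break without RC4:", breaks)
    print("relying on KDC defaults:", review)
    k1 = aes_pbkdf2_stage("correct horse", "example.edu", "jdoe")
    k2 = aes_pbkdf2_stage("correct horse", "example.edu", "jsmith")
    print("same password, different principals, keys differ:", k1 != k2)
```

In practice the masks would come from an LDAP or PowerShell query of the attribute rather than the table above; the report separates accounts that would actually break (no AES type at all, as with the cluster name in the KB article) from accounts whose effective enctype set depends on the KDC default and needs to be confirmed before RC4-HMAC is switched off.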
- [AD-Assurance] Cookbook items - RC4-HMAC and Kerberos, Capehart,Jeffrey D, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Eric Goodman, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Capehart,Jeffrey D, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Eric Goodman, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Capehart,Jeffrey D, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Eric Goodman, 06/17/2013