Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] Cookbook items - RC4-HMAC and Kerberos

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] Cookbook items - RC4-HMAC and Kerberos

Chronological Thread 
  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] Cookbook items - RC4-HMAC and Kerberos
  • Date: Mon, 17 Jun 2013 19:02:55 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

Some of the recommendations in the revised cookbook are for configuring to meet, and some require an alternative means proposal.


We have been looking at the stored authentication secrets as not meeting the criteria because of no variable salting and not using approved algorithms.


Although I don’t think it would be possible to eliminate the NTLM “hash” from Active Directory, the Kerberos V5 side of AD:DS seems capable of meeting the requirements.  The Kerberos encryption types can be configured for AES, but the problem comes in when the RC4-HMAC (or ARCFOUR-HMAC) encryption type is used.  I don’t really know if it can be safely removed or if that would break something. See note at bottom for an example.


There had been some discussion about doing a Kerberos section that could apply perhaps to both MIT-Kerberos V5 and AD:DS Kerberos V5 for both Encrypting Passwords at Rest ( etc.) and Securing Authentication Traffic ( etc).  According to the V5 protocol, each key is variable salted, and encryption types can be controlled to restrict them to only approved algorithms.  This would meet the stored authentication secrets requirement without requiring encrypting the hard drive with Bitlocker.  For securing the authentication traffic, with sufficiently high entropy (at the Silver level) the Kerberos protocol may be resistant to the eavesdropping and replay attacks.  However, the cookbook says that Kerberos armoring is needed.


As a side note, I am not sure AD:DS even complies with InCommon Bronze because is applicable for Bronze AND Silver.  However, we don’t mention anything about Bronze in the cookbook.

- Jeff


Vista and Windows Server 2008 clients are unable to access cluster names with AES-encrypted Kerberos tickets

·         Windows Vista introduced support for AES-encrypted Kerberos tickets, 128-bit and 256-bit

·         AES encryption cannot be used for Kerberos negotiation with cluster names; only up to RC4-HMAC is supported.




Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882


Archive powered by MHonArc 2.6.16.

Top of Page