List: ad-assurance (Meeting the InCommon Assurance profile criteria using Active Directory)

Re: [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion

  • From: David Walker
  • Subject: Re: [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion
  • Date: Fri, 21 Jun 2013 11:40:34 -0700
  • Authentication-results: dkim=pass (signature verified)

Interesting comment about Azure Active Directory.  Ignoring what utility it may have for non-Windows platforms, I think many institutions will move in that direction.

There have been points in our discussion where we touched on AAD and decided that using it would be no different from outsourcing to any other third-party solution, so we put it out of scope.  I wonder, though, if it would be worth offering to help Microsoft make AAD into something that could be readily used by an IdPO for Silver certification?  It wouldn't surprise me at all if use of AAD right now would preclude Silver certification (for avoidable reasons).

Ann, what do you think?  Do we know if Net+ is having discussions with them?  That would provide leverage.


On Fri, 2013-06-21 at 18:17 +0000, Brian Arkills wrote:
Sorry I missed today's call--sounds like it was really interesting. :)

A couple things:


On the Microsoft front, I saw an email today from Dean Wells, which suggests to me that he's back from leave and we could re-engage with him.


With regard to David's note, I saw a tweet yesterday about a presentation for a step-by-step on how to get rid of AD-DS and convert it entirely to the cloud-based Azure Active Directory. I don't know what that presentation said about the difference in functionality, but it's on my list to read at some point. While at the TechEd presentation for the AAD Graph API, there were several audience members who had questions about features for entirely cloud-based enterprises. So I think there is already a small but growing contingent of folks moving away from AD-DS. But there are a lot of applications whose lowest-common-denominator integration for identity is Active Directory. And that's because it's so ubiquitous. We have a couple dozen of them integrating with our AD. So I don't foresee a sudden shift, but rather a slow decline with a hybrid future until you finally ditch the on-premises AD-DS.


Finally, I want to thank Ron again for previously sharing that PowerShell script for NTLMv1 log scraping. We're planning on putting it to good use here as we try to make a reasoned case for turning off NTLMv1.


From: David Walker
Sent: Friday, June 21, 2013 11:01 AM
Subject: Re: [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion


As long as we're waxing philosophic, I wonder how long it'll be before enterprises realize that they have diminishing reason for putting a PC on everyone's desk (and, therefore, for running AD).  Enterprise services are increasingly available on the web for BYOD mobile platforms.  At some point, people will use enterprise-provided PCs for not much more than legacy Windows applications (which probably won't include Exchange or maybe even Office).  At that point, those legacy applications will start looking pretty expensive.

(Yes, yes.  I know there are significant risks to BYOD, but I think we're doing it anyway.  And AD can be used to manage non-Windows platforms, but its utility for that drops off.)


On Fri, 2013-06-21 at 17:33 +0000, Rank, Mark wrote:

"This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CP/M instead of MS-DOS back in the day."

I often wonder what would have happened if Ken Olsen had hired a few more marketing and product strategy folks for DEC instead of all the engineers... ;)



Mark Rank
Project Manager - Identity & Access Mgt

UCSF Information Technology Services (ITS)



From: Ron Thielen
Sent: Friday, June 21, 2013 10:13 AM
Subject: [AD-Assurance] Sorry for the NTLMv1/v2 confusion


I apologize for nearly derailing the conversation.  While I still maintain that hash stealing attacks against NTLMv2 are irrelevant to Silver assertion if you can't use the hash to authenticate to a service that compromises the actual password (e.g. as long as Shib isn't using Windows authentication), the piece I confused was that NTLMv1 does actually pass the password.  So, a brute force attack on v1 does get you the actual password, not just a hash collision.


This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CP/M instead of MS-DOS back in the day.  :-)
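The kind of log scrape Brian refers to above, as an added example written for this archive page; it is not Ron Thielen's script, which is not reproduced on the list. It reads Security event 4624 (successful logon) and keeps the logons whose NTLM response was version 1, then groups them by the workstation and address they came from, which is the inventory an admin needs before raising LmCompatibilityLevel. The event field names and their values (AuthenticationPackageName of NTLM, LmPackageName of "NTLM V1", "NTLM V2" or "-") are what Windows writes into 4624; the script name, the sample accounts, hosts and addresses are constructed for the example.

```powershell
<#
 Find-NtlmV1Logons.ps1  (example script written for this page, not Ron's)
 Lists Security 4624 logons that used an NTLMv1 response and groups them by
 origin. Assumes (not stated in the thread) that success auditing for Logon
 is enabled on the host so 4624 carries the "Package Name (NTLM only)" field,
 and that the caller can read the Security log (local Administrators).
 Run:  .\Find-NtlmV1Logons.ps1            # uses the constructed sample events
       .\Find-NtlmV1Logons.ps1 -Live      # reads the local Security log
#>
[CmdletBinding()]
param(
    [switch]$Live,            # read the live Security log instead of samples
    [int]$MaxEvents = 20000   # upper bound on events pulled from the live log
)

function ConvertFrom-LogonEvent {
    # Flatten the <Data Name="..."> elements of a 4624 event into one object
    # with the fields that matter for an NTLM inventory.
    param([Parameter(Mandatory)][xml]$EventXml)

    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }

    [pscustomobject]@{
        Time        = $EventXml.Event.System.TimeCreated.SystemTime
        Account     = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        LogonType   = $fields['LogonType']                  # 3 = network, 10 = RDP
        AuthPackage = $fields['AuthenticationPackageName']  # NTLM / Kerberos / Negotiate
        LmPackage   = $fields['LmPackageName']              # NTLM V1 / NTLM V2 / LM / -
        Workstation = $fields['WorkstationName']
        SourceIp    = $fields['IpAddress']
    }
}

function Get-NtlmV1Logons {
    # Keep only logons where the package was NTLM and the v1 response was used.
    # Service accounts are kept on purpose: an old appliance or middleware box
    # is the usual thing that has to be fixed before NTLMv1 is turned off.
    param([Parameter(Mandatory)][xml[]]$Events)

    $Events | ForEach-Object { ConvertFrom-LogonEvent -EventXml $_ } |
        Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LmPackage -eq 'NTLM V1' }
}

# Constructed sample events, trimmed to the Data fields this script reads:
# two NTLMv1 logons (an XP-era workstation and a scanner appliance using a
# service account), one NTLMv2 logon, one Kerberos logon.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2013-06-21T17:13:05.000Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CAMPUS</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">LAB-XP-07</Data><Data Name="LmPackageName">NTLM V1</Data><Data Name="IpAddress">10.20.30.40</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2013-06-21T17:14:41.000Z"/></System><EventData><Data Name="TargetUserName">svc-scanner</Data><Data Name="TargetDomainName">CAMPUS</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">MFP-LIB-2</Data><Data Name="LmPackageName">NTLM V1</Data><Data Name="IpAddress">10.20.31.9</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2013-06-21T17:15:02.000Z"/></System><EventData><Data Name="TargetUserName">asmith</Data><Data Name="TargetDomainName">CAMPUS</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WIN7-LAPTOP-12</Data><Data Name="LmPackageName">NTLM V2</Data><Data Name="IpAddress">10.20.30.77</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2013-06-21T17:15:30.000Z"/></System><EventData><Data Name="TargetUserName">bjones</Data><Data Name="TargetDomainName">CAMPUS</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="WorkstationName">-</Data><Data Name="LmPackageName">-</Data><Data Name="IpAddress">10.20.30.81</Data></EventData></Event>
'@
)

$eventXml = if ($Live) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object { [xml]$_.ToXml() }
} else {
    $SampleEvents | ForEach-Object { [xml]$_ }
}

$hits = @(Get-NtlmV1Logons -Events $eventXml)

"NTLMv1 logons found: $($hits.Count)"
$hits | Format-Table Time, Account, LogonType, Workstation, SourceIp -AutoSize

# Where the v1 responses come from: the hosts to remediate (or to argue about)
# before LmCompatibilityLevel is raised to 5 on the domain controllers.
"NTLMv1 logons by origin:"
$hits | Group-Object Workstation, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On the sample data it reports two NTLMv1 logons (jdoe from LAB-XP-07 and svc-scanner from MFP-LIB-2) and ignores the NTLMv2 and Kerberos ones. Note that 4624 only records logons to the host whose Security log you read, so a domain-wide case for turning off NTLMv1 means collecting from the domain controllers and the file and application servers, not just one box; once the list is empty for a sustained period, refusing NTLMv1 at the DCs (LmCompatibilityLevel 5: refuse LM and NTLM) is the setting that actually turns it off.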



