
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] 2 bits of relevant info


  • From: Brian Arkills <>
  • To: "" <>
  • Subject: [AD-Assurance] 2 bits of relevant info
  • Date: Wed, 31 Jul 2013 15:46:15 +0000
  • Accept-language: en-US

I've come across a couple of pieces of info in the past couple of days, and I don't recall that we've seen them previously.

First piece of info:

ADMT, a free domain migration utility provided by Microsoft, requires that you enable an "NT4Crypto" setting on your Domain Controllers for it to work correctly. That setting corresponds to the group policy setting at:

Administrative Templates/System/Net Logon/Allow cryptography algorithms compatible with Windows NT 4.0

We've been running with this setting ourselves because we still have over a hundred Windows domains on campus, which we'd like to see collapsed into our central AD via an ADMT migration service we provide.

Apparently, the details about ADMT's need for this DC configuration are more subtle than documented anywhere. The need for this configuration is apparently limited to an "untrusted" domain join operation that is only performed by the ADMT agent on Windows Vista RTM (SP1 and newer not included) or earlier versions of Windows workstation OSes, or on Windows Server 2003 R2 or earlier versions of Windows Server OSes. And there is a patch which fixes XP and Windows Server 2003 computers with regard to their need for this setting. http://support.microsoft.com/kb/944043 is that patch, although the article doesn't mention anything that might reveal this.

We'll be removing this setting in our domain and telling anyone who needs to migrate these older OSes that they first need to apply the patch.

This information comes from a Microsoft Premier Field Engineer we had on site for 6 days.

Second piece of info:

We're days away from turning off NTLMv1 in our central AD.

One of our highly savvy customers passed this along to me: http://support.microsoft.com/kb/2811487.

It describes how to force MS-CHAPv2 to use NTLMv2 if you are using a Microsoft implementation.

-B
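Editor's note: the following is an added example, not part of Brian's message or of any Microsoft tool. It audits a domain controller for the two settings the message touches on (the "Allow cryptography algorithms compatible with Windows NT 4.0" policy, which is backed by the AllowNT4Crypto value under the Netlogon Parameters key, and the LAN Manager authentication level backed by LmCompatibilityLevel) and then counts recent NTLMv1 logons from the Security log, which is the check you want to run before turning NTLMv1 off. It assumes Security log auditing of event 4624 is enabled on the DC and that the script runs elevated on the DC itself; the 24-hour window and the output field names are choices made for this example.

```powershell
# Added example (not from the original post). Run elevated on a domain controller.
# Assumptions: 4624 logon auditing is enabled; registry value names are the standard
# ones behind the two Group Policy settings named below.

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy: "Allow cryptography algorithms compatible with Windows NT 4.0" (1 = allowed).
$nt4 = (Get-ItemProperty -Path $netlogon -Name AllowNT4Crypto -ErrorAction SilentlyContinue).AllowNT4Crypto
# Policy: "Network security: LAN Manager authentication level" (5 = send NTLMv2 only, refuse LM and NTLM).
$lm  = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

[pscustomobject]@{
    AllowNT4Crypto       = if ($null -eq $nt4) { 'not set (NT4-compatible crypto disallowed)' } else { $nt4 }
    LmCompatibilityLevel = if ($null -eq $lm)  { 'not set (OS default)' } else { $lm }
} | Format-List

# Count NTLMv1 logons in the last 24 hours, grouped by workstation and account.
# In the 4624 event data, LmPackageName is "NTLM V1" for NTLMv1 and "NTLM V2" for NTLMv2;
# Kerberos logons carry "-" there, so they are skipped by the comparison.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        if ($data['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Workstation = $data['WorkstationName']
                Account     = $data['TargetUserName']
                SourceIP    = $data['IpAddress']
            }
        }
    } |
    Group-Object Workstation, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The grouped list is the set of hosts and accounts that would break when LmCompatibilityLevel moves to 5 (or when NTLMv1 is otherwise refused); each one needs either the KB2811487-style client fix the message mentions or a patched/upgraded OS before the change. Clearing the NT4Crypto setting should be done by setting the Group Policy to Disabled or Not Configured rather than editing AllowNT4Crypto by hand, since a still-applied policy will write the value back on the next refresh.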



