Meeting the InCommon Assurance profile criteria using Active Directory

["Capehart,Jeffrey D" <>]

If anyone hasn’t read the alternative means proposal for Windows AD using NTLMv2 and RC4-HMAC, go check it out, but be sure to login to http://spaces.internet2.edu/ first.

 

Alternative Means for the Use of NTLMv2 and Kerberos with RC4-HMAC

https://spaces.internet2.edu/x/soB2Ag

 

An overall theme for the alternative means could probably be something like “Prefer Kerberos where possible; deploy NTLMv2 as the minimum authentication method.”

 

Here’s something recent that came out last week that may speak towards Microsoft updates to Windows, protocols, authentication, etc.

 

http://www.computerworld.com/s/article/9241622/Microsoft_moves_to_block_MD5_certificates_and_improve_RDP_authentication?taxonomyId=17

Microsoft moves to block MD5 certificates and improve RDP authentication

Windows optional security updates restrict use of MD5-based certificates and improve Remote Desktop Protocol network-level authentication

 

 

Also, it might be worth taking a look at this book or others similar for NTLM, syskey, and other details:

 

Mechanics of User Identification and Authentication:

Fundamentals of Identity Management (Google eBook, 2010)

http://books.google.com/books?id=eIPA4v0u05EC

 

 

Jeff C.

 

From: [mailto:] On Behalf Of Ann West
Sent: Thursday, August 22, 2013 2:07 PM
To:
Subject: [AD-Assurance] AD Assurance Call Tomorrow

 

Hi All,

 

Just catching up with folks on your schedule for tomorrow's call.

 

We haven't heard anything from MS yet other than they are working on our questions. Given that, would it still be helpful for us to regroup, review the cookbook and decide if there are areas where we can insert placeholders (if needed) and then develop a timeline for community review? Is there other progress we can make in the short term while MS is developing a response?

 

Many thanks,

Ann