ad-assurance - [AD-Assurance] RE: AD Assurance Call Tomorrow

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: AD Assurance Call Tomorrow
  • Date: Thu, 22 Aug 2013 19:44:30 +0000
  • Accept-language: en-US

If anyone hasn’t read the alternative means proposal for Windows AD using NTLMv2 and RC4-HMAC, go check it out, but be sure to log in to http://spaces.internet2.edu/ first.

 

Alternative Means for the Use of NTLMv2 and Kerberos with RC4-HMAC

https://spaces.internet2.edu/x/soB2Ag

 

An overall theme for the alternative means could probably be something like “Prefer Kerberos where possible; deploy NTLMv2 as the minimum authentication method.”

 

Here’s something recent that came out last week that may speak towards Microsoft updates to Windows, protocols, authentication, etc.

 

http://www.computerworld.com/s/article/9241622/Microsoft_moves_to_block_MD5_certificates_and_improve_RDP_authentication?taxonomyId=17

Microsoft moves to block MD5 certificates and improve RDP authentication

Windows optional security updates restrict use of MD5-based certificates and improve Remote Desktop Protocol network-level authentication

 

 

Also, it might be worth taking a look at this book or others similar for NTLM, syskey, and other details:

 

Mechanics of User Identification and Authentication: Fundamentals of Identity Management (Google eBook, 2010)

http://books.google.com/books?id=eIPA4v0u05EC

 

 

Jeff C.

 

From: [mailto:] On Behalf Of Ann West
Sent: Thursday, August 22, 2013 2:07 PM
To:
Subject: [AD-Assurance] AD Assurance Call Tomorrow

 

Hi All,

 

Just catching up with folks on your schedule for tomorrow's call.

 

We haven't heard anything from MS yet other than they are working on our questions. Given that, would it still be helpful for us to regroup, review the cookbook and decide if there are areas where we can insert placeholders (if needed) and then develop a timeline for community review? Is there other progress we can make in the short term while MS is developing a response?

 

Many thanks,

Ann



