
ad-assurance - RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call
  • Date: Fri, 27 Sep 2013 17:42:25 +0000
  • Accept-language: en-US

Some info for Eric:


4.3.2. Section requirements


We recommend disabling all domain support of the LM and NTLMv1 protocols -- or at least disable them for InCommon Silver accounts (clarify; is this possible by user-specific policies?), as the security of these protocols has been shown to be weak enough for use to constitute being an unacceptable risk in most usage scenarios. instructions?


I think you can create group policies and apply them to the user’s machine.  But, it may be easier to apply it to everyone in the domain.  Also it may be best to apply policies to both the server and the client workstations.


Network security: LDAP client signing requirements


Network security: LAN Manager authentication level


Instructions were in original cookbook.



4.2.1 Section requirements


For Windows Server 2008 and later, AES is used for Kerberos encryption if properly configured. (We need to add how to make this configuration)


Network security: Configure encryption types allowed for Kerberos


The encryption type options include:






• Future encryption types


As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented.


From: [mailto:] On Behalf Of David Walker
Sent: Friday, September 27, 2013 1:26 PM
To: InCommon AD Assurance Group
Subject: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call



Quick notes from today's call are on the wiki: .

Ann, I hope you're OK with not being able to forward until Monday afternoon your time.  Scream if you need this sooner.
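
The three policies named in the reply above can be audited on a given server or workstation with a short script. This is an added example, not part of the original thread or the cookbook. The function names are hypothetical, and the registry locations and bit values are the standard ones backing these policies, stated here as assumptions because the thread does not give them.

```powershell
# Added example: function names are hypothetical; registry locations are the
# standard backing values for these policies, not taken from the thread.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value has never been set on this machine.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Bit flags used by "Configure encryption types allowed for Kerberos".
$EncTypes = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}
$WeakMask = 0x1 -bor 0x2 -bor 0x4   # DES and RC4

function ConvertFrom-KerberosEncMask {
    param([int]$Mask)
    # Expand the bitmask into the names of the enabled encryption types.
    $EncTypes.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

$lm   = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
$ldap = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' 'LDAPClientIntegrity'
$krb  = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' 'SupportedEncryptionTypes'

$lmFinding = if ($null -eq $lm) { 'not configured, OS default applies' } `
    elseif ($lm -ge 5) { 'sends NTLMv2 only; DC refuses LM and NTLMv1' } `
    elseif ($lm -ge 3) { 'sends NTLMv2 only; DC still accepts NTLMv1' } `
    else { 'LM or NTLMv1 responses may be sent' }

$ldapFinding = if ($null -eq $ldap) { 'not configured, OS default applies' } `
    elseif ($ldap -ge 2) { 'signing required' } `
    elseif ($ldap -eq 1) { 'signing negotiated, not required' } `
    else { 'no signing' }

$krbFinding = if ($null -eq $krb) { 'not configured, OS default applies' } `
    elseif ($krb -band $WeakMask) { 'DES or RC4 allowed: ' + ((ConvertFrom-KerberosEncMask $krb) -join ', ') } `
    else { 'no DES or RC4: ' + ((ConvertFrom-KerberosEncMask $krb) -join ', ') }

@(
    [pscustomobject]@{ Policy = 'LAN Manager authentication level'; Value = $lm; Finding = $lmFinding }
    [pscustomobject]@{ Policy = 'LDAP client signing requirements'; Value = $ldap; Finding = $ldapFinding }
    [pscustomobject]@{ Policy = 'Encryption types allowed for Kerberos'; Value = $krb; Finding = $krbFinding }
) | Format-Table -AutoSize -Wrap
```

The script only reads the local machine's values, so it should be run on both domain controllers and client workstations, as the reply suggests applying the policies to both.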

