
Subject: Meeting the InCommon Assurance profile criteria using Active Directory

[AD-Assurance] More responses to Joe S's comments

  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [AD-Assurance] More responses to Joe S's comments
  • Date: Fri, 4 Oct 2013 22:49:35 +0000
  • Accept-language: en-US

Responding to a different point in his comments

>-- 7.4
> Practical attacks against NTLMv2 exist. Example:
>ned -in-60-seconds-from-network-guest-to-windows-domain-admin
> Repeats the unacceptable "temporarily compromised" language.
> (yes, Zack is in the running for one of the top 10 most annoying
> presenters of all time, but still)

After watching the presentation, I think this is another "scoping" issue. Joe
is assuming we're making global statements about NTLMv2 and security, not
ones that are scoped to "for purposes of compliance".

There's nothing in the irongeek presentation that contradicts what we've
said. Our assertions are basically:

1) NTLMv2 can't be used to authenticate to the IdP
2) it is impractical to deduce a user's password by intercepting NTLMv2

Therefore, NTLMv2 use is not in violation of the Silver IAP (assuming NTLM
cannot be used to authenticate to the IdP).

The presentation above is about performing MITM attacks to gain access to AD
DS resources (NOT the IdP and NOT the user's password). Quoting ourselves:

"Even though such intercepted credentials may be used to gain access to,
e.g., file shares in the AD Domain, this does not allow the IdP
authentication process to be compromised."

I'll note that the presentation did have an offhand comment that Windows LDAP
allows for NTLM authentication; I wasn't able to infer the "how" from
watching, but it did cause an eyebrow raise on my part.

--- Eric
