
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] FW: [aac] AD Assurance Cookbook: Interpretation Sections: Response from AD DS Alternate Means workgroup


  • From: Ann West <>
  • To: "" <>
  • Subject: [AD-Assurance] FW: [aac] AD Assurance Cookbook: Interpretation Sections: Response from AD DS Alternate Means workgroup
  • Date: Fri, 8 Nov 2013 16:24:54 +0000
  • Accept-language: en-US

Hello,


After the AAC meeting with us last Friday, there was a side thread about
the applicability of the cookbook to the majority of schools and whether
it focused the recommendations too tightly to get around developing AMs.

Mary asked one of her staff to review the cookbook in this light and, in
particular, how Va Tech could use it. Below is her response.

Ann

On 11/8/13 9:23 AM, "Dunker, Mary" <> wrote:

>Ann, Tom, & Scott,
>
>I spoke with Marc DeBonis, who manages our Microsoft: Secure
>Infrastructure Services group. Marc thought it would be possible for an
>IdP like Virginia Tech to implement the configuration recommended in the
>AD cookbook. However, he noted that a more typical Windows implementation
>for an IdP would be to use ADFS with Kerberos or NTLMv2 for Integrated
>Windows Authentication.
>
>To meet IAP Section 4.2.3.6.2 requirements, Marc thought the only viable
>option for us would be to use "Encryption on the wire via IPSec" to force
>LDAP to use a secured channel. He thought it would be possible, using CAS
>as the login handler, to build an encrypted IPsec tunnel and use
>certificates for the connection between CAS and the AD on port 389 LDAP.
>If we made that IPsec tunnel required for all clients that connect to 389
>LDAP then certainly anything that can't verify the certificate chain (or
>do IPsec) will fail.
>
>Marc and I both noticed the use of "MIT Kerberos" and unqualified
>"Kerberos" throughout the document. We assume when Kerberos is
>unqualified, the references are to Windows Kerberos, but it might help to
>make that clear.
>
>As I said earlier, Virginia Tech has no plans to implement an IdP using
>our Active Directory credentials.
>
>I hope this helps. I'm copying Marc in case you need clarification.
>
>Best,
>Mary
>
>
>-----------------------------------------------------------------
>Mary Dunker
>Director, Secure Enterprise Technology Initiatives
>Virginia Tech Information Technology
>1700 Pratt Drive
>Blacksburg, VA 24060
>540-231-9327
>
>
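Mary's note describes requiring an IPsec tunnel, authenticated with certificates, for every client that talks LDAP on port 389, so that anything unable to verify the certificate chain or do IPsec is refused. The following is an added example of what that policy looks like on a Windows domain controller using the built-in NetSecurity cmdlets; it is not code from the thread, from Virginia Tech, or from the AD cookbook. It assumes machine certificates are issued under a root CA whose subject is the placeholder "CN=Example Enterprise Root CA", that the rule is created locally in an elevated session (in practice the same settings would be pushed by Group Policy), and that the LDAP server is the local machine.

```powershell
# Added example: require certificate-authenticated, encrypted IPsec for all TCP/389 (LDAP)
# connections to this server. Clients that cannot present a certificate chaining to the
# assumed root CA, or cannot negotiate IPsec at all, fail to connect.
# Assumption: "CN=Example Enterprise Root CA" is a placeholder for the real enterprise root.

$RootCA = "CN=Example Enterprise Root CA"   # placeholder, replace with your CA's subject

# Phase 1 (main mode) authentication: machine certificate chaining to the root CA above.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCA -AuthorityType Root
$p1AuthSet  = New-NetIPsecPhase1AuthSet -DisplayName "LDAP 389 - machine certificate auth" `
                                         -Proposal $p1Proposal

# Quick mode crypto: ESP with encryption, so LDAP traffic is encrypted on the wire,
# not merely integrity-protected.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "LDAP 389 - ESP AES256" -Proposal $qmProposal

# Connection security rule: IPsec is required (not merely requested) in both directions
# for TCP/389, using the certificate auth set and the encrypting quick mode set.
New-NetIPsecRule -DisplayName "Require IPsec for LDAP 389" `
    -InboundSecurity Require -OutboundSecurity Require `
    -Protocol TCP -LocalPort 389 `
    -Phase1AuthSet $p1AuthSet.Name `
    -QuickModeCryptoSet $qmSet.Name `
    -Enabled True

# Firewall rule: inbound 389 is allowed only when the connection is IPsec-authenticated
# and encrypted; unprotected cleartext LDAP to 389 is dropped by the firewall.
New-NetFirewallRule -DisplayName "Allow LDAP 389 (IPsec-protected only)" `
    -Direction Inbound -Protocol TCP -LocalPort 389 `
    -Action Allow -Authentication Required -Encryption Required

# Checks an administrator would run afterwards:
#   - the rule exists and is enabled
Get-NetIPsecRule -DisplayName "Require IPsec for LDAP 389" |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity
#   - after a client such as the CAS login handler binds, a quick mode SA should exist for it
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, EncapsulationMode
```

Two design points worth noting. First, "Require" on both the inbound and outbound side is what makes the policy a gate rather than an optimisation: a "Request" setting would silently fall back to cleartext for clients that do not support IPsec, which is exactly the failure mode the thread wants to rule out. Second, the certificate-based phase 1 set is what ties the policy to the IdP's own PKI; without it the default authentication set is used, which on a domain member is Kerberos and would not be the certificate check Marc describes.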




Archive powered by MHonArc 2.6.16.