ad-assurance - [AD-Assurance] RE: appendix A, NTLMv1, and MacOS VPN client
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Thomas Kovarik <>
- Subject: [AD-Assurance] RE: appendix A, NTLMv1, and MacOS VPN client
- Date: Fri, 15 Aug 2014 17:20:27 +0000
Wow, Brian. Nice achievement. Will that talk be recorded? I won’t be there in October, but I’d love to benefit from your long, uphill slog…

Tom Kovarik
(301) 405-1025

From: [mailto:] On Behalf Of Brian Arkills

Hi folks,

Earlier this week, the UW successfully turned off NTLMv1 on our central AD’s domain controllers. It’s been quite a ride getting to that milestone, and I plan to present something on that at the Windows HiEd conference in October. If folks here want something more on that, I’ll see what I can do. :)

I’m writing today about two follow-up items that I think relate to our work on the AD Silver Cookbook.

First, there’s appendix A (https://spaces.internet2.edu/display/InCAssurance/InCommon+Silver+with+Active+Directory+Domain+Services+Cookbook+-+201404#InCommonSilverwithActiveDirectoryDomainServicesCookbook-201404-AppendixAKnownIssuesWithNTLMv1Disabled%2FLMHASHStorageTurnedOff) which is focused on known problems with turning off NTLMv1 and LM hashes. I think most of that appendix could (should?) be replaced with a link to our resource page on this: https://wiki.cac.washington.edu/display/UWWI/NTLMv1+Removal+-+Known+Problems+and+Workarounds. Obviously, there are a ton of known problems in the UW’s NTLMv1 resource page which aren’t listed in the appendix, so it’s an improvement on that account. But there are also some problems with the existing text in appendix A, particularly around the last section which talks about Radius+Samba. That issue isn’t necessarily limited to Radius or Samba, so the intro is misleading. The appendix also doesn’t note the biggest issue related to that, which is that the MacOS VPN client apparently doesn’t support NTLMv2 or Kerberos (i.e. at best it can use NTLMv1)--and it doesn’t mention the known ways to configure MSCHAPv2 on Windows Server to use NTLMv2.

Which is a nice segue … I vaguely recall some discussion of MSCHAPv2 we had. I’m wondering if anyone has any workarounds/solutions on the MacOS VPN NTLMv1 issue. We’re struggling with that currently, and the alternatives seem to be allowing NTLMv1 with local user accounts or buying an expensive 3rd party solution.

-B
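One way to find which clients (such as a VPN gateway fronting MacOS clients) still authenticate with NTLMv1 before refusing it on the domain controllers, as an added example that is not part of this thread: it parses Security event 4624 records exported as text and counts "NTLM V1" logons per workstation and account. The sample records, the workstation and account names, and the "---" record separator are constructed assumptions; the field names are those of the 4624 event's authentication details.

```python
import re
from collections import Counter

# Constructed sample: three Security event 4624 records exported as text.
# "Package Name (NTLM only)" is "NTLM V1" for the legacy protocol.
SAMPLE_EVENTS = """\
Event ID: 4624
Account Name: jdoe
Workstation Name: VPN-GW01
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
---
Event ID: 4624
Account Name: asmith
Workstation Name: FILESRV01
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
---
Event ID: 4624
Account Name: jdoe
Workstation Name: VPN-GW01
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
"""

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$", re.M)

def parse_events(text):
    """Split the export on '---' and return one {field: value} dict per 4624 event."""
    events = []
    for chunk in text.split("---"):
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(chunk)}
        if fields.get("Event ID") == "4624":
            events.append(fields)
    return events

def ntlmv1_sources(events):
    """Count NTLMv1 logons per (workstation, account): these are the clients
    that will break once the domain controllers stop accepting NTLMv1."""
    counts = Counter()
    for e in events:
        if e.get("Authentication Package") == "NTLM" and e.get("Package Name (NTLM only)") == "NTLM V1":
            counts[(e["Workstation Name"], e["Account Name"])] += 1
    return counts

if __name__ == "__main__":
    for (ws, acct), n in ntlmv1_sources(parse_events(SAMPLE_EVENTS)).most_common():
        print(f"{n:3d}  {ws}  {acct}")
```

On a real domain controller the same fields come from the Security log (filter on event 4624 and Package Name "NTLM V1"); the NTLMv2 and Kerberos logons are ignored, so the output is the list of hosts to fix or exempt before the cutover.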