Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] RE: appendix A, NTLMv1, and MacOS VPN client

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] RE: appendix A, NTLMv1, and MacOS VPN client


Chronological Thread 
  • From: Thomas Kovarik <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: appendix A, NTLMv1, and MacOS VPN client
  • Date: Fri, 15 Aug 2014 17:20:27 +0000
  • Accept-language: en-US

Wow, Brian. Nice achievement. Will that talk be recorded? I won’t be there in October, but I’d love to benefit from your long, uphill slog…

 

Tom Kovarik

(301) 405-1025

 

From: [mailto:] On Behalf Of Brian Arkills
Sent: Friday, August 15, 2014 12:49 PM
To:
Subject: [AD-Assurance] appendix A, NTLMv1, and MacOS VPN client

 

Hi folks,

 

Earlier this week, the UW successfully turned off NTLMv1 on our central AD’s domain controllers. It’s been quite a ride getting to that milestone, and I plan to present something on that at the Windows HiEd conference in October. If folks here want something more on that, I’ll see what I can do. J

 

I’m writing today about two follow-up items that I think relate to our work on the AD Silver Cookbook.

 

First, there’s appendix A (https://spaces.internet2.edu/display/InCAssurance/InCommon+Silver+with+Active+Directory+Domain+Services+Cookbook+-+201404#InCommonSilverwithActiveDirectoryDomainServicesCookbook-201404-AppendixAKnownIssuesWithNTLMv1Disabled%2FLMHASHStorageTurnedOff) which is focused on known problems with turning off NTLMv1 and LM hashes. I think most of that appendix could (should?) be replaced with a link to our resource page on this: https://wiki.cac.washington.edu/display/UWWI/NTLMv1+Removal+-+Known+Problems+and+Workarounds. Obviously, there are a ton of known problems in the UW’s NTLMv1 resource page which aren’t listed in the appendix so it’s an improvement on that account. But there’s also some problems with the existing text in appendix A, particularly around the last section which talks about Radius+Samba. That issue isn’t necessarily limited to Radius or Samba, so the intro is misleading. The appendix also doesn’t note the biggest issue related to that which is that the MacOS VPN client apparently doesn’t support NTLMv2 or Kerberos (i.e. at best it can use NTLMv1)--and it doesn’t mention the known ways to configure MSCHAPv2 on Windows Server to use NTLMv2.

 

Which is a nice segue …

 

I vaguely recall some discussion of MSCHAPv2 we had. I’m wondering if anyone has any workarounds/solutions on the MacOS VPN NTLMv1 issue. We’re struggling with that currently, and the alternatives seem to be allowing NTLMv1 with local user accounts or buying an expensive 3rd party solution.

 

-B




Archive powered by MHonArc 2.6.16.

Top of Page