ad-assurance - RE: [AD-Assurance] appendix A, NTLMv1, and MacOS VPN client
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Brian Arkills
- Cc: Dean Woodbeck
- Subject: RE: [AD-Assurance] appendix A, NTLMv1, and MacOS VPN client
- Date: Fri, 15 Aug 2014 17:33:52 +0000
Sure, but I haven’t yet created a presentation. ;) Maybe in October/November timeframe …
From: On Behalf Of Ann West

Hi Brian,

Congratulations! Quite an achievement. Would you be willing to present a webinar on this topic? We can certainly record it as well. Might be a nice HESIC/InCommon IAM Online topic.

Ann

From: Brian Arkills

Hi folks,

Earlier this week, the UW successfully turned off NTLMv1 on our central AD’s domain controllers. It’s been quite a ride getting to that milestone, and I plan to present something on that at the Windows HiEd conference in October. If folks here want something more on that, I’ll see what I can do. :)

I’m writing today about two follow-up items that I think relate to our work on the AD Silver Cookbook.

First, there’s appendix A (https://spaces.internet2.edu/display/InCAssurance/InCommon+Silver+with+Active+Directory+Domain+Services+Cookbook+-+201404#InCommonSilverwithActiveDirectoryDomainServicesCookbook-201404-AppendixAKnownIssuesWithNTLMv1Disabled%2FLMHASHStorageTurnedOff) which is focused on known problems with turning off NTLMv1 and LM hashes. I think most of that appendix could (should?) be replaced with a link to our resource page on this: https://wiki.cac.washington.edu/display/UWWI/NTLMv1+Removal+-+Known+Problems+and+Workarounds.

Obviously, there are a ton of known problems in the UW’s NTLMv1 resource page which aren’t listed in the appendix, so it’s an improvement on that account. But there are also some problems with the existing text in appendix A, particularly around the last section, which talks about Radius+Samba. That issue isn’t necessarily limited to Radius or Samba, so the intro is misleading. The appendix also doesn’t note the biggest issue related to that, which is that the MacOS VPN client apparently doesn’t support NTLMv2 or Kerberos (i.e. at best it can use NTLMv1), and it doesn’t mention the known ways to configure MSCHAPv2 on Windows Server to use NTLMv2.

Which is a nice segue … I vaguely recall some discussion of MSCHAPv2 we had. I’m wondering if anyone has any workarounds/solutions on the MacOS VPN NTLMv1 issue. We’re struggling with that currently, and the alternatives seem to be allowing NTLMv1 with local user accounts or buying an expensive 3rd party solution.

-B