ad-assurance - RE: [AD-Assurance] appendix A, NTLMv1, and MacOS VPN client
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Eric Goodman <>
- To: "" <>
- Cc: Dean Woodbeck <>
- Subject: RE: [AD-Assurance] appendix A, NTLMv1, and MacOS VPN client
- Date: Wed, 20 Aug 2014 15:57:30 +0000
Just back from a mostly-email-less vacation, so late congratulations on this!

I’m fine with updating the appendix, though I’m not sure what the right process for that would be. Perhaps we could just create the update via the list here, and then send a notice to the assurance list announcing them (allowing for comment, but not necessarily being as formal about it as we were for the original v2 release).

Warren, if UFL also has resources like Brian alludes to, we could include those in the appendix as well.

I don’t have any good information about MSCHAP/NTLM and MacOS issues other than a recollection that yes, it’s a problem. So I can neither confirm nor deny your suspicions re: local accounts or third party solutions.

--- Eric

From: [mailto:] On Behalf Of Curry, Warren

Yes, nice job. We did this a while back at UF; it was a significant impact and communication effort throughout the campus…

-warren

From: [] On Behalf Of Ann West

Hi Brian,

Congratulations! Quite an achievement. Would you be willing to present a webinar on this topic? We can certainly record it as well. Might be a nice HESIC/InCommon IAM Online topic.

Ann

From: Brian Arkills <>

Hi folks,

Earlier this week, the UW successfully turned off NTLMv1 on our central AD’s domain controllers. It’s been quite a ride getting to that milestone, and I plan to present something on that at the Windows HiEd conference in October. If folks here want something more on that, I’ll see what I can do. :)

I’m writing today about two follow-up items that I think relate to our work on the AD Silver Cookbook.

First, there’s appendix A (https://spaces.internet2.edu/display/InCAssurance/InCommon+Silver+with+Active+Directory+Domain+Services+Cookbook+-+201404#InCommonSilverwithActiveDirectoryDomainServicesCookbook-201404-AppendixAKnownIssuesWithNTLMv1Disabled%2FLMHASHStorageTurnedOff) which is focused on known problems with turning off NTLMv1 and LM hashes. I think most of that appendix could (should?) be replaced with a link to our resource page on this: https://wiki.cac.washington.edu/display/UWWI/NTLMv1+Removal+-+Known+Problems+and+Workarounds.

Obviously, there are a ton of known problems in the UW’s NTLMv1 resource page which aren’t listed in the appendix, so it’s an improvement on that account. But there are also some problems with the existing text in appendix A, particularly around the last section which talks about Radius+Samba. That issue isn’t necessarily limited to Radius or Samba, so the intro is misleading. The appendix also doesn’t note the biggest issue related to that, which is that the MacOS VPN client apparently doesn’t support NTLMv2 or Kerberos (i.e. at best it can use NTLMv1), and it doesn’t mention the known ways to configure MSCHAPv2 on Windows Server to use NTLMv2.

Which is a nice segue …

I vaguely recall some discussion of MSCHAPv2 we had. I’m wondering if anyone has any workarounds/solutions on the MacOS VPN NTLMv1 issue. We’re struggling with that currently, and the alternatives seem to be allowing NTLMv1 with local user accounts or buying an expensive 3rd party solution.

-B