
Re: using active directory keys



"Douglas E. Engert" <deengert@anl.gov> writes:

> You might be missing something here. You can do SSO to the rest of the
> world using your AD principals.

Yes, if you don't mind trusting the infrastructure to Microsoft even
more (and using relatively weak crypto generally as I understand it).

> So what you are really trying to do is copy or move principals from AD
> to some other realm keeping the same password for the user.

Yes -- `pass-through' login as written up at Stanford, UMich &c and in
the Heimdal doc.  It's just that there isn't the existing serious
Kerberos infrastructure here that I assume they had and that you might
expect at a national lab.

> As I understand
> it AD keeps the password in the database hidden some where. If your domain
> also supports NTLM authentication, then it might be possible to
> access the NTLM copy of the password instead. They should be in sync.

Is there something wrong with Luke's suggestion of extracting and
using the NTLM hashes (apart from their weakness as keys)?
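
The reason the NTLM-hash route works at all, and the reason it is weak as a key, can both be shown in a few lines. The following is an added example, not code from anyone in this thread or from Heimdal: the NT hash is MD4 over the UTF-16LE encoding of the password, with no salt and no iteration, and RFC 4757 defines the Kerberos rc4-hmac (arcfour-hmac-md5) string-to-key as exactly that same MD4, so an NT hash pulled out of AD is already a usable rc4-hmac key for the matching principal in another realm. The block carries its own MD4 because hashlib's md4 is often disabled under OpenSSL 3, uses the constructed sample password "password", and (an assumption, to keep it short) passes the RFC 4757 key-usage number T straight through rather than applying the RFC's remapping of a few usage values.

```python
"""NT hash == Kerberos rc4-hmac key (RFC 4757), with a self-contained MD4.

Added example, not from the mailing-list thread. Pure-Python MD4 is used
because hashlib's md4 is frequently unavailable under OpenSSL 3.
"""
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (little-endian words, three 16-step rounds)."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)   # pad to 56 mod 64
    data += struct.pack("<Q", bit_len)                # 64-bit LE bit length
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                           # round 1
            a, b, c, d = d, _rotl(a + F(b, c, d) + X[i],
                                  (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl(a + G(b, c, d) + X[k] + 0x5A827999,
                                  (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                           # round 3
            a, b, c, d = d, _rotl(a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1,
                                  (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = ((A + a) & _MASK, (B + b) & _MASK,
                      (C + c) & _MASK, (D + d) & _MASK)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash as stored by AD: MD4(UTF-16LE(password)); no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key for rc4-hmac: the very same MD4 of UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage_t: int, plaintext: bytes,
                     confounder: bytes = None) -> bytes:
    """RFC 4757 encryption: checksum || RC4(K3, confounder || plaintext).

    Assumption: usage_t is used as T directly (the RFC remaps a few values).
    """
    T = struct.pack("<I", usage_t)
    K1 = hmac.new(key, T, "md5").digest()
    K2 = K1
    data = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(K2, data, "md5").digest()
    K3 = hmac.new(K1, checksum, "md5").digest()
    return checksum + rc4(K3, data)


def rc4_hmac_decrypt(key: bytes, usage_t: int, ciphertext: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; raises on a wrong key or tampered data."""
    T = struct.pack("<I", usage_t)
    K1 = hmac.new(key, T, "md5").digest()
    checksum, body = ciphertext[:16], ciphertext[16:]
    K3 = hmac.new(K1, checksum, "md5").digest()
    data = rc4(K3, body)
    if not hmac.compare_digest(hmac.new(K1, data, "md5").digest(), checksum):
        raise ValueError("rc4-hmac checksum mismatch: wrong key or tampered data")
    return data[8:]                                   # strip the confounder


if __name__ == "__main__":
    pw = "password"                                   # constructed sample
    print("NT hash      :", nt_hash(pw).hex())
    print("rc4-hmac key :", rc4_hmac_key(pw).hex())
    ct = rc4_hmac_encrypt(nt_hash(pw), 2, b"ticket bytes")
    print("roundtrip    :", rc4_hmac_decrypt(rc4_hmac_key(pw), 2, ct))
```

The point for the migration question is that nothing has to be "converted": the 16 bytes AD stores are the rc4-hmac key, so a principal in the new realm loaded with that key authenticates with the unchanged password. The same identity is the caveat: the key has no salt (two users with the same password share a key), it is a single unsalted MD4 so offline guessing is cheap, and whoever holds the hash holds the key, which is exactly the pass-the-hash property. Enctypes with a real string-to-key (the AES family with a salt and iteration count) cannot be derived from the NT hash; for those the user still has to re-enter the password once.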