Re: using active directory keys

Dave Love wrote:

> "Douglas E. Engert" <deengert@anl.gov> writes:
>>You might be missing something here. You can do SSO to the rest of the
>>world using your AD principals.
> Yes, if you don't mind trusting the infrastructure to Microsoft even
> more (and using relatively weak crypto generally as I understand it).

There are lots of trade-offs. And the crypto situation is getting better.
Years ago, Microsoft went with RC4 and Kerberos went with 3DES, leaving only
DES common between them. Newer Kerberos has RC4 support now and both
will have AES soon.

>>So what you are really trying to do is copy or move principals from AD
>>to some other realm keeping the same password for the user.
> Yes -- `pass-through' login as written up at Stanford, UMich &c and in
> the Heimdal doc.  It's just that there isn't the existing serious
> Kerberos infrastructure here that I assume they had and that you might
> expect at a national lab.

Not sure what you mean by a serious Kerberos infrastructure. It sounds like
you don't like the administration policies and procedures used at your site
with AD. We consider AD a serious Kerberos infrastructure here.  That could
change and we might want to do something like what you are doing in the future.
Will have to wait and see.

>>As I understand
>>it AD keeps the password in the database hidden some where. If your domain
>>also supports NTLM authentication, then it might be possible to
>>access the NTLM copy of the password instead. They should be in sync.
> Is there something wrong with Luke's suggestion of extracting and
> using the NTLM hashes (apart from their weakness as keys)?

Not that I know of, I was suggesting that you might have wanted to consider
using the principals in AD and AD as the KDC directly without having to set up
another realm and copy out all the keys.
