Re: kerberos!

From: David Schenz (schenz.9_at_DPS.OHIO-STATE.EDU)
Date: 09/10/04

  • Next message: Paul Leach: "Re: kerberos!" 
    Date:         Fri, 10 Sep 2004 12:37:06 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Two important points need to be remembered here: first, in order to join
    a domain in the first place, NTLMv2 is still necessary (as the joining
    member is not a part of the Kerberos realm), and second, windows
    requires NTLMv2 to authenticate when opening a cif share via ip address.
    Authentication falls back to NTLMv2 if Kerberos can't meet the following
    conditions:

    1. A KDC service has to be available (i.e. a domain controller)
    2. The host SPN must be registered

    Evaluating the situation in discussion (assuming no implicit or explicit
    trusts are setup i.e. the domains are in separate forests - remember
    domains and trees are not security boundaries)..... User 1 in domain A
    tries to authenticate to File Server 2 in domain B. User 1 will try to
    authenticate against a domain A dc. Since no SPN is available for file
    server 2 is registered on domain A's dc, the authentication will fall
    back to NTLM. I'm certainly glossing over the finer details of Kerberos
    here, but it gets the point across.

    So yes, you're certainly right in that it is less secure. Unfortunately,
    as currently designed, fallback to NTLMv2 is still necessary. I agree
    that legacy support in Windows needs to be disabled by default. Too
    often the trade off has been chosen in favor of compatibility over
    security (causing many of Microsoft's security issues.

    David

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----

  • Next message: Paul Leach: "Re: kerberos!"

    Relevant Pages

    • Re: WINCE 6.0 Shared Folder
      ... doesn't support it NTLMv2, they only support NTLM. ... need to change on the Vista system that is going to access the PVC device. ... Security Settings / Local Policies /Security Options ... Domain controllers accept LM, NTLM, and NTLMv2 ...
      (microsoft.public.windowsce.platbuilder)
    • Re: WINCE 6.0 Shared Folder
      ... doesn't support it NTLMv2, they only support NTLM. ... Security Settings / Local Policies /Security Options ... authentication level" ... Domain controllers accept LM, NTLM, and NTLMv2 ...
      (microsoft.public.windowsce.platbuilder)
    • Re: Passwords with Lan Manager (LM) under Windows
      ... I already said why you can't pre-compile NTLMv2: The hash generated for the ... As I said earlier "Kerberos support with IPsec" And by this yes ...
      (Pen-Test)
    • Re: Zugriff einschrdnken
      ... Du könntest auf allen Servers einstellen, das diese nur noch Kerberos ... NTLMv2 ist standardmäßig auf keinem heutigen ... und nur über die richtige ClassID die richtigen Optionen wie DNS-Server ... SICHER ist ausschliesslich das ganze über IPSec zu machen, ...
      (microsoft.public.de.german.windows.server.active_directory)
    • Re: Kerberos & NTLM Auth in IIS6
      ... A little known fact regarding NTLMv2 is that only those applications that authenticate using the ... Local Security Authority will be affected by the LMCompatibility mode setting. ... A number of applications use the NTLM Security Support ... Enable NTLMv2 Authentication for NTLM Security ...
      (Focus-Microsoft)