Re: Active Directory password external use

From: Manuel Fernandes (manuelf_at_mailblocks.com)
Date: 08/31/05

    Date: Wed, 31 Aug 2005 11:37:55 -0700
    To: farrenkm@ohsu.edu, focus-ms@securityfocus.com
    
    

    What agent or daemon will capture this - is it part of an identity
    management (IdM) system?

    Yes, some IdM agents can capture the password in clear at the DC and
    distribute it before it is encrypted.

    Without getting specific to a product or technology, most mature
    systems have provisions to interact with msgina.dll.

    -----Original Message-----
    From: Matthew Farrenkopf <farrenkm@ohsu.edu>
    To: focus-ms@securityfocus.com
    Sent: Wed, 31 Aug 2005 08:21:47 -0700
    Subject: Re: Active Directory password external use

    "Rodrigo Blanco" <rodrigo.blanco.r@gmail.com>:
    >I am currently doing a project that requires using the Active
    >Directory users' password for other purposes other than just
    >workstation logon or share access.
    >
    >What I would need to do is detect password change / reset events on
    >the domain, capture the new password and send it to another
    >application. This could be done with an agent or daemon running on the
    >DC machine.
    >
    >The question is, when a user's password is changed / reset, is it
    >possible to externally capture this event and make use of the password
    >before it is stored in a non-reversible format inside the active dir.?
    >
    >What security implications would this have, and what security measures
    >would you propose for such an agent?

    Seems like a lot of work for a small reward. We have several Web
    applications that authenticate directly against the domain controller.
    I've never done it before, but there's probably someone that has (and I
    am actively trying to learn how to do it).

    Why not do that?

    Matt
