Active Directory


Active Directory

Scott Arciszewski
Quick question,

I'm developing some applications that use LDAP to authenticate users (it's
a corporate environment). However, I do not have admin access to the server
that hosts LDAP and thus cannot examine the hashes, so I've been doing some
reading and talking with other devs about this... but I've reached a dead
end.

Here's what I know: AD used to use LM hashes; they migrated to Kerberos a
while back. I cannot for the life of me find out if they still store hashes
on the server, because Microsoft's documentation is equal parts
labyrinthine and sparse.

Questions:
Does Kerberos mitigate the need to store hashes in a database, registry, or
filesystem?
If not, how does Kerberos stack up to a password-hashing scheme like PBKDF2
or scrypt? (A quick glance at the GitHub page reveals that DES is still
allowed, but deprecated.)
How well do the Kerberos maintainers believe Microsoft implemented the
protocol for Active Directory?

Thanks for your time; if you don't have time to write out an answer but
know of links to refer me to, I'd greatly appreciate the help!

Scott
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
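As an added illustration of the PBKDF2 question above (example code, not part of Scott's post or any reply), this implements the PBKDF2 stage of the AES string-to-key function from RFC 3962 and checks it against the RFC's own Appendix B vector; the EXAMPLE.COM realm and the alice/bob principals are constructed names.

```python
# Added example: how an AES-enctype KDC turns a password into the long-term
# key it stores (RFC 3962 string-to-key), so it can be compared with plain
# PBKDF2. The realm/principal pairs other than the RFC vector are made up.
import hashlib
from typing import Sequence

# RFC 3962 default iteration count (sent to clients as s2kparams).
DEFAULT_ITERATIONS = 4096


def kerberos_salt(realm: str, components: Sequence[str]) -> str:
    """Default salt (RFC 4120 section 4): the realm followed by the
    principal name components with no separators, so it is predictable,
    not random: 'ATHENA.MIT.EDU' + 'raeburn' -> 'ATHENA.MIT.EDUraeburn'."""
    return realm + "".join(components)


def aes_s2k_pbkdf2_stage(password: str, salt: str,
                         iterations: int = DEFAULT_ITERATIONS,
                         key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1(password, salt, iterations, key_len): the first step
    of RFC 3962 string-to-key. key_len is 16 for aes128-cts-hmac-sha1-96 and
    32 for aes256-cts-hmac-sha1-96. RFC 3962 finishes with DK(tkey,
    "kerberos") (AES-CBC over n-fold("kerberos")); that step is omitted here
    because the standard library has no AES, and it adds no stretching:
    all of the guessing cost lives in this PBKDF2 stage."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def rfc3962_vector_ok() -> bool:
    """Check against RFC 3962 Appendix B: iteration count 1, passphrase
    'password', salt 'ATHENA.MIT.EDUraeburn', 128-bit PBKDF2 output."""
    out = aes_s2k_pbkdf2_stage(
        "password", kerberos_salt("ATHENA.MIT.EDU", ["raeburn"]), 1)
    return out.hex() == "cdedb5281bb2f801565a1122b2563515"


if __name__ == "__main__":
    print("RFC 3962 vector matches:", rfc3962_vector_ok())
    # Same password, same realm, different principal -> different key only
    # because the principal name is in the salt.
    for user in ("alice", "bob"):
        key = aes_s2k_pbkdf2_stage("pw", kerberos_salt("EXAMPLE.COM", [user]))
        print(f"{user}@EXAMPLE.COM aes128 key material: {key.hex()}")
```

Compared with a PBKDF2 deployment that picks a random per-user salt and a tuned iteration count, the Kerberos salt is derived from public names and the count is a protocol default, which is the practical difference behind the question.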

Re: Active Directory

Dmitri Pal
On 12/07/2013 12:24 AM, Scott Arciszewski wrote:

> Quick question,
>
> I'm developing some applications that use LDAP to authenticate users (it's
> a corporate environment). However, I do not have admin access to the server
> that hosts LDAP and thus cannot examine the hashes, so I've been doing some
> reading and talking with other devs about this... but I've reached a dead
> end.
>
> Here's what I know: AD used to use LM hashes; they migrated to Kerberos a
> while back. I cannot for the life of me find out if they still store hashes
> on the server, because Microsoft's documentation is equal parts
> labyrinthine and sparse.
>
> Questions:
> Does Kerberos mitigate the need to store hashes in a database, registry, or
> filesystem?
> If not, how does Kerberos stack up to a password-hashing scheme like PBKDF2
> or scrypt? (A quick glance at the GitHub page reveals that DES is still
> allowed, but deprecated.)
> How well do the Kerberos maintainers believe Microsoft implemented the
> protocol for Active Directory?
>
> Thanks for your time; if you don't have time to write out an answer but
> know of links to refer me to, I'd greatly appreciate the help!
>
> Scott

It looks like you are trying to use Kerberos with AD.
A more detailed use case would be better to understand your goal and
limitations.
AD uses Kerberos too, so it is not clear what exactly you are trying to
accomplish with using Kerberos with AD as a LDAP source.
There are solutions that allow you to have a Kerberos server to serve
your infrastructure while syncing data from AD or leveraging a trust
with AD.
Have you looked at freeIPA?
http://www.freeipa.org/page/IPAv3_testing_AD_trust

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


Re: Active Directory

Douglas E. Engert
In reply to this post by Scott Arciszewski

On 12/6/2013 11:24 PM, Scott Arciszewski wrote:

> Quick question,
>
> I'm developing some applications that use LDAP to authenticate users (it's
> a corporate environment). However, I do not have admin access to the server
> that hosts LDAP and thus cannot examine the hashes, so I've been doing some
> reading and talking with other devs about this... but I've reached a dead
> end.
>
> Here's what I know: AD used to use LM hashes; they migrated to Kerberos a
> while back. I cannot for the life of me find out if they still store hashes
> on the server, because Microsoft's documentation is equal parts
> labyrinthine and sparse.
>
> Questions:
> Does Kerberos mitigate the need to store hashes in a database, registry, or
> filesystem?

Yes.

> If not, how does Kerberos stack up to a password-hashing scheme like PBKDF2
> or scrypt? (A quick glance at the GitHub page reveals that DES is still
> allowed, but deprecated.)
> How well do the Kerberos maintainers believe Microsoft implemented the
> protocol for Active Directory?

Very well. Microsoft developers have been IETF Kerberos working group chairs
and active in the working group over the years.

http://msdn.microsoft.com/en-us/library/cc233855.aspx

[MS-KILE], last updated 11/14/2013, is a document that
shows how Microsoft's implementation of Kerberos complies with the RFCs,
and what extensions they have added.

>
> Thanks for your time; if you don't have time to write out an answer but
> know of links to refer me to, I'd greatly appreciate the help!

Other things to search for:
    SSPI GSS-API - shows how Microsoft SSP implements GSS-API protocols;
            includes PuTTY for ssh from Windows.

    "windows integrated authentication" Kerberos - browser use of Kerberos,
            including Firefox and Chrome.

    mod_auth_kerb - Apache use of Kerberos with the above.

    java Krb5LoginModule - using Kerberos from Java;
            AD can be the KDC.

    pam_krb5 - Kerberos login which can use AD as the KDC.

    msktutil - manage keytabs on Unix with AD as the KDC.

And my all-time favorite...

    http://technet.microsoft.com/en-us/library/bb742433.aspx

It's for Windows 2000, but explains a lot of the basics.



>
> Scott

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444