Re: AD authentication encryption


If you are using Windows 2000 or greater then you have a native LDAP
client. If you have a pre-2000 client you can't log on with Kerberos, but you
can use NTLM v2 authentication; you will need to download the AD Client
(AD Client Extension - DSClient). Any network can be sniffed, and if you are
concerned about this you can encrypt your packets with protocols such as
IPSec, which is native in AD. All AD passwords transmitted using Kerberos
are just the hashes of the actual passwords, so when a user sniffs a network
they will only see the hash, not the actual passwords, which are encrypted.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Eddie" <Eddie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7152657F-76A3-4A41-99A7-6099E97624BA@xxxxxxxxxxxxxxxx
Thank you for your reply.
I am not quite sure if I have the Windows LDAP client.
If I have a default setup on my AD and some client machines joined the AD
on the LAN, can somebody steal the password with a sniffer? Or is it protected
by SSPI, which comes with Kerberos?



"Joe Kaplan (MVP - ADSI)" wrote:

It depends on the flags you use.

AD supports transport level encryption with SSL. This will encrypt all of
the traffic, including the initial bind request.

AD also supports SSPI authentication using the negotiate protocol (Kerberos
or NTLM). Neither of these mechanisms passes plaintext credentials on the
wire. Additionally, a feature of SSPI is that it can be used to encrypt and
sign the network traffic, much like SSL, after the initial authentication is
performed via a bind.

SSL requires a certificate on the DC, so you don't get it by default.
Negotiate auth is supported by AD without any additional configuration, but
you probably can't use it unless you have a Windows LDAP client that
supports SSPI.

The way you enable these settings depends on the API you are using.

Joe K.

"Eddie" <Eddie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:596B7D48-0378-4A72-86BD-C669DBFF706D@xxxxxxxxxxxxxxxx
Does anyone know what kind of encryption Windows 2003 uses to communicate
between client and AD, and between AD and AD, for authentication? Thanks for
the help.
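The two protections Joe lists above (an SSPI/Negotiate bind with SSPI signing and sealing of the LDAP session, and LDAP over SSL on port 636) as an added example using the .NET System.DirectoryServices.Protocols API. This is not code from the thread or from any of its posters. It assumes a domain-joined Windows client running as the user whose logon should be used for the bind; the host name dc01.example.com and the base DN DC=example,DC=com are placeholders.

```csharp
// Added example, not from the thread. Demonstrates the two ways Joe
// describes to keep an AD LDAP session off the wire in the clear:
// (1) Negotiate (Kerberos/NTLM) bind plus SSPI signing and sealing,
// (2) LDAP over SSL/TLS, which wraps the whole session including the bind.
// dc01.example.com and DC=example,DC=com are placeholder values.
using System;
using System.DirectoryServices.Protocols;

static class AdBindExample
{
    // Option 1: SSPI/Negotiate bind. No certificate is needed on the DC, but
    // the client must be a Windows LDAP client that supports SSPI. After the
    // bind, every LDAP message is signed (integrity) and sealed (encrypted).
    public static LdapConnection BindSignedAndSealed(string dc)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(dc, 389));
        conn.SessionOptions.ProtocolVersion = 3;
        conn.AuthType = AuthType.Negotiate;   // Kerberos preferred, NTLM fallback
        conn.SessionOptions.Signing = true;   // SSPI message integrity
        conn.SessionOptions.Sealing = true;   // SSPI message confidentiality
        conn.Bind();                          // binds as the caller's Windows logon
        return conn;
    }

    // Option 2: LDAP over SSL on 636. Needs a server certificate on the DC
    // that the client trusts; in return the initial bind is already inside
    // TLS, so even a simple bind would not expose the password on the wire.
    // Negotiate is still used here so no password is sent at all.
    public static LdapConnection BindOverSsl(string dc)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(dc, 636));
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        conn.AuthType = AuthType.Negotiate;
        conn.Bind();
        return conn;
    }

    // Reads the domain's name attribute over the protected session so the
    // caller can confirm the bind and the sealed search both succeeded.
    public static string ReadDomainName(LdapConnection conn, string baseDn)
    {
        var req = new SearchRequest(baseDn, "(objectClass=domain)",
                                    SearchScope.Base, "name");
        var resp = (SearchResponse)conn.SendRequest(req);
        if (resp.Entries.Count == 0)
            throw new InvalidOperationException("domain object not found");
        return resp.Entries[0].Attributes["name"][0].ToString();
    }

    static void Main()
    {
        using (var conn = BindSignedAndSealed("dc01.example.com"))
        {
            Console.WriteLine("Negotiate + sign/seal OK, domain: "
                              + ReadDomainName(conn, "DC=example,DC=com"));
        }
        using (var conn = BindOverSsl("dc01.example.com"))
        {
            Console.WriteLine("LDAPS OK, domain: "
                              + ReadDomainName(conn, "DC=example,DC=com"));
        }
    }
}
```

A practical check for the first option: if the domain controller policy "Domain controller: LDAP server signing requirements" is set to "Require signing", a Negotiate bind that does not request signing is rejected by the DC, so leaving Signing and Sealing at their defaults makes the bind fail rather than silently fall back to an unprotected session. For the second option, a certificate the client does not trust makes Bind() throw, which is the behaviour you want; do not suppress that by disabling certificate validation.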