Brent,

I don't think it's a good idea to store reversibly encrypted passwords
in AD, especially since they get replicated to DCs which you may not be
able to physically secure.

However, you can use the password filter DLL to intercept password changes,
and dynamically store the new passwords away somewhere safe, for use in a
RADIUS service or other system.  That is essentially what we do with our
P-Synch product -- intercept password changes in progress, apply a
supplementary quality policy, and automatically push the new password to
other systems (including other LDAP directories, passwd files on Unix,
whatever).

This approach keeps AD pristine, only introduces a small DLL on each DC,
has negligible performance impact on the domain, and lets users keep one
password on multiple systems.

You might consider using three products to get the desired effect without
turning on plaintext or reversibly encrypted passwords:

  * Your preferred RADIUS service (sounds like Steel Belted).

    (http://funk.com)

  * Microsoft's MIIS to automatically mirror the user base from AD to
    whatever Steel Belted RADIUS likes to use natively.

    (http://microsoft.com/miis/)

  * P-Synch to synchronize passwords between the two.

    (http://psynch.com)

Good luck!

-- Idan

On Tue, 26 Aug 2003, Wilhelm, Brent wrote:

>
> Hey everybody,
>
> Our network engineer is pushing us to turn on reverse encryption at the
> root level so that he can stand up a third party radius server against it.
>
> Everything that my guys (server guys) have found says not to do it unless
> you absolutely have to because it stores them in clear text.
>
> Link:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp
>
> So...  of course we don't want to flip the switch.
>
> Does anyone know anything else about reverse encryption that might be of
> interest?
>
> Does anyone know any other ways to allow a third party (Steel Belted
> Radius) to talk with the AD?
>
> Thanks - Brent
>

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
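The two things the thread turns on are auditable from a domain-joined admin workstation: which accounts (or policies) actually store a reversibly encrypted password, and which password filter DLLs LSASS loads on each DC. The script below is an added example, not code from the thread or from any of the products mentioned in it. It assumes the ActiveDirectory RSAT module, PowerShell 5.1 or later, and WinRM access to the domain controllers; the `$expected` list of default notification packages is an assumption you should adjust to your own build.

```powershell
# Added example: audit reversible-encryption settings and password filter DLLs.
# Assumes the ActiveDirectory module and WinRM access to every DC.
Import-Module ActiveDirectory

# 1a. Domain-wide and fine-grained password policies that turn reversible
#     encryption on. These apply without setting any per-user flag.
$policies = @(Get-ADDefaultDomainPasswordPolicy | Select-Object @{n='Policy'; e={'Default Domain Policy'}}, ReversibleEncryptionEnabled)
$policies += Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object @{n='Policy'; e={$_.Name}}, ReversibleEncryptionEnabled
$policies | Where-Object ReversibleEncryptionEnabled | ForEach-Object {
    Write-Warning "Reversible encryption enabled by policy: $($_.Policy)"
}

# 1b. Accounts flagged individually. ENCRYPTED_TEXT_PWD_ALLOWED is bit 0x80 (128)
#     of userAccountControl; the OID below is the LDAP bitwise-AND matching rule.
$reversible = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
    -Properties userAccountControl, pwdLastSet |
    Select-Object SamAccountName, DistinguishedName,
        @{n='PwdLastSet'; e={ [DateTime]::FromFileTime($_.pwdLastSet) }}

if ($reversible) {
    Write-Warning "Accounts flagged for reversible encryption: $(@($reversible).Count)"
    $reversible | Format-Table -AutoSize
} else {
    Write-Host 'No accounts are individually flagged for reversible encryption.'
}

# 2. Password filter DLLs loaded by LSASS on each DC. Every entry receives the
#    plaintext password at change time, so review this list both for the filter
#    you deployed on purpose and for anything you did not put there.
#    Assumed defaults: scecli on every Windows system, rassfm on DCs.
$expected = @('scecli', 'rassfm')
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

Invoke-Command -ComputerName $dcs -ScriptBlock {
    $pkgs = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').'Notification Packages'
    foreach ($p in $pkgs) {
        # Each package is a DLL basename resolved from System32; hash it so the
        # same DLL can be compared across DCs and against your deployment record.
        $path = Join-Path $env:SystemRoot "System32\$p.dll"
        $hash = if (Test-Path $path) { (Get-FileHash $path -Algorithm SHA256).Hash } else { 'MISSING' }
        [pscustomobject]@{ DC = $env:COMPUTERNAME; Package = $p; Path = $path; SHA256 = $hash }
    }
} | ForEach-Object {
    if ($_.Package -notin $expected) {
        Write-Warning "Unexpected notification package on $($_.DC): $($_.Package)"
    }
    $_
} | Format-Table DC, Package, SHA256 -AutoSize
```

Run it before and after deploying a password filter: the package should appear on every DC with an identical hash, and nothing else should have changed. The same query is a useful periodic check on its own, since the Notification Packages value is exactly where an attacker with DC admin rights would plant a DLL to harvest cleartext passwords.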
