All,

It turns out my network guy has been told that sending LM and NTLM responses is a security risk. I have read the Wikipedia article http://en.wikipedia.org/wiki/NTLM#Vulnerabilities but don't see how it's a problem with a properly secured network.

Does anyone else have some data I can use to understand how the user or the network might be vulnerable?

Tom

________________________________________
From: Healey, Thomas
Sent: Tuesday, February 15, 2011 2:45 PM
To: [email protected]
Subject: Re: [cas-user] SPNEGO and Windows 7

This fixed the Win7 and SPNEGO problem.
http://www.tomshardware.com/forum/75-63-windows-samba-issue

I only needed to send LM and NTLM responses. I did not need to disable 128-bit encryption.

Thank you Pavel and Bill for your time.

Tom

On Feb 15, 2011, at 9:33 AM, Healey, Thomas wrote:

> Yep, that's what we are doing. Did you find that you had to remove the password
> in order for it to work? I found that it works with or without for all
> clients except for Win 7.
> Tom
> On Feb 15, 2011, at 9:30 AM, Pavel Tavoda wrote:
>
>> We were solving some problem on this mailing list and we found out that
>> RC4-HMAC doesn't work. Then we switched to DES and everything started
>> working.
>>
>> Pavel
>>
>>
>> On Tue, Feb 15, 2011 at 3:21 PM, Healey, Thomas
>> <[email protected]> wrote:
>>> Thank you Pavel.
>>> I ended up doing that back in Jan 2010 when my network admins changed the
>>> AD server to run under 2008.
>>> What I do find interesting is the removal of the password. Why did you do
>>> that?
>>> Tom
>>> On Feb 15, 2011, at 5:59 AM, Pavel Tavoda wrote:
>>>
>>>> Hello,
>>>> we were recently solving a similar problem with 2003. Some hints which can
>>>> help:
>>>> 1) start with new CAS machine or change name of existing machine
>>>> 2) follow https://wiki.jasig.org/display/CASUM/SPNEGO but with "Java
>>>> 1.5 Update 7 and before" even if you have new java (create new SPN
>>>> account and don't forget to turn "Use DES encryption types for this
>>>> account")
>>>> 3) after creating keytab try 'kinit -k -t keytaba.file HTTP/fqdn@DOMAIN'
>>>> from machine where CAS server is running. You should
>>>> get ticket without typing password (klist tickets), don't use Java
>>>> tools klist, kinit, install them from MS.
>>>> 4) when you manage step 3 working, remove jcifsServicePassword from
>>>> deployerConfig.xml
>>>>
>>>> Pavel
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as:
>>>> [email protected]
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>> Tom Healey
>>> [email protected]
>>> Office:(434)924-0562
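An added example, not part of the thread: one way to see what a client actually sends once it is set to "send LM and NTLM responses" is to classify the response fields of a captured NTLM AUTHENTICATE (type 3) message by their lengths. It assumes the token has already been base64-decoded to raw bytes; the function names are hypothetical and the sample messages are constructed, not captured.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _buffer(msg, pos):
    """Read a (len, maxlen, offset) field header at pos and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Name the response family carried by an NTLM AUTHENTICATE (type 3) message."""
    if len(msg) < 28 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm = _buffer(msg, 12)  # LmChallengeResponse
    nt = _buffer(msg, 20)  # NtChallengeResponse
    if len(nt) > 24:
        return "NTLMv2"                      # NT proof plus variable-length blob
    if len(nt) == 24 and len(lm) == 24:
        if lm[8:] == bytes(16):              # client challenge padded with zeros
            return "NTLMv1 with extended session security"
        return "LM + NTLMv1"
    if len(nt) == 24:
        return "NTLMv1"
    if len(lm) == 24:
        return "LM only"
    return "no LM/NTLM response"

def build_sample(lm, nt):
    """Constructed type 3 message: 64-byte header, then the LM and NT payloads."""
    header = SIGNATURE + struct.pack("<I", 3)
    header += struct.pack("<HHI", len(lm), len(lm), 64)
    header += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    header = header.ljust(64, b"\x00")       # remaining fields left empty
    return header + lm + nt

if __name__ == "__main__":
    # Constructed payloads: only the lengths and zero padding matter here.
    samples = {
        "legacy client": build_sample(b"\x11" * 24, b"\x22" * 24),
        "session security": build_sample(b"\x33" * 8 + bytes(16), b"\x22" * 24),
        "modern client": build_sample(b"\x11" * 24, b"\x22" * 60),
    }
    for name, message in samples.items():
        print(f"{name}: {classify_authenticate(message)}")
```

A result of "LM + NTLMv1" means the client is sending both legacy response types, which is the case the NTLM vulnerabilities article linked in the first message is concerned with.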
