The problem is between your browser -> NT domain server and your browser -> CAS server. Not between your browser -> other side authenticated with CAS ticket. If you can control CAS I guess you aren't vulnerable to this. And of course I hope you use HTTPS between your browser and CAS.
Pavel

On Fri, Feb 18, 2011 at 12:26 PM, Healey, Thomas <[email protected]> wrote:
> All,
> It turns out my network guy has been told that sending LM and NTLM
> responses is a security risk.
> I have read the wikipedia article
> http://en.wikipedia.org/wiki/NTLM#Vulnerabilities
> but don't see how it's a problem with a properly secured network.
> Does anyone else have some data I can use to understand how the user or the
> network might be vulnerable?
>
> Tom
> ________________________________________
> From: Healey, Thomas
> Sent: Tuesday, February 15, 2011 2:45 PM
> To: [email protected]
> Subject: Re: [cas-user] SPNEGO and Windows 7
>
> This fixed the Win7 and SPNEGO problem.
>
> http://www.tomshardware.com/forum/75-63-windows-samba-issue
>
> I only needed to send LM and NTLM responses. I did not need to disable 128
> bit encryption.
>
> Thank you Pavel and Bill for your time.
>
> Tom
>
> On Feb 15, 2011, at 9:33 AM, Healey, Thomas wrote:
>
>> Yep, that's what we are doing. Did you find that you had to remove the
>> password in order for it to work? I found that it works with or without for
>> all clients except for Win 7.
>>
>> Tom
>>
>> On Feb 15, 2011, at 9:30 AM, Pavel Tavoda wrote:
>>
>>> We were solving some problem on this mailing list and we found out that
>>> RC4-HMAC doesn't work. Then we switched to DES and everything started
>>> working.
>>>
>>> Pavel
>>>
>>> On Tue, Feb 15, 2011 at 3:21 PM, Healey, Thomas <[email protected]> wrote:
>>>> Thank you Pavel.
>>>> I ended up doing that back in Jan 2010 when my network admins changed
>>>> the AD server to run under 2008.
>>>> What I do find interesting is the removal of the password. Why did you
>>>> do that?
>>>> Tom
>>>> On Feb 15, 2011, at 5:59 AM, Pavel Tavoda wrote:
>>>>
>>>>> Hello,
>>>>> we were recently solving a similar problem with 2003. Some hints which can
>>>>> help:
>>>>> 1) start with a new CAS machine or change the name of the existing machine
>>>>> 2) follow https://wiki.jasig.org/display/CASUM/SPNEGO but with "Java
>>>>> 1.5 Update 7 and before" even if you have new java (create new SPN
>>>>> account and don't forget to turn on "Use DES encryption types for this
>>>>> account")
>>>>> 3) after creating keytab try 'kinit -k -t keytaba.file
>>>>> HTTP/fqdn@DOMAIN' from machine where CAS server is running. You should
>>>>> get ticket without typing password (klist tickets), don't use Java
>>>>> tools klist, kinit, install them from MS.
>>>>> 4) when you manage to get step 3 working, remove jcifsServicePassword from
>>>>> deployerConfig.xml
>>>>>
>>>>> Pavel
>>>>
>>>> Tom Healey
>>>> [email protected]
>>>> Office:(434)924-0562

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
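To see what a keytab from step 3 actually contains before running the kinit check, here is an added example (not code from this thread, from CAS, or from any Kerberos tool) that parses the MIT keytab format that kinit and klist read and labels each key's enctype, flagging the single-DES and RC4-HMAC types the thread switches between. The principal HTTP/cas.example.org@EXAMPLE.ORG, the kvnos and the key bytes are constructed placeholders; make_keytab exists only to build that sample.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",      # RFC 3961/3962, RFC 4757
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 3, 23}  # single DES and RC4-HMAC: the types an audit should flag
def _counted(buf, off):  # keytab counted_octet_string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def make_keytab(entries):  # build a version-2 (0x0502) keytab from (principal, kvno, enctype, key)
    s = lambda b: struct.pack(">H", len(b)) + b
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + s(realm.encode())
        body += b"".join(s(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + s(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out
def parse_keytab(data):  # -> [(principal, kvno, enctype)]; key bytes are never returned
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size < 0: off = end; continue  # negative size marks a deleted slot
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                                      # skip name_type and timestamp
        vno, (enctype,) = data[p], struct.unpack_from(">H", data, p + 1)
        _key, p = _counted(data, p + 3)
        if end - p >= 4:                            # optional 32-bit kvno overrides vno8
            (vno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, enctype))
        off = end
    return entries
def audit(data):  # label each key so a deployer sees whether the keytab relies on weak types
    return [(p, ENCTYPES.get(e, "enctype-%d" % e), "weak" if e in WEAK else "ok")
            for p, _, e in parse_keytab(data)]

# Constructed sample (not a real keytab): the step-3 SPN with one DES key and one AES key
SAMPLE = make_keytab([("HTTP/cas.example.org@EXAMPLE.ORG", 2, 3, b"\x11" * 8),
                      ("HTTP/cas.example.org@EXAMPLE.ORG", 2, 18, b"\x22" * 32)])
```

Against a real file, pass open("cas.keytab", "rb").read() to audit() instead of SAMPLE; a keytab that only offers a "weak" row is one that works with the DES account setting but nothing stronger.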
