Pavel,

What do you mean "control CAS"? And yes, HTTPS all the way!

Tom

On Feb 18, 2011, at 8:53 AM, Pavel Tavoda wrote:

Problem is between your browser -> NT domain server and your browser -> CAS server. Not between your browser -> other side authenticated with CAS ticket. If you can control CAS I guess you aren't vulnerable to this. And of course I hope you use HTTPS between your browser and CAS.

Pavel

On Fri, Feb 18, 2011 at 12:26 PM, Healey, Thomas <[email protected]> wrote:

All,

It turns out my network guy has been told that sending LM and NTLM responses is a security risk. I have read the Wikipedia article http://en.wikipedia.org/wiki/NTLM#Vulnerabilities but don't see how it's a problem with a properly secured network. Does anyone else have some data I can use to understand how the user or the network might be vulnerable?

Tom

________________________________________
From: Healey, Thomas
Sent: Tuesday, February 15, 2011 2:45 PM
To: [email protected]
Subject: Re: [cas-user] SPNEGO and Windows 7

This fixed the Win7 and SPNEGO problem.
http://www.tomshardware.com/forum/75-63-windows-samba-issue

I only needed to send LM and NTLM responses. I did not need to disable 128-bit encryption.

Thank you Pavel and Bill for your time.

Tom

On Feb 15, 2011, at 9:33 AM, Healey, Thomas wrote:

> Yep, that's what we are doing. Did you find that you had to remove the password in order for it to work? I found that it works with or without for all clients except for Win 7.
>
> Tom
>
> On Feb 15, 2011, at 9:30 AM, Pavel Tavoda wrote:
>
>> We were solving some problem on this mailing list and we found out that RC4-HMAC doesn't work. Then we switched to DES and everything started working.
>>
>> Pavel
>>
>> On Tue, Feb 15, 2011 at 3:21 PM, Healey, Thomas <[email protected]> wrote:
>>> Thank you Pavel.
>>> I ended up doing that back in Jan 2010 when my network admins changed the AD server to run under 2008.
>>> What I do find interesting is the removal of the password. Why did you do that?
>>>
>>> Tom
>>>
>>> On Feb 15, 2011, at 5:59 AM, Pavel Tavoda wrote:
>>>
>>>> Hello,
>>>> we were recently solving a similar problem with 2003. Some hints which can help:
>>>> 1) start with a new CAS machine or change the name of the existing machine
>>>> 2) follow https://wiki.jasig.org/display/CASUM/SPNEGO but with "Java 1.5 Update 7 and before" even if you have a new Java (create a new SPN account and don't forget to turn on "Use DES encryption types for this account")
>>>> 3) after creating the keytab, try 'kinit -k -t keytaba.file HTTP/fqdn@DOMAIN' from the machine where the CAS server is running. You should get a ticket without typing a password (klist tickets); don't use the Java klist and kinit tools, install them from MS.
>>>> 4) once you have step 3 working, remove jcifsServicePassword from deployerConfig.xml
>>>>
>>>> Pavel
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as: [email protected]
>>>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>> Tom Healey
>>> [email protected]
>>> Office: (434) 924-0562
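Pavel's step 3 (kinit -k -t against the keytab) needs a reachable KDC; as an added example that is not part of the thread or of CAS, the Python below reads a version-2 MIT-format keytab (what ktpass and MIT ktutil produce) offline and lists the enctype of every key, so you can confirm the SPN actually carries a DES key rather than only RC4-HMAC before removing jcifsServicePassword. The SPN, realm and key bytes in the sample are constructed.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757); the thread's SPNEGO worked with DES, not RC4-HMAC.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)     # uint16 big-endian length, then the bytes
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name), ...] from an MIT 0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "not a version-2 MIT keytab"
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                   # negative = deleted slot to skip; zero = malformed
            off = off - size if size else len(data)
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        names, p = [], off + 2
        for _ in range(ncomp + 1):      # realm first, then the principal's components
            s, p = _counted(data, p)
            names.append(s.decode())
        p += 8                          # skip name_type (4) and timestamp (4)
        vno, (etype,) = data[p], struct.unpack_from(">H", data, p + 1)  # 8-bit kvno, enctype
        _key, p = _counted(data, p + 3)
        if end - p >= 4:                # optional 32-bit kvno, used when non-zero
            vno = struct.unpack_from(">I", data, p)[0] or vno
        entries.append(("/".join(names[1:]) + "@" + names[0], vno,
                        ENCTYPES.get(etype, "etype-%d" % etype)))
        off = end
    return entries

def has_des_key(entries, principal):
    # True if the SPN has a DES key, i.e. "Use DES encryption types" took effect
    return any(p == principal and e.startswith("des-") for p, _, e in entries)

def make_entry(principal, vno, etype, key):
    # Builds one keytab entry for the constructed sample below (test data, not a real keytab)
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, vno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SPN = "HTTP/cas.example.com@EXAMPLE.COM"   # constructed sample SPN; one RC4-HMAC key and one des-cbc-md5 key
SAMPLE_KEYTAB = b"\x05\x02" + make_entry(SPN, 3, 23, b"\x11" * 16) + make_entry(SPN, 3, 3, b"\x22" * 8)
```

Windows 7 / Server 2008 R2 and later disable DES by default and MIT krb5 1.18 dropped it, so on a current domain the same listing should show an AES key rather than the DES one the thread needed.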
