Some vulnerabilities can be exploited on the server side where you are
authorizing. If you control what is in CAS, the CAS application, no XSS exploit
is possible in CAS.

Palo


On Fri, Feb 18, 2011 at 3:17 PM, Healey, Thomas <[email protected]> wrote:

> Pavel,
> What do you mean "control CAS"?
> And yes HTTPS all the way!
> Tom
> On Feb 18, 2011, at 8:53 AM, Pavel Tavoda wrote:
>
> The problem is between your browser -> NT domain server and your browser -> CAS
> server, not between your browser -> the other side authenticated with a CAS
> ticket. If you can control CAS, I guess you aren't vulnerable to this.
> And of course I hope you use HTTPS between your browser and CAS.
>
> Pavel
>
> On Fri, Feb 18, 2011 at 12:26 PM, Healey, Thomas <[email protected]> wrote:
> All,
> It turns out my network guy has been told that sending LM and NTLM
> responses is a security risk.
> I have read the Wikipedia article
> http://en.wikipedia.org/wiki/NTLM#Vulnerabilities
> but don't see how it's a problem with a properly secured network.
> Does anyone else have some data I can use to understand how the user or the
> network might be vulnerable?
>
> Tom
> ________________________________________
> From: Healey, Thomas
> Sent: Tuesday, February 15, 2011 2:45 PM
> To: [email protected]
> Subject: Re: [cas-user] SPNEGO and Windows 7
>
> This fixed the Win7 and SPNEGO problem.
>
> http://www.tomshardware.com/forum/75-63-windows-samba-issue
>
>
> I only needed to send LM and NTLM responses. I did not need to disable 128-bit
> encryption.
>
> Thank you Pavel and Bill for your time.
>
> Tom
>
>
> On Feb 15, 2011, at 9:33 AM, Healey, Thomas wrote:
>
> > Yep, that's what we are doing. Did you find that you had to remove the
> > password in order for it to work? I found that it works with or without for
> > all clients except for Win 7.
> > Tom
> > On Feb 15, 2011, at 9:30 AM, Pavel Tavoda wrote:
> >
> >> We were solving some problem on this mailing list and we found out that
> >> RC4-HMAC doesn't work. Then we switched to DES and everything started
> >> working.
> >>
> >> Pavel
> >>
> >>
> >> On Tue, Feb 15, 2011 at 3:21 PM, Healey, Thomas <[email protected]> wrote:
> >>> Thank you Pavel.
> >>> I ended up doing that back in Jan 2010 when my network admins changed
> >>> the AD server to run under 2008.
> >>> What I do find interesting is the removal of the password. Why did you
> >>> do that?
> >>> Tom
> >>> On Feb 15, 2011, at 5:59 AM, Pavel Tavoda wrote:
> >>>
> >>>> Hello,
> >>>> we were recently solving a similar problem with 2003. Some hints which can
> >>>> help:
> >>>> 1) start with a new CAS machine or change the name of the existing machine
> >>>> 2) follow https://wiki.jasig.org/display/CASUM/SPNEGO but with "Java
> >>>> 1.5 Update 7 and before" even if you have a new Java (create a new SPN
> >>>> account and don't forget to turn on "Use DES encryption types for this
> >>>> account")
> >>>> 3) after creating the keytab, try 'kinit -k -t keytaba.file
> >>>> HTTP/fqdn@DOMAIN' from the machine where the CAS server is running. You
> >>>> should get a ticket without typing a password (klist tickets); don't use
> >>>> the Java tools klist and kinit, install them from MS.
> >>>> 4) when you get step 3 working, remove jcifsServicePassword from
> >>>> deployerConfig.xml
> >>>>
> >>>> Pavel
> >>>>
> >>>>
> >>>
> >>> Tom Healey
> >>> [email protected]
> >>> Office: (434) 924-0562
> >>>
> >>
> >
> > Tom Healey
> > [email protected]
> > Office: (434) 924-0562
> >
>
> Tom Healey
> [email protected]
> Office: (434) 924-0562
>
>
>
>
> Tom Healey
> [email protected]
> Office: (434) 924-0562
>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
