RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Wilhelm, Brent

Rick,

Thanks for the info, I will look into it ASAP.

Brent

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 27, 2003 9:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] - reverse encryption of ad passwords

Brent,

I can't even imagine why your Network Engineer would think that you need to enable Reverse Encryption for SBR to work.  Your first question should be 'Do you REALLY know what you're doing?'  SBR does NOT require this setting - at least the current version(s), including the past couple of years.  I've implemented SBR and know this isn't necessary.

How/what is this being implemented for?  PKI is available, as is EAP-TLS (specifically for the WiFi environment).

SBR communicates with AD via the services that are installed.  Look here for a bit more information on install, but you are 100% correct for resisting Reverse Encryption.  RE is bad - very bad.

http://www.funk.com/subsections/sbrtechnotes.asp

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wilhelm, Brent
Sent: Tuesday, August 26, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords

Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you absolutely have to because it stores them in clear text.

Link:

http://msdn.microsoft.com/library/default.asp?url=""

So...  of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of interest?

Does anyone know any other ways to allow a third party (Steel Belted Radius) to talk with the AD?

Thanks - Brent


RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Rick Kingslan

Brent,

I can't even imagine why your Network Engineer would think that you need to enable Reverse Encryption for SBR to work.  Your first question should be 'Do you REALLY know what you're doing?'  SBR does NOT require this setting - at least the current version(s), including the past couple of years.  I've implemented SBR and know this isn't necessary.

How/what is this being implemented for?  PKI is available, as is EAP-TLS (specifically for the WiFi environment).

SBR communicates with AD via the services that are installed.  Look here for a bit more information on install, but you are 100% correct for resisting Reverse Encryption.  RE is bad - very bad.

http://www.funk.com/subsections/sbrtechnotes.asp

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wilhelm, Brent
Sent: Tuesday, August 26, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords

Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you absolutely have to because it stores them in clear text.

Link:

http://msdn.microsoft.com/library/default.asp?url=""

So...  of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of interest?

Does anyone know any other ways to allow a third party (Steel Belted Radius) to talk with the AD?

Thanks - Brent

RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Michael B. Smith

If you are using a non-Windows RADIUS client with IAS, or the client software only supports PAP or CHAP, the passwords for the users must be stored reversibly encrypted.

It's also required if a Macintosh is using remote access.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 27, 2003 7:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] - reverse encryption of ad passwords

Well, Win2k and later include the Internet Authentication Service, which IS RADIUS for Windows using AD as the database. I believe RADIUS servers can be chained (a la LDAP referrals) as well.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Wilhelm, Brent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 26, 2003 7:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords

Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you absolutely have to because it stores them in clear text.

Link:

http://msdn.microsoft.com/library/default.asp?url=""

So...  of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of interest?

Does anyone know any other ways to allow a third party (Steel Belted Radius) to talk with the AD?

Thanks - Brent

RE: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread Roger Seielstad

Well, Win2k and later include the Internet Authentication Service, which IS RADIUS for Windows using AD as the database. I believe RADIUS servers can be chained (a la LDAP referrals) as well.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Wilhelm, Brent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 26, 2003 7:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords

Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you absolutely have to because it stores them in clear text.

Link:

http://msdn.microsoft.com/library/default.asp?url=""

So...  of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of interest?

Does anyone know any other ways to allow a third party (Steel Belted Radius) to talk with the AD?

Thanks - Brent

Re: [ActiveDir] - reverse encryption of ad passwords

2003-08-27 Thread [EMAIL PROTECTED]
Brent,

I don't think it's a good idea to store reversibly encrypted passwords
in AD, especially since they get replicated to DCs which you may not be able
to physically secure.

However, you can use the password filter DLL to intercept password changes,
and dynamically store the new passwords away somewhere safe, for use in a
RADIUS service or other system.  That is essentially what we do with our
P-Synch product -- intercept password changes in progress, apply a
supplementary quality policy, and automatically push the new password to
other systems (including other LDAP directories, passwd files on Unix,
whatever).

This approach keeps AD pristine, only introduces a small DLL on each DC,
has negligible performance impact on the domain, and lets users keep one
password on multiple systems.

You might consider using three products to get the desired effect without
turning on plaintext or reversibly encrypted passwords:

  * Your preferred RADIUS service (sounds like Steel Belted).
    (http://funk.com)

  * Microsoft's MIIS to automatically mirror the user base from AD to
    whatever Steel Belted RADIUS likes to use natively.
    (http://microsoft.com/miis/)

  * P-Synch to synchronize passwords between the two.
    (http://psynch.com)

Good luck!

-- Idan

On Tue, 26 Aug 2003, Wilhelm, Brent wrote:

> Hey everybody,
>
> Our network engineer is pushing us to turn on
> reverse encryption at the root level so that he can stand up a third
> party radius server against it.
>
> Everything that my guys (server guys) have found says not to
> do it unless you absolutely have to because it stores them in clear
> text.
>
> Link:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp
>
> So...  of course we don't want to flip the switch.
>
> Does anyone know anything else about reverse encryption that
> might be of interest?
>
> Does anyone know any other ways to allow a third party
> (Steel Belted Radius) to talk with the AD?
>
> Thanks - Brent

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] - reverse encryption of ad passwords

2003-08-26 Thread Wilhelm, Brent

Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you absolutely have to because it stores them in clear text.

Link:

http://msdn.microsoft.com/library/default.asp?url=""

So...  of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of interest?

Does anyone know any other ways to allow a third party (Steel Belted Radius) to talk with the AD?

Thanks - Brent
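The thread turns on the domain-wide "Store passwords using reversible encryption" policy. The same behaviour can also be switched on for individual accounts through the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80) of userAccountControl, which is what the per-user checkbox in Active Directory Users and Computers sets, so a defender weighing a request like Brent's will want to know which accounts already carry it. The following Python is an added example written for this page, not code from any list member or from Funk, Microsoft or P-Synch; it decodes userAccountControl from an LDIF-style export (the shape ldifde writes) and lists the accounts with that bit set. The three records are constructed sample data, and the flag values are the ones Microsoft documents for userAccountControl.

```python
"""Audit which AD accounts are flagged to store their password with
reversible encryption, by decoding the userAccountControl attribute.

Added example for this thread; the LDIF below is constructed sample data,
not a real directory export.
"""
from typing import Dict, List

# Subset of documented userAccountControl bit flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # per-user "store password using reversible encryption"
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080

# Constructed sample export in the single-line 'attr: value' form ldifde emits.
# 512 = NORMAL_ACCOUNT; 640 = 512 + 0x80; 66176 = 65536 + 512 + 0x80.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,OU=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 640

dn: CN=svc-radius,OU=Service,DC=example,DC=test
sAMAccountName: svc-radius
userAccountControl: 66176
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse a minimal LDIF export into one dict per entry.

    Only single-line 'attr: value' pairs are handled, which covers the
    attributes this audit needs; base64 ('::') values and folded
    continuation lines are not supported.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_reversible(records: List[Dict[str, str]]) -> List[str]:
    """sAMAccountNames whose userAccountControl carries ENCRYPTED_TEXT_PWD_ALLOWED."""
    hits: List[str] = []
    for rec in records:
        uac = int(rec.get("userAccountControl", "0"))
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            hits.append(rec.get("sAMAccountName", rec.get("dn", "?")))
    return hits


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for rec in entries:
        uac = int(rec["userAccountControl"])
        print(f"{rec['sAMAccountName']:12} {uac:>8}  {', '.join(decode_uac(uac))}")
    print("accounts with reversible encryption:", find_reversible(entries))
```

Two caveats matter when assessing a request like this one. The per-account bit and the Group Policy setting (ClearTextPassword = 1 under [System Access] in a security template) are independent, so an audit that finds no accounts with the bit set does not prove the domain policy is off; the Default Domain Policy has to be checked separately. And enabling either only affects passwords set after the change, since existing passwords are not retroactively re-stored, so any test of whether CHAP or PAP authentication starts working must include a password reset for the test account.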