RE: [ActiveDir] - reverse encryption of ad passwords
Rick,

Thanks for the info, I will look into it ASAP.

Brent

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 27, 2003 9:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] - reverse encryption of ad passwords
RE: [ActiveDir] - reverse encryption of ad passwords
Brent,

I can't even imagine why your Network Engineer would think that you need to enable Reverse Encryption for SBR to work. Your first question should be "Do you REALLY know what you're doing?" SBR does NOT require this setting - at least the current version(s), including the past couple of years. I've implemented SBR and know this isn't necessary. How/what is this being implemented for? PKI is available, as is EAP-TLS (specifically for the WiFi environment). SBR communicates with AD via the services that are installed.

Look here for a bit more information on install, but you are 100% correct for resisting Reverse Encryption. RE is bad - very bad.

http://www.funk.com/subsections/sbrtechnotes.asp

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wilhelm, Brent
Sent: Tuesday, August 26, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords
RE: [ActiveDir] - reverse encryption of ad passwords
If you are using a non-Windows RADIUS client with IAS, or the client software only supports PAP or CHAP, the passwords for the users must be stored reversibly encrypted. It's also required if a Macintosh is using remote access.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 27, 2003 7:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] - reverse encryption of ad passwords
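The message above says when reversible encryption is genuinely required (PAP/CHAP clients). Before deciding either way, an administrator wants to know where it is already switched on, since it can be enabled at three levels: the default domain policy (the "root level" switch from the original post), a fine-grained password policy applied to a subset of users, or the per-account flag. The following audit script is an added example, not code from anyone in this thread; it assumes the ActiveDirectory PowerShell module is installed and that the caller has read access to the domain. It changes nothing.

```powershell
# Added example (not from the thread): report every place reversible
# password encryption is enabled in the current domain. Read-only.
Import-Module ActiveDirectory

# 1. Domain-wide default password policy.
$default = Get-ADDefaultDomainPasswordPolicy
[PSCustomObject]@{
    Scope                = 'Default Domain Policy'
    ReversibleEncryption = $default.ReversibleEncryptionEnabled
}

# 2. Fine-grained password policies (PSOs) can turn it on for a subset
#    of users even when the domain default leaves it off.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, ReversibleEncryptionEnabled, AppliesTo

# 3. Per-account flag: bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) in
#    userAccountControl. The matching-rule OID 1.2.840.113556.1.4.803 is
#    LDAP's bitwise AND, so this filter returns accounts with that bit set.
$flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
    -Properties userAccountControl, PasswordLastSet
$flagged | Select-Object SamAccountName, Enabled, PasswordLastSet

# Note: the setting only takes effect on the next password change while it
# applies. Existing passwords are not converted when it is enabled, and an
# already-stored reversible value is not removed when it is disabled until
# that account's password is changed again. PasswordLastSet shows whether a
# flagged account has changed its password since the setting changed.
```

If the audit shows the flag set only on the handful of accounts that actually authenticate with PAP or CHAP, the exposure is limited to those accounts rather than the whole domain; if it is set in the default domain policy, every password changed since then is recoverable by anyone who can read or replicate the directory database.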
RE: [ActiveDir] - reverse encryption of ad passwords
Well, Win2k and later include the Internet Authentication Service, which IS RADIUS for Windows using AD as the database. I believe RADIUS servers can be chained (a la LDAP referrals) as well.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Wilhelm, Brent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 26, 2003 7:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] - reverse encryption of ad passwords
Re: [ActiveDir] - reverse encryption of ad passwords
Brent,

I don't think it's a good idea to store reversibly encrypted passwords in AD, especially since they get replicated to DCs which you may not be able to physically secure.

However, you can use the password filter DLL to intercept password changes, and dynamically store the new passwords away somewhere safe, for use in a RADIUS service or other system. That is essentially what we do with our P-Synch product -- intercept password changes in progress, apply a supplementary quality policy, and automatically push the new password to other systems (including other LDAP directories, passwd files on Unix, whatever). This approach keeps AD pristine, only introduces a small DLL on each DC, has negligible performance impact on the domain, and lets users keep one password on multiple systems.

You might consider using three products to get the desired effect without turning on plaintext or reversibly encrypted passwords:

* Your preferred RADIUS service (sounds like Steel Belted). (http://funk.com)
* Microsoft's MIIS to automatically mirror the user base from AD to whatever Steel Belted RADIUS likes to use natively. (http://microsoft.com/miis/)
* P-Synch to synchronize passwords between the two. (http://psynch.com)

Good luck!

-- Idan

On Tue, 26 Aug 2003, Wilhelm, Brent wrote:

> Hey everybody,
>
> Our network engineer is pushing us to turn on reverse encryption at the root level so that he can stand up a third party radius server against it.
>
> Everything that my guys (server guys) have found says not to do it unless you absolutely have to because it stores them in clear text.
>
> Link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp
>
> So... of course we don't want to flip the switch.
>
> Does anyone know anything else about reverse encryption that might be of interest?
>
> Does anyone know of any other ways to allow a third party (Steel Belted Radius) to talk with the AD?
>
> Thanks - Brent

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
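Idan's approach registers a password filter DLL on every domain controller, and that has a consequence worth checking on: any DLL listed in LSA's Notification Packages receives each new password in clear text before it is hashed, so the list on a DC should contain only packages you deliberately installed. The script below is an added example, not code from Idan, P-Synch or anyone else on this thread; it reads the registry value on the machine it runs on (run it on each DC), checks that each listed DLL is actually present in System32, and reports its Authenticode signature status. It assumes the default Windows loading location for these DLLs and makes no changes.

```powershell
# Added example (not from the thread): list the password filter /
# notification DLLs registered with LSA on this machine and check that
# each is present and signed. On a domain controller the Microsoft-supplied
# entries are typically "scecli" and "rassfm"; anything else should be a
# package you installed on purpose, such as a password-synchronisation filter.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'

foreach ($name in $packages) {
    # Entries are normally bare module names; LSA loads them from System32.
    $file = if ($name -match '\.dll$') { $name } else { "$name.dll" }
    $path = Join-Path $env:SystemRoot "System32\$file"
    $present = Test-Path -Path $path

    # Signature status: Valid for Microsoft and properly signed vendor DLLs,
    # NotSigned / HashMismatch etc. otherwise. 'n/a' if the file is missing
    # (a registered name with no file on disk is itself worth investigating).
    $signature = if ($present) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

    [PSCustomObject]@{
        Package   = $name
        Path      = $path
        Present   = $present
        Signature = $signature
    }
}
```

Because the value is REG_MULTI_SZ, `$packages` comes back as an array of strings and the loop emits one row per registered package. Comparing the output across all DCs (they should match) and against the list of filters you have actually deployed is the check that makes "only introduces a small DLL on each DC" a controlled change rather than an unknown one.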
[ActiveDir] - reverse encryption of ad passwords
Hey everybody,

Our network engineer is pushing us to turn on reverse encryption at the root level so that he can stand up a third party radius server against it.

Everything that my guys (server guys) have found says not to do it unless you absolutely have to because it stores them in clear text.

Link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp

So... of course we don't want to flip the switch.

Does anyone know anything else about reverse encryption that might be of interest?

Does anyone know of any other ways to allow a third party (Steel Belted Radius) to talk with the AD?

Thanks - Brent