Forum.Brain-Cluster.com: Brain Cluster Technical Forum
SASL Authentication [message #160951] Fri, 11 September 2009 00:34
Jim (Australia)
Messages: 1625
Registered: July 2009
Senior Member
We are using Windows Server 2003 SP2 DCs.

Are there any known issues/limitations of using the Digest-MD5 authentication mechanism against AD?

Should SSL be set up on DCs for using Digest-MD5?

Should the passwords be saved in reverse fashion for MD5 auth to work?

When using Digest-MD5, are passwords transmitted using clear text? Or are passwords stored as clear text in AD?
Re: SASL Authentication [message #160973 is a reply to message #160951] Fri, 11 September 2009 13:25
Joe Kaplan (United States)
Messages: 88
Registered: July 2009
Member
Digest does not involve passing plaintext passwords on the network. It
would not be a very good authentication protocol if it did. :)

SSL is not needed for Digest although you can use it in conjunction with
Digest if you'd like to encrypt the network channel.

Reversible encryption is no longer needed. In 2003, the DC precomputes
digest hashes and stores them along with the other password secrets. This
is a good thing. However, there is one trick with this in that it also
makes user names case sensitive which they typically are not in Windows.
The reason is that the hash must be based on a binary version of the string
data and characters of different cases are different binary values. What
happens is that a hash is computed with the name as it is stored in the
directory, an upper case version and a lower case version. However, if the
user provides a username that does not match one of those casings, you'll
get an auth failure.

So, hopefully that helps. I guess I would not say there are any limitations
per se. Digest auth is infrequently used against AD so there isn't a ton
of experience or documentation about it, but it is there.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: SASL Authentication [message #160987 is a reply to message #160973] Fri, 11 September 2009 14:48
michael[1]
Messages: 10
Registered: August 2009
Junior Member
Joe Kaplan wrote:
> Digest does not involve passing plaintext passwords on the network. It
> would not be a very good authentication protocol if it did. :)

Indeed with SASL/DIGEST-MD5 only a MD5 hash calculated over the password and a
random challenge is transmitted.

> SSL is not needed for Digest although you can use it in conjunction with
> Digest if you'd like to encrypt the network channel.

I vaguely remember that there are some issues even with SASL/DIGEST-MD5 and so
the recommendation is to also use SSL/TLS with that bind mech if you have
really strong security requirements. If you don't expect attacks with lots of
CPU power it still might be ok for protecting against sniffing.

> Reversible encryption is no longer needed. In 2003, the DC precomputes
> digest hashes and stores them along with the other password secrets.
> This is a good thing. However, there is one trick with this in that it
> also makes user names case sensitive which they typically are not in
> Windows.

And there's also a problem with non-ASCII chars in usernames when sending the
username in UTF-8 (as indicated by AD's SASL response).

Full story:
http://groups.google.com/group/microsoft.public.windows.server.active_directory/browse_thread/thread/5e6b2890e9138ba2/be82fa83f0e56278?hl=de#be82fa83f0e56278

> I guess I would not say there are any
> limitations per say.

Also the DNS configuration (A and PTR RRs) MUST be correct. I had problems
when using the IP address when connecting and without correct DNS PTR
resolving. Don't know why though.

> Digest auth is infrequently used against AD so
> there isn't a ton of experience or documentation about it, but it is there.

A customer of mine is using SASL/DIGEST-MD5 with his portal software for
authenticating end users.

Ciao, Michael.