lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 01 Apr 2005 02:37:25 +0200
From: "Jan P. Monsch" <jan.monsch@...c.ch>
To: webappsec@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Smartcard-Logon and NTLM-Backward Compatability


Hi!

Lets have following szenario:

1) We have a Windows 2000 AD and Windows XP Clients. All users have a
smartcard and logon to their windows client with the smartcard. This
means that authentication with the AD happens via Kerberos and client
certificate.

2) In the Intranet we have a web server (Tomcat with JCIFS) which uses
NTLMv2 to authenticate the users against the AD. The web server does not
support Kerberos. As far as I now NTLM does only work with
username/passwords and not with smartcards. (Please correct me if I am
wrong)

Question:
1) Is it possible that a user with smartcard logon can login to the web
server with NTLM?
2) When 1) is possible then how does the client machine know the
password to be used for NTLM authentication?
3) If a password is used then I would like to know which password it is
and who generated it?
4) Does the parallel use of NTLM "with smartcard" weaken the
Smartcard-Logon with Kerberos. As far as I know client certificates with
Kerberos is very secure.
5) If no password is used for NTLM with the web server is a Kerberos
ticket passed through the NTLM mechanisms?

I know that it would be best to migrate everything to Kerberos, but I
have to know answers exactly to the above szenario.

Thank you very much for your help!

Kind regards
Jan

-- 
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG
Glärnischstrasse 7, CH-8640 Rapperswil, Switzerland

Tel +41 55 214 41 67
Fax +41 55 214 41 61
jan.monsch@...c.ch
http://www.csnc.ch

PGP: F055 837D 2D86 1C86 C5E0  065C 0D16 B8B3 9E58 71F3

Security Review - Penetration Testing - Computer Forensics
_____________________________________________________________

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ