InCommon Assurance Active Directory for Silver Cookbook
Conference Call Notes – September 7th, 2011

Silver/AD Cookbook available at: InCommon Silver with Active Directory Cookbook - DRAFT

Participants
Nick Roy, Nate Moraton (Iowa), Ann West (InCommon/Internet2/Michigan Tech), Russell Yount (CMU), Tom Goldson, Susan Knight, Javier _____ (Texas A&M), Tommy Doan (Texas), John Craybacher (Illinois), Ron Thielen, Cynthia Hazelton (U. Chicago), Thomas Callaci (Wisconsin - Madison), Dave Jaskie, Scott Purl, Keith Emmons, Bruno Wolff, David Rasmussen, Joseph Pascoe, Jim Kavanagh, Julie Reindl (Wisconsin - Milwaukee), Tina Meyer (Oklahoma State) [If we missed you or spelled your name wrong or got your institution wrong, please send a note to me at nicholas hyphen roy at uiowa dot edu]

Administrivia
Note taker: Nate Moraton (Iowa)
Discussion of monthly meeting schedule, use of the assurance@incommon.org list for discussion, and wiki editing logistics.  The group decided it was best to use the mailing list for discussion and feedback on the cookbook; feedback from the list discussions will then be folded into the cookbook.  The group likes the idea of free discussion on the assurance list, with a monthly meeting for administrative bits and follow-up.

Nick will send out a doodle poll to the assurance list to get feedback on the meeting time that works best for everyone interested.

Nick mentioned that he’s been asked to do some things that are going to require more of his time and would like to ask for interested parties to step up and volunteer to lead the AD/Silver cookbook effort.  If you’re interested in doing this, or know of a good candidate or candidates, please send a note to Nick (nicholas hyphen roy at uiowa dot edu).

Cookbook Structure, To-Dos, Feedback
Tom Callaci noted that people seem to be really excited about the cookbook, but one of the things that would really help is to fill out the appendices (especially A, B and C) to help fill in the blanks for technical requirements.  For instance, forest functional level 2008 means you can’t have any pre-2008 DCs in your forest; that would be good to add to the appendices.  Can you or can’t you use a Mac with AD if you require NTLMv2?  Things like that.  Nick commented that some of the AD experts who’ve helped with the cookbook, like Brian Arkills, Dan Metzler and Alex Barth, who couldn’t make the call today, have provided some good information on that, but it needs to get into the wiki.  We’d ask the technical experts to please fill in the blanks in the appendix with any knowledge they think is relevant there.  If you have specific questions about things you’d like to see there, please start a discussion on the assurance list and that will help get the ball rolling.

Ron Thielen noted that the cookbook is written from the perspective of an institution that’s planning to use AD for its primary Silver credential store.  Could we add information to differentiate the things you need to be concerned with if AD is your primary credential store from the things you need to be concerned with if some other system is your primary credential store for Silver and you only happen to publish those same passwords in AD?  Tom Callaci and Nick noted that people at Wisconsin and Iowa have thought about this, and we can’t think of an instance where you would not have to be concerned about all the areas identified in the cookbook if your AD implementation has the same passwords as those used for Silver.  One possible exception might be if you have an MIT KDC and your AD users proxy authentication to the MIT Kerberos realm via a trust, but that’s not documented in the cookbook.  If your institution does this and you’ve thought about it, please contribute your thoughts and start a discussion on the assurance list.  Nick asked everyone on the call to share these types of concerns with those “in the know” about authentication and Silver at their institutions and get them thinking about it if they have AD on campus.  Please try to get your AD and Silver people involved in this discussion, even if they might think that AD isn’t in scope; it’s likely that it is.

Ron Thielen and Tom Callaci noted that the table that sets out Microsoft’s recommended password policy is a bit too prescriptive, and there are many ways you could tune password parameters to meet the requirements for Silver.  They asked to replace that table with a paragraph saying you have to meet the entropy requirements, and pointing to an entropy calculator.

Russell Yount and Tom Callaci discussed multiple password stores from an entropy perspective: if you have multiple Kerberos KDCs, for instance an MIT and an AD implementation, how does that affect lockout, and what do you have to do to mitigate the risk of a brute-force attack?  Do you have to spread the statistical risk calculation across all systems equally, or can you do the calculation for each system and add them up?  Nick suggested starting a conversation on this on the assurance list.
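The following is an added worked example, not part of the meeting notes or the cookbook, illustrating the entropy-versus-lockout calculation the two paragraphs above refer to: it bounds an online guesser's success probability from each store's lockout settings and the password's min-entropy, and shows that two stores sharing one password give the attacker the sum of both guess budgets.  The 2^-14 target, the store parameters and the 31-bit min-entropy figure are assumptions chosen for illustration (the target follows NIST SP 800-63 Level 2, which the Silver profile is commonly understood to track); substitute your own policy values.

```python
from dataclasses import dataclass
from typing import List

# Assumed target, not taken from the notes: attacker success probability over
# the life of the secret must not exceed 2**-14 (NIST SP 800-63 Level 2 figure).
TARGET = 2.0 ** -14


@dataclass
class Store:
    """Lockout policy of one password store that holds the Silver password."""
    name: str
    lockout_threshold: int        # failed attempts that trigger a lockout
    reset_window_min: float       # minutes after which the failure counter resets


def guesses_per_lifetime(store: Store, lifetime_days: float) -> float:
    """Upper bound on guesses an attacker can make against one account without
    ever being locked out: (threshold - 1) guesses per reset window."""
    windows = lifetime_days * 24 * 60 / store.reset_window_min
    return (store.lockout_threshold - 1) * windows


def success_probability(stores: List[Store], min_entropy_bits: float,
                        lifetime_days: float) -> float:
    """Bound on online-guessing success when every store shares the password.
    Each store keeps its own lockout counter, so the guess budgets add up;
    min-entropy of H bits means no single guess succeeds with p > 2**-H."""
    total_guesses = sum(guesses_per_lifetime(s, lifetime_days) for s in stores)
    return min(1.0, total_guesses / 2.0 ** min_entropy_bits)


def meets_target(stores: List[Store], min_entropy_bits: float,
                 lifetime_days: float, target: float = TARGET) -> bool:
    return success_probability(stores, min_entropy_bits, lifetime_days) <= target


# Constructed sample policies: an AD domain and an MIT KDC holding the same password.
AD = Store("Active Directory", lockout_threshold=5, reset_window_min=30)
MIT_KDC = Store("MIT Kerberos", lockout_threshold=10, reset_window_min=60)

if __name__ == "__main__":
    for stores in ([AD], [MIT_KDC], [AD, MIT_KDC]):
        names = " + ".join(s.name for s in stores)
        p = success_probability(stores, min_entropy_bits=31, lifetime_days=365)
        verdict = "OK" if meets_target(stores, 31, 365) else "FAILS target"
        print(f"{names}: p = {p:.3e} ({verdict})")
```

Each store passes on its own at 31 bits of min-entropy and a one-year lifetime, but the combined guess budget pushes the bound past the target, which is why the cookbook treats every store holding the Silver password as in scope.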

The question of MSCHAPv2, RADIUS servers and 802.1X, and how disabling things like NTLMv1 impacts that (for instance, does disabling NTLMv1 prevent RADIUS backed by AD credentials from supporting 802.1X for wireless?) was posed.  Nick suggested a discussion about this on the assurance list, and asked the person who posed the question (we didn’t capture who that was, our apologies) to raise it on the list.

Follow-up, any other items
Cynthia Hazelton asked how she could be added to the assurance list; Ann West noted that there should be information on subscribing on the InCommon site.  It looks like you can also subscribe at: https://lists.incommon.org/sympa/info/assurance [ed.]