Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- Subject: Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- From: Paul Nelson <email@hidden>
- Date: Mon, 07 Jan 2008 09:11:53 -0600
- Thread-topic: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
> From: "Timothy J. Miller" <email@hidden>
> If you could
>>> get cached creds on OS X (Paul, does ADmitMAC f/CAC support cached
>>> creds?) it should then work with
>>> Entourage (assuming Entourage can wield cached creds on OS X).
>>>
ADmitMac does cache login information, but it does not cache NTLMv2 creds.
This is technically possible, but it would not help with Entourage 2008
directly. Thursby does include an HTTP gateway that allows Erage 2004 to
use Kerberos creds. That gateway could be enhanced to use cached NTLMv2
creds.

The problem with the NTLMv2 credential caching is that it is a possible
security hole because of the kind of hash that is cached. This problem is
even worse with smart card users because admins don't require them to change
their password - these users have a password, but it is usually computer
generated. This means the hash that gets cached could be useful for a long
period of time, even past the expiration date of the smart card that was
used to obtain it.

The reason that the NTLMv2 hash can even be obtained is kind of a hack that
Microsoft put in to allow smart card users to work with older,
non-Kerberized versions of Exchange. Saving the hash is like storing a long
term password on client systems.

Paul Nelson
Thursby Software Systems, Inc.
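
The lifetime concern raised in the message above can be checked from directory data. The following is an added example, not part of the original post and not Thursby or Microsoft code: it flags smart-card-required accounts whose password (and therefore any cached hash) is old or has outlived the card. The account records, the `card_not_after` field and the 60-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

SMARTCARD_REQUIRED = 0x40000  # userAccountControl bit: smart card required for logon
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """AD timestamps such as pwdLastSet count 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def audit(accounts, now, max_age_days=60):
    """Flag smart-card accounts whose password hash is old or outlives the card.

    max_age_days is an assumed policy threshold, not a value from the post.
    """
    findings = []
    for acct in accounts:
        if not acct["userAccountControl"] & SMARTCARD_REQUIRED:
            continue  # password users are covered by normal expiry policy
        pwd_set = filetime_to_dt(acct["pwdLastSet"])
        age_days = (now - pwd_set).days
        card_end = acct["card_not_after"]
        # The password was never changed after the card expired, so a hash
        # cached while the card was valid still matches the account today.
        outlives_card = card_end < now and pwd_set < card_end
        if age_days > max_age_days or outlives_card:
            findings.append({"user": acct["sAMAccountName"],
                             "hash_age_days": age_days,
                             "outlives_card": outlives_card})
    return findings

# Constructed sample data; card_not_after is a hypothetical inventory field.
NOW = datetime(2008, 1, 7, tzinfo=timezone.utc)

def _acct(name, uac, pwd_age_days, card_days_left):
    return {"sAMAccountName": name, "userAccountControl": uac,
            "pwdLastSet": dt_to_filetime(NOW - timedelta(days=pwd_age_days)),
            "card_not_after": NOW + timedelta(days=card_days_left)}

SAMPLE = [
    _acct("alice", 0x40200, 900, -30),   # old hash, card already expired
    _acct("bob",   0x40200, 20, 700),    # recent hash, card valid
    _acct("carol", 0x00200, 400, 0),     # ordinary password account
    _acct("dave",  0x40200, 200, 500),   # old hash, card still valid
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, NOW):
        print(finding)
```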