Re: [Fed-Talk] Problems with OS X STIG, Domain Logins
- Subject: Re: [Fed-Talk] Problems with OS X STIG, Domain Logins
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 27 Jan 2012 18:52:10 +0000
- Thread-topic: [Fed-Talk] Problems with OS X STIG, Domain Logins
This is probably a mismatch of Kerberos etypes (encryption types). A
Windows 2003 AD domain controller only uses RC4 or DES for ticket
encryption. These are not permitted under FIPS 140-2. Newer
implementations are now using AES, but some versions of Windows will
reject AS-REQ packets using these etypes.
Wireshark or Netmon will decode the Kerberos protocol, and the returned
Kerberos error will tell you exactly what failed.
-- T
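To make the etype mismatch concrete, here is an added example (my own code, not from this thread or from Apple, Microsoft or Centrify) that models the AS exchange Timothy describes: a FIPS-restricted client offers only AES etypes, a Windows 2003-style KDC that knows only RC4 and DES has nothing in common with it, and the exchange ends in the KRB-ERROR a packet decode would show. The KDC profiles and the "KDC follows client preference order" rule are constructed assumptions for illustration; etype numbers and the error code come from the IANA Kerberos registry and RFC 4120.

```python
"""Model of Kerberos AS-REQ etype negotiation (added example, not from the thread).

Etype numbers follow the IANA Kerberos registry (RFC 3961/3962/4757);
error code 14 is KDC_ERR_ETYPE_NOSUPP (RFC 4120, section 7.5.9).
The KDC profiles below are constructed for illustration only.
"""

ETYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Of these, only the AES types are FIPS 140-2 approved algorithms.
FIPS_ETYPES = {17, 18}
KDC_ERR_ETYPE_NOSUPP = 14

# Constructed KDC profiles (assumption): a Windows 2003 DC offers only
# RC4 and DES; a newer DC also offers AES. Order = KDC preference.
KDC_WIN2003 = [23, 3, 1]
KDC_MODERN = [18, 17, 23]


def client_etypes(fips_only: bool):
    """Etype list the client places in the AS-REQ, in preference order.
    A FIPS-locked client (as after the STIG step) drops RC4 and DES."""
    prefs = [18, 17, 23, 3, 1]
    return [e for e in prefs if not fips_only or e in FIPS_ETYPES]


def kdc_select(req_etypes, kdc_etypes):
    """Model the KDC's session-key etype choice for the AS-REP.
    Assumes the KDC walks the client's list in order (real KDCs may apply
    their own ordering). Returns ('AS-REP', etype) or ('KRB-ERROR', code)."""
    for e in req_etypes:
        if e in kdc_etypes:
            return ("AS-REP", e)
    return ("KRB-ERROR", KDC_ERR_ETYPE_NOSUPP)


def diagnose(fips_only: bool, kdc_etypes):
    """Summarise the outcome the way a Wireshark/Netmon decode would read."""
    req = client_etypes(fips_only)
    kind, val = kdc_select(req, kdc_etypes)
    if kind == "AS-REP":
        fips = "FIPS" if val in FIPS_ETYPES else "non-FIPS"
        return f"AS-REP using {ETYPES[val]} ({fips})"
    return (f"KRB-ERROR {val} (KDC_ERR_ETYPE_NOSUPP): client offered "
            f"{[ETYPES[e] for e in req]}, KDC supports "
            f"{[ETYPES[e] for e in kdc_etypes]}")
```

Running `diagnose(True, KDC_WIN2003)` reproduces the failing case; `diagnose(True, KDC_MODERN)` shows the same client succeeding once AES is available on the KDC.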
On 1/26/12 2:11 PM, "Silberberg, David" <email@hidden> wrote:
>Has anyone out there successfully configured OS X Lion, using the
>existing STIG, and integrated the machines into Active Directory?
>
>We are attempting to create an OS X Lion image that meets our current
>security requirements, using the currently available STIG (I know, I know,
>that's only really been approved for 10.5, is still pending for 10.6,
>and there really isn't anything for 10.7, but there you have it). Our
>target is to include these machines in our current Active Directory
>structure. We are not modifying the AD schema; rather, we are using
>Centrify as our policy implementation tool.
>
>We're running into peculiar problems. Primarily, after we reach a certain
>point in the STIG, we can no longer log on to the machines with domain
>credentials. We're "babes in the woods" with OS X, so while we have some
>techniques, we're pretty much stuck with starting from scratch and moving
>more slowly when we have a problem; Time Machine backups don't help, they
>seem to make matters worse, especially with Centrify in the middle.
>
>Any help would be greatly appreciated.
>
>David Silberberg
>Don't anthropomorphize computers, they hate it
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden