Re: [Fed-Talk] Problems with OS X STIG, Domain Logins
  • Subject: Re: [Fed-Talk] Problems with OS X STIG, Domain Logins
  • From: "Miller, Timothy J." <email@hidden>
  • Date: Fri, 27 Jan 2012 18:52:10 +0000
  • Thread-topic: [Fed-Talk] Problems with OS X STIG, Domain Logins

This is probably a mismatch of Kerberos etypes (encryption types).  A
Windows 2003 AD domain controller only uses RC4 or DES for ticket
encryption.  These are not permitted under FIPS 140-2.  Newer
implementations are now using AES, but some versions of Windows will
reject AS-REQ packets using these etypes.

Wireshark or Netmon will decode the Kerberos protocol, and the returned
Kerberos error will tell you exactly what failed.

-- T


On 1/26/12 2:11 PM, "Silberberg, David" <email@hidden> wrote:

>Has anyone out there successfully configured OS X Lion, using the
>existing STIG, and integrated the machines into Active Directory?
>
>We are attempting to create an OS X Lion image that meets our current
>security requirements, using the currently available STIG (I know, I know
>- that's only really been approved for 10.5, is still pending for 10.6,
>and there really isn't anything for 10.7, but there you have it).  Our
>target is to include these machines in
>our current Active Directory structure. We are not modifying the AD
>schema, rather, we are using Centrify as our policy implementation tool.
>
>We're running into peculiar problems. Primarily, after we reach a certain
>point in the STIG, we can no longer log on to the machines with domain
>credentials.  We're "babes in the woods" with OS X, so while we have some
>techniques, we're pretty much stuck
>with starting from scratch and moving more slowly when we have a problem;
>Time Machine backups don't help, they seem to make matters worse,
>especially with Centrify in the middle.
>
>Any help would be greatly appreciated.
>
>David Silberberg
>Don't anthropomorphize computers, they hate it
>
>
>
>
>
> _______________________________________________
>Do not post admin requests to the list. They will be ignored.
>Fed-talk mailing list      (email@hidden)
>Help/Unsubscribe/Update your Subscription:
>
>This email sent to email@hidden
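
The etype mismatch suggested in the reply above, modelled as an added example (not part of the original thread, and not Apple, Microsoft or Centrify code). The client and KDC etype lists are constructed assumptions, the function names are hypothetical, and the selection rule is simplified to "first client-preferred etype the KDC supports"; the etype numbers and error code 14 (KDC_ERR_ETYPE_NOSUPP) are the standard Kerberos values a Wireshark decode would show.

```python
# Added example, not from the thread. Etype numbers are the IANA Kerberos
# assignments; error code 14 is KDC_ERR_ETYPE_NOSUPP from RFC 4120.
ETYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
FIPS_OK = {17, 18}          # per the reply: RC4 and DES are not permitted
KDC_ERR_ETYPE_NOSUPP = 14

# Constructed sample configurations (assumptions, not captured traffic).
KDC_RC4_DES_ONLY = {23, 3, 1}     # a KDC like the Windows 2003 DC described
KDC_WITH_AES = {18, 17, 23}
CLIENT_DEFAULT = [18, 17, 23]     # preference order offered in the AS-REQ
CLIENT_HARDENED = [18, 17]        # RC4/DES removed by hardening


def negotiate(client_offer, kdc_supported):
    """Simplified KDC choice: first client-preferred etype the KDC supports."""
    for etype in client_offer:
        if etype in kdc_supported:
            return {"etype": etype, "name": ETYPES.get(etype, f"etype-{etype}"),
                    "error": None, "fips_ok": etype in FIPS_OK}
    return {"etype": None, "name": None,
            "error": KDC_ERR_ETYPE_NOSUPP, "fips_ok": False}


def diagnose(client_offer, kdc_supported):
    """Turn the negotiation result into the finding an admin would act on."""
    result = negotiate(client_offer, kdc_supported)
    if result["error"] == KDC_ERR_ETYPE_NOSUPP:
        offered = ", ".join(ETYPES.get(e, str(e)) for e in client_offer)
        return f"login fails: KDC error 14, no common etype (client offered {offered})"
    if not result["fips_ok"]:
        return f"login works but ticket uses {result['name']}, which is not FIPS-permitted"
    return f"login works with {result['name']}"


if __name__ == "__main__":
    for label, client, kdc in [
        ("default client / RC4+DES KDC", CLIENT_DEFAULT, KDC_RC4_DES_ONLY),
        ("hardened client / RC4+DES KDC", CLIENT_HARDENED, KDC_RC4_DES_ONLY),
        ("hardened client / AES KDC", CLIENT_HARDENED, KDC_WITH_AES),
    ]:
        print(f"{label}: {diagnose(client, kdc)}")
```

The second case is the pattern to look for in a capture: the login worked before hardening because RC4 was still on offer, and stops once only AES etypes remain.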



