Re: [Fed-Talk] Problems with OS X STIG, Domain Logins
- Subject: Re: [Fed-Talk] Problems with OS X STIG, Domain Logins
- From: "O'Donnell, Dan" <email@hidden>
- Date: Mon, 30 Jan 2012 18:25:49 +0000
- Thread-topic: [Fed-Talk] Problems with OS X STIG, Domain Logins
One of the things I learned at Macworld 2012: Kerberos in OSX 10.7 is no
longer MIT Kerberos, it is now Heimdal Kerberos.
<http://linsec.ca/blog/2011/07/26/kerberos-on-os-x-10-7-lion/>
-----Original Message-----
From: "Timothy J. Miller" <email@hidden>
Date: Fri, 27 Jan 2012 18:52:10 +0000
To: "Silberberg, David" <email@hidden>,
"email@hidden" <email@hidden>
Subject: Re: [Fed-Talk] Problems with OS X STIG, Domain Logins
>This is probably a mismatch of Kerberos etypes (encryption types). A
>Windows 2003 AD domain controller only uses RC4 or DES for ticket
>encryption. These are not permitted under FIPS 140-2. Newer
>implementations are now using AES, but some versions of Windows will
>reject AS-REQ packets using these etypes.
>
>Wireshark or Netmon will decode Kerberos protocol, and the returned
>Kerberos error will tell you exactly what failed.
>
>-- T
>
>
>On 1/26/12 2:11 PM, "Silberberg, David" <email@hidden> wrote:
>
>>Has anyone out there successfully configured OS X Lion, using the
>>existing STIG, and integrated the machines into Active Directory?
>>
>>We are attempting to create an OS X Lion image that meets our current
>>security requirements, using the currently available STIG (I know, I know
>>that's only really been approved for 10.5, is still pending for 10.6,
>>and there really isn't anything for
>>10.7, but there you have it). Our target is to include these machines in
>>our current Active Directory structure. We are not modifying the AD
>>schema, rather, we are using Centrify as our policy implementation tool.
>>
>>We're running into peculiar problems. Primarily, after we reach a certain
>>point in the STIG, we can no longer log on to the machines with domain
>>credentials. We're "babes in the woods" with OS X, so while we have some
>>techniques, we're pretty much stuck
>>with starting from scratch and moving more slowly when we have a problem;
>>Time Machine backups don't help, they seem to make matters worse,
>>especially with Centrify in the middle.
>>
>>Any help would be greatly appreciated.
>>
>>David Silberberg
>>Don't anthropomorphize computers, they hate it
>>
>> _______________________________________________
>>Do not post admin requests to the list. They will be ignored.
>>Fed-talk mailing list (email@hidden)
>>Help/Unsubscribe/Update your Subscription:
>>
>>This email sent to email@hidden
>
>
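Timothy's advice above is to capture the exchange and read the KRB-ERROR the KDC sends back. As an added illustration (not code from anyone in this thread), here is a small Python decoder that pulls the error code and e-text out of a DER-encoded KRB-ERROR, run against a constructed message for a made-up realm EXAMPLE.COM; the DER helpers, the sample values and the error-code subset are my own assumptions, taken from RFC 4120.

```python
# Minimal DER reader for a Kerberos KRB-ERROR (RFC 4120 sec. 5.9.1): pulls out
# error-code and e-text, the fields that say why the AS exchange failed.

# Subset of error codes from RFC 4120 sec. 7.5.9
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP",
              24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
              37: "KRB_AP_ERR_SKEW"}

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, bodies shorter than 256 bytes)."""
    ln = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + ln + body

def _read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_krb_error(msg: bytes) -> dict:
    """Return error_code, error_name and e_text from a DER KRB-ERROR."""
    tag, seq, _ = _read_tlv(msg, 0)
    if tag != 0x7E:                     # [APPLICATION 30]
        raise ValueError("not a KRB-ERROR")
    _, fields, _ = _read_tlv(seq, 0)    # the inner SEQUENCE
    out, pos = {"error_code": None, "error_name": None, "e_text": None}, 0
    while pos < len(fields):            # walk the context-tagged fields
        ctx, inner, pos = _read_tlv(fields, pos)
        _, val, _ = _read_tlv(inner, 0)
        if ctx == 0xA6:                 # [6] error-code Int32
            out["error_code"] = int.from_bytes(val, "big", signed=True)
            out["error_name"] = KRB_ERRORS.get(out["error_code"], "UNKNOWN")
        elif ctx == 0xAB:               # [11] e-text KerberosString
            out["e_text"] = val.decode("ascii", "replace")
    return out

def sample_etype_nosupp() -> bytes:
    """Constructed KRB-ERROR (not a real capture): a KDC rejecting every
    etype the client offered, the mismatch described in the thread."""
    f = lambda n, tag, body: _tlv(0xA0 | n, _tlv(tag, body))   # [n] field
    sname = (f(0, 0x02, b"\x01")                                 # name-type
             + f(1, 0x30, _tlv(0x1B, b"krbtgt") + _tlv(0x1B, b"EXAMPLE.COM")))
    body = (f(0, 0x02, b"\x05") + f(1, 0x02, b"\x1e")           # pvno, msg-type 30
            + f(4, 0x18, b"20120126191100Z") + f(5, 0x02, b"\x00")  # stime, susec
            + f(6, 0x02, b"\x0e")                                # error-code 14
            + f(9, 0x1B, b"EXAMPLE.COM") + f(10, 0x30, sname)   # realm, sname
            + f(11, 0x1B, b"KDC has no support for encryption type"))
    return _tlv(0x7E, _tlv(0x30, body))
```

Calling parse_krb_error(sample_etype_nosupp()) reports error 14, KDC_ERR_ETYPE_NOSUPP; the same function can be pointed at the kerberos bytes Wireshark exports from a real capture.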