DaveMo 2007-06-09, 1:21 pm
On Jun 8, 4:00 am, "David" <idstech...@noemail.noemail> wrote:
> From Microsoft Windows XP/2003 Security Target paper, 2005: http://niap.bahialab.com/cc-scheme/st/st_vid4025-st.pdf
>
> 'However, in Windows Server 2003 TOE, the AD extended schema properties
> ensures that every newly created user account automatically has the Digest
> authentication password hashed and stored as a field in the "AltSecId"
> property of the user object.'
>
> Also altsecid and altsecurityidentities appear to be identical? http://www.google.co.uk/search?hl=e...tyidentities...
>
> Our problem is that when a new domain account is created
> altsecurityidentities is not populated for that user.
>
> Thanks
>
> David
>
> "David" <idstech...@noemail.noemail> wrote in message
>
> news:et069LbqHHA.4108@TK2MSFTNGP06.phx.gbl...
The AltSecId attribute probably is being populated but you can't see
it. My memory is fuzzy of exactly how this got spec'd, but since the
MD5 hash of the password is essentially a secret that we wouldn't have
wanted to make publicly available (dictionary attacks and all of that)
the ACL on the attribute is probably set such that only the DC local
system accounts have access since only the DC LSA needs to be able to
retrieve this info.
The problem may be on the client side.
- What client are you using?
- What version of IE?
- Is the client joined to the same domain?
- Are you testing with a domain user logged on?
- Are you seeing a password prompt?
Dave