WebApp Sec mailing list archives
Smartcard-Logon and NTLM-Backward Compatability
From: "Jan P. Monsch" <jan.monsch () csnc ch>
Date: Fri, 01 Apr 2005 02:37:25 +0200
Hi! Lets have following szenario: 1) We have a Windows 2000 AD and Windows XP Clients. All users have a smartcard and logon to their windows client with the smartcard. This means that authentication with the AD happens via Kerberos and client certificate. 2) In the Intranet we have a web server (Tomcat with JCIFS) which uses NTLMv2 to authenticate the users against the AD. The web server does not support Kerberos. As far as I now NTLM does only work with username/passwords and not with smartcards. (Please correct me if I am wrong) Question: 1) Is it possible that a user with smartcard logon can login to the web server with NTLM? 2) When 1) is possible then how does the client machine know the password to be used for NTLM authentication? 3) If a password is used then I would like to know which password it is and who generated it? 4) Does the parallel use of NTLM "with smartcard" weaken the Smartcard-Logon with Kerberos. As far as I know client certificates with Kerberos is very secure. 5) If no password is used for NTLM with the web server is a Kerberos ticket passed through the NTLM mechanisms? I know that it would be best to migrate everything to Kerberos, but I have to know answers exactly to the above szenario. Thank you very much for your help! Kind regards Jan -- _____________________________________________________________ Jan P. Monsch Compass Security Network Computing AG Glärnischstrasse 7, CH-8640 Rapperswil, Switzerland Tel +41 55 214 41 67 Fax +41 55 214 41 61 jan.monsch () csnc ch http://www.csnc.ch PGP: F055 837D 2D86 1C86 C5E0 065C 0D16 B8B3 9E58 71F3 Security Review - Penetration Testing - Computer Forensics _____________________________________________________________
Current thread:
- Smartcard-Logon and NTLM-Backward Compatability Jan P. Monsch (Apr 05)
- Re: Smartcard-Logon and NTLM-Backward Compatability Saqib Ali (Apr 06)