VMware Cloud Community
Stuarty1874
Contributor

Active Directory Authentication (Encryption Level)

I'm familiar with using the esxcfg-auth --enablead command in ESX and have successfully implemented it in a few environments.

I was asked a question by our security team that I wasn't able to answer.

What level of encryption is used to pass the credentials/password back to the ESX host when it authenticates a user against Active Directory?

Can anyone offer any advice or point me to an article that will help me get a better understanding of this?

4 Replies
Texiwill
Leadership

Hello,

Moved to Security Forum.

This depends on the AD server in use and what negotiation it does. You should be able to get that information out of AD; you may be able to get this information from kinit -V, klist, but to do this you will need to install krb5-workstation. I tend to do more 'full integration' than partials, which often requires me to modify krb5.conf when connecting to W2K3 AD servers.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
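Added example (not part of the original thread and not any poster's code): a shell sketch for the klist route mentioned in the reply above. It assumes MIT Kerberos `klist -e`, which prints an `Etype (skey, tkt)` line under each ticket; the function names, the sample output and the rating labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: rate the Kerberos enctypes that `klist -e` reports.
# On a host with krb5-workstation, after kinit:  klist -e | rate_etypes

# rate_etype NAME -> strong | deprecated | weak | unknown
# Labels are this example's own: weak = single DES (RFC 6649),
# deprecated = RC4-HMAC and 3DES (RFC 8429), strong = AES.
rate_etype() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *aes*)                  echo strong ;;
        *arcfour*|*rc4*)        echo deprecated ;;
        *des3*|*"triple des"*)  echo deprecated ;;
        des*)                   echo weak ;;
        *)                      echo unknown ;;
    esac
}

# Read klist -e output on stdin; print one line per ticket:
#   <service principal> skey=<rating> tkt=<rating>
rate_etypes() {
    principal=""
    while IFS= read -r line; do
        case "$line" in
            *"Etype (skey, tkt):"*)
                pair=${line#*: }      # "<session key etype>, <ticket etype>"
                skey=${pair%%, *}
                tkt=${pair#*, }
                echo "$principal skey=$(rate_etype "$skey") tkt=$(rate_etype "$tkt")"
                ;;
            *@*)
                principal=${line##* } # last field of a ticket line
                ;;
        esac
    done
}

# Constructed sample output (not captured from a real host).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.LOCAL

Valid starting     Expires            Service principal
01/01/10 10:00:00  01/01/10 20:00:00  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/01/10 10:00:05  01/01/10 20:00:00  host/esx01.example.local@EXAMPLE.LOCAL
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
EOF
}

sample_klist | rate_etypes
```

The session key (skey) and ticket (tkt) types are rated separately because they can differ for the same ticket.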
Stuarty1874
Contributor

Thanks Ed.

So if I was to configure my host using esxcfg-auth --enablead, point the host to my DC, then use SSH to connect to the host, would the password that's being sent between the host and the DC be secure\encrypted?

Texiwill
Leadership

Hello,

As far as I know they should be. The issue is really what encryption is being used more than anything else. I bet it is the most basic type but that depends on your AD server and which encryption algorithms are available to ESX.


Best regards,

Edward L. Haletky
DC_Engineers
Contributor

Hi Guys,

I guess the thing to do is to install Wireshark either on your DC (presuming it's allowed etc. etc.) or on a test machine connected to a SPAN / mirrored port on the switch and have a look at the packets. It will show you whether the authentication traffic is encrypted or not and should also show you which algo is used...

I might run a test later!

Cheers,

Dan
