Active Directory

Scott Arciszewski kobrasrealm at gmail.com
Sat Dec 7 00:24:14 EST 2013


Quick question,

I'm developing some applications that use LDAP to authenticate users (it's
a corporate environment). However, I do not have admin access to the server
that hosts LDAP and thus cannot examine the hashes, so I've been doing some
reading and talking with other devs about this... but I've reached a dead
end.

Here's what I know: AD used to use LM hashes; they migrated to Kerberos a
while back. I cannot for the life of me find out if they still store hashes
on the server, because Microsoft's documentation is equal parts
labyrinthine and sparse.

Questions:
Does Kerberos mitigate the need to store hashes in a database, registry, or
filesystem?
If not, how does Kerberos stack up to a password-hashing scheme like PBKDF2
or scrypt? (A quick glance at the GitHub page reveals that DES is still
allowed, but deprecated.)
How well do the Kerberos maintainers believe Microsoft implemented the
protocol for Active Directory?

Thanks for your time. If you don't have time to write out an answer but
know of links to refer me to, I'd greatly appreciate the help!

Scott

