Inline. :-)

> Does anyone have a good reference on the differences between
> LanMan, NTLM, NTLMv2 and Kerberos?

These are a good start:

http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx#
EEAA

http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerber
os.a
sp

http://www.isi.edu/gost/brian/security/kerberos.html

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standa
rd/p
roddocs/ens/Default.asp?url=/resources/documentation/WindowsServ/2003/st
anda
rd/proddocs/en-us/sag_RASS_MSCHAPv2.asp
(click around on the other protocols in the navigation pane; the links are
refusing to copy to my clipboard. <G>)

I can give you a bazillion or so more, so let me know if you want additional
links. I also have a couple of documents that I wrote about Kerberos (very,
erm, goofy analogies but still technically accurate), and I can probably dig
'em up if you need them. I suspect the above will probably give you plenty,
however.

> Also, is there any
> restriction on the length of a password used across a
> network/LAN for authentication?

In which operating systems? In another reply, I addressed much of this, but
if there's a specific set of operating systems you're referencing, we can
dig in a little deeper. For example, DOS obviously has "issues". ;-)

> I'm aware in NT/2K/XP/2003
> the max length of a password is 127 characters, but am
> curious if this is still true for network/domain authentication.

Are you asking if these long passwords work across the network for
authentication? If so, then yes. I have tested 127 character passwords for
both VPN and interactive logon, from machines that were in the domain and
from machines that were not in the domain (in the case of the VPN). One
thing, however- the Remote Desktops UI "sticks" at 96 characters, in my
experience. Again, the 127 character password works just fine, but not when
used from the Remote Desktops MMC. This could just be a glitch in my
experience, but that is my experience, nonetheless.
>
> Lastly, I have heard (and would like confirmation/denial)
> that authenticating to a domain-based machine from a machine
> outside the domain causes an otherwise normally encrypted
> password to be sent cleartext when authenticating with an IIS
> server.

Absolutely not. What you were most likely told was a misunderstanding on
somebody's part of the following:

If you are connecting to a RAS server that is not a member of a domain, or
to a third-party RAS device, because these machines cannot "do" domain
authentication, then in order to authenticate via those RAS servers using
CHAP, you would need to enable reversible encryption so that the RAS server
could decrypt your password. Reversibly-encrypted passwords are not stored
in clear text, but because they are _reversible_, they are trivial to
attack. If you're enabling reversible encryption at the domain level, those
reversible hashes are also stored on the DC, which is a big ouch for obvious
reasons.

I can assure you, you can have a workstation that is not a member of a
domain and use that workstation to VPN in without needing to enable
reversible encryption, and without needing to use CHAP. I just re-tested to
make sure I wasn't misremembering, in fact. :-) You can VPN from a workgroup
laptop to a domain RAS server using MS-CHAPv2 with no problems at all. (I
assume you could also use MS-CHAP or even CHAP, but why would you want to?
:-) )

> Can anyone point me to references about this?

Well, I've seen various articles that could have been the source of the
misunderstanding on the part of whoever gave you the information that you
mentioned, but I'm not sure that's what you seek. :-)

HTH,

Laura

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

[ reply ]