*** Subhash (ca3f7192@gateway/web/freenode/ip.202.63.113.146) has joined #wikid | 09:47 | |
Subhash | hi | 09:47 |
Subhash | 123456789123 | 09:48 |
Subhash | I am seeing the wClient connection to the server was NOT successfully established | 09:48 |
Subhash | error | 09:48 |
Subhash | I am seeing the wClient connection to the server was NOT successfully established [15:19] <Subhash> error | 09:49 |
*** Subhash has quit (Quit: Page closed) | 12:16 | |
*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid | 13:55 | |
*** nowen has quit (*.net *.split) | 15:20 | |
*** nowen (~nowen@adsl-66-184-38.asm.bellsouth.net) has joined #wikid | 15:21 | |
*** ChrisClymer (62672c03@gateway/web/freenode/ip.98.103.44.3) has joined #wikid | 18:13 | |
ChrisClymer | Hey Nick...quick question | 18:13 |
ChrisClymer | I'm looking into some of the ways to tie Wikid into windows logons | 18:14 |
ChrisClymer | It sounds like IAS/NPS can be used to add two-factor auth to the windows platform | 18:15 |
ChrisClymer | it's unclear to me if that allows for adding the second factor to local or RDP window system logins | 18:15 |
ChrisClymer | and I've also heard some rumblings that this will work for windows servers, but is problematic on Domain Controllers | 18:16 |
ChrisClymer | any thoughts? | 18:16 |
nowen | hey chris - still there? | 18:43 |
ChrisClymer | yup | 18:44 |
nowen | so, if you want to change the windows login, you have to change the GINA | 18:45 |
nowen | the ctrl-alt-del thingy | 18:45 |
ChrisClymer | nowen, I suppose another way for me to ask is: how would you tie WiKID into windows login | 18:45 |
* ChrisClymer nods | 18:45 | |
nowen | you can do that with PGINA | 18:45 |
nowen | http://www.pgina.org/index.php/Main_Page | 18:45 |
nowen | I tested it years and years ago | 18:45 |
nowen | it worked | 18:45 |
ChrisClymer | hm. but not necessarily something you want to do on a DC | 18:46 |
nowen | no, the other option would be to run everything through a vpn or ias | 18:47 |
nowen | isa that is | 18:47 |
ChrisClymer | yeah, that's the other option I was considering...surprised that there don't seem to be better solutions here | 18:48 |
ChrisClymer | also, your name comes up in almost every search query I've done around this :D | 18:48 |
nowen | hehe, yeah | 18:49 |
nowen | what is the scenario? | 18:49 |
ChrisClymer | in a nutshell just trying to put two-factor auth of some sort around RDP logins to DCs on an internal network | 18:50 |
ChrisClymer | so a VPN solution seems overcomplicated | 18:50 |
nowen | yeah | 18:50 |
ChrisClymer | RSA has some agent-based solutions...and specifically recommend not using them on DCs, which doesn't give me great confidence in the agents | 18:52 |
ChrisClymer | I'm guessing they're doing the same thing that PGINA does | 18:52 |
nowen | yeah | 18:53 |
nowen | and MS has not been good about letting people change the gina | 18:54 |
nowen | the RSA code has stored "OTP"s i think - so you can login to your laptop without network access | 18:54 |
manonst | nowen: i found a better way | 20:26 |
manonst | commercial though... | 20:26 |
manonst | http://www.lsexperts.de/download/LSE_RadiusCredentialProvider_Flyer_EN_rev3.pdf | 20:26 |
manonst | they have a separate version for GINA versus credential provider | 20:27 |
nowen | hmm | 20:28 |
manonst | kinda pricey | 20:29 |
manonst | i think 250 users was like $5,600 | 20:30 |
nowen | why is it better than pgina? | 20:37 |
manonst | until recently pgina was kind of a dead project | 20:52 |
manonst | they went silent from 2007 to 2010 - hopefully it's being actively maintained | 20:53 |
manonst | but that would worry me | 20:53 |
nowen | yeah, it was dead for a while | 21:13 |
manonst | i should check it out again, the project has completely revamped - i haven't played with 2.x | 21:20 |
manonst | hmm RADIUS plugin link doesn't appear to work | 21:28 |
manonst | http://www.pgina.org/index.php/Plugins | 21:28 |
manonst | actually most links appear broken | 21:29 |
nowen | yeah | 21:35 |
nowen | sf recently updated a lot of stuff | 21:36 |
nowen | http://sourceforge.net/projects/pgina/files/ | 21:36 |
manonst | yeah found it, no documentation | 21:38 |
manonst | but at least ldap and radius are supported under 2.x for x64 | 21:38 |
nowen | it's interesting, but honestly most companies don't want to risk screwing with the gine | 21:40 |
nowen | gina | 21:40 |
manonst | yeah, i've seen a lot of issues in the past | 21:40 |
manonst | the credential provider paradigm is different however | 21:40 |
nowen | what do you mean? | 21:41 |
manonst | GINA only applies to Windows versions < Vista/2k8 | 21:41 |
nowen | oh, is windows 7 doing something different? | 21:42 |
manonst | yep, Vista, 2k8, Win7, 2k8 R2 use a credential provider | 21:42 |
nowen | ok - guys I'm out of here. I will be scarce next week - vacation time | 23:02 |
*** nowen has quit (Quit: Leaving.) | 23:03 | |
*** ChrisClymer has quit (Ping timeout: 245 seconds) | 23:12 |