AD domain signing policies

  • #366890
    jaharmi
    Participant

    What specific AD policies will enable signed communications that will prevent Tiger clients with the AD Plugin from being able to communicate with domain controllers?
    I’m already aware of the SMB signing issues that are related to file servers. Are there other specific signing policies that could create a problem for Mac clients?
    We are looking at increased security within our domain level and discussing which GPOs we can safely apply to various kinds of clients (Mac vs. Windows, client vs. server vs. domain controller, laptop vs. desktop … all permutations are in play).
    Thanks!

    #366891
    jaharmi
    Participant

    BTW, if you have links to specific KB articles handy–Apple or Microsoft–and feel like dropping them in a reply, I’d appreciate that. I’ll be looking myself but it never hurts to get a pointer.
    Thanks!

    #366899
    wknight
    Participant

    (MAC) Digital signing settings which assist with the addition of Apple Mac Clients to your Network
    Author:Nick Whittome MVP
    Article ID : 555652
    Last Review : June 30, 2006
    Revision : 1.0
    SUMMARY
    The following Group Policy security settings are recommended for Apple Mac Client connectivity to your Small Business Network.
    SYMPTOMS
    Without the following settings, Apple Macintosh clients may not be able to connect to your server.
    RESOLUTION
    Edit the Default Domain Controllers Policy and set the following:

    Domain Member: Digitally encrypt or sign secure channel data (always): Disabled
    Domain Member: Digitally encrypt secure channel data (when possible): Enabled
    Domain Member: Digitally sign secure channel data (when possible): Enabled
    Microsoft Network Server: Digitally sign communications (always): Disabled
    Microsoft Network Server: Digitally sign communications (when possible): Enabled
    Microsoft Network Client: Digitally sign communications (always): Disabled
    Microsoft Network Client: Digitally sign communications (if server agrees): Enabled
    Network Security: LAN Manager authentication level: Send LM & NTLM responses

    *I set the “Network Security” policy to “NTLMv2 only – refuse LM & NTLMv1” on a few servers that were running ExtremeZ with Kerberos enabled and/or the MS NTLM v2 module update with no problems from my Tiger systems.
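The KB's setting list, turned into a defender's check: the Python below is an added example (not from the thread or the KB) that parses a `secedit /export /cfg` dump and reports which of the "(always)" and LAN Manager settings are still at the KB's relaxed values. It assumes the registry values that back each Group Policy setting, which the page does not state, and runs on a constructed sample export.

```python
"""Audit a `secedit /export /cfg` dump against the KB 555652 settings above.
Added example, not from the thread or the KB; the registry values backing each
Group Policy setting are assumed from general Windows knowledge, not the page."""
SVC = r"MACHINE\System\CurrentControlSet\Services"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"
# (Group Policy setting, registry value as secedit writes it, value the KB sets)
KB_555652 = [
    ("Domain member: Digitally encrypt or sign secure channel data (always)",
     SVC + r"\Netlogon\Parameters\RequireSignOrSeal", 0),
    ("Domain member: Digitally encrypt secure channel data (when possible)",
     SVC + r"\Netlogon\Parameters\SealSecureChannel", 1),
    ("Domain member: Digitally sign secure channel data (when possible)",
     SVC + r"\Netlogon\Parameters\SignSecureChannel", 1),
    ("Microsoft network server: Digitally sign communications (always)",
     SVC + r"\LanManServer\Parameters\RequireSecuritySignature", 0),
    ("Microsoft network server: Digitally sign communications (when possible)",
     SVC + r"\LanManServer\Parameters\EnableSecuritySignature", 1),
    ("Microsoft network client: Digitally sign communications (always)",
     SVC + r"\LanmanWorkstation\Parameters\RequireSecuritySignature", 0),
    ("Microsoft network client: Digitally sign communications (if server agrees)",
     SVC + r"\LanmanWorkstation\Parameters\EnableSecuritySignature", 1),
    ("Network security: LAN Manager authentication level", LSA, 0),
]

def parse_registry_values(inf_text):
    """{path: int} from [Registry Values]; entries read PATH=4,N (4 = REG_DWORD)."""
    values, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Registry Values" and "=" in line:
            path, rhs = line.split("=", 1)
            if rhs.startswith("4,"):  # keep DWORDs, skip REG_SZ / REG_MULTI_SZ
                values[path] = int(rhs[2:])
    return values
def audit(inf_text):
    """Flag every 'always' or LM-level setting still at the KB's permissive value."""
    current, report = parse_registry_values(inf_text), {}
    for name, path, kb_value in KB_555652:
        actual = current.get(path)
        if actual is None:
            report[name] = "missing"
        elif "(always)" in name or "LAN Manager" in name:
            report[name] = "relaxed" if actual == kb_value else "hardened"
        else:
            report[name] = "as KB" if actual == kb_value else "differs"
    return report
# Constructed export: KB applied as written, but LM level raised to 5 (NTLMv2 only) as the poster did.
SAMPLE_EXPORT = "[Unicode]\nUnicode=yes\n[Registry Values]\n" + "\n".join(
    [f"{p}=4,{v}" for _, p, v in KB_555652[:-1]] + [f"{LSA}=4,5"])
```

Run `audit(SAMPLE_EXPORT)` to see the three "(always)" settings reported as relaxed and the LM level as hardened; feed it a real export to audit a domain controller.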
