Virtual machines hosting a DC, and SAML assertion testers (showing time validation issues)


Remember, when the DC is hosted on a virtual machine using Hyper-V, the host of the VMs induces the DC to change its time to sync with the host. Being a DC, it then updates all its domain hosts – which get the same (wrong) time as the Hyper-V host.


You might think the DC host’s time as set by the domain admin was authoritative – but it’s NOT!


Nice military attack vector here. Assume your DC is hosted in Azure VMs: a “request” to Microsoft (Azure) to reset the time on a given DC VM could then induce all sorts of “nice” effects.
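To make the time validation issue concrete, here is an added example (not from the original post or from any SAML tester) of how a validator judges an assertion's `NotBefore`/`NotOnOrAfter` window when its clock has followed a wrong host clock. The assertion, timestamps and function names are constructed for illustration, and signature checking is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the Conditions element, valid for five minutes.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def ts(value):
    """Parse a UTC SAML timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(xml_text, now, skew=timedelta(0)):
    """Verdict of a validator whose clock reads `now`, with allowed clock skew."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    not_before = ts(cond.get("NotBefore"))
    not_on_or_after = ts(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return "not-yet-valid"
    if now - skew >= not_on_or_after:
        return "expired"
    return "valid"


def verdict(true_time, host_offset, skew=timedelta(0)):
    """The validator's clock is the true time plus the offset inherited from the host."""
    return check_conditions(ASSERTION, ts(true_time) + host_offset, skew)


if __name__ == "__main__":
    cases = [
        ("correct clock, fresh assertion", "2024-01-01T12:01:00Z", timedelta(0)),
        ("clock 10 min slow, fresh assertion", "2024-01-01T12:01:00Z", timedelta(minutes=-10)),
        ("clock 10 min fast, fresh assertion", "2024-01-01T12:01:00Z", timedelta(minutes=10)),
        ("clock 28 min slow, stale assertion", "2024-01-01T12:30:00Z", timedelta(minutes=-28)),
    ]
    for label, true_time, offset in cases:
        print(f"{label}: {verdict(true_time, offset)}")
```

The last case is the one to watch for: a validator whose clock runs slow still accepts an assertion that expired 25 minutes earlier, so a skew allowance only helps while the clock source itself is trustworthy.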


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!