
Technical Details for Authentication

Two separate functions must take place before a user can use any service. The first is authentication: the process of establishing that users are who they claim to be. There are many ways to authenticate a user, but some methods are more secure, or offer more functionality, than others. One example of an authentication method is Kerberos, which is described below.

The second function is authorization: taking the authenticated identity and deciding whether that user is allowed to access the requested resources.

Because the many systems and applications that need authentication and access control are complex and inconsistent with one another, a middleware infrastructure must be developed. Middleware is the invisible glue that lets these systems function as parts of a single campus infrastructure. It consists of several synchronized systems built in a high-availability environment to minimize, if not eliminate, outages and downtime. These systems include, but are not limited to, Kerberos, LDAP, and Windows Active Directory. The middleware component used for a given service will be chosen according to that service's functional and security requirements; the choice is largely invisible to users because all of the systems share the same account information.


Kerberos

The preferred method for authentication is Kerberos. Kerberos is an authentication system that issues "tickets" to authenticated users and systems. It was developed at MIT to provide secure authentication without sending passwords to every system a user wants to access. In practice this means that a key derived from your password is held only by the Kerberos server (the Key Distribution Center, or KDC), not by every system and application you use, and the password itself is never transmitted over the network. Users are prompted for a password only the first time they use a "Kerberized" system. At that point the KDC issues a ticket-granting ticket, which is valid for a limited lifetime. From then on the client uses that ticket to obtain a service ticket for each cooperating system, and only tickets are passed to those systems; users do not have to retype their user name and password until the ticket-granting ticket expires. This is known as single sign-on. Kerberos is especially useful because it interoperates with Active Directory and allows single sign-on to multiple applications, such as those provided in a portal.
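To make the ticket flow concrete, the following Python models the three Kerberos exchanges (authentication service, ticket-granting service, and the final presentation of a ticket to a server). It is an added illustration written for this page, not MIT's Kerberos or the university's code. A real implementation uses standardized encryption types, ASN.1 messages and pre-authentication; the toy cipher, the principal names, the password, the policy constants and the 8-hour ticket lifetime are all assumptions made for the demonstration. It shows that the KDC holds only password-derived keys, that the password is used once and only on the client, that a wrong password fails because the reply cannot be decrypted, that later accesses need no password (single sign-on), and that an expired ticket-granting ticket forces a fresh login.

```python
import hashlib, hmac, json, os
CLOCK_SKEW = 300  # seconds; an authenticator further from "now" than this is stale

# Toy authenticated encryption standing in for a Kerberos encryption type:
# SHA-256 keystream XORed with the plaintext, HMAC-SHA256 over nonce||ciphertext.
def _keystream(key, nonce, n):
    blocks = range((n + 31) // 32)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)[:n]

def encrypt(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, principal):
    # The KDC stores only this derived key; the password itself is never stored or sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _check_authenticator(session_key, authenticator, ticket, now):
    # The authenticator proves the sender holds the ticket's session key and is fresh.
    auth = decrypt(session_key, authenticator)
    if auth["client"] != ticket["client"] or abs(auth["time"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")

class KDC:
    """Key Distribution Center: holds long-term keys, issues TGTs and service tickets."""
    def __init__(self, lifetime=8 * 3600):
        self.keys, self.tgs_key, self.lifetime = {}, os.urandom(32), lifetime
    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, name)
    def _ticket(self, client, service, session_key, now):
        return {"client": client, "service": service,
                "session_key": session_key.hex(), "expires": now + self.lifetime}
    def as_exchange(self, client, now):
        # AS exchange: the TGT is sealed under the KDC's own key, the session key under
        # the client's password-derived key. The password itself never travels.
        session = os.urandom(32)
        tgt = encrypt(self.tgs_key, self._ticket(client, "krbtgt", session, now))
        return tgt, encrypt(self.keys[client], {"session_key": session.hex()})
    def tgs_exchange(self, tgt_blob, authenticator, service, now):
        # TGS exchange: an unexpired TGT plus a fresh authenticator buys a service ticket.
        tgt = decrypt(self.tgs_key, tgt_blob)
        if tgt["expires"] < now:
            raise PermissionError("TGT expired; the user must log in again")
        tgt_session = bytes.fromhex(tgt["session_key"])
        _check_authenticator(tgt_session, authenticator, tgt, now)
        svc_session = os.urandom(32)
        ticket = encrypt(self.keys[service], self._ticket(tgt["client"], service, svc_session, now))
        return ticket, encrypt(tgt_session, {"session_key": svc_session.hex()})

class Client:
    def __init__(self, name, kdc):
        self.name, self.kdc, self.tgt, self.session = name, kdc, None, None
    def login(self, password, now):
        key = string_to_key(password, self.name)  # the only place the password is used
        self.tgt, enc = self.kdc.as_exchange(self.name, now)
        self.session = bytes.fromhex(decrypt(key, enc)["session_key"])  # wrong password -> ValueError
    def access(self, service, now):
        # Single sign-on: no password here; the TGT buys a ticket and the ticket buys access.
        auth = encrypt(self.session, {"client": self.name, "time": now})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service.name, now)
        svc_session = bytes.fromhex(decrypt(self.session, enc)["session_key"])
        return service.accept(ticket, encrypt(svc_session, {"client": self.name, "time": now}), now)

class Service:
    """A Kerberized server: it knows only its own key, never any user's password."""
    def __init__(self, name, kdc):
        self.name, self.key = name, kdc.keys[name]
    def accept(self, ticket_blob, authenticator, now):
        ticket = decrypt(self.key, ticket_blob)
        if ticket["service"] != self.name or ticket["expires"] < now:
            raise PermissionError("ticket is for another service or has expired")
        _check_authenticator(bytes.fromhex(ticket["session_key"]), authenticator, ticket, now)
        return ticket["client"]

def demo(now=0.0):
    # Constructed principals and secrets; 'now' is a parameter so the run is deterministic.
    kdc = KDC()
    kdc.add_principal("alice", "correct horse")
    kdc.add_principal("imap/mail", os.urandom(16).hex())  # service key, as from a keytab
    mail, alice, results = Service("imap/mail", kdc), Client("alice", kdc), {}
    try:
        alice.login("wrong password", now)
    except ValueError:
        results["wrong_password_rejected"] = True
    alice.login("correct horse", now)
    results["first_access"] = alice.access(mail, now)
    results["later_access_without_password"] = alice.access(mail, now + 3600)
    try:
        alice.access(mail, now + 9 * 3600)
    except PermissionError:
        results["expired_tgt_rejected"] = True
    return results
```

One caveat the model leaves out: because the AS reply is handed to anyone who asks for it, a KDC that does not require pre-authentication lets an attacker collect replies and guess passwords offline against them; production KDCs require the client to prove knowledge of the password (an encrypted timestamp) before the reply is issued.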


LDAP

While Kerberos is the system of choice for authentication, the Lightweight Directory Access Protocol (LDAP) is clearly the system of choice for authorization. LDAP is a highly effective way for systems and applications to read directory information (group memberships, affiliations and other attributes) on which authorization decisions can be based. LDAP can also supply contact information to email clients and web-based directories.

Although Kerberos is the preferred authentication method, not all applications support it. LDAP can also be used for authentication (the application checks the user's password by binding to the directory with it), but this does not provide single sign-on: each application prompts for and handles the password itself, so such connections must be protected with encryption. The optimal authentication/authorization system uses Kerberos and LDAP together. Microsoft recognized the strengths of Kerberos and LDAP, and when it built its new server operating system, Windows 2000, it based that system's directory service, Active Directory, on Kerberos and LDAP.
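The following Python is an added example (not part of the original page and not the university's code) of the authorization half of the Kerberos-plus-LDAP arrangement described in the two sections above: the user is already authenticated, the name part of the Kerberos principal is used as the login name, and directory data decides whether that user may use a resource, including membership inherited through nested groups. The LDIF entries, the group and resource names, the RESOURCE_GROUPS policy and the helper names are all constructed for illustration; the parser handles folded continuation lines but not base64 (`::`) values.

```python
import re

# Constructed LDIF: people entries plus groupOfNames-style groups whose 'member'
# values may reference other groups. 'carol' is a dangling reference on purpose.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.edu

dn: uid=bob,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: bob
cn: Bob Example

dn: cn=faculty,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
cn: faculty
member: uid=alice,ou=people,dc=example,dc=edu

dn: cn=grade-entry,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
cn: grade-entry
description: may submit grades; every member of faculty is implicitly
  a member
member: cn=faculty,ou=groups,dc=example,dc=edu
member: uid=carol,ou=people,dc=example,dc=edu
"""

def norm_dn(dn):
    """Normalize a DN for comparison: case-insensitive, no spaces around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_ldif(text):
    """Parse LDIF into {normalized dn: {attr: [values]}}; unfolds continuation lines."""
    entries, current, lines = {}, None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: drop one space, append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if not line.strip():
            current = None                  # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def find_user_dn(entries, uid):
    """Map a login name (the name part of a Kerberos principal) to its directory entry."""
    for dn, attrs in entries.items():
        if uid.lower() in (v.lower() for v in attrs.get("uid", [])):
            return dn
    return None

def groups_of(entries, dn):
    """Every group listing dn as a member, directly or through nested groups; cycle-safe."""
    found, frontier = set(), [norm_dn(dn)]
    while frontier:
        target = frontier.pop()
        for gdn, attrs in entries.items():
            members = {norm_dn(m) for m in attrs.get("member", [])}
            if target in members and gdn not in found:
                found.add(gdn)
                frontier.append(gdn)        # groups that contain this group count too
    return found

# Constructed policy: the group a resource requires.
RESOURCE_GROUPS = {"grades": "cn=grade-entry,ou=groups,dc=example,dc=edu",
                   "faculty-wiki": "cn=faculty,ou=groups,dc=example,dc=edu"}

def authorize(entries, principal, resource):
    """Authorization only: 'principal' was already authenticated elsewhere (e.g. Kerberos)."""
    uid = principal.split("@", 1)[0]        # "alice@EXAMPLE.EDU" -> "alice"
    required, user_dn = RESOURCE_GROUPS.get(resource), find_user_dn(entries, uid)
    if required is None or user_dn is None:
        return False                        # unknown resource or unknown user: deny
    return norm_dn(required) in groups_of(entries, user_dn)
```

Denying by default when the user or resource is unknown is deliberate: the directory is the authority, and a lookup that finds nothing must not be treated as permission.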


Desktop Authentication / Active Directory

Kerberos and LDAP can be used by many applications, such as web sites, to provide authentication and authorization information. Some operating systems can be configured to use LDAP and/or Kerberos directly for desktop logins. However, most operating systems require a much richer set of information to let users log in to a workstation properly, and each operating system needs information that is unique to it. Separating desktop authentication from the other aspects of campus authentication also reduces the chance of a large-scale outage. Windows XP, by far the most common operating system in computer labs and on faculty/staff desktops, requires Windows Active Directory to function properly. Mac OS X clients and other Unix/Linux operating systems can use LDAP, but the quirks of each system make integration complex. Active Directory appears to support these operating systems "out of the box" and will allow the use of the desktop management tools built into the Windows operating system.

© 2006 Humboldt State University : Information Technology Services : Rights & Usage