Remote User Authentication Steve Hunt Systems Librarian Santa Monica College Library

Remote User Authentication What it is Why you need to do it How it works on-campus How to do it off-campus How to get somebody else to do it for you

What it really is Libraries subscribe to e-resources Examples: –EbscoHost Master File Premier –Proquest National Newspaper Index –Gale Literature Resource Center –Grove Dictionary of Art –and many, many more

What it really is Content providers require access be limited to our users Various means to authenticate Authentication is the process in which a user 's claim to an identity is checked.

Why you need to do it (Top 10) Users like it More access to information You have already paid for it Supports Distance Education Less use of Library facilities and PCs

More reasons Boss says so All the big schools are doing it Good excuse to get that new server or systems librarian you want Keeps pesky students out of the Library Alternative to keeping library open 24/7

How it works on-campus: IP Authentication Some remote access solutions use IP authentication Network devices have IP addresses IP addresses are assigned to organizations in blocks We provide a list to database vendors Vendors check the IP address

SMC IP Address List

How it works on-campus: IP Authentication IP address based authentication is relatively easy for the vendor and the customer to set up and administrator It does not allow off-campus access unless you support…

Direct Dial-in School maintains modems or telco equipment How remote access used to be provided Advantages –No remote user authentication problems for the Library or Database vendors (just for campus MIS)

Direct Dial-in Disadvantages –Expensive (SMC spends $30K/year) –Doesn’t help users With a LAN connection With a cable modem or DSL For whom campus is a long distance phone call –Users don’t want it

SMC Student Survey, Spring 2000 Almost 90% have a home PC 75% have home Internet access Only 20% use free SMC dial-up Conclusion: users can benefit from remote access

How to do it in-house Referer URL Authentication How we do it at SMC Proxy Servers Rewriting proxies Authentication protocols User data sources What to authenticate against ?

Referer URL Authentication Also called Referring or Referal URL A controlled-access web page Registered with the database vendor Vendor allows access if user selects database URL from that page

Referer URL Authentication Uses the HTTP environment variable HTTP_REFERER Passed by web browser to web server Does not use IP authentication

Referer URL Advantages Easy to set up No additional software Authentication is done by the webserver No additional hardware Relatively simple user training issues No client-side setup involved No browser version issues Just have to train them to login

Referer URL Disadvantages Not very flexible –Can’t bookmark –Difficult to link from multiple pages –Multiple database URLs from vendor Vendor may not support Referer URLs Vendor may not support multiple Referer URLs Doesn’t scale well

Referer URL Choose Referer URL Authentication if: –Small number of resources (<50) –Little need for linking to resources on other web pages –Users or staff are not motivated to handle proxy configuration issues –Summary: Referer URL is easy for users but is not very flexible for the institution and does not scale well

Referer URLs Popular Web Server software –ApacheApache –Microsoft IISMicrosoft IIS

How we do it at Santa Monica College Library Santa Monica College Library

How we do it at Santa Monica College Library Santa Monica College Library SMC Environment –Databases subscribed to: 22 –Databases that support Referrer URL: 20 –Number of Vendors: 14 (12 remote) –13,000 Student FTE but 30,000 head count We use Referer URLs Database link points to IP-checking script

How we do it at Santa Monica College Library Santa Monica College Library Login link points to a protected page on a IIS webserver Only authenticated users are allowed access Uses both Basic and NTLM authentication Users submit NT username and password to authenticate All databases on one page

Proxy Servers proxy from Merriam-Webster’s Collegiate Dictionary Online Pronunciation: 'präk-sE Inflected Form(s): plural prox·ies Etymology: Middle English procucie, contraction of procuracie, from Anglo-French, from Medieval Latin procuratia, alteration of Latin procuratio procuration Date: 15th century

Proxy Servers Proxy (cont.) 1 : the agency, function, or office of a deputy who acts as a substitute for another 2 a : authority or power to act for another b : a document giving such authority; specifically : a power of attorney authorizing a specified person to vote corporate stock 3 : a person authorized to act for another : PROCURATOR

Proxy Servers Perform web retrievals on behalf of a web browser Most often used to speed up Internet access and reduce bandwidth by caching frequently used pages Libraries use proxy servers to make off- campus web clients look like on-campus ones Authenticated users allowed to relay requests through our IP address space

Proxy Servers: Manual Configuration

Proxy Servers Drawbacks of standard browser proxy configuration –All traffic goes through proxy server –User has to manually configure and unconfigure settings

Proxy Servers Proxy Auto Configuration (PAC)PAC –Written in JavaScript –Commonly called proxy.pac –Downloaded by web browser –Allows using a proxy server for some sites but going direct for others –Look on Google for Library examplesLibrary examples

Proxy Servers: Proxy.pac Configuration

A Small proxy.pac File function FindProxyForURL(url,host) { if( shExpMatch( host, "*.umi.com")) return "PROXY library.smc.edu:3128"; if( shExpMatch( host,"*.gale.com")) return "PROXY library.smc.edu:3128"; // otherwise… return "DIRECT";}

Proxy Servers: Advantages Can place database links anywhere A single URL from the database vendor Proxy servers scale better –20 resources fit on a single page, 5000 do not

Proxy Servers: Disadvantages Some browsers don’t support PACs Problems with multiple proxy servers Problems with firewalls Requires users to be motivated and willing to install web browsers

Proxy Servers: Disadvantages Requires extensive support –ExamplesExamples User may not have permissions to change settings Potentially creates a single point of failure

Proxy Servers Popular Proxy Server software: –SquidSquid –Apache mod_proxyApache mod_proxy –Microsoft Proxy ServerMicrosoft Proxy Server –Microsoft Internet Acceleration and Security ServerMicrosoft Internet Acceleration and Security Server

Proxy Servers: Summary Proxy servers are relatively easy and flexible for the institution, but require a lot from users For most larger libraries they are the only possible solution

Rewriting proxy Dynamically rewrites URLs in HTML documents URLs look like: – cgi?” No browser configuration issues No browser support issues Examples –EZProxyEZProxy –Apache::RewritingProxyApache::RewritingProxy

Authentication protocols Basic Authentication –Supported by almost all web browsers, web servers and proxy servers –Used to protect access to resources

Basic Authentication: Basic Problem Sends usernames and passwords unencrypted Sends them with every page request Solution: Use SSL

Basic Authentication and SSL Secure Socket Layer (SSL) SSL works in combination with Basic Authentication to encrypt pages URLs show rather than Netscape: padlock in the bottom left hand corner Internet Explorer, a yellow lock at the middle of the status bar

Basic Authentication and SSL Supported by: –Netscape Navigator (versions 2.0 and above), –Internet Explorer (version 3.0 and above) –AOL (AOL 3.0 and above)

Basic Authentication and SSL Problems with SSL –Encryption makes things slower –Must buy certificates or… –Can create your own certificates –Can’t use SSL and Basic authentication to authenticate to a proxy server

Alternatives to Basic Authentication NTLM (Windows NT Lan Manager) –Also known as NTCR. Now called Integrated Windows Authentication –Passwords are encrypted –Requires NT or Microsoft Networking client on Win9x as client OS –Requires IE 3.x or greater browser –Cannot pass through a proxy server

Alternatives to Basic Authentication Digest –Netscape 4.x still sends password in clear text with Digest –Netscape 6 will support digest authentication

Authentication Protocol Problems We want a protocol that is –Free –Secure –Works over the Internet –Works with any browser –With any operating system There is no such protocol!

Authentication Set-up Examples Microsoft Internet Information Server Microsoft Proxy Server Apache web server Squid proxy server

Authentication Set-up in IIS

Basic Authentication in MS Proxy

Authentication Set-up in Apache AuthName “SMCLAuthentication" AuthType Basic PerlSetVar myPDC ROMULUS PerlSetVar myBDC REMUS PerlSetVar myDOMAIN STUDENT PerlAuthenHandler Apache::AuthenSmb require valid-user

Authentication Set-up in Squid Proxy Relevant lines from Squid.conf: acl ourusers proxy_auth REQUIRED http_access allow ourusers authenticate_program /usr/local/squid/bin/msntauth

Authentication Set-up in Squid Proxy Msntauth.conf: server newton romulus student server thor remus smc

User data sources Where is your user data? –Campus registration system –Network OS user database –Library automation system – user database

User data sources What user data do you want to use? –Network username and password –Student ID number –Library patron barcode number –Passwords, PINs, SSN, Phone number

User data sources Make a list –What user data do you want to use –Where is this user data –What software does this system use –How will you query the system –Or will you extract the data

SMC User Data Sources SMC Registration System “WebISIS” Library Automation System Windows NT User Database

SMC User Data Sources SMC Registration System “WebISIS” –Uses Oracle –Sends student data to NT User Database –Sends student data to Library System –Use SQL or Perl-DBI to query –Is staff data easily available? –Student NT account names assigned?

SMC User Data Sources SMC Library Automation System –Sirsi Unicorn –Write shell/Perl script to check User ID and PIN against user database? –Students might not know User ID/PIN –Inconsistent assignment of staff IDs

SMC User Data Sources Windows NT User Database –Info for almost all students and staff –Can easily query domain controllers –Well-integrated with MS-IIS webserver –Also supported by Apache/Squid plug-ins

Authenticate against what? Apache and Squid –Support authentication plug-ins –Plug-ins available for: Windows NT user database LDAP, Radius, MySQL, NCSA, NIS, Unix password files –Or write your own in Perl, C, etc.

Authenticate against what? MS IIS, Proxy Server and ISAS –Windows NT user database –Support authentication plug-ins –Write your own?

How to get somebody else to do it Campus MIS Library Automation Vendor Database Vendor Commercial solutions

How to get somebody else to do it Campus MIS –Campus-wide authentication project? Remote access? Library needs? –Ask for anything we have discussed so far –Tell them This Is Important To The Library And To The School

How to get somebody else to do it Library Automation Vendor –Some support remote authentication EpixTech (Ameritech) Innovative Interfaces –Some systems can be cajoled into authenticating via scripts DRA Sirsi

How to get somebody else to do it Library Automation Vendor Advantages For some libraries this is their only user database Integration with other services provided to users Easy user interface (or interface user is familiar with)

How to get somebody else to do it Library Automation Vendor Disadvantages –You are tied to your ILS vendor’s system –Your ILS vendor may not support this –Not all of your database s may be supported by your vendor

How to get somebody else to do it Database Vendor Authentication –Provide them a list of user IDs –Patron barcode begins with … –Institutional username and password for each product

How to get somebody else to do it Database Vendor Authentication: Advantages –Easy to implement Database Vendor Authentication: Disadvantages –Lack of consistency

How to get somebody else to do it Use database vendor authentication methods if –Small number of products (<5) –Small number of users (<5000) –Or no support staff for anything better

How to get somebody else to do it Third-party remote access authentication products and services –EZProxyEZProxy –ObviaObvia –EfixaEfixa

Why is it so hard? All the user wants is access to the database All the vendor wants to know is that this remote user has some connection with your institution All the Library wants is to make the vendor and the user happy

Why is it so hard? Each site has a unique set of local information systems –Campus IS, –Library automation, –Network OS –Web servers –Locally developed means of transferring data

Why is it so hard? No web authentication method that is –Widely-supported –Inexpensive –Secure

Why is it so hard? Off-campus users have a wide variety of –Web browsers –Operating systems –Means of accessing the Internet –Levels of computer expertise

Recommendations There is no one right solution Research and test any solution –Find out what other libraries are doing –Test web browsers and operating systems –Provide web page support for your users –Train library staff on support

Remote User Authentication More resources at This presentation at