
Authentication Server (Clemson University Research Foundation, 1999) - presentation transcript


1 Authentication Server
Copyright © 1999 Clemson University Research Foundation. All rights reserved.
- Idea born in an interdepartmental task force
- Too many userid/password combinations for each user to remember
- Need a central set of secure servers that all systems use for authentication
- Clemson University Personal ID (CUPID)
- Prototyped/tested in late '95/spring '96
- Production on July 1, 1996

2 Authentication Server
(diagram) Systems that reach the Authentication Server through an authentication client (authC): Mail, Web, mainframe, UNIX, NetWare, Sun, Windows NT, Oracle†

3 Architecture
(diagram) Components: Directory Services; Authentication Server Agent; Authentication Server Client; System Integration; AuthServ-Enabled Application; Native Application; User

4 Architecture Possibilities
(diagram) The same components as slide 3, with the Authentication Server Agent fronting several directories: Directory 1, Directory 2, Directory 3

5 Client Integration - System Level
(diagram)
- MVS: Applications (IDMS, TSO, DB2, ?), RACF / SAF / RACF API, AuthClient
- Unix: Applications (Login, FTP, Sys, ?), /ETC/PASSWD / PAM, AuthClient

6 Client Integration - Application Level
(diagram)
- NT: AuthClient DLL, CGI, Internet Information Server (IIS)
- Unix: AuthClient BIN, POPd

7 Authentication Server
- NetWare Loadable Module (NLM) is multithreaded
- Clients use a common code base
- Clients have built-in failover capability
- Communication based on TCP/IP sockets
- > 90% of successful password checks complete in less than 0.1 seconds
- > 4 million requests serviced by the primary server over a 6 week period (100,000/day)
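The client behaviour slide 7 describes, a password check over a TCP socket with built-in failover to the next agent when one is unreachable, as an added Python example that is not part of the Clemson presentation or its AuthServ code. The one-line wire format (CHECK userid password), the in-memory user table and the PBKDF2 hashing on the agent side are assumptions made so the example runs offline; the real agents check passwords against NDS, and the exchange would need a protected transport outside a test like this.

```python
import hashlib
import hmac
import os
import socket
import threading

# Constructed sample user table for the toy agent: userid -> (salt, derived key).
# Assumption for this example only; the real CUPID agents consult NDS.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

SAMPLE_USERS = {}
for _uid, _pw in (("erich", "correct horse"), ("acollin", "battery staple")):
    _salt = os.urandom(16)
    SAMPLE_USERS[_uid] = (_salt, _derive(_pw, _salt))

def check_locally(userid: str, password: str) -> bool:
    """Agent-side password check with a constant-time comparison."""
    rec = SAMPLE_USERS.get(userid)
    if rec is None:
        _derive(password, b"\0" * 16)   # same cost for unknown users
        return False
    salt, expected = rec
    return hmac.compare_digest(_derive(password, salt), expected)

def _serve(conn: socket.socket) -> None:
    # Assumed wire format: "CHECK <userid> <password>\n" -> "OK\n" or "FAIL\n".
    with conn:
        line = conn.makefile("rb").readline().decode(errors="replace").rstrip("\r\n")
        parts = line.split(" ", 2)
        ok = len(parts) == 3 and parts[0] == "CHECK" and check_locally(parts[1], parts[2])
        conn.sendall(b"OK\n" if ok else b"FAIL\n")

def start_agent() -> tuple:
    """Start a toy agent on an ephemeral loopback port; returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def dead_agent() -> tuple:
    """An address nothing listens on, standing in for a failed primary agent."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    addr = s.getsockname()
    s.close()
    return addr

def check_password(agents, userid: str, password: str, timeout: float = 0.5) -> bool:
    """Client with failover: try agents in order, skipping unreachable ones.

    Only a definite OK/FAIL from an agent ends the loop; a connection error
    moves on to the next agent, and if none answers the caller learns that
    rather than seeing a silent 'password rejected'.
    """
    if " " in userid or "\n" in userid or "\n" in password:
        raise ValueError("userid/password would break the line protocol")
    last_err = None
    for host, port in agents:
        try:
            with socket.create_connection((host, port), timeout=timeout) as c:
                c.sendall(f"CHECK {userid} {password}\n".encode())
                reply = c.makefile("rb").readline()
            return reply.strip() == b"OK"
        except OSError as e:
            last_err = e
    raise ConnectionError(f"no authentication agent reachable: {last_err}")

if __name__ == "__main__":
    live = start_agent()
    print(check_password([dead_agent(), live], "erich", "correct horse"))  # failover, True
```

Putting the dead address first shows the failover path: the refused connection is swallowed and the live agent answers. The distinction between "agent said FAIL" (return False) and "no agent reachable" (exception) is what lets a calling system log an outage instead of an authentication failure.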

8 AuthServ Applications

9 NDS Authentication for Large IBM Systems and Applications

10 NDS Authentication for Unix

11 NDS Authentication for POP/IMAP

12 Firewall Authentication
(diagram) User, Cisco PIX, AuthClient, Intranet / Internet, Livingston Steel-Belted Radius

13 NDS Web Security via Windows NT/UNIX/???

14 NDS Authentication through Windows NT/UNIX/??? to the Web
- Application: Employee Information System (EIS)
- Type: Web Server
- OS: Windows NT 4.0 Server
- Enabling app: Website/Visual Basic

15 NDS Security Across the Intranet
(diagram) An authenticated client (Netscape) sends a page request to the NT 4.0 server (IIS with a 32-bit DLL acting as Auth Client); the Auth Client sends CheckEquiv to the Authentication Server (AUTHAGNT.NLM), which checks security equivalence against NDS: locate the user object and run the equivalence list.

16 AuthServ as an NDS Data Gateway
- Application: Call tracking system
- Type: Web Server
- OS: Windows NT 4.0 Server
- Enabling app: Website/Visual Basic
(screenshot residue: assignee list: Not Assigned, BILL, BROYLES, CCR, DAVE, DAVIDC, DHF, DHFRS, DON, JAMBO, JHALL, MIKE, YATES, DAVIDC)

17 Web Interface to Home Directories via AUTHSERV NDS Gateway
- Application: Personal pages
- Type: Web Server
- OS: Linux
- Enabling app: Apache/Caldera
- http://www.clemson.edu/~acollin

18 AuthServ Client Functions
- Password check
- Password change
- Resolve to fully distinguished name
- Check security equivalence
- Return group membership
- Get Effective Rights
- Others

19 WebAuth: Web Single Sign-On
(diagram) Workstation with Web Browser 1 and Web Browser 2; DCIT Authentication WebServer running the WebAuth Trusted Client; 3rd Party WebServer running the WebAuth Client; AuthAgnt NLM and WebAuth NLM in front of NDS; Auth Client. Flows: Redirect, STORE, CHECK.
Only trusted web servers prompt for userid and password and set a cookie in the browser. Other web servers must use the cookie to determine the user.
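The STORE / CHECK split behind the WebAuth single sign-on on slide 19, as an added Python example that is not Clemson's WebAuth NLM code. It models the trusted-client rule (only servers on an allow-list may STORE a ticket after prompting for the password) and the CHECK call any web server uses to map the browser's cookie back to a userid. The cookie name WEBAUTH, the ticket lifetime, the Secure/HttpOnly attributes and the redirect helper are assumptions added here.

```python
import secrets
import time

class WebAuthTicketService:
    """Stand-in for the WebAuth NLM: STORE mints a cookie, CHECK resolves it.

    The cookie value is an opaque random token that carries no user data, so
    a third-party server learns the userid only by asking this service.
    """

    def __init__(self, trusted_servers, ttl_seconds=8 * 3600, clock=time.time):
        self.trusted = set(trusted_servers)   # servers allowed to prompt for passwords
        self.ttl = ttl_seconds
        self.clock = clock
        self._tickets = {}                     # token -> (userid, expiry)

    def store(self, caller: str, userid: str) -> str:
        """STORE: only a trusted web server may bind a userid to a new cookie."""
        if caller not in self.trusted:
            raise PermissionError(f"{caller} is not a trusted WebAuth client")
        token = secrets.token_urlsafe(32)
        self._tickets[token] = (userid, self.clock() + self.ttl)
        return token

    def check(self, cookie):
        """CHECK: return the userid bound to the cookie, or None if unknown/expired."""
        rec = self._tickets.get(cookie or "")
        if rec is None:
            return None
        userid, expiry = rec
        if self.clock() >= expiry:
            del self._tickets[cookie]          # expired tickets are forgotten
            return None
        return userid

    def revoke(self, cookie) -> None:
        """Logout: drop the ticket so every server's next CHECK fails."""
        self._tickets.pop(cookie, None)

COOKIE_NAME = "WEBAUTH"   # assumed name

def set_cookie_header(token: str) -> str:
    """Set-Cookie line the trusted server sends after a successful password check."""
    return f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; Secure; HttpOnly"

def cookie_from_header(cookie_header_value: str):
    """Extract the WebAuth cookie from the value of a browser's Cookie: header."""
    for part in cookie_header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None

def third_party_request(svc: WebAuthTicketService, cookie_header_value: str, login_url: str):
    """What a 3rd-party web server does on a page request: CHECK, else Redirect."""
    userid = svc.check(cookie_from_header(cookie_header_value or ""))
    if userid is None:
        return ("redirect", login_url)
    return ("page", userid)
```

A browser with no valid ticket is redirected to the trusted authentication server; once that server has verified the password and called store(), every other server's CHECK resolves the same cookie, which is the single sign-on. Because the token is random rather than derived from the userid, a server that only sees cookies cannot forge one for another user.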

20 Caldera OpenLinux and Apache
- Web gateway to the NetWare file system
(diagram) Browser -> Caldera OpenLinux (AuthC) -> AuthServer; Caldera OpenLinux also reaches the File Servers (five shown)

21 Web Interface to Department Pages
- Application: Departmental pages
- Type: Web Server
- OS: Linux
- Enabling app: Apache/Caldera
- http://dcitnds.clemson.edu/CSO/depts/maint

22 Caldera OpenLinux and Apache
- The first attempt to provide web services via Novell made use of Novell's intraNetWare Web Server 1.0, which simply was not reliable
- Caldera OpenLinux provided robust UNIX connectivity to NDS and supported the industry standard Apache web server
- Out of the box Caldera/Apache did not provide home directory redirection and/or authentication
  – It did however provide the source code needed to make these modifications

23 Caldera OpenLinux and Apache Mods
- Added a module that would link Apache's user directory directive to the user's Novell home directory
  – Making http://www.clemson.edu/~erich point to EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW
- Since Caldera is NDS aware, this also allows us to serve group web sites via their own group servers

24 Caldera OpenLinux and Apache Mods
- Added another module using the previously mentioned authentication server routines to provide both user and group authentication
  – Makes use of the standard HTACCESS format with additional Novell directives

25 Using NDS to Secure Web Pages
    NovellAuth on
    AuthName "Novell Tree"
    AuthType Basic
    require user gmcochr
    require user kellen
    require group .resadmin.groups.employee.clemsonu
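The two Apache modifications from slides 23 and 24 (the ~user to Novell home directory mapping, and the HTACCESS-style authorization with the require user / require group directives shown on slide 25) as one added Python example; it is not Clemson's module code, which was written against Apache's C API. The directory tables are constructed stand-ins for the AuthServ client calls "Resolve to fully distinguished name" and "Check security equivalence", the userid character rule is an assumption, and the example follows Apache's any-of semantics for multiple require lines.

```python
import re

# Constructed directory data standing in for NDS lookups (assumption).
HOME_DIRS = {
    "erich": r"EMPLOYED/USR02:\USERS\U20\ERICH\PUBLIC.WWW",
    "acollin": r"EMPLOYED/USR02:\USERS\U20\ACOLLIN\PUBLIC.WWW",
}
USER_FDN = {   # "Resolve to fully distinguished name"
    "gmcochr": ".gmcochr.g.employee.clemsonu",
    "kellen": ".kellen.k.employee.clemsonu",
    "erich": ".erich.e.employee.clemsonu",
}
GROUP_MEMBERS = {   # stands in for "Check security equivalence" against a group
    ".resadmin.groups.employee.clemsonu": {".erich.e.employee.clemsonu"},
}

USERID_RE = re.compile(r"^[a-z][a-z0-9]{0,15}$")   # assumed userid rule

def map_userdir(url_path: str):
    """Map /~userid/... to the user's Novell home directory, or None.

    The userid is validated before any lookup and '..' is refused in the
    remainder, so a request cannot steer the mapping outside PUBLIC.WWW.
    """
    m = re.match(r"^/~([^/]*)(/.*)?$", url_path)
    if not m:
        return None
    userid, rest = m.group(1), m.group(2) or "/"
    if not USERID_RE.match(userid) or ".." in rest:
        return None
    home = HOME_DIRS.get(userid)
    if home is None:
        return None
    return home + rest.replace("/", "\\")

def parse_htaccess(text: str) -> dict:
    """Parse the NovellAuth-style directives into settings plus require rules."""
    cfg = {"NovellAuth": "off", "requires": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        if key.lower() == "require":
            kind, _, name = val.strip().partition(" ")
            cfg["requires"].append((kind.lower(), name.strip()))
        else:
            cfg[key] = val.strip().strip('"')
    return cfg

def authorize(cfg: dict, userid: str) -> bool:
    """Allow the (already password-checked) user if any require rule matches."""
    if cfg.get("NovellAuth", "off").lower() != "on":
        return False
    fdn = USER_FDN.get(userid)
    if fdn is None:
        return False
    for kind, name in cfg["requires"]:
        if kind == "user" and name == userid:
            return True
        if kind == "group" and fdn in GROUP_MEMBERS.get(name, set()):
            return True
        if kind == "valid-user":
            return True
    return False

# The slide 25 configuration, used as sample input.
SAMPLE_HTACCESS = """\
NovellAuth on
AuthName "Novell Tree"
AuthType Basic
require user gmcochr
require user kellen
require group .resadmin.groups.employee.clemsonu
"""
```

With this configuration gmcochr and kellen pass on their own require user lines, erich passes through membership of .resadmin.groups.employee.clemsonu, and anyone else who authenticated gets a 403 from the module even though the password check succeeded: authentication and authorization stay separate steps.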

26 (diagram) Deployment overview
- NDS with intraNetWare servers A, B and C; AUTHAGNT.NLM running on the intraNetWare servers
- Mainframe (MVS): RACF AuthClient, Onlines, VTAM
- MAIL (Solaris): POPd AuthClient
- NT Server: Web site, WebApp, AuthClient
- OpenLinux: Apache, WebApp, AuthClient
- User workstation (Windows 95/Windows NT and Mac workstation): Eudora, TN3270, Netscape†, LOGIN.EXE

27 Design

28 (diagram) Design
- AuthAdmn Win32 App on a '95/'98/NT Workstation (Administrator), using AuthClient
- AuthMgr NLM (Manager) on a NW Server holding the Master Census
- AuthRslv NLM and AuthAgnt NLM (Agent) on NW Server 1, NW Server 2 ... NW Server N, each holding a Census

29 (diagram) Design, simplified
- AuthAdmn Win32 App on a '95/'98/NT Workstation (Administrator), using AuthClient
- AuthMgr NLM (Manager) on a NW Server with the Master Census
- AuthRslv NLM and AuthAgnt NLM (Agent) on the NW Servers, each with a Census

30 Census

31 Classic Tree Design - Organizational
(diagram) Company tree organized by function: Corp, R&D, Prod, Production, Admin, Sales, Proj1, Proj2, Mkting, Actng, Support; users Bob, Emma, Fred, Sally

32 Classic Tree Design - Geographical
(diagram) Company tree organized by location: New York, LA, Europe, Asia; each location holds Mkting, Prod, R&D; users Bob, Emma, Fred, Sally

33 Clemson Tree Design
(diagram) ClemsonU -> Users, Organizations

34 CU - Every Person Has a Place
(diagram) ClemsonU -> Users -> Students, Misc., Employee, each subdivided A to Z; ClemsonU -> Organizations

35 CU - Every Group Has a Place
(diagram) ClemsonU -> Organizations -> Athletics, DCIT, Forestry, Research, Dean's office, CAFLS, CES; ClemsonU -> Users

36 Client32 Login

37 Novell's Catalog Services
- User-locatable database of directory information
- Query APIs
- The catalog object
- Snapin
- Dredger
- NetWare 5.x
- Example context: .d.employee.clemsonu

38 A Tale of Two Bobs
(diagram) The geographical tree from slide 32 with one Bob in New York and a second Bob in LA

39 Novell's Catalog Services - 2 Bobs
- bob.mkting.New York.company
- bob.prod.LA.company
- Duplicate keys require the user to choose his context at login time.

40 Catalog Services Issues
- Catalog Object NDS synchronization is tricky.
- Heterogeneous systems can be fooled by the catalog.
- Heterogeneous systems cannot handle duplicate catalog entries.
- Only supported in NetWare 5.x
- A catalog can only contain objects in its own NDS tree.

41 Census - Unique Catalog Services
- Catalog Services with rules.
- Provide for true Universal IDs.
- Trawls specified sections of the tree.
- Periodic and on-demand trawls.
- Can use a catalog as input.
- Not an NDS object.
- Supports multiple trees.
- Collisions are resolved once.

42 Census Definitions
- Recurse
- Expand
- Supported objects: Org Unit, Group (member), Org Role (occupant), User, Catalog

43 Big Picture
(diagram) Agent, Resolver, Census, New Census, Manager, Census Administrator, Client, Auth Config, Exception Report, NDS; legend: Data Flow, Command Flow

44 Exceptions

45 User Bases
(diagram) Agents configured with UB=ALL, UB=FACULTY, UB=STAFF; user bases FACULTY, STAFF, ALL
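The Census idea from slides 39 to 45, a catalog built by trawling chosen parts of the tree, with duplicate common names (the two Bobs) resolved once by a rule or pushed to the exception report, and user bases that restrict what an agent will resolve, as an added Python example that is not Clemson's Census or AuthMgr code. The tree, the group memberships, the rule format (an ordered list of preferred contexts) and the UB selection are all constructed assumptions; the example goes slightly beyond the slides by also honouring the Recurse and Expand definitions from slide 42.

```python
# Constructed NDS-like tree keyed by typeless, leading-dot distinguished name.
# (kind, members): members only meaningful for Group objects. Assumption.
TREE = {
    ".company": ("OU", None),
    ".New York.company": ("OU", None),
    ".LA.company": ("OU", None),
    ".mkting.New York.company": ("OU", None),
    ".prod.LA.company": ("OU", None),
    ".bob.mkting.New York.company": ("User", None),
    ".emma.mkting.New York.company": ("User", None),
    ".bob.prod.LA.company": ("User", None),
    ".fred.prod.LA.company": ("User", None),
    ".sally.prod.LA.company": ("User", None),
    ".faculty.groups.company": ("Group", [".emma.mkting.New York.company",
                                          ".bob.mkting.New York.company"]),
    ".staff.groups.company": ("Group", [".fred.prod.LA.company",
                                        ".sally.prod.LA.company",
                                        ".bob.prod.LA.company"]),
}

def cn(dn: str) -> str:
    """Common name of an object: the first component, lower-cased as a key."""
    return dn.lstrip(".").split(".", 1)[0].lower()

def parent(dn: str) -> str:
    """Container of an object (the DN minus its first component); '' for the root."""
    rest = dn.lstrip(".")
    return "." + rest.split(".", 1)[1] if "." in rest else ""

def children(container: str):
    return [dn for dn in TREE if parent(dn) == container]

def trawl(roots, recurse=True, expand=True):
    """Walk the named containers/groups and collect user FDNs (a Census trawl).

    recurse: descend into sub Org Units; expand: follow Group member lists.
    """
    found, seen, stack = [], set(), list(roots)
    while stack:
        dn = stack.pop()
        if dn in seen or dn not in TREE:
            continue
        seen.add(dn)
        kind, members = TREE[dn]
        if kind == "User":
            found.append(dn)
        elif kind == "OU":
            stack.extend(k for k in children(dn) if recurse or TREE[k][0] != "OU")
        elif kind == "Group" and expand:
            stack.extend(members or [])
    return found

def build_census(user_fdns, rules):
    """Map each unique CN to one FDN.

    A collision (same CN in two contexts) is resolved once: the first rule
    context that holds one of the candidates wins; otherwise the name is left
    out of the census and reported as an exception for an administrator.
    """
    by_cn = {}
    for fdn in user_fdns:
        by_cn.setdefault(cn(fdn), []).append(fdn)
    census, exceptions = {}, []
    for name, fdns in by_cn.items():
        if len(fdns) == 1:
            census[name] = fdns[0]
            continue
        winner = next((f for ctx in rules for f in fdns if parent(f) == ctx), None)
        if winner is None:
            exceptions.append((name, sorted(fdns)))
        else:
            census[name] = winner
    return census, exceptions

def user_base(census: dict, member_fdns) -> dict:
    """A user base is the subset of the census whose FDNs are in the given set."""
    return {n: f for n, f in census.items() if f in member_fdns}

class Agent:
    """Resolver bound to one user base, like UB=FACULTY / UB=STAFF / UB=ALL."""
    def __init__(self, base: dict):
        self.base = base
    def resolve(self, userid: str):
        """Userid -> FDN within this agent's user base, or None."""
        return self.base.get(userid.lower())
```

Without a rule the two Bobs produce an exception and neither can log in by plain userid, which is the Catalog Services situation from slide 39; with a preferred context the collision is settled once in the census, and an agent bound to UB=FACULTY still answers None for the staff Bob because he is outside its user base.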

46 Mass User Management
(diagram) HR -> MUM -> Directory Services, UserBases

47 Requirements

48 AuthAdmin Requirements
- Windows '95/'98/NT Workstation
- 64 MB RAM
- Client32

49 Manager Server Requirements
- NetWare 4.11/5.x
- P-100 or higher (recommended)
- 1 MB RAM per 2000 census users (free cache buffers)
- 1 MB disk per 10,000 census users
- No local replicas required.

50 Agent Server Requirements
- NetWare 4.11/5.x
- P-166 or higher (to process 25-50 concurrent requests with no local replicas)
- 1 MB RAM per 2000 census users (free cache buffers)
- 1 MB disk per 10,000 census users
- No local replicas required.
- TCP/IP configured.

51 Benefits

52 Benefits
- Improved computing usability.
- Uniform authentication security.
- Uniform application security across systems is now a possibility.
- Uniform password rules.
- Easy to deploy new systems.
- Password resets are almost non-existent.

53 More Benefits
- Improved security on some systems.
- Consistency across systems and applications.
- Stronger passwords are used on all systems.
- Lets you leverage the strengths of heterogeneous systems without sacrificing usability and security.

54 Clients Supported - 3/17/99
- MVS RACF Version 1.9 and later
- Solaris Version 2.6 and later
- HP/UX Version 11.0 and later
- Red Hat Linux Version 4.2 and later
- Windows NT Version 4.0 and later
- Windows 95 B and Windows 98

55 Clients
MVS - RACF, MVS - ACF2, Solaris, HP/UX, Linux, Windows NT, Windows '95/'98, IRIX, AIX, PeopleSoft, POPd, Livingston Radius, PIX, BSD, Apache, Open Linux, Miscellaneous Applications

56 Comparing NDS for Solaris
- IPX only environment supported
- Pure NW 4.x environment supported
- Non-intrusive install into Solaris
- No NDS object assignments required
- No [Public] NDS rights assignments
- API available to Solaris apps
- Inexpensive site license
- Multiple tree support is possible

57 Comparing NDS for Solaris
- Ensures that there are no duplicate user names across the entire NDS tree.
- No user migration is required.
- Does not require unique UNIX uids across the entire system.
- Supports multiple user UIDs across heterogeneous UNIX systems.
- Not a large leap.

