Authentication

March 2003

Objectives

When you have completed this module you will be able to do the following:
• Describe authentication options
• Configure NTLM authentication
• Configure Kerberos authentication
• Add users
• Create groups
• Edit groups

What is Authentication?

• Authentication determines a user's identity
• NetCache can authenticate Web requests
• NetCache allows use of:
  – NetCache user database
  – RADIUS
  – LDAP
  – NTLM with Kerberos
• Authentication can be used in conjunction with access control to:
  – enforce local security domains
  – allocate resources
  – control bandwidth requirements
  – provide use records
  – enforce content control

Authentication is the process of determining a user's identity so that the user becomes known to the system. NetCache allows you to require authentication for Web requests from clients using certain protocols, such as HTTP, FTP, and NNTP. NetCache also allows you to specify how that authentication is performed: for example, against the local NetCache user database, against a RADIUS database, or using the Microsoft Windows Kerberos protocol server.

In addition to verifying a user's identity to prevent rogue clients from accessing the NetCache appliance, authentication can be used in conjunction with access control to enforce local security domains, allocate resources, control bandwidth requirements, provide records (logged data) used in protection against lawsuits, and enforce content control.

Authentication represents a class of functionality that is growing in demand among NetCache customers and prospects. It gives (often large) organizations the ability to identify exactly which user is requesting which content. This information can then be used for a variety of purposes, from archival logging to content filtering to time- and content-based access control.
Traditionally, users accessing an authenticated cache must enter their user name and password at the beginning of each browser session. The name/password pair is then sent (usually unencrypted) to the proxy, which can then verify the user's identity locally or by consulting an LDAP or RADIUS server.

Authentication – General (Setup > Authentication > General)

You can specify which protocols require authentication and the authentication database to be used. NetCache supports the following user databases:
• NetCache local user and group database (on NetCache)
• LDAP (Lightweight Directory Access Protocol)
• RADIUS (Remote Authentication Dial-In User Service)
• NTLM (NT LAN Manager) with Kerberos
Refer to Online Help for specific configuration information.

Authentication Forwarding (Setup > Authentication > General)

The forwarding network can be written in CIDR or netmask notation; the following three forms are equivalent:
config.auth.forward = 192.56.19/24 (CIDR)
or
config.auth.forward = 192.56.19/255.255.255.0
or
config.auth.forward = 192.56.19.0/255.255.255.0

Group Permissions

Options on the Setup > Authentication > Groups page are used to add, edit, and delete groups. Additionally, these options enable you to authorize access to some protocols but restrict access to others (for example, some groups can use HTTP and FTP but not Gopher).

Note: System administrators cannot access the NetCache Manager utility unless the NetCache user database contains at least one user name and password. NetCache provides a default of admin for the user name and NetCache for the password. The default user name and password are case-sensitive.

The NetCache group and user databases are maintained on the NetCache appliance. Refer to Online Help for specific configuration information.

Defining New Groups

The New Group button is used to create a group and add it to the NetCache user database. Refer to Online Help for specific configuration information.
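The three spellings of the forwarding network above all describe the same /24. The following added example (not NetCache code; the page does not define what the appliance does with the option beyond accepting a network in these forms, so only the notation is modelled here) normalises the abbreviated-octet, CIDR and dotted-netmask forms to one network object and tests client addresses against it:

```python
"""Parse the network notations shown for config.auth.forward.

Added example; it is not NetCache code. It accepts the three forms on the
slide (abbreviated octets with a CIDR prefix, abbreviated octets with a
dotted netmask, and a full address with a dotted netmask).
"""
import ipaddress
from typing import Iterable


def parse_forward_network(spec: str) -> ipaddress.IPv4Network:
    """Accept 'a.b.c/24', 'a.b.c/255.255.255.0' or 'a.b.c.d/255.255.255.0'.

    Addresses with fewer than four octets are right-padded with zeros, so
    192.56.19/24 is read as 192.56.19.0/24.
    """
    addr, sep, mask = spec.strip().partition("/")
    if not sep or not mask:
        raise ValueError(f"network spec needs '/prefix' or '/netmask': {spec!r}")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address part: {addr!r}")
    octets += ["0"] * (4 - len(octets))
    full_addr = ".".join(octets)
    # ipaddress accepts both '/24' and '/255.255.255.0' as the mask part and
    # rejects non-contiguous masks; strict=False clears any set host bits.
    return ipaddress.IPv4Network(f"{full_addr}/{mask}", strict=False)


def client_in_forward_networks(client_ip: str, specs: Iterable[str]) -> bool:
    """True if the client address falls inside any configured network."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in parse_forward_network(s) for s in specs)


# The three spellings from the slide.
SLIDE_SPECS = (
    "192.56.19/24",
    "192.56.19/255.255.255.0",
    "192.56.19.0/255.255.255.0",
)

if __name__ == "__main__":
    for spec in SLIDE_SPECS:
        print(f"{spec:28} -> {parse_forward_network(spec)}")
    print("192.56.19.77 matches:", client_in_forward_networks("192.56.19.77", SLIDE_SPECS))
    print("192.56.20.1 matches: ", client_in_forward_networks("192.56.20.1", SLIDE_SPECS))
```

Because the parser normalises before comparing, a configuration review can diff the effective networks rather than the literal strings, which is what matters when deciding whether a client subnet is or is not covered.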
Add Users

[Screenshot: Add Users form, showing the sample user name Newuser and password 123abc]

Options on the Setup > Authentication > NetCache Users page are used to configure the NetCache user database. These options are used to specify group memberships, edit existing users, and remove users from the database. Refer to Online Help for specific configuration information.

Authentication Options

• NetCache user (and group) database
• LDAP
• RADIUS
• NTLM (NT LAN Manager)
• Kerberos (Windows 2000)

NetCache user database: The native NetCache user database provides local authentication for users and administrators (clear-text authentication).

LDAP authentication: Lightweight Directory Access Protocol (LDAP) server databases are commonly used as employee directory databases. You can enable NetCache to retrieve user and group data from an existing LDAP server to perform clear-text authentication.

RADIUS authentication: Remote Authentication Dial-in User Service (RADIUS) was originally used to authenticate people logging in to the network through a modem to remote points of presence (POPs). You can enable NetCache to retrieve user data from an existing RADIUS server to perform clear-text authentication. (RADIUS does not support groups.)

NTLM (NT LAN Manager): NTLM supports NT domain access to the Microsoft Windows authentication environment. NTLM (in true mode) performs authentication using an encrypted challenge-and-response sequence between NetCache and a Windows domain controller. NTLM can be used for clear-text authentication when used with a browser other than Microsoft Internet Explorer.

Kerberos (Windows 2000): Kerberos is the native authentication protocol for Windows 2000 domain access. Kerberos authentication is based on a shared secret key distribution model in which NetCache validates tickets presented by the client (user).
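The Groups and NetCache Users pages together define who may use which protocol through the proxy. The following added example (not NetCache code) models that local database: groups carry a set of allowed protocols, users carry group memberships, and a per-request check answers "may this user use this protocol?". It also flags the factory default administrator credential the note above mentions while it still works. Storing passwords salted and hashed is a choice of this example; the page says only that the local database performs clear-text authentication on the wire.

```python
"""Local user and group database with per-group protocol permissions.

Added example modelled on the Groups and NetCache Users pages; it is not
NetCache code. The default admin credentials are the ones stated on the
slide; the sample group and user are constructed from the slide examples.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set

# Factory default administrator credentials as stated on the slide (case-sensitive).
DEFAULT_ADMIN_USER = "admin"
DEFAULT_ADMIN_PASSWORD = "NetCache"


@dataclass
class Group:
    name: str
    allowed_protocols: FrozenSet[str]


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: Set[str] = field(default_factory=set)


class LocalUserDatabase:
    """Users, groups, and which protocols each group may use through the proxy."""

    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}
        self.users: Dict[str, User] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    # --- group management (Setup > Authentication > Groups) ---
    def add_group(self, name: str, protocols: Iterable[str]) -> None:
        self.groups[name] = Group(name, frozenset(p.lower() for p in protocols))

    def edit_group(self, name: str, protocols: Iterable[str]) -> None:
        if name not in self.groups:
            raise KeyError(f"no such group: {name}")
        self.add_group(name, protocols)

    def delete_group(self, name: str) -> None:
        del self.groups[name]
        for user in self.users.values():
            user.groups.discard(name)

    # --- user management (Setup > Authentication > NetCache Users) ---
    def add_user(self, name: str, password: str, groups: Iterable[str] = ()) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, self._hash(password, salt), set(groups))

    def remove_user(self, name: str) -> None:
        self.users.pop(name, None)

    # --- checks performed per request ---
    def authenticate(self, name: str, password: str) -> bool:
        """Verify a name/password pair; names are case-sensitive, like the default."""
        user = self.users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, self._hash(password, user.salt))

    def is_authorized(self, name: str, protocol: str) -> bool:
        """A user may use a protocol if any of their groups allows it."""
        user = self.users.get(name)
        if user is None:
            return False
        return any(
            protocol.lower() in self.groups[g].allowed_protocols
            for g in user.groups if g in self.groups
        )

    def uses_default_admin_credentials(self) -> bool:
        """True while the factory default admin password still works."""
        return self.authenticate(DEFAULT_ADMIN_USER, DEFAULT_ADMIN_PASSWORD)


def build_sample_db() -> LocalUserDatabase:
    """Constructed sample: the slide's HTTP-and-FTP-but-not-Gopher group and sample user."""
    db = LocalUserDatabase()
    db.add_user(DEFAULT_ADMIN_USER, DEFAULT_ADMIN_PASSWORD)   # as shipped
    db.add_group("web-only", ["HTTP", "FTP"])                  # no Gopher
    db.add_group("research", ["HTTP", "FTP", "Gopher"])
    db.add_user("Newuser", "123abc", groups={"web-only"})      # Add Users slide sample values
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for proto in ("HTTP", "FTP", "Gopher"):
        print(f"Newuser -> {proto}: {db.is_authorized('Newuser', proto)}")
    if db.uses_default_admin_credentials():
        print("warning: default admin password is still in use")
```

Authentication and authorization are kept as separate calls on purpose: a request is first checked against the credential store and then, independently, against the group's protocol set, so a group edit changes what authenticated users may do without touching their credentials.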
LDAP Server

• Can reduce workload of maintaining user accounts
• Network load can add authentication delay
• Can only authenticate to one server
• Can only authenticate users, NOT administrators
• Cannot use LDAP if you restrict type of requests (e.g., protocol specific)
• NetCache 5.0 and later requires LDAP Version 3

Using a Lightweight Directory Access Protocol (LDAP) server to authenticate users

If you already have an LDAP server providing user authentication for your network, you can point NetCache to this server and use it to authenticate users for NetCache. Using an LDAP server to authenticate users for NetCache significantly reduces the workload of maintaining a user database for NetCache, especially if your network has several cooperating NetCache appliances installed. Without LDAP, if you want user authentication, you must maintain a separate user database on each NetCache system.

Authenticating NetCache users with an LDAP server delays a user's web request each time the user is authenticated (at most, once per hour). The amount of delay for the user depends on your network load.

You can only authenticate users and groups through LDAP. Authenticating admin access locally ensures that the administrator will have access even when LDAP is down.

How the NetCache LDAP client works

If you enable protocol authentication for one or more protocols and point NetCache to an LDAP server, NetCache restricts access for the authenticated protocols to those users authorized in the LDAP database. That is, all users in the LDAP database are authorized to use the NetCache authenticated protocols. If you need to configure NetCache to allow users to make only some types of requests, you must use the NetCache User Administration feature.

If you configured your NetCache system to authenticate users with an LDAP server, NetCache prompts each user for a user name and password.
When the user supplies the information, NetCache requests the LDAP server to authenticate the user.

NTLM Authentication

[Diagram: Internet Explorer or Media Player, and Netscape, send HTTP requests to NetCache, which forwards HTTP to the Origin Server; NetCache authenticates users over SMB/NTLM against a PDC running WinNT or Win2K in non-native mode]

NTLM (NT LAN Manager) Authentication

Microsoft has created provisions for Microsoft Internet Explorer (MSIE) users to be authenticated by Microsoft Proxy Server (MSPS) without requiring the user to input a password every time a browser session is started. This is called "single sign-on." Single sign-on depends upon Windows' tendency to maintain persistent password state about the user currently using the machine. When a user signs on to an NT domain, the user name and password are kept locally for later use. As applications encounter the need to prove the identity of the user to another machine, the application can use that stored user name and password to transparently complete the log-on process.

The specifics of this technique as implemented by various versions of Windows are collectively known as NTLM (NT LAN Manager) challenge/response. The NTLM sign-on transaction normally happens when a user logs on to a workstation, or when a user signs on to a CIFS (Common Internet File System) share. It is also the same transaction used between the proxy server and the PDC (Primary Domain Controller) when the proxy wants to authenticate someone.

Netscape does not support NTLM authentication. MSIE running on Mac (or Unix) doesn't support it either. MSPS can be configured to accept "basic" (clear text) user/password pairs from these clients, and will then authenticate these with the PDC, using NTLM as before.

Any browser can send a basic (clear text) credential to the cache, which will then turn
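The module contrasts two ways a credential reaches the proxy: the "basic" clear-text name/password pair described at the start (sent usually unencrypted, recoverable by anyone who sees the request) and a challenge/response exchange in which only a keyed answer to a fresh nonce crosses the wire. The following added example shows both side by side. It is not NetCache, Microsoft Proxy Server or Windows code; the challenge/response is a simplified HMAC-SHA256 model with a password-derived key, not the real NTLM message format or hash construction, and the account, nonce size and header values are constructed for the example.

```python
"""Basic (clear-text) credentials versus challenge/response.

Added example; not NetCache, MSPS or Windows code. The challenge/response
below is a simplified HMAC-SHA256 model, not the actual NTLM construction.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple


def encode_basic(user: str, password: str) -> str:
    """What a browser puts in Proxy-Authorization for the Basic scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic header, or None if malformed.

    This is all the proxy (or any log or network tap in between) needs to do,
    which is why the text calls the scheme clear text.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None


def derive_key(password: str) -> bytes:
    """Password-derived key shared by the client and the authenticator.

    Stand-in for the stored password hash a domain controller keeps. It is
    password-equivalent, so it must be protected like the password itself.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Authenticator:
    """Server side: holds derived keys (never passwords) and one-time challenges."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self._keys = {u: derive_key(p) for u, p in accounts.items()}
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(8)  # constructed size; fresh per exchange
        self._outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # Each challenge is answerable once, so a captured response cannot be replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        key = self._keys.get(user)
        if key is None:
            return False
        return hmac.compare_digest(response, compute_response(key, nonce))


def demo() -> Dict[str, object]:
    """Run both flows with a constructed sample account and report the outcomes."""
    auth = Authenticator({"jdoe": "correct horse"})
    # Clear-text path: the proxy recovers the password directly from the header.
    leaked = decode_basic(encode_basic("jdoe", "correct horse"))
    # Challenge/response path: only a keyed digest of the nonce crosses the wire.
    nonce = auth.challenge()
    response = compute_response(derive_key("correct horse"), nonce)
    ok = auth.verify("jdoe", nonce, response)
    replay = auth.verify("jdoe", nonce, response)  # same nonce presented again
    nonce2 = auth.challenge()
    wrong = auth.verify("jdoe", nonce2, compute_response(derive_key("guess"), nonce2))
    return {"leaked": leaked, "ok": ok, "replay": replay, "wrong_password": wrong}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two outcomes worth noting are `leaked`, which shows the proxy holding the plain password after a Basic exchange, and `replay`, which shows why the challenge must be fresh per exchange: the same correct response is rejected the second time because its nonce has already been consumed.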