Authentication

March 2003

Objectives

When you have completed this module you will be able to do the following:
• Describe authentication options
• Configure NTLM authentication
• Configure authentication
• Add users
• Create groups
• Edit groups

What is Authentication?

• Authentication determines a user's identity
• NetCache can authenticate Web requests
• NetCache allows use of:
  – NetCache user database
  – RADIUS
  – LDAP
  – NTLM with Kerberos
• Authentication can be used in conjunction with access control to:
  – enforce local security domains
  – allocate resources
  – control bandwidth requirements
  – provide use records
  – enforce content control

What is authentication? Authentication is the process of determining a user's identity so that the user becomes known to the system. NetCache allows you to require authentication for Web requests from clients using certain protocols, such as HTTP, FTP and NNTP. NetCache also allows you to specify how that authentication is performed, for example against the local NetCache user database, against a RADIUS database, or using the Windows Kerberos protocol. In addition to verifying a user's identity to prevent rogue clients from using the NetCache appliance, authentication can be used in conjunction with access control to enforce local security domains, allocate resources, control bandwidth requirements, provide records that protect the organization in legal disputes (through logged data), and enforce organizational values through content control. Authentication is a class of functionality that is growing in demand among NetCache customers and prospects: it gives (often large) organizations the ability to identify exactly which user is requesting which content. That information can then be used for a variety of purposes, from archival logging, to content filtering, to user- and content-based access control. Traditionally, users accessing an authenticated cache must enter their user name and password at the beginning of each browser session. The name/password pair is then sent to the proxy, usually unencrypted, so anyone who can observe the client-to-proxy traffic can read it; the proxy then verifies the user's identity locally or by consulting an LDAP or RADIUS server.

Setup > Authentication > General

Authentication – General

You can specify which protocols require authentication and the authentication database to be used. NetCache supports the following user databases:
• NetCache local user and group database (on NetCache)
• LDAP (Lightweight Directory Access Protocol)
• RADIUS (Remote Authentication Dial-In User Service)
• NTLM (NT LAN Manager) with Kerberos
Refer to Online Help for specific configuration information.

Authentication Forwarding

Setup > Authentication > General

The value of config.auth.forward can be written in any of three equivalent forms (CIDR prefix length, dotted mask with a shortened network address, or dotted mask with the full network address):

config.auth.forward = 192.56.19/24
config.auth.forward = 192.56.19/255.255.255.0
config.auth.forward = 192.56.19.0/255.255.255.0
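As an added example (not NetCache code), the following parser accepts the three notations shown above: it pads a shortened network such as 192.56.19 to four octets, takes either a prefix length or a dotted mask, rejects a value whose host bits are set (a likely typo such as 192.56.19.5/24) or whose mask is not contiguous, and then tests whether a given address falls inside the configured network. The helper names are mine, and the example assumes a single network value; what the appliance does with matching addresses is described in the NetCache online help.

```python
"""Added example, not NetCache code: normalise the three network notations
accepted by config.auth.forward and test an address against the result."""
import ipaddress


def _pad_octets(text: str) -> str:
    """Expand a shortened dotted address ('192.56.19') to four octets ('192.56.19.0')."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad network address: {text!r}")
    return ".".join(parts + ["0"] * (4 - len(parts)))


def parse_forward_network(spec: str) -> ipaddress.IPv4Network:
    """Parse 'net/prefixlen' or 'net/dotted-mask', where net may be shortened.

    strict=True makes ipaddress raise if host bits are set (192.56.19.5/24);
    ipaddress also rejects non-contiguous dotted masks such as 255.255.0.255.
    """
    net, sep, mask = spec.strip().partition("/")
    if not sep or not mask:
        raise ValueError(f"missing mask or prefix length in {spec!r}")
    if mask.isdigit() and not 0 <= int(mask) <= 32:
        raise ValueError(f"prefix length out of range in {spec!r}")
    return ipaddress.IPv4Network(f"{_pad_octets(net)}/{mask}", strict=True)


def address_in_network(addr: str, spec: str) -> bool:
    """True when addr lies inside the network written as spec (any of the three forms)."""
    return ipaddress.IPv4Address(addr) in parse_forward_network(spec)


if __name__ == "__main__":
    for form in ("192.56.19/24", "192.56.19/255.255.255.0", "192.56.19.0/255.255.255.0"):
        print(f"{form:30} -> {parse_forward_network(form)}")   # all print 192.56.19.0/24
    print(address_in_network("192.56.19.77", "192.56.19/24"))   # True
    print(address_in_network("192.56.20.1", "192.56.19/24"))    # False
```

All three forms normalise to the same network object, which is the check to run before committing a value: a typo that sets host bits or a malformed mask is reported instead of being silently widened.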

Group Permissions

Group Permissions

Options on the Setup > Authentication > Groups page are used to add, edit, and delete groups. These options also let you grant a group access to some protocols but restrict access to others (for example, some groups can use HTTP and FTP but not Gopher).

Note: System administrators cannot access the NetCache Manager utility unless the NetCache user database contains at least one user name and password. NetCache provides a default user name of admin and a default password of NetCache. The default user name and password are case-sensitive; change the default password before the appliance is put into service.

The NetCache group and user databases are maintained on the NetCache appliance. Refer to Online Help for specific configuration information.


Defining New Groups

The New Group button is used to create a group and add it to the NetCache user database. Refer to Online Help for specific configuration information.

Add Users

Example entry (user name followed by password): Newuser 123abc

Add Users Options on the Setup > Authentication > NetCache Users page are used to configure the NetCache user database. These options are used to specify group memberships, edit existing users, and remove users from the database. Refer to Online Help for specific configuration information.

Authentication Options

• NetCache user (and group) database
• LDAP
• RADIUS
• NTLM (NT LAN Manager)
• Kerberos (Windows 2000)

NetCache user database
The NetCache user database provides local authentication for users and administrators (clear-text authentication).

LDAP authentication
Lightweight Directory Access Protocol (LDAP) server databases are commonly used as employee directory databases. You can enable NetCache to retrieve user and group data from an existing LDAP server to perform clear-text authentication.

RADIUS authentication
The Remote Authentication Dial-In User Service (RADIUS) server was originally used to authenticate users logging in to the network through a modem to remote points of presence (POPs). You can enable NetCache to retrieve user data from an existing RADIUS server to perform clear-text authentication. (RADIUS does not support groups.)

NTLM (NT LAN Manager)
NTLM supports NT domain access to the Microsoft Windows authentication environment. NTLM (in true mode) performs authentication using an encrypted challenge-and-response sequence between NetCache and a domain controller, so the user's password itself is not sent across the network. NTLM can also be used for clear-text authentication when used with a browser other than Microsoft Internet Explorer: the browser sends the credential in clear text and NetCache completes the challenge/response with the domain controller on the user's behalf.

Kerberos (Windows 2000)
Kerberos is the native authentication protocol for Windows 2000 domain access. Kerberos authentication is based on a key distribution model in which NetCache validates tickets presented by the client (user).

LDAP Server

• Can reduce the workload of maintaining user accounts
• Network load can add authentication delay
• Can only authenticate to one server
• Can only authenticate users, NOT administrators
• Cannot use LDAP alone if you restrict the types of requests individual users may make (e.g., per-protocol permissions)
• NetCache 5.0 and later requires LDAP Version 3

Using a Lightweight Directory Access Protocol (LDAP) server to authenticate users

If you already have an LDAP server providing user authentication for your network, you can point NetCache to this server and use it to authenticate users for NetCache. Using an LDAP server to authenticate users for NetCache significantly reduces the workload of maintaining a user database for NetCache, especially if your network has several cooperating NetCache appliances installed. Without LDAP, if you want user authentication, you must maintain a separate user database on each NetCache system.

Authenticating NetCache users with an LDAP server delays a user's web request each time the user is authenticated (at least once per hour). The amount of delay depends on your network load. You can only authenticate users and groups through LDAP, not administrators. Authenticating admin access locally ensures that the administrator will still have access even when the LDAP server is down.

How the NetCache LDAP client works

If you enable protocol authentication for one or more protocols and point NetCache to an LDAP server, NetCache restricts access for the authenticated protocols to those users authorized in the LDAP database. That is, all users in the LDAP database are authorized to use the NetCache authenticated protocols. If you need to configure NetCache to allow users to make only some types of requests, you must use the NetCache User Administration feature. If you configured your NetCache system to authenticate users with an LDAP server, NetCache prompts each user for a user name and password. When the user supplies the information, NetCache asks the LDAP server to authenticate the user.

NTLM Authentication

[Diagram: Internet Explorer or Media Player --HTTP (NTLM)--> NetCache --SMB / NTLM--> PDC (Windows NT, or Windows 2000 domain in non-native mode); Netscape --HTTP (Basic)--> NetCache; NetCache --HTTP--> origin server]

NTLM (NT LAN Manager) Authentication

Microsoft has created provisions for Microsoft Internet Explorer (MSIE) users to be authenticated by Microsoft Proxy Server (MSPS) without requiring the user to input a password every time a browser session is started. This is called "single sign-on." Single sign-on depends on Windows' tendency to maintain persistent password state about the user currently using the machine. When a user signs on to an NT domain, the user name and password are kept locally for later use. As applications encounter the need to prove the identity of the user to another machine, the application can request that the stored user name and password be used to transparently complete the logon process. The specifics of this technique as implemented by various versions of Windows are collectively known as NTLM (NT LAN Manager) challenge/response. The NTLM sign-on transaction normally happens when a user logs on to a domain, or when a user connects to a CIFS (Common Internet File System) share. It is also the same transaction used between the proxy server and the PDC (Primary Domain Controller) when the proxy wants to authenticate someone. Netscape does not support NTLM authentication. MSIE running on Mac (or Unix) doesn't support it either. MSPS can be configured to accept "basic" (clear text) user/password pairs from these clients, and will then authenticate them with the PDC, using NTLM as before.

Any browser can send a basic (clear text) credential to the cache, which will then turn it into an encrypted NTLM request and send it to the PDC. The password is protected on the cache-to-PDC leg only; on the browser-to-cache leg it is readable by anyone who can observe the traffic.
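As an added example (not NetCache or Microsoft code), the block below shows what the cache actually sees on the browser-to-cache leg for the two credential styles just described: a Basic credential decodes straight back to the user name and password, while an NTLM message carries only the negotiate/challenge/authenticate exchange and exposes no password. The sample headers are constructed in the block; the realm string and the NTLM negotiate flags are assumptions, and the Type 1 message is the minimal 32-byte form (signature, type, flags, two empty security buffers).

```python
"""Added example, not NetCache or Microsoft code: what a proxy sees in
Proxy-Authorization for Basic versus NTLM credentials. Sample headers are
constructed here for the example."""
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}


def proxy_challenge(offer_ntlm: bool = True) -> list:
    """Proxy-Authenticate values sent with 407. Listing NTLM first lets a
    Windows IE client answer with its cached domain logon; any other browser
    falls back to Basic. The realm string is an assumption."""
    schemes = ["NTLM"] if offer_ntlm else []
    schemes.append('Basic realm="NetCache"')
    return schemes


def basic_header(user: str, password: str) -> str:
    """The credential a non-NTLM browser sends: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def ntlm_negotiate_header(flags: int = 0x00088207) -> str:
    """A minimal NTLM Type 1 (Negotiate) message: signature, type, flags and two
    empty security buffers (domain, workstation). The flag value is an assumption."""
    msg = NTLM_SIGNATURE + struct.pack("<II", 1, flags) + bytes(16)
    return "NTLM " + base64.b64encode(msg).decode()


def parse_proxy_authorization(header: str) -> dict:
    """Classify one Proxy-Authorization value and recover whatever it exposes."""
    scheme, _, blob = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        raw = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        user, sep, password = raw.partition(":")   # password may itself contain ':'
        if not sep:
            raise ValueError("Basic credential lacks the user:password separator")
        # Anyone who can read this header has the password.
        return {"scheme": "Basic", "user": user, "password": password, "cleartext": True}
    if scheme == "ntlm":
        msg = base64.b64decode(blob, validate=True)
        if len(msg) < 12 or not msg.startswith(NTLM_SIGNATURE):
            raise ValueError("not an NTLMSSP message")
        (mtype,) = struct.unpack_from("<I", msg, 8)   # message type is little-endian at offset 8
        if mtype not in NTLM_TYPES:
            raise ValueError(f"unknown NTLM message type {mtype}")
        # Only the negotiate/challenge/response exchange is on the wire; the
        # password never is, so there is nothing to recover here.
        return {"scheme": "NTLM", "type": mtype, "name": NTLM_TYPES[mtype], "cleartext": False}
    raise ValueError(f"unsupported scheme {scheme!r}")


if __name__ == "__main__":
    captured = [basic_header("april", "s3cret"), ntlm_negotiate_header()]  # constructed
    for h in captured:
        print(parse_proxy_authorization(h))
```

Run against a real capture, the same classifier tells you which clients are sending Basic to the cache, and therefore which user names and passwords have been exposed on that segment; those are the clients worth moving to NTLM-capable browsers or to an encrypted path to the proxy.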


Setup > Authentication > NTLM and Kerberos

One page with four tabs:
– General
– Domain Controllers
– Join Domain
– Test Environment

Use the options on the Setup > Authentication > NTLM and Kerberos page tabs to enable NTLM and Kerberos protocol support, to join Windows 2000 and Windows NT domains, and to test the Windows NT4 environment.


Setup > Authentication > NTLM and Kerberos: General

General tab

Allows you to enable or specify general NTLM and Kerberos options, such as:
• NTLM and Kerberos as authentication methods
• Caching of NTLM challenges for reuse for a period
• Selected interfaces for registration with Windows Internet Name Service (WINS)
• NTLM warning level


General Tab – CLI Equivalent

• Authentication protocol options
  – config.auth.ntlm.cache
  – config.auth.ntlm.enable
  – config.auth.ntlm.basic_machine
  – config.auth.ntlm.warning_level
  – config.auth.kerb.enable
• Other miscellaneous options
  – config.auth.windows.wins_ifaces

Setup > Authentication > NTLM and Kerberos: Domain Controllers Tab

Domain Controllers tab

For Microsoft Windows NT or Microsoft Windows 2000, specifies the domain controller (DC) to be used by this appliance for joining the domain. In addition to the standard discovery methods (WINS for Windows NT, DNS for Windows 2000):
• For Windows NT, allows you to order the list of domain controllers returned by WINS and to specify the DC using a method that does not use WINS
• For Windows 2000, allows you to specify the means of gaining access to the domain services without using Domain Name Services (DNS)


Domain Controllers Tab – CLI Equivalent

• Windows NT Domain Options
  – config.auth.windows.pdc
  – config.auth.windows.bdc
  – config.auth.windows.prefdc
• Windows 2000 Domain Options
  – config.auth.windows.dc
  – config.auth.windows.ldap
  – config.auth.windows.kdc
  – config.auth.windows.kpasswd


Setup > Authentication > NTLM and Kerberos Join Domain Tab

• GUI interface to the windows_setup CLI command
• No registry
• All values are committed to CIFS

Join Domain tab

Specifies the information required to join either a Windows 2000 domain or a Windows NT domain:
• Domain name
• Machine name
• WINS server IP address
• Windows 2000 administrator user name and password


Joining a Windows 2000 Domain Without DNS

DNS and Kerberos in Windows 2000
• DNS and Kerberos are used together to
  – identify hosts
  – group them by service
• SRV records in DNS map a service type to a list of host names
• Four service categories:
  1. LDAP
  2. Kerberos Key Distribution Center (KDC)
  3. Kerberos administration (kpasswd)
  4. SMB (domain controller)

DNS Override Settings

• One override setting for each SRV type
  – config.auth.windows.dc
  – config.auth.windows.ldap
  – config.auth.windows.kdc
  – config.auth.windows.kpasswd
• DC and LDAP settings require (hostname, IP address) pairs
• KDC and KPASSWD settings require a hostname and optionally a port number

Example 1 – Domain Join using DNS
• Setup > DNS > General
  – Put only MS DNS servers in the list
  – Commit
• Setup > Authentication > NTLM and Kerberos > Join Domain
  – Enter domain name, machine name, admin user and password
  – Commit
• NetCache will join the specified domain

Example 2 – Domain Join without DNS
• Setup > Authentication > NTLM and Kerberos
• Domain Controllers tab
  – In the KDC and KPASSWD lists enter ip-addr[:port]
  – In the DC and LDAP lists enter name:ip-addr
    • name must be a machine name that is listed in the domain
  – Commit
• Join Domain tab
  – Enter domain name, machine name, admin user and password
  – Commit
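The override settings in Example 2 are exactly the answers a Windows 2000 member would otherwise obtain from the four SRV lookups described on the DNS and Kerberos slide. As an added example (not NetCache or Microsoft code), the block below takes constructed SRV and A records for a two-controller domain, orders each answer set the way RFC 2782 prescribes (lowest priority first, highest weight preferred within a priority; the weighted random draw is replaced by a deterministic sort), and emits the values in the form the override text boxes expect: machine:ip for the DC and LDAP lists, and ip or ip:port for the KDC and kpasswd lists. The SRV names follow the Windows 2000 DNS conventions and are an assumption outside the slide; all record data is constructed.

```python
"""Added example, not NetCache or Microsoft code: turn the four Windows 2000
SRV lookups into the override-setting values used when DNS is unavailable.
All records below are constructed."""
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# One SRV name per override setting (Windows 2000 naming, an assumption here).
SRV_NAMES = {
    "dc":      "_ldap._tcp.dc._msdcs.{domain}",
    "ldap":    "_ldap._tcp.{domain}",
    "kdc":     "_kerberos._tcp.{domain}",
    "kpasswd": "_kpasswd._tcp.{domain}",
}
DEFAULT_PORT = {"kdc": 88, "kpasswd": 464}


def order_srv(records):
    """RFC 2782 order: lowest priority first; within a priority, clients pick
    targets in proportion to weight. This example prefers the highest weight
    deterministically instead of drawing at random."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def override_settings(domain, srv, a_records):
    """Return the value list for each of the four override settings.

    srv:       SRV name -> list of SrvRecord (what DNS would answer)
    a_records: host name -> IPv4 address (the A records for the targets)
    DC and LDAP entries are 'machine:ip' (short machine name, as the slide
    requires); KDC and kpasswd entries are 'ip', or 'ip:port' when the port
    is not the Kerberos default.
    """
    settings = {}
    for svc, pattern in SRV_NAMES.items():
        name = pattern.format(domain=domain)
        records = order_srv(srv.get(name, []))
        if not records:
            raise LookupError(f"no SRV records for {name}; fill config.auth.windows.{svc} by hand")
        values = []
        for rec in records:
            ip = a_records[rec.target]          # KeyError: target has no A record
            if svc in ("dc", "ldap"):
                values.append(f"{rec.target.split('.')[0]}:{ip}")
            elif rec.port == DEFAULT_PORT[svc]:
                values.append(ip)
            else:
                values.append(f"{ip}:{rec.port}")
        settings[svc] = values
    return settings


# Constructed records for a two-controller demo domain.
DEMO_DOMAIN = "demo.netapp.com"
DEMO_A = {"pdc.demo.netapp.com": "10.32.69.10", "bdc.demo.netapp.com": "10.32.69.11"}
DEMO_SRV = {
    "_ldap._tcp.dc._msdcs.demo.netapp.com": [SrvRecord(0, 50, 389, "bdc.demo.netapp.com"),
                                             SrvRecord(0, 100, 389, "pdc.demo.netapp.com")],
    "_ldap._tcp.demo.netapp.com":           [SrvRecord(0, 100, 389, "pdc.demo.netapp.com"),
                                             SrvRecord(0, 50, 389, "bdc.demo.netapp.com")],
    "_kerberos._tcp.demo.netapp.com":       [SrvRecord(0, 100, 88, "pdc.demo.netapp.com"),
                                             SrvRecord(10, 100, 8888, "bdc.demo.netapp.com")],
    "_kpasswd._tcp.demo.netapp.com":        [SrvRecord(0, 100, 464, "pdc.demo.netapp.com")],
}

if __name__ == "__main__":
    for svc, values in override_settings(DEMO_DOMAIN, DEMO_SRV, DEMO_A).items():
        print(f"config.auth.windows.{svc}: {', '.join(values)}")
```

Two details worth noting when filling the text boxes by hand: the DC and LDAP entries use the short machine name, so the appliance can match the name against the domain's machine list, and a KDC or kpasswd server on a non-default port must carry the port, or the appliance will try 88 or 464 and fail silently.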

Notes

• These options are NetCache only
• Usually all services are exported by the same server
  – You still have to fill in all of them
• Choose servers that are close by
• You can (and should) use external DNS for origin server name resolution
  – Be careful about collisions between internal names and external names

Remote Authentication Dial-In User Service (RADIUS)
• Does not support group authentication
• Does not enable you to allow access for users to some protocols and deny access to other protocols


Remote Authentication Dial-In User Service (RADIUS)

Remote Authentication Dial-In User Service (RADIUS) Options on the Setup > Authentication > RADIUS page enable NetCache to retrieve user data from an existing RADIUS server directory. The RADIUS server authenticates users, grants administrative access, and applies NetCache permission settings to RADIUS users. Refer to Online Help for specific configuration information.


Authentication Exercises

• NTLM and Kerberos Configuration
• Set up Kerberos Authentication with Windows 2000
• NTLM Statistics and Warnings Exercise
• Configure NetCache to locate the authenticating server without DNS

Authentication Exercises

• 30 minutes in length
• Use breakout rooms
• Instructor will visit all rooms
• Broadcast announcement 5 minutes prior to regrouping
• Stay focused and start the GUI
• Share microphones, or no one else can be heard

Authentication NetCache Exercise

Objectives

When you have completed this module, you will be able to do the following:
• Configure authentication through the NetCache Manager
• Create groups
• Add users
• Restrict access to NetCache to specific groups
• Set up NTLM and Kerberos authentication
• Configure ACLs to control access by Windows users
• Configure NetCache to locate the authenticating server without DNS

Exercise Overview The purpose of this activity is for you to gain experience in managing NetCache and setting up user and group authentication. During these exercises, you will be guided through each step in the process, and you will have an opportunity to verify that each step was successfully completed.

Time Estimate: 30 minutes

Required Hardware, Software, and Tools

Hardware
• Workstation
• NetCache machine

Software
• Windows 2000
• NetCache 5.4 or later
• Netscape 4.7
• Internet Explorer 5.5 or later

Setup Authentication Exercise

1. Open NetCache Manager.

2. Select Setup > Authentication > General.

3. Select Authenticate HTTP Requests.

4. Commit changes.

5. What will this selection do?

6. Since we are now using the NetCache user database for authentication, make NetCache User Database the first option in the Authentication-Checking Order.

7. Commit changes.

8. Regardless of the authentication methods employed, why should NetCache User Database be included in the list?

Add New NetCache Group

Create a group and add members as follows:

1. Open NetCache Manager.

2. Select Setup > Authentication > Groups.

3. Select the Groups tab and click on the New Group button.

4. Enter a name for your new group.

5. Select the access permissions for your new group. We recommend at least HTTP.

6. Commit changes.

7. Select Setup > Authentication > NetCache Users.

8. Ensure that your new group is displayed under Group Memberships.

Configure New User Account

If you enable protocol authentication, you must specify which users are authorized to make requests of NetCache and which protocols each user is authorized to use. Add users to the NetCache user database as follows:

1. Open NetCache Manager.

2. Select Setup > Authentication > NetCache Users

3. Click the Add Users button.

4. Enter a user using the following format: username password

5. Assign your new user to the new group you created.

6. Click Add Users, then select Add.

7. Close all browser clients.

8. Try to access a network URL from your workstation.

9. Were you asked for the user name and password?

10. Open a web browser and configure your NetCache as the proxy for your browser. Try accessing some URLs, including http://www.hotmail.com.

11. What happened and why?

12. Reconfigure your browser proxy to connect directly to the Internet. Try accessing some URLs.

13. What happened and why?

NTLM and Kerberos Configuration

This exercise has been written for a Windows 2000 domain. If you enable NTLM authentication, you must add the NetCache to the Active Directory as a new machine (computer account).

1. Open NetCache Manager.

2. Ensure the following configurations are correct:
   • Date, time, and time zone all match the Domain Controller (Setup > System > Clock).
   • The DNS name server for the NetCache is 10.32.70.10 (Setup > DNS > General). PDC: internal 10.32.70.10, external 64.94.95.10.
   • The DNS domain name is the same as the Windows domain name; it should be netapp.com.

3. Select Setup > System > Feature Selector.

4. Scroll to Authentication Methods.

5. Ensure that the checkbox beside NTLM and Kerberos is checked.

6. Select Setup > Authentication > General.

7. Select Authenticate HTTP Requests and commit changes.

8. Scroll to Authentication Checking Order and configure: 1. Appliance database 2. NTLM 3. None 4. None.

9. Commit changes.

Set up Kerberos Authentication with Windows 2000

This exercise will allow you to configure the NetCache appliance to use Windows 2000 Kerberos authentication. The first section will guide you through the configuration using the NetCache Manager and the following section using the command interface.

The procedures for this exercise are identical to the NTLM exercise. The steps of the NTLM exercise are repeated here with the variations noted for you.

1. Open NetCache Manager.

2. Ensure the following configurations are correct:
   • Date, time, and time zone all match the Domain Controller.
   • The DNS name server for the NetCache is 10.32.70.10.
   • The DNS domain name is the same as the Windows domain name; it should be "demo.netapp.com".

Select Authentication Method

3. Select Setup > System > Feature Selector.

4. Scroll to Authentication Methods.

5. Be sure that the checkbox beside NTLM and Kerberos is checked.

Join the domain

6. Access the NetCache Manager and open the Join Domain tab.

7. Enter DEMO.NETAPP.COM in the Name of the Windows domain to join text box.

8. Enter the name of your assigned NetCache appliance in the Name of the appliance in the domain database text box.

9. Leave the WINS information blank (we are not using WINS).

10. Enter the following information into the Windows Administrator Credentials text boxes:
    User: administrator
    Password: cslab

11. Commit the changes.

Enable NTLM and Kerberos

12. Select Setup > Authentication > NTLM and Kerberos and enable NTLM and Kerberos as authentication methods.

Test the configuration

13. Close all browser windows for both Internet Explorer and Netscape Navigator.

14. Ensure that you are logged on as Administrator.

15. Open an Internet Explorer window. Because Kerberos (failing over to NTLM) is checking the credentials from your logon, you should not be challenged for a user name and password.

16. Open a Netscape window. You should be challenged for a user name and password, because Netscape is not a Microsoft product and cannot use Kerberos credentials; however, it can still authenticate with the domain controller (through NetCache) once you type in the correct responses.

17. Your responses are:
    Username: Administrator
    Password:

You should now be logged onto the browser through NetCache Kerberos authentication (failing over to NTLM if necessary).

18. Use Internet Explorer to access any URL.

19. What happened? And why was there a difference between using Internet Explorer and Netscape?

End of NTLM and Kerberos configuration exercise

NTLM Statistics and Warnings Exercise

This exercise is intended to give you an opportunity to examine the new NTLM statistics and warnings.

Windows status and statistics

1. Access the command line for your NetCache appliance.

2. Enter show status.windows*

3. Observe the information displayed.

NTLM warning level

4. Determine the current NTLM warning level by entering:
   netcache> show config.auth.ntlm.warning_level

5. To reduce the number of messages, change the warning level to 1:
   netcache> set config.auth.ntlm.warning_level 1

6. Verify your change:
   netcache> show config.auth.ntlm.warning_level

End of NTLM Statistics and Warnings Exercise

ACLs to Control Access by Windows Users

1. Access the NetCache Manager and ensure that HTTP is going to be authenticated (Setup > Authentication), or do this through the CLI.

2. Create a global ACL that denies access to a particular website. Example:
   deny url "http://www.abc.com"

3. Create another ACL that specifically permits access for one of your two new users. Example:
   allow user april and url-prefix "http://www.abc.com"
   deny url-prefix "http://www.abc.com"

4. Log in as the new unique user, the one that has unlimited HTTP access. Using IE, accessing this website as this user should be allowed, transparently.

5. Close all browsers.

6. Open a browser and use the new user without access.
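The exercise depends on rule order and on the difference between url and url-prefix. As an added example (not NetCache code), the evaluator below models rules in the style used above under stated assumptions: rules are tried top to bottom and the first match decides; a "user" condition is never satisfied by an unauthenticated request; "url" compares the whole URL and "url-prefix" compares a prefix; a request matching no rule receives the default passed in. NetCache's own rule grammar and evaluation order are documented in its online help; the helper names here are mine.

```python
"""Added example, not NetCache code: a first-match evaluator for ACL rules
written like the exercise's 'allow user april and url-prefix "..."'."""
import shlex

CONDITIONS = ("user", "url", "url-prefix")


def parse_rule(line: str):
    """'allow user april and url-prefix "http://x"' -> ('allow', [('user','april'), ...])."""
    tokens = shlex.split(line)          # shlex also strips the quotes around URLs
    if not tokens or tokens[0].lower() not in ("allow", "deny"):
        raise ValueError(f"rule must start with allow or deny: {line!r}")
    action, rest = tokens[0].lower(), tokens[1:]
    conditions = []
    i = 0
    while i < len(rest):
        if rest[i].lower() == "and":
            i += 1
            continue
        if rest[i].lower() not in CONDITIONS or i + 1 >= len(rest):
            raise ValueError(f"bad condition near {rest[i]!r} in {line!r}")
        conditions.append((rest[i].lower(), rest[i + 1]))
        i += 2
    if not conditions:
        raise ValueError(f"rule has no conditions: {line!r}")
    return action, conditions


def rule_matches(conditions, user, url) -> bool:
    """All conditions must hold. An unauthenticated request (user None) never
    satisfies a 'user' condition."""
    for key, value in conditions:
        if key == "user" and user != value:
            return False
        if key == "url" and url != value:          # exact comparison, by assumption
            return False
        if key == "url-prefix" and not url.startswith(value):
            return False
    return True


def evaluate(rules, user, url, default="allow"):
    """First matching rule decides; returns (decision, index of that rule or None)."""
    for index, (action, conditions) in enumerate(rules):
        if rule_matches(conditions, user, url):
            return action, index
    return default, None


def compile_acl(lines):
    return [parse_rule(line) for line in lines if line.strip()]


# The two rules from step 3 of the exercise, in the order given there.
EXERCISE_ACL = compile_acl([
    'allow user april and url-prefix "http://www.abc.com"',
    'deny url-prefix "http://www.abc.com"',
])

if __name__ == "__main__":
    for who in ("april", "bob", None):
        print(who, evaluate(EXERCISE_ACL, who, "http://www.abc.com/index.html"))
```

Two checks fall out of running it: swapping the two rules blocks april as well, because the deny now matches first, and a plain url "http://www.abc.com" rule never fires on the "http://www.abc.com/" form a browser actually requests, which is why step 3 switches to url-prefix.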

End of ACLs to Control Access by Windows Users Exercise

Configure NetCache to locate the authenticating server without DNS

This exercise will allow you to configure the NetCache appliance to join a Windows domain without using DNS to resolve domain controller addresses.

1. Open NetCache Manager.

Disable DNS

2. Select Setup > DNS > General.

3. Remove the name server entry, or change it to any address other than 10.41.72.25 (the DNS server).

4. Access the NetCache Manager.

Configure Domain Controller Addresses

5. Select Setup > Authentication > NTLM and Kerberos.

6. Open the Domain Controllers tab.

7. Enter pdc:10.32.69.10 in the Windows 2000 Domain Controllers (overrides DNS) text box.

8. Enter pdc:10.32.69.10 in the Windows 2000 LDAP servers (overrides DNS) text box.

9. Enter 10.32.69.10 in the Windows 2000 KDCs (overrides DNS) text box.

10. Enter 10.32.69.10 in the Windows 2000 kpasswd servers (overrides DNS) text box.

11. Commit the changes.

Test the configuration

12. Close all browser windows for both Internet Explorer and Netscape Navigator.

13. Ensure that you are logged on as Administrator.

14. Open a Netscape window.

15. Note that since DNS is disabled, the browser will be unable to resolve the default home page (if one appears, it is in the browser's cache).

16. Point the browser to your NetCache appliance. Log in to the appliance if prompted to do so. Your responses are:
    Username: admin
    Password: NetCache

17. You will be prompted for a network password. Your responses are:
    User name: Demo\cslab
    Password: passwd

What happened? Was your login accepted?

End of Authentication Exercises
