Re: IIS coding question


From: Ryan L. Means (rmeans_at_law.berkeley.edu)
Date: Thu Aug 28 2003 - 10:35:34 PDT


I've also written an Apache module in mod_perl that authenticates the
user with AWS and then authorizes them with AD groups. It's working
quite well for us, except for those users that aren't in our OU yet
(and others that never will be). I'm coming up with an alternate
authentication method (AD binds, I'm thinking) for those folks. I'm sure
that IIS can be set up in a similar way.

Ryan

Mike Friedman wrote:

> On Tue Aug 26 17:27:44 2003, Eric Chamberlain, CISSP said:
>
>
>>I have a website.
>>
>>What I want:
>>Users connecting from a CalNetAD member machine can use Integrated
>>Authentication and would not get prompted for a username and password.
>>Users connecting from machines not in the domain, would get prompted to
>>enter their CalNetID and Passphrase, via Basic Authentication, so I need
>>SSL.
>
>
> Eric,
>
> It sounds like you're talking about receiving (non-domain) users' CalNet
> passphrases in your own web server (you mention Basic Authentication), which
> runs counter to the CalNet model. The main reason for having a central AWS
> is so that users send their passphrases only there and not to individual
> application servers. Even if you use SSL to protect the passphrase in
> transmission, anyone who gains access to your server could potentially
> capture the passphrases, which is a risk to other applications as well.
>
>
>>Has anyone come up with a module for IIS to use AWS for authentication,
>>instead of using Basic or Integrated Authentication? I'm looking for
>>something that would generate a Windows credential token.
>
>
> I understand that Ray Davis of ETS has an Apache plugin that may be based
> on a similar concept. It allows the web server itself to use the AWS and
> then maintain authentication state without the application having to
> do this. (This is based on my meager understanding of the thing, only
> knowing about it by hearsay). Clearly, you'd need something different for
> IIS, but maybe this can be adapted (in particular, to generate a Windows
> credential token).
>
> Mike
>
> ------------------------------------------------------------------------------
> Mike Friedman System and Network Security
> mikef_at_ack.Berkeley.EDU 2484 Shattuck Avenue
> 1-510-642-1410 University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
> ------------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> For information about Micronet, including subscribing to
> or unsubscribing from its mailing list and finding out
> about upcoming meetings, please visit the Micronet Web site:
> <http://micronet.berkeley.edu/>.

-- 
Ryan L. Means
Chief Technical Officer
School of Law (Boalt Hall)
University of California, Berkeley


This archive was generated by hypermail 2.1.5 : Thu Aug 28 2003 - 10:38:12 PDT