From: Greg Small (gts_at_uclink.berkeley.edu)
Date: Thu Aug 28 2003 - 13:24:31 PDT
Eric,
As I understand this, you want CalNet AD logged-in users to be able to access
AWS authenticated applications without having to reenter their ID and
passphrase.
Essentially single sign-on.
As Mike said, this must not involve capturing the CalNet ID and passphrase on
your server, so this would need to use some form of true Kerberos. So:
1) If you want this ability only for your own web servers and those servers
are IIS, then they can use AD Kerberos and LDAP ("Integrated
Authentication"?).
I would assume that this method is already available in IIS (just as NTLM
was an IIS authentication method in earlier versions of IIS). The problem would be
fall-back to regular AWS authentication.
This could be done with a CGI script/program. This probably allows simpler
fall-back to regular AWS.
ISAPI filters are relatively straightforward for an experienced C++ or
Visual Basic programmer. There are several books with examples. I wrote an
ISAPI filter for IIS 3.0 using Visual C++ for the initial SAFE Download Service
in 1997. Unfortunately I cannot find the source.
2) If you want this ability for all AWS applications (and we do :-), then some
enhancement of the AWS service would be necessary. The CalNet Kerberos KDC
would have to grant AWS Kerberos tokens and the AWS would have to return a
web token when presented with the AWS Kerberos token. This would require a
web browser add-on as has been done by other universities that use Kerberos
authentication (check with CMU about cmukweb).
However this is done, it must be possible for certain AWS authenticated
web services to require a full AWS authentication. This is necessary
because many users will leave their workstations unattended. So blu, the
CalNet Deputy services, etc. must be able to require full AWS
authentication.
Greg Small
Security Infrastructure Project
Workstation Software Support WSS/IST
University of California at Berkeley
"On a network, paranoia is just good thinking!"
Systems Programmer for 36 years and it's still fun!
The opinions or statements expressed herein should not be taken as
a position or endorsement of the University of California, Berkeley.
http://wssg.berkeley.edu/SecurityInfrastructure/
At 11:43 AM 8/28/2003 -0700, Eric Chamberlain, CISSP wrote:
>I've done some more research. It looks like it is possible to come up
>with an ISAPI filter for IIS 6.0 that would use AWS for authentication and
>then generate a Windows token for the user. Then IIS can handle the
>authentication instead of each individual application. IIS 6.0 can
>actually get Kerberos tickets for the user, without ever receiving the
>user's password. My problem now is that I have never done any ISAPI
>programming and need to find someone that could code the filter.
>
>In any case, I think someone needs to come up with a module soon, since
>IIS 6.0 can natively act as a Kerberos proxy and bypass AWS.
>
>--
>Eric Chamberlain, CISSP
>Campus Active Directory Architect
>Central Computing Services
>University of California, Berkeley
>http://calnetad.berkeley.edu
>
>
> > -----Original Message-----
> > From: rmeans_at_law.berkeley.edu [mailto:rmeans_at_law.berkeley.edu]
> > Sent: Thursday, August 28, 2003 10:36 AM
> > To: eric_at_uclink.berkeley.edu
> > Cc: Mike Friedman; micronet-list_at_uclink.berkeley.edu
> > Subject: Re: [Micronet] IIS coding question
> >
> >
> > I've also written an Apache module in mod_perl that authenticates the
> > user with AWS and then authorizes them with AD groups. It's working
> > quite well for us, except for those users that aren't in our OU yet
> > (and others that never will be). I'm coming up with an alternate
> > authentication method (AD binds, I'm thinking) for those folks. I'm sure
> > that IIS can be set up in a similar way.
> >
> > Ryan
> >
> > Mike Friedman wrote:
> >
> > > On Tue Aug 26 17:27:44 2003, Eric Chamberlain, CISSP said:
> > >>I have a website.
> > >>What I want:
> > >>Users connecting from a CalNetAD member machine can use Integrated
> > >>Authentication and would not get prompted for a username and password.
> > >>Users connecting from machines not in the domain would get prompted to
> > >>enter their CalNetID and Passphrase, via Basic Authentication, so I need
> > >>SSL.
> > >
> > >
> > > Eric,
> > > It sounds like you're talking about receiving (non-domain) users'
> > > CalNet passphrases in your own web server (you mention Basic
> > > Authentication), which runs counter to the CalNet model. The main
> > > reason for having a central AWS is so that users send their
> > > passphrases only there and not to individual application servers.
> > > Even if you use SSL to protect the passphrase in transmission, anyone
> > > who gains access to your server could potentially capture the
> > > passphrases, which is a risk to other applications as well.
> > >
> > >>Has anyone come up with a module for IIS to use AWS for
> > >>authentication, instead of using Basic or Integrated Authentication?
> > >>I'm looking for something that would generate a Windows credential
> > >>token.
> > > I understand that Ray Davis of ETS has an Apache plugin that may be
> > > based on a similar concept. It allows the web server itself to use
> > > the AWS and then maintain authentication state without the application
> > > having to do this. (This is based on my meager understanding of the
> > > thing, only knowing about it by hearsay). Clearly, you'd need
> > > something different for IIS, but maybe this can be adapted (in
> > > particular, to generate a Windows credential token).
> > >
> > > Mike
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Mike Friedman                        System and Network Security
> > > mikef_at_ack.Berkeley.EDU            2484 Shattuck Avenue
> > > 1-510-642-1410                       University of California at Berkeley
> > > http://ack.Berkeley.EDU/~mikef       http://security.berkeley.edu
> > >
> > --
> > Ryan L. Means
> > Chief Technical Officer
> > School of Law (Boalt Hall)
> > University of California, Berkeley
> >
This archive was generated by hypermail 2.1.5 : Thu Aug 28 2003 - 13:31:35 PDT