Authentication at Penn State: The Present State of Affairs and Future Directions James A. Vuccolo, Manager, Software Technologies Group Phil Pishioneri,

Presentation transcript:

Authentication at Penn State: The Present State of Affairs and Future Directions James A. Vuccolo, Manager, Software Technologies Group Phil Pishioneri, Manager, UNIX Systems and Technical Solutions Group Advanced Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS)

Agenda
Introduction
Current State of Affairs
Future Directions
Wrap Up

Introduction
Definitions
Account Types

Definitions
Authentication (AuthN)
– The process of validating that a user is who he or she says they are (Is the user's Userid and Password correct?)
Authorization (AuthZ)
– The process of deciding if a user is allowed to have access to a service (Is the user allowed to view a specific Web page?)
Single Sign-On (SSO)
– The process by which a user logs on to a site and then can visit other "protected" sites without the need to re-authenticate

Account Types
Access Account
– A digital identity and password that enables Penn State students, faculty, and staff to use the full range of services either on or off campus
– Provides: Authentication, , PASS and an LDAP Entry
Friends of Penn State Account
– A digital identity and password that enables users outside of Penn State to access applications within Penn State (most likely for Web-based applications)
– Provides: Authentication

Current State of Affairs
Penn State Infrastructure
Web Access Methods

Penn State Infrastructure
Distributed Computing Environment (DCE)
– Based on Kerberos V
– Provides Authentication and Authorization
Distributed File System (DFS)
– Enterprise-wide file system
– Also known as PASS (Penn State Access Account Storage Space)

Web Access Methods (cells left blank were not legible in the transcript)

Method              AuthN   AuthZ   SSO
Mod_auth_external   Yes     Maybe   No
Mod_auth_kerberos   Yes     No
Mod_auth_DCE        Yes             No
FPS API             Yes     No
Shibboleth          Yes             No

Demise of DCE/DFS
IBM's DCE/DFS, which is at the core of Penn State's infrastructure, will no longer be supported after April 2006
ASET/ITS is looking for replacement options
– DCE = Kerberos V + LDAP
– DFS = ???

Future Directions
Kerberos (Authentication)
LDAP (Authorization)
CoSign (SSO)

Kerberos
What is Kerberos?
Kerberos Configuration Files
Things to Know

What is Kerberos?
Kerberos is:
– "…a network authentication protocol. It is designed to provide strong authentication for client/server applications using secret-key cryptography"
Components
– Key Distribution Center (KDC): Masters (located in Computer Building), Back-ups (located off-site)
– Clients
– Application Servers

Kerberos Configuration Files

Access Accounts (krb5.conf):

[libdefaults]
  default_realm = dce.psu.edu
  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
  dce.psu.edu = {
    kdc = fido.aset.psu.edu:88
    kdc = sparky.offsite.psu.edu:88
    kdc = scooby.aset.psu.edu:88
    default_domain = .psu.edu
  }
[domain_realm]
  .psu.edu = dce.psu.edu
  psu.edu = dce.psu.edu
[logging]
  default = FILE:/var/log/krb5/krb5lib.log

Friends of Penn State Accounts (krb5.conf):

[libdefaults]
  default_realm = fops.psu.edu
  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
  fops.psu.edu = {
    kdc = fps.aset.psu.edu:88
    kdc = rover.offsite.psu.edu:88
    default_domain = .psu.edu
  }
[domain_realm]
  .psu.edu = dce.psu.edu
  psu.edu = dce.psu.edu
[logging]
  default = FILE:/var/log/krb5/krb5lib.log
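As an added example (not code from the presentation), the following Python parses a krb5.conf laid out like the two above, including the braced realm entries, and reports which configured enctypes are deprecated today: single DES by RFC 6649, and 3DES and RC4 by RFC 8429. The sample text is constructed from the Access Account slide; the deprecation list is the script's own.

```python
# Added example (not from the slides): parse a krb5.conf laid out like the ones
# above and flag deprecated enctypes; the sample text is constructed from the slide.
import re
KRB5_CONF = """\
[libdefaults]
 default_realm = dce.psu.edu
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 dce.psu.edu = {
  kdc = fido.aset.psu.edu:88
  kdc = sparky.offsite.psu.edu:88
  default_domain = .psu.edu
 }
[domain_realm]
 .psu.edu = dce.psu.edu
 psu.edu = dce.psu.edu
"""
# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac"}

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'name = { ... }' group is a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":                       # close a '{' group
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                    # open a nested group (a realm entry)
                stack.append(stack[-1].setdefault(key, {}))
            else:                               # repeated keys such as kdc accumulate
                stack[-1].setdefault(key, []).append(value)
    return conf

def weak_enctypes(conf):
    """Deprecated enctypes still enabled in [libdefaults], sorted."""
    found = set()
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for value in conf.get("libdefaults", {}).get(key, []):
            found.update(e for e in value.split() if e in DEPRECATED)
    return sorted(found)
```

Run against the slide's configuration the check reports both listed enctypes, which is the expected result for a 2006-era file and the first thing to change when reviewing it today.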

Things to Know
Our Access Account Kerberos KDCs are fully synced with DCE using Kerberos propagation
– A full copy of the Kerberos database is dumped
– The kprop command is used to sync the back-up KDCs
– This is done every 15 minutes, so password changes are not immediate
Using MIT Kerberos solves a number of problems using tools such as Java for authentication

LDAP
What is it?
Authorization Mechanisms
– Roles
– Groups
Examples
DCE vs. LDAP ACLs

What is it?
Lightweight Directory Access Protocol (LDAP)
– Is a standard technology for network directories
– Network directories are specialized databases that store information about devices, applications, people and other aspects of a computer network
– At Penn State, LDAP is the replacement for Ph
Usage Info
– Server: ldap.psu.edu
– Port: 389
– Search Base: dc=psu,dc=edu

Roles
Are attribute/value pairs
– Examples (from my entry): eduPersonPrimaryAffiliation=STAFF, eduPersonEntitlement=URN:PSU.EDU:MUSIC
– Users: Penn State Portal, Shibboleth
  – Napster
  – Physics Class
  – PHEAA (future application)

Groups
DN containing a list of member DNs
Types
– Static
– Dynamic
– Hybrid
– Nested
Rich set of Access Control List (ACL) features

Group Examples

Static Group:

dn: cn=AIT Staff,dc=psu,dc=edu
objectClass: groupOfNames
cn: AIT Staff
member: psDirIdn=4,dc=psu,dc=edu
member: psDirIdn=5,dc=psu,dc=edu

Dynamic Group:

dn: cn=ITS Staff,dc=psu,dc=edu
objectClass: groupOfURLs
cn: ITS Staff
memberURL: ldap:///dc=psu,dc=edu??subtree?(psAdminArea=ITS)
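As an added example (not code from the presentation), the following Python resolves membership for both group styles shown above, a static groupOfNames and a dynamic groupOfURLs, against a small in-memory directory, and turns the result into an authorization decision. The entries, their psDirIdn values and the psAdminArea attribute contents are constructed for the example; the memberURL is the one on the slide, and only single equality or presence filters are evaluated.

```python
# Added example (not from the slides): resolve members of the static and dynamic
# groups shown above against a small constructed directory of psDirIdn entries.
import re
DIRECTORY = {  # constructed sample entries, keyed by DN
    "psDirIdn=4,dc=psu,dc=edu": {"uid": "jav", "psAdminArea": "ITS"},
    "psDirIdn=5,dc=psu,dc=edu": {"uid": "pjp", "psAdminArea": "ITS"},
    "psDirIdn=9,dc=psu,dc=edu": {"uid": "abc", "psAdminArea": "HR"},
    "psDirIdn=7,dc=other,dc=edu": {"uid": "xyz", "psAdminArea": "ITS"},
}
GROUPS = {
    "cn=AIT Staff,dc=psu,dc=edu": {"objectClass": "groupOfNames",
        "member": ["psDirIdn=4,dc=psu,dc=edu", "psDirIdn=5,dc=psu,dc=edu"]},
    "cn=ITS Staff,dc=psu,dc=edu": {"objectClass": "groupOfURLs",
        "memberURL": ["ldap:///dc=psu,dc=edu??subtree?(psAdminArea=ITS)"]},
}

def parse_ldap_url(url):
    """Split an RFC 4516 URL into (base DN, scope, filter); attribute list ignored."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url)
    if not m:
        raise ValueError("unsupported LDAP URL: " + url)
    base, _attrs, scope, filt = m.groups()
    return base, scope or "base", filt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """True if dn lies within base for scope 'base', 'one' or 'subtree'."""
    if dn == base:
        return scope != "one"
    if not dn.endswith("," + base):
        return False
    return scope == "subtree" or (scope == "one" and "," not in dn[:-len(base) - 1])

def matches(entry, filt):
    """Evaluate a single equality/presence filter such as (psAdminArea=ITS)."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", filt).groups()
    return attr in entry if value == "*" else entry.get(attr) == value

def members(group_dn):
    """Member DNs of a static (member) or dynamic (memberURL) group."""
    g = GROUPS[group_dn]
    found = set(g.get("member", []))
    for url in g.get("memberURL", []):
        base, scope, filt = parse_ldap_url(url)
        found.update(dn for dn, e in DIRECTORY.items()
                     if in_scope(dn, base, scope) and matches(e, filt))
    return sorted(found)

def is_authorized(user_dn, group_dn):
    """Authorization decision: is the user a member of the required group?"""
    return user_dn in members(group_dn)
```

The dc=other entry shows why the URL's base DN matters: an entry with the right attribute value outside the search base never becomes a member, so the base is part of the access rule, not just a performance hint.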

DCE vs. LDAP ACLs
DCE:  R = Read, W = Write, X = Execute, C = Control, I = Insert, D = Delete
LDAP: R = Read, W = Write, S = Search, C = Compare, A = Add, D = Delete

CoSign
WebAccess
WebAccess Adopters
Supported Web Servers
Overview of Process
Sample Configurations
WebAccess Login Page
WebAccess in Action…

CoSign
Technology behind the WebAccess service
– Scheduled to be available this summer
– Initially only Access Accounts; FPS to be added
Developed by the University of Michigan

WebAccess
Provides Single Sign-On for Web-based services (cf. FPS API)
– One login per session/timeout
– No application coding
– Password never on your Web server
Can be combined with other functions to provide authorization (LDAP, local groups, etc.)

WebAccess Adopters
Initial ITS services converting to it
– Penn State Portal
– Penn State WebMail
– eLion
– ANGEL

Supported Web Servers
Apache (1 & 2)
IIS (5 & 6)
Tomcat

Overview of Service Login
– Case of person browsing to the service Web page (e.g.,
– Similar flow if starting from the WebAccess login page
– Based on documents written by University of Michigan

Sample Configurations
Apache
IIS

Apache (mod_cosign directives; the two redirect URLs were not captured in the transcript)

LoadModule cosign_module libexec/mod_cosign.so
CosignProtected On
CosignHostname webaccess.psu.edu
CosignRedirect
CosignPostErrorRedirect
CosignService webconf-test
CosignCrypto /psuopt/conf/ssl.key/my.key /psuopt/conf/ssl.crt/my.crt /psuopt/conf/ssl.crt

IIS (IISCosign configuration values; only two of the element names survived in the transcript)

C:\Program Files\IISCosign\SSL\ASET-CA.pem
C:\Program Files\IISCosign\SSL\testsys.aset.psu.edu.cert
PrivateKeyFilePath: C:\Program Files\IISCosign\SSL\testsys.aset.psu.edu.key
C:\Program Files\IISCosign\Logs
C:\Program Files\IISCosign\CookieDB
webaccess.psu.edu
FALSE
cosign-testsys-its
Protected: /protected.htm

WebAccess Login Page

WebAccess in Action…

Wrap Up Questions?