Technology Strategy
Infrastructure Architecture: Standards and Technology
Server Operating Systems
Currently, the following server OSes are used in production for
applications and services in ITSS:
- Sun Microsystems Solaris[tm]
- IBM AIX[tm]
- Microsoft[tm] Windows 2000
- Microsoft[tm] Windows NT 4.0
- Linux
Identity Management and Authentication
Identity Management
ITSS supports a very mature, centralized and uniform user namespace
management system called SUNetID.
This system is combined with processes and integrated services
that manage the sponsorship of user identifiers and propagate this user
information across a number of authentication/account schemes.
The SUNetID is being re-architected
to improve functionality, to remove dependencies on legacy systems and
to better integrate with the ITSS Registries.
Network Authentication
An authentication system allows an operating system or application to
verify that a requesting connection is being initiated by a known
entity. In practice, this type of verification
authenticates a user or service identifier and may provide a strong or weak
assurance of identity. Network authentication services are
independent of any specific application or host computer
authentication scheme. As such, they act as a centralized
authentication arbiter for many applications at once. ITSS
maintains several user network authentication services:
- MIT Kerberos v4 and v5 (network authentication scheme of record)
- Microsoft[tm] Kerberos (defers to MIT Kerberos for Microsoft[tm] clients)
- NTLM v2 (authentication against the Microsoft Windows Active Directory)
- RADIUS (used for dial-in and virtual private network authentication)
- TACACS+ (used for network device authentication)
Single-Sign-On (SSO)
An extremely popular feature of well-integrated network and application
authentication is SSO. Ideally, a user need only respond to one
login for all services which require authentication. In order to
accomplish this quasi-magical functionality, ITSS has historically used
the S-IDENT protocol, which is a variant of the ever-popular IETF RFC 1413.
The relatively slow adoption of and limited application support for
Kerberos, as well as the interest in incorporating support for S-IDENT,
made it necessary for ITSS to develop and maintain a client-side (user
desktop) Kerberos credential and authentication broker. This
program is called PCLeland for Microsoft[tm] Windows desktops
and MacLeland for Apple Macintosh computers.
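To make the RFC 1413 exchange that S-IDENT builds on concrete, the following is an added example (not ITSS code, and not the S-IDENT variant itself, whose extensions are not described on this page). It simulates both sides of a plain Identification Protocol query in-process: the querying host sends a port pair, the ident server on the other host maps that pair to the local user owning the connection, and the querying side parses the reply. The connection table and user names are constructed for the example. The point for a defender is visible in the reply format: the USERID field is simply asserted by the remote host, which is why plain RFC 1413 is an identification hint rather than an authentication, and why a Kerberos-backed variant was needed.

```python
"""Simulated RFC 1413 (Identification Protocol) exchange, both sides in-process.

Added example; constructed data, no sockets. Wire format per RFC 1413:
  query:  <port-on-server> , <port-on-client> CRLF
  reply:  <port-on-server> , <port-on-client> : USERID : <opsys> : <user-id> CRLF
      or  <port-on-server> , <port-on-client> : ERROR  : <error-type> CRLF
"""
import re

# Constructed stand-in for the ident server host's TCP connection table:
# (port on the ident server's host, port on the querying host) -> local user.
CONNECTIONS = {
    (6191, 23): "jdoe",
    (6192, 113): "alice",
}

QUERY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)


def format_query(server_port: int, client_port: int) -> str:
    """Querying side: build the port-pair request, CRLF terminated."""
    return f"{server_port}, {client_port}\r\n"


def handle_query(line: str, table=CONNECTIONS) -> str:
    """Ident server side: answer one query line with a USERID or ERROR reply."""
    m = QUERY_RE.match(line.rstrip("\r\n"))
    if not m:
        # RFC 1413 has no reply for an unparsable line; report an invalid pair.
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return f"{sp}, {cp} : ERROR : INVALID-PORT\r\n"
    user = table.get((sp, cp))
    if user is None:
        return f"{sp}, {cp} : ERROR : NO-USER\r\n"
    # The server asserts the user; nothing here cryptographically binds it.
    return f"{sp}, {cp} : USERID : UNIX : {user}\r\n"


def parse_response(line: str) -> dict:
    """Querying side: parse a reply; raises ValueError on a malformed line."""
    m = RESPONSE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    sp, cp, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if kind == "ERROR":
        return {"server_port": sp, "client_port": cp, "error": rest}
    # user-id is everything after the opsys field's colon, so split only once.
    opsys, _, user = rest.partition(":")
    return {"server_port": sp, "client_port": cp,
            "opsys": opsys.strip(), "user": user.strip()}


def lookup(server_port: int, client_port: int, table=CONNECTIONS) -> dict:
    """Drive the full exchange: build query, let the server answer, parse it."""
    return parse_response(handle_query(format_query(server_port, client_port), table))


if __name__ == "__main__":
    print(lookup(6191, 23))    # the constructed user owning that connection
    print(lookup(6191, 24))    # NO-USER: no such connection on the server host
```

Because the reply carries no signature or ticket, a consumer of this protocol is trusting whatever the remote operating system chooses to say about its own users; the trust boundary is the remote host, not the protocol.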
Web Initial-Sign-On (WebISO) and the WebAuth Credential Server
Since the S-IDENT service is not widely supported, a web authentication
server was created (WebAuth) to allow a more straightforward
integration of web applications with the Kerberos network
authentication service. WebAuth also allows some limited Campus
Directory (LDAP) searching.
Future Authentication Directions
Efforts to leverage existing network authentication technologies and
make them as easy as possible to integrate with applications will
be a focus. Abstracting the APIs for specific
authentication technologies will allow interoperability with other
authentication technologies. Proposed changes to the architecture
of WebAuth will make this type of support possible.
The need for Stanford University to build and offer service around
Public Key Infrastructure (PKI) technology will likely grow. At
this time, the X.509 specification is being used in a number of ways
and in an unregulated fashion. This is an exposure for the
University and is not a scalable model for an authentication scheme.
Authorization
Future Authorization Directions
Directory
Distributed File Systems
EMail
Network Address Registration (NetDB) and Domain Name Service (DNS)
NetDB is a
Usenet News Service (NNTP)
Farewell, boys, companions of my life
Last modified Wednesday, 16-Apr-2003 01:42:17 PDT
© 2003, Stanford University. All rights reserved.