Slide 2: Distributed Authentication Service and Cold Fusion
Presented by
Faust Gorham, IT-CAIT
and
Doreen Meyer, IT-DCAS
dimeyer@ucdavis.edu
Slide 3: Authentication
- Who are you?
- Do you have a valid UCDLoginID and Kerberos password?
Slide 4: Authorization
- We may know who you are, but are you allowed to be here?
- Are you a member of a more restricted group?
- Pre-defined groups include:
    class membership
    serviceID or permit
Slide 5: Distributed Authentication Service
Description
The Distributed Authentication Service is a user-based authentication service for campus web servers and other internet services.
Slide 6: Distributed Authentication Service and Cold Fusion
- How can IT's Distributed Authentication Service and Cold Fusion be used to provide authentication and authorization for ColdFusion-generated web pages?
Slide 7: Distributed Authentication Service Design Principles
- Transparent: few extra steps for the user
- Scalable: does not affect server load
- Distributable: works on UC Davis web servers
- Works with the campus infrastructure
- Secure: Passwords do not travel the network in clear text
Slide 8: Infrastructure Elements
- Kerberos KDC: validate Kerberos password and allow authentication
- AFS (Andrew File System): increase authentication security, and access restricted authorization lists. Highly recommended but not required.
- Secure Web Server: negotiate SSL session with the browser
- Directory Services: unified name space
Slide 9: Distributed Authentication Service
What does the service look like from the user's point of view?
http://pubguide.ucdavis.edu/resources/logos_seals_marks.html
Slide 10: Authentication Options for Windows NT
- NT name/password
- Web server stores name/password list
- Web server stores IP address range
- Web server calls the Distributed Authentication Service (no AFS support)
- Web server supports AFS and calls the Distributed Authentication Service
Slide 11: Authentication Options of Distributed Authentication
- Security level (cookie and AFS recommended)
- Option to allow ucdavis.edu domain without authentication (or deny IPs)
- Specify Authorization files containing the UCDLoginID (classlists)
- Request Authentication but pass successful and unsuccessful results to Cold Fusion (passthrough)
Slide 12: Authentication Options with Cold Fusion
- Distributed Authentication cgi runs, then web server calls Cold Fusion .cfm
- .cfm file is processed by Cold Fusion, then Cold Fusion calls Distributed Authentication cgi
- Cold Fusion evaluates the REMOTE_USER environment variable
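The following is an added example, not code from the presentation: a ColdFusion page that sits behind the Distributed Authentication cgi (the first arrangement on this slide), reads the UCDLoginID the cgi left in REMOTE_USER, and checks it against one of the authorization files from Slide 11. It assumes the cgi runs in passthrough mode, so an empty REMOTE_USER means the login failed or was skipped; the classlist path and the two included templates are placeholders.

```cfml
<!--- Added example (not from the presentation). Assumes the web server
      runs the Distributed Authentication cgi before this .cfm, so
      REMOTE_USER is set by the cgi and not by the browser. If the cgi is
      not in front of this page, REMOTE_USER must not be trusted. --->
<cfset loginID = Trim(CGI.REMOTE_USER)>

<!--- Placeholder: plain-text authorization file, one UCDLoginID per line,
      kept outside the web root so it cannot be fetched directly. --->
<cfset classListPath = ExpandPath("../private/phy7-classlist.txt")>

<cfif NOT Len(loginID)>
    <!--- Passthrough mode: no successful login. Treat as anonymous. --->
    <cfset isAuthenticated = false>
    <cfset isAuthorized = false>
<cfelse>
    <cfset isAuthenticated = true>
    <!--- Read the classlist and look for an exact, whole-line match.
          CR and LF are both list delimiters, so Unix or DOS line
          endings work; ListFindNoCase will not match "jdoe2" for "jdoe". --->
    <cffile action="read" file="#classListPath#" variable="classList">
    <cfset isAuthorized = ListFindNoCase(classList, loginID, Chr(13) & Chr(10)) GT 0>
</cfif>

<cfif isAuthorized>
    <!--- Authenticated AND on the class list: restricted content --->
    <cfinclude template="restricted_content.cfm">   <!--- placeholder --->
<cfelseif isAuthenticated>
    <!--- Authenticated but not authorized for this page --->
    <cfoutput>
    <p>You are logged in as #loginID# but are not on the class list for this page.</p>
    </cfoutput>
<cfelse>
    <!--- Anonymous: public portion of the site only (Slide 15, Shields Library case) --->
    <cfinclude template="public_content.cfm">       <!--- placeholder --->
</cfif>
```

The same three-way split (anonymous, authenticated, authorized) covers the Slide 15 examples where a site mixes public pages with class-restricted ones.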
Slide 13: Web Server Options with Cold Fusion
- Web servers: Apache (perl), IIS (ISAPI), IIS (perl), Netscape (NSAPI)
- All support basic functions and high security
- Other features vary: passthrough, compatibility with Cold Fusion, the impact on a high volume server, and logging capability
Slide 14: Windows NT and Web Servers
Graphic
Slide 15: Web Sites and Database Records: Examples
- Campus site-licensed software site
- A site restricted to members of a particular class (Physics 7)
- A site with pages for a number of classes, where content may be restricted based on class membership
- A site with public information as well as information restricted to UC Davis users (Shields Library site)
Slide 16: Step 1: Next Phase
- Evaluate the service
- Recommended Solutions documents
- Certificate Service
Slide 17: Step 2: Upcoming Campus Presentations
- Distributed Authentication Service
Audience: Faculty
Location: The Arbor
Date and Time: November 19 - 10:00-11:00
- Distributed Authentication Service
Audience: Web-Team, TSC
Location: CAIT
Date and Time: December 2 - 11:00-12:00
Slide 18: Step 2: Relevant URLs
Distributed Authentication Service: http://distauth.ucdavis.edu/
Authentication Service: http://www.ucdavis.edu/authentication
Slide 19: Step 3: Contact Us
- Distributed Authentication Service
distauth@ucdavis.edu
- Distributed Authentication Service Update List
afs-setup@ucdavis.edu