Presented by Doreen Meyer

Information Technology
Distributed Computing Analysis and Support

Slide 2: Distributed Authentication Service

• Project description
• Why is this service important?
• What does this service look like?
• How does it work?
• Pilot projects

Slide 3: Project Team Members

• Tom Arons, ECE/IT-DCAS - Team Leader
• Wes Hardaker, IT-DCAS
• Tim Leamy, IT-Information Resources
• Tim Metz, ECE
• Doreen Meyer, IT-DCAS
• Vicki Suter, IT-DCAS
• Ken Weiss, IT-DCAS
• Dave Zavatson, IT-Information Resources

Slide 4: Distributed Authentication Project

• One of eight projects underway as part of Information Technology's remote access & network access program for 97-98

• Timeline: May 1997-April 1998

Slide 5: What Have We Done to Restrict Document Access?

Most network security is based on IP address

Slide 6: Why is this a Problem?

We encourage UCD affiliates to access campus internet services (web, news) via a third party internet service provider.

Their resulting IP address is therefore not recognized as being a part of the UCD network.

Slide 7: The Solution

• Replace IP-based authentication
• Authenticate with respect to the user's account rather than the IP address.

Slide 8: Project Design Goals

• Transparent: Both restricted and unrestricted services can be served at the same site
• Scaleable: As a server load increases, this service will not overwhelm the web server
• Distributable: This service may be installed locally on Davis web servers

Slide 9: Your Audience

• When you post information on the internet, your audience is world-wide.
• There are times when you may want access to be restricted.
• The distributed authentication service provides a method to provide access only to UC Davis affiliates.

Slide 10: When is it Necessary to Restrict Access to Internet Services?

• Protection of copyright agreements (publications)
• Licensing and sotware distribution agreements (Melvyl database, CBT training software)
• Protection of intellectual property (course work)
• Protection of privacy rights (student records, financial records)

Slide 11: What does this service look like from the user's perspective?

Slide 12: Downloading the UC Seal

• Click on the link for the UC seal
• View "restricted document" page. Click on 'Continue'.
• Enter UCD LoginID and Kerberos password
• View "UC Seal" page

Slide 13: Accessing Physics7

• Point browser to http://www.ucdavis.edu/OLLR
• The cookie established while accessing the UC Davis seal is valid for the duration of the browser sesstion

Slide 14: Findings: The Most Common Problems for the EndUser

• The user's browser must support SSL (secure socket layer protocol)
• The user's browser must accept cookies
• The user must know their UCD LoginID and Kerberos password
• A simple test: http://www.ucdavis.edu/cgi-bin/browser-test1

Slide 15: How does this process work?

Slide 16: Step 1: User's Browser Contacts Local Web Server

• Local web server checks: Does user's browser have a cookie?
• In this example, the local web server does not find a cookie.
• The local web server redirects the user's browser to the campus's secure web server.

Slide 17: Step 2: Secure Web Server negotiates user authentication

• The secure web server requests the user's UCD LoginID and Kerberos password
• The secure web server and the user's browser support SSL, encrypting the LoginID and password

Slide 18: Step 2: Secure Web Server negotiates user authentication

• The secure web server sends the information to the Kerberos DB authentication server
• The kerberos DB authentication server decides if the login is valid

Slide 19: Step 3: The secure web server acts on the login validation

• The secure web server generates a validation file and writes it to a specific AFS directory
• The secure web server generates a cookie and sends the cookie to the user's browser
• The secure web server redirects the user's browser to the local web server

Slide 20: Step 4: The user's browser contacts the local web server

• The local web server looks for and finds the ucdavis.edu cookie, a small file stored by the user's browser.
• The local web server reads the corresponding AFS file.
• The local web server evaluates the AFS file and the cookie to determine if the cookie is valid.

Slide 21: Step 5: The local web server displays the secure page

• If the cookie is valid, the local web server displays the secure page.

Slide 22:

Flow chart graphic of Distributed Authentication Steps for Secure Web Pages

Slide 23: Restricted Access Server on Your Local Web Server

• Download cgi
• Configure cgi
• Set up a secure-docs directory outside of your root document directory
• Configure local web server to run the cgi script whenever the secure-docs directory is accessed

Slide 24: Campus Webserver Survey

• Most popular server software: NCSA, Netscape, Apache
• Most popular operating systems: WindowsNT, UNIX/ULTRIX/SunOS, MacintoshOS

Slide 25: Projects

• Secure Web Pages (Physics Course, Melvyl Database)
• Restrict access at kiosks
• Secure web service
• Improve documentation and service menu
• Campus news server

Slide 26: news.ucdavis.edu

• Authenticate via web at:
  http://www.ucdavis.edu/authentication/news.html

• Start newsreader (Netscape)

• Enter name (no password)

Slide 27: Projects

• Authorization Pilot: some services need to be restricted to a subset of campus affiliates
• Pilots (NT, Macintosh)
• Recommended Solutions document

Slide 28: Future Plans

• Certificate Service

Slide 29: Relevant URLs

• Distributed Authentication Project:
  http://distauth.ucdavis.edu

• Copyright Information:
  http://distauth.ucdavis.edu/issues/copyright.html

• Student's Privacy Rights: http://www.mrak.ucdavis.edu/web-mans/ppm/320/320-21.htm

Slide 30: Contact Us

• Project E-mail
  authentication@ucdavis.edu

• E-mail to Doreen Meyer
  dimeyer@ucdavis.edu

Slide 31: Campus Presentations

• Remote Access Mangement Program
  Time: 2-3 P.M.
  Location: MU East Conference Room
  Audience: All

• Kerberos on Campus
  Time: 2-3 P.M.
  Location: CAIT, 165 Shields Library
  Audience: Intermediate to Advanced