•  Web service (Apache, via SPNEGO, the Simple and Protected GSS-API Negotiation Mechanism)

•  Xgrid

•  Storing passwords in user accounts. This approach might be useful when migrating user accounts from earlier server versions. However, it may not support clients that require network-secure authentication protocols such as APOP, which needs the server to hold a recoverable copy of the password rather than only a hash of it.

•  Non-Apple LDAPv3 authentication. This approach is available for environments that have LDAPv3 servers set up to authenticate users.

•  RADIUS (an authentication protocol for controlling network access by clients in mobile or fixed configurations). For more information about RADIUS in Mac OS X Server, see the online help and the Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.

Single Sign-On

Mac OS X Server uses Kerberos for single sign-on authentication, which relieves users from entering a user name and password separately for every service. With single sign-on, a user always enters a user name and password in the login window. Thereafter, the user does not need to enter a name and password for Apple file service, mail service, or other services that use Kerberos authentication.

To use single sign-on, users and services must be Kerberized—configured for Kerberos authentication—and must use the same Kerberos Key Distribution Center (KDC) server.

User accounts that reside in an LDAP directory of Mac OS X Server and have a password type of Open Directory use the server’s built-in KDC. These user accounts are configured for Kerberos and single sign-on.

This server’s Kerberized services also use the server’s built-in KDC and are configured for single sign-on. This Mac OS X Server KDC can also authenticate users for services provided by other servers. Having additional servers with Mac OS X Server use the Mac OS X Server KDC requires minimal configuration.

Kerberos was developed at MIT to provide secure authentication and communication over open networks like the Internet. Kerberos provides proof of identity for two parties. It enables you to prove who you are to network services you want to use.

It also proves to your applications that network services are genuine, not spoofed.

Like other authentication systems, Kerberos does not provide authorization. Each network service determines for itself what it will allow you to do based on your proven identity.

Kerberos allows a client and a server to unambiguously identify each other much more securely than the typical challenge-response password authentication methods traditionally deployed.
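To make the single sign-on flow and the mutual-authentication claim above concrete, here is a toy model of the three Kerberos exchanges (AS, TGS and AP) as an added example. It is not code from this manual or from Mac OS X Server: its seal()/open_() routines are a deliberately simplified stand-in (SHAKE-256 keystream plus an HMAC tag) for the real Kerberos encryption types, and the realm EXAMPLE.COM, the principal names, the service names and the password are all made up. The user types a password once (login), then reaches afpserver and imap without typing it again; the last two cases show what the text means by "genuine, not spoofed" and by "must use the same KDC": a service that lacks the real service key cannot open the ticket or produce the mutual-authentication reply, and a service enrolled with a different KDC is unknown to the user's KDC.

```python
# Toy Kerberos single sign-on (AS, TGS and AP exchanges). Added example, not Apple's code;
# seal()/open_() are a toy stand-in for the Kerberos encryption types (RFC 3961), never reuse them.
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock skew allowed on authenticators (Kerberos default is 5 minutes)

def seal(key, obj):  # toy encrypt-then-MAC: nonce || (SHAKE-256 keystream XOR JSON) || HMAC tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):  # verify the tag, then decrypt; a wrong key looks the same as tampering
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def string2key(password, realm, name):  # user's long-term key derived from the password, salted
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + name).encode(), 10000)

def check_authenticator(auth, ticket):  # run by the TGS and by every service
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(time.time() - auth["ts"]) > SKEW:
        raise ValueError("authenticator outside skew window (replay?)")
    if time.time() > ticket["exp"]:
        raise ValueError("ticket expired")

class KDC:  # holds every principal's long-term key; issues TGTs (AS) and service tickets (TGS)
    def __init__(self, realm):
        self.realm, self.keys, self.tgs_key = realm, {}, os.urandom(32)
    def add_user(self, name, password):
        self.keys[name] = string2key(password, self.realm, name)
    def add_service(self, name):  # returns the key the service keeps in its keytab
        self.keys[name] = os.urandom(32)
        return self.keys[name]
    def as_exchange(self, user):  # AS-REP: TGT under the TGS key, session key under the user's key
        sk, exp = os.urandom(32).hex(), time.time() + 36000
        tgt = seal(self.tgs_key, {"client": user, "key": sk, "exp": exp})
        return tgt, seal(self.keys[user], {"key": sk, "exp": exp})
    def tgs_exchange(self, tgt, authenticator, service):  # TGS-REP, only for principals it knows
        if service not in self.keys:
            raise ValueError("unknown service principal: " + service)
        t = open_(self.tgs_key, tgt)
        check_authenticator(open_(bytes.fromhex(t["key"]), authenticator), t)
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": sk, "exp": t["exp"]})
        return ticket, seal(bytes.fromhex(t["key"]), {"service": service, "key": sk})

class Service:  # a Kerberized service: never sees the password, only its own key
    def __init__(self, name, key):
        self.name, self.key = name, key
    def ap_exchange(self, ticket, authenticator):  # AP-REP echoes the timestamp: mutual auth
        t = open_(self.key, ticket)
        auth = open_(bytes.fromhex(t["key"]), authenticator)
        check_authenticator(auth, t)
        return t["client"], seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})

class Client:
    def __init__(self, name):
        self.name, self.cache = name, {}  # credential cache, what klist would list
    def login(self, kdc, password):  # the only step that needs the password
        tgt, enc = kdc.as_exchange(self.name)
        part = open_(string2key(password, kdc.realm, self.name), enc)  # fails on a wrong password
        self.cache["krbtgt"] = (tgt, bytes.fromhex(part["key"]))
    def use(self, kdc, service):  # reach a service with no prompt and verify it is genuine
        tgt, tgt_key = self.cache["krbtgt"]
        if service.name not in self.cache:  # first contact: fetch a service ticket from the KDC
            auth = seal(tgt_key, {"client": self.name, "ts": time.time()})
            ticket, enc = kdc.tgs_exchange(tgt, auth, service.name)
            self.cache[service.name] = (ticket, bytes.fromhex(open_(tgt_key, enc)["key"]))
        ticket, sk = self.cache[service.name]
        ts = time.time()
        who, reply = service.ap_exchange(ticket, seal(sk, {"client": self.name, "ts": ts}))
        if open_(sk, reply)["ts"] != ts:  # an impostor without the service key cannot produce this
            raise ValueError("service failed mutual authentication")
        return who

def demo():  # constructed scenario; realm, principal names and password are made up
    kdc, other = KDC("EXAMPLE.COM"), KDC("OTHER.COM")
    kdc.add_user("alice", "correct horse battery")
    afp = Service("afpserver/server.example.com", kdc.add_service("afpserver/server.example.com"))
    imap = Service("imap/mail.example.com", kdc.add_service("imap/mail.example.com"))
    xgrid = Service("xgrid/grid.other.com", other.add_service("xgrid/grid.other.com"))
    impostor = Service("afpserver/server.example.com", os.urandom(32))  # right name, wrong key
    alice, out = Client("alice"), {}
    def attempt(label, fn):
        try:
            out[label] = fn()
        except ValueError as e:
            out[label] = "rejected: " + str(e)
    attempt("bad_password", lambda: alice.login(kdc, "wrong"))
    alice.login(kdc, "correct horse battery")  # the password is typed exactly once
    attempt("afp", lambda: alice.use(kdc, afp))
    attempt("imap", lambda: alice.use(kdc, imap))
    attempt("afp_again", lambda: alice.use(kdc, afp))  # served from the cache, no KDC round trip
    attempt("impostor", lambda: alice.use(kdc, impostor))
    attempt("other_kdc", lambda: alice.use(kdc, xgrid))  # service enrolled with a different KDC
    return out
```

Running demo() returns "alice" for the afp, imap and afp_again cases and a "rejected: ..." string for the wrong password, the impostor and the service registered with the other KDC. Two points carry over to a real deployment: the password is only ever used locally to decrypt the AS reply (so it never crosses the network), and every service is trusted only because it can decrypt a ticket the KDC encrypted under a key the two of them share, which is exactly why a Kerberized service must be enrolled with the same KDC the user logs in to.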

Chapter 4    Enhancing Security
