Re: authenticating users from different domains
- From: "Ondrej Sevecek" <ondra at my_surname dot com>
- Date: Fri, 20 Jan 2006 10:38:33 +0100
Probably not the whole solution, but may help.

Currently, I participate in the process of implementing the
http://www.eduroam.org/ project for one of our universities and also some
government institutions. Although this is designed to provide access to
networks for wireless roaming users, the concept of RADIUS servers
authenticating the remote users over a heterogeneous authentication
environment seems to me the best one.

The core principle is the following:
you have several independent authentication networks. Each network hosts its
own RADIUS server that proxies authentication to the network's own
authentication service (AD, NDS, ...) for local users. The local RADIUS
servers know nothing about other servers with one exception, one RADIUS that
is set up as a central/root for all the networks. The root RADIUS has to
know about all other RADIUS servers.

When a remote user authenticates against a local RADIUS server, the local
RADIUS forwards the request to the central one and the root RADIUS then
forwards the request to the user's own RADIUS somewhere.

The problem will occur with your required resource access. I currently do
not know how to establish access credentials for Windows-based servers
through RADIUS servers with the only exception - WebDAV file servers.

Another option would be if all your authenticating domains use Kerberos. Then
you only need to establish a trust amongst them and all resources will be
"simply" (non-Windows domains will require some additional steps, such as
mapping user accounts and so on).

https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/featured/kerberos/default.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d5749d76-7261-4508-9942-16f2450ac1ef.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0cff4aac-9bc7-47db-8d13-79d876a67f0d.mspx
http://support.microsoft.com/?kbid=260123
http://support.microsoft.com/?kbid=312003
http://support.microsoft.com/kb/q266080/
http://support.microsoft.com/default.aspx?scid=kb;EN-US;311242
O.
"vassone" <vassone@xxxxxxxxx> wrote in message
news:2nVzf.533$Bx4.348@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi, could someone please offer me some advice about authenticating users
> from different domains.
>
> Scenario: -
> A new online application that students from 5 different universities
> require secure access to. The number of students would be around 6000 per
> year. The universities have their own networks, servers etc. that their
> students are authenticated against (mostly active directory).
>
> Ideally, we would want to leave the authentication headache with the
> universities e.g. have the student login with their university
> credentials, which would then allow them secure access to data on a
> centralised server sitting on a completely separate network.
>
> I would very much welcome any advice/guidance you could offer.
>
> Vassone.
>
>
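
The proxy chain described in the reply above, modelled as an added example (not part of the original post and not eduroam project code). It routes on the realm part of a user@realm identity, which is how eduroam selects the home server; server names, realms, users and passwords are constructed, and the credential check is reduced to a string comparison.

```python
import hmac

# Constructed model: server names, realms, users and passwords are sample values.
class RadiusServer:
    def __init__(self, name, realm=None, users=None, root=None):
        self.name = name
        self.realm = realm.lower() if realm else None  # realm served locally
        self.users = users or {}   # stands in for the local AD/NDS back end
        self.root = root           # the only other server a local RADIUS knows
        self.homes = {}            # realm -> home server; filled on the root only

    def register(self, server):
        """Root only: learn which server is authoritative for a realm."""
        self.homes[server.realm] = server

    def authenticate(self, identity, password, path=None):
        """Return (accepted, list of servers the request passed through)."""
        path = (path or []) + [self.name]
        user, sep, realm = identity.rpartition("@")
        realm = realm.lower()
        if not sep or not user or not realm:
            return False, path                 # no realm: nothing to route on
        if realm == self.realm:                # local user: ask own back end
            stored = self.users.get(user)
            ok = stored is not None and hmac.compare_digest(
                stored.encode(), password.encode())
            return ok, path
        if realm in self.homes:                # root: forward to the home server
            return self.homes[realm].authenticate(identity, password, path)
        if self.root and self.root.name not in path:   # local: hand off to root
            return self.root.authenticate(identity, password, path)
        return False, path                     # unknown realm or loop: reject

def build_federation():
    root = RadiusServer("root")
    a = RadiusServer("radius-a", "uni-a.example", {"alice": "pw-a"}, root)
    b = RadiusServer("radius-b", "uni-b.example", {"bob": "pw-b"}, root)
    root.register(a)
    root.register(b)
    return root, a, b

if __name__ == "__main__":
    _, a, _ = build_federation()
    print(a.authenticate("bob@uni-b.example", "pw-b"))
```

The returned path shows which servers saw the request, so a roaming user's login visibly crosses local, root and home server, while an unknown realm stops at the root.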