Re: [SQU] NDS Authentication

From: John Lauro <jlauro@dont-contact.us>
Date: Sun, 29 Oct 2000 20:25:09 -0500

Robert Collins wrote:

> > BorderManager doesn't use HTTP for the authentication process when talking to
> > windows machine. You have to run a special program on the workstation. From
> > my understanding (which might be off somewhat, but should be close....)
>
> So what happens on Citrix servers/Terminal servers? Novell has supported
> those in its client software for years.

I would think in most cases with Citrix servers/Terminal servers you wouldn't
care because they have to log in to go out of the box, and you could then
simply authenticate by IP. It would only matter if you have different
classes of users able to access different sites and thus need to know who they
authenticate as....

If you need different classes of users, then it should work fine if each
Citrix/terminal user is given a different IP. If they all share the same IP
then it wouldn't work so well.... I haven't done much with terminal server, so
I don't know if it's possible to configure it to give each user a different IP.

> How does BM identify a downstream proxy then? Or again TS/Citrix servers?

One way is by DNS. I think it has other ways too, but I never needed to
configure any others that required any more secure method than fixed IP.
(in all cases I needed to work with parents/children trusted each other, and
all authentication, if any, was at the child proxy with the parent (and sibling)
proxies having trusts by IP).

> Single sign on requires all the applications to be used to be able to access
> the user credentials and offer them to servers *that identify themselves as
> belonging to the same organisation*. AFAIK only NTLM is supported by
> microsoft for that purpose. The use of SSH or kerberos in the unix world
> provides a very similar feel. Possibly Kerberos will be supported by IE now
> it's part of Win2k.

Yes. The form of single-sign-on in BorderManager is more of a short-cut
method. (Which is disappointing coming from Novell, as they usually get
security right, especially compared to Microsoft).

Received on Sun Oct 29 2000 - 18:29:05 MST
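
The message above notes that identifying users by IP stops working when several users share one address, as on a terminal server. The following is an added example, not part of the original message: it reads proxy log lines in Squid's native access.log layout and reports which client addresses were used by more than one authenticated user. The sample lines, addresses and user names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
972868000.101 120 10.0.5.20 TCP_MISS/200 4312 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
972868003.514 88 10.0.5.20 TCP_HIT/200 1290 GET http://example.com/a.gif bob NONE/- image/gif
972868007.220 301 10.0.5.20 TCP_MISS/200 7755 GET http://example.org/ carol DIRECT/192.0.2.11 text/html
972868009.002 95 10.0.7.31 TCP_MISS/200 2101 GET http://example.net/ dave DIRECT/192.0.2.12 text/html
972868011.430 60 10.0.7.31 TCP_HIT/200 512 GET http://example.net/b.css dave NONE/- text/css
972868012.900 45 10.0.7.32 TCP_DENIED/407 1450 GET http://example.net/ - NONE/- text/html
972868013.000 truncated line
"""


def users_per_client(log_text):
    """Map each client IP to the set of authenticated user names seen from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or malformed line, skip it
        client, user = fields[2], fields[7]
        if user != "-":  # "-" means no user name was logged for the request
            seen[client].add(user)
    return dict(seen)


def shared_addresses(log_text, threshold=2):
    """Return client IPs used by at least `threshold` distinct users.

    An IP-based rule applied to one of these addresses treats every
    user behind it as the same class of user.
    """
    return {
        ip: sorted(users)
        for ip, users in users_per_client(log_text).items()
        if len(users) >= threshold
    }


if __name__ == "__main__":
    for ip, users in shared_addresses(SAMPLE_LOG).items():
        print(f"{ip} is shared by {len(users)} users: {', '.join(users)}")
```

Addresses that appear in the result are the ones where per-user classes need real authentication at the proxy rather than a fixed-IP rule.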