Macintosh Authentication

  • Thread starter Thread starter Cliff
  • Start date Start date
C

Cliff

Hi,

I hope someone can shed a little light on this!

I have an application which requires our macintosh workstations(OS
10.3.6)to authenticate in a windows domain. I have a question...

What constitutes Mac authentication?
- I have set up File Sharing for Macintosh and can connect to a
Win2k Server share point from the Mac once a user name and password
has been entered. Does this mean the user has been authenticated? I'm
confused because from a Windows view point of Domain authentication, I
should now be able to go to any Windows server and access shares to
which I have permission. This isn't the case, although I can access
any shares on the same server after logging on. If I log onto another
server, I can then access all shares to which I have permission on
that also. This behaviour is almost like Windows 95 sharing where you
put a password on individual shares rather than using central "User"
based authentication ie one logon. Is this as close to Windows
behaviour that it gets with a Mac, or am I doing something wrong. I am
unsure at this point as to whether the Mac hasn't authenticated
against the domain properly or whether there is a configuration
problem with the other software.

Any comments or pointers would be gratefully recieved.


Thanks in advance,

Cliff.
 
Hi,

I hope someone can shed a little light on this!

I have an application which requires our macintosh workstations(OS
10.3.6)to authenticate in a windows domain. I have a question...

What constitutes Mac authentication?
- I have set up File Sharing for Macintosh and can connect to a
Win2k Server share point from the Mac once a user name and password
has been entered. Does this mean the user has been authenticated? I'm
confused because from a Windows view point of Domain authentication, I
should now be able to go to any Windows server and access shares to
which I have permission. This isn't the case, although I can access
any shares on the same server after logging on. If I log onto another
server, I can then access all shares to which I have permission on
that also. This behaviour is almost like Windows 95 sharing where you
put a password on individual shares rather than using central "User"
based authentication ie one logon. Is this as close to Windows
behaviour that it gets with a Mac, or am I doing something wrong. I am
unsure at this point as to whether the Mac hasn't authenticated
against the domain properly or whether there is a configuration
problem with the other software.

Any comments or pointers would be gratefully recieved.


Thanks in advance,

Cliff.
Click to expand...

You should be looking into using Kerberos for authentication. If you have
an application, it should use the gssapi part of Apple's Kerberos framework
to authenticate your application to it's corresponding service on the
windows domain.

If you do this, then you will automatically get single sign on support when
the Mac has been joined to the domain using either ADmitMac or Apple's
Active Directory plug-in. When users log in, the Mac will handle
authentication with the domain, getting the user's Kerberos ticket granting
ticket.

Once the user has a TGT, then your application should be able to
authenticate using gssapi calls with whatever domain service you need. If
the user hasn't logged in using domain credentials, then your application
(if graphical) would cause the Kerberos login app to launch and authenticate
the user, asking for their username and password.

This is a very secure way to build your app, because it never has to ask for
the user's password.


If your app is connecting to a standard service, like http, ldap or cifs,
you will need to do a little work to figure out how to make use of the
gssapi calls. If the service is your own, then things get even easier
because there are some good sample client/server apps that you can use to
figure out how to use gssapi.

-
Paul Nelson
Thursby Software Systems, Inc.
 
Thanks for the swift response Paul.

I'm not sure that I actually understand everything that you've
mentioned here at the moment, however it certainly gives me a starting
point and something to work through. I think I have a bit of research
ahead of me... :-)

Thanks again,

Cliff Bennett
 
Hi Paul,
I have done some research and am still drawing a blank I'm afraid. I
was hoping you may be able to point me in the right direction?

I am now able to log onto the Mac workstaion with my Windows account.
I added the Active Directory info into the relevant area under
Directory Access. Unfortunately this doesn't appear to allow a single
logon for multiple share points. I am assuming I have configured the
AD components correctly as a Computer account is created when I
initially added the machine into the AD, as well as the fact that
Windows users can log onto the machine using their Windows User name
and password.

Is a single log on actually possible without a MAC Server configured
with Open Directory to proxy the requests? I think this is what is
being said, but not really being a MAC person I kind of struggle with
these MAC/Windows problems. As far as I can make out AdmitMAC would
resolve the issue (as well as give us many other features) but we
really only need the most basic feature, that being a single point of
authentication, not mapping of home folders, DFS etc, and I don't
think our company would be willing to spend any cash to cater for our
small Macintosh user base.

Any advice however basic would be appreciated.

Thanks,
Cliff.
 
Back
Top