This is getting weirder and weirder. 

First up - the user "enters their password via the Citrix Client". This is
presumably just normal Windows auth. Normal Windows auth will only allow a
user to log onto the Citrix server based on a yes/no from an NT / Win2K
domain controller or local user lists. Which are you talking about? Local
user lists busts the central point of admin model. NT domain / Windows
Kerberos auth requires passing the auth request to a domain controller - you
can't use RADIUS auth on a router to logon to an NT box unless I'm missing
something...

Next - are you talking about a kerberized _application_? There ain't many of
those for Windows that use a Windows KDC - I can't name any, in fact.
Windows uses Kerberos where it used to use NTLM - to access file shares, log
on to local boxes, use printers etc. It does NOT kerberize all Win32 apps
that use TCP/IP.

It _sounds_ a bit like you're talking about lock and key ACLs (since you're
talking about the router being involved in the authentication process), but
those aren't transparent to the user - which part of the solution are you
saying talks to the router? The app that is delivered via the Citrix
session? The NT box itself? The user? Lock'n'Key is usually a two-step
process...

Have you actually done this in practice? I'm now quite interested in the
components involved...

Cheers,

ben

-----Original Message-----
From: [EMAIL PROTECTED]
To: Frank Knobbe
Cc: '[EMAIL PROTECTED]'
Sent: 18/07/00 14:07
Subject: RE: Citrx Metaframe/NT4-TSE

OK..

The router passes the auth packet to the RADIUS/TACACS+ server, which has
both group and user profiles set up.  This type of architecture provides
both high and low level authentication and authorization control at the
granular level.

The auth is done by username plus a whole bunch of other attributes one can
set up..

/m

At 10:17 PM 7/17/00 -0500, Frank Knobbe wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, July 17, 2000 9:33 PM
> >
> > The user does nothing, all the work is done via smoke and mirrors.  The
> > session is initiated once the user enters their password via the Citrix
> > Client. The Citrix client then requests authentication via the router.
> > The router sends an auth request to the server inside, the server then
> > initiates a Kerberos session back to the router to the client.  The client
> > does not even know what is going on around the session
>
>Okay, but how does the router authenticate the client? By IP address?
>How do you limit access?
>
>Regards,
>Frank
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP Personal Privacy 6.5.1
>Comment: PGP or S/MIME (X.509) encrypted email preferred.
>
>iQA/AwUBOXPMPERKym0LjhFcEQKM7wCfYnYJFEERYPwIVbWYMXY28Ps2pvMAn0Ia
>RS3pbTZaHZZiGol/oZL5aUya
>=b6pl
>-----END PGP SIGNATURE-----

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-