Sam Hartman wrote:

> Jeff, what we're trying to do here is determine what customers want.
> In particular we're trying to determine how likely it is that the
> Windows username will match the Kerberos username in cases where the
> NIM credentials dialogue is used. In particular I'd like to exclude
> cases where MSLSA is used.

Most sites synchronize the user name space between the Windows domains and the UNIX realms, at least for centralized resources. In corporations this is almost always the case. The only places where I have seen differences are the result of mergers.
For academic institutions, the centralized Windows domains and the centralized UNIX realms also have synchronized name spaces. This is often true at the school and department level when both infrastructures are in place.

At the government sites where there are two disjoint namespaces, the HSPD-12 initiatives are forcing organizations to either migrate to a common name space or abandon all but one of the authentication infrastructures. This in many cases results in Active Directory being the one and only authentication database.

Single Sign-on for Windows users is a significant requirement at most organizations. Users log on with their username and password, use kfwlogon.dll to obtain Kerberos credentials for the UNIX realm, and then use NIM to obtain the additional credentials for AFS, KCA, etc.

At academic institutions, users with personal machines are encouraged to use the same login name as is used in the centralized authentication infrastructure to ease access to network resources.

Most organizations have market-speak for the organization's Identification system. This marketing name is used because the users are expected to use this common ID name and their associated credentials through a variety of authentication interfaces, whether it be with KFW, or Windows logon, or a Web Authentication system, or an e-mail authentication, or the VPN authentication, etc. It is unimportant to the user that the authentication is being performed using the Kerberos protocol. Instead what users are told is to open Leash or open NIM and enter their *market-speak* Username and Password. The same directions are given for the VPN client, the web mail client, etc. In many cases the *market-speak* name precedes the use of Kerberos at the institution. "Kerberos" is a technical term that has little meaning to the end user. It really is irrelevant to their lives.

Some market-speak names include SUNet ID, Andrew ID, Athena ID, etc. Almost every organization of significant size has one.
Note that changing the dialog to prompt for SUNet ID at Stanford would not provide correct behavior because although the software is distributed centrally by Stanford, many of the User IDs that users obtain are for realms or domains that are not part of SUNet. For example, students or faculty that perform research at SLAC or access research resources at other universities with which there are partnership relationships.

Jeffrey Altman
Secure Endpoints Inc.
kfwdev mailing list
kfwdev@mit.edu
http://mailman.mit.edu/mailman/listinfo/kfwdev