Authentication is the process of verifying the user's identity, i.e. verifying that the user is who he says he is. The user is authenticated based on something the user knows (user's name and password), something he owns (USB token, personal chip card with encryption and identification PKI key), or a measurable biometric characteristic of the user (fingerprint, iris scan).

...

  • to use the same password to log into D2000 and Windows (NTLM authentication),
  • to use the same name and password to log into several D2000 systems; the password can be changed in one system and is valid for all systems - it is the Windows password (NTLM authentication),
  • automatic logon into D2000 without entering the name and password based on user's logon to Windows (Kerberos authentication),
  • to secure the logon of the user into D2000 by hardware means (USB token, personal chip card with encryption and identification PKI key) in such a way that these hardware means are used to log the user into Windows and then the Kerberos authentication is used for logon into D2000,
  • to disable the logon of the user into D2000 by Windows user management tools,
  • to set policies and parameters for the D2000 password by Windows user management tools.

Note for Linux and Raspberry PI platforms: as of D2000 version 12.2.65 (patches from 27.5.2020 and later), Kerberos authentication is also available on Linux x64 and Raspberry PI platforms. The following steps must be performed to make it work:

  • joining the Linux/Raspberry PI server to the Windows domain
    (with the command realm join domain_name, e.g. realm join IPSTEST.SK)
  • enabling access of the D2000 Server (kernel) to the /etc/krb5.keytab file. One option is to configure the D2000 Server to run as root; another, less drastic, is to configure access rights for the group under which the D2000 Server is running. For example, if the d2users group is used, you need to run:
    chgrp d2users /etc/krb5.keytab
    chmod 640 /etc/krb5.keytab
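
A check for the permission step above, as an added example that is not part of the original D2000 documentation: it confirms that the keytab is a regular file, belongs to the expected group, and is neither accessible to other users nor writable by the group. The function name check_keytab is hypothetical, and the script assumes GNU stat as shipped on Linux.

```shell
#!/bin/sh
# Added example (not from the D2000 documentation).
# check_keytab PATH GROUP
#   Prints one finding per line.
#   Returns 0 if the keytab permissions are acceptable, 1 otherwise.
check_keytab() {
    kt=$1
    want_group=$2
    rc=0

    # The keytab holds the host's long-term Kerberos keys. Reject symlinks
    # and anything that is not a regular file.
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing, a symlink, or not a regular file"
        return 1
    fi

    mode=$(stat -c '%a' "$kt")    # octal permission bits, e.g. 640
    group=$(stat -c '%G' "$kt")   # owning group name

    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"
        rc=1
    fi

    # Bits 07: any access for "other" exposes the keys to every local user.
    if [ $((0$mode & 07)) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to other users"
        rc=1
    fi

    # Bit 020: the service group only needs to read the keytab.
    if [ $((0$mode & 020)) -ne 0 ]; then
        echo "FAIL: mode $mode lets the group modify the keytab"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $kt mode $mode group $group"
    fi
    return "$rc"
}
```

Call it as check_keytab /etc/krb5.keytab d2users after the chgrp and chmod commands, and again after any re-join of the domain, since the file may be recreated.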

On the Linux platform, authentication within one domain (IPSTEST.SK) and between two domains was tested (hi.exe run under a user in the IPESOFT.SK domain, D2000 server on a Linux server in the IPSTEST.SK domain). In both cases, the value of the AuthSecPrinc parameter was set to SRVAPP@IPSTEST.SK, where SRVAPP is the name of a Linux computer joined to the Windows domain.

Authentication method

...