Authentication method | Meaning
D2000
The D2000 Server process authenticates the user's name and password. This is the standard authentication method. It uses the name and password saved in the configuration of the User object.
The logon dialog displays the user's name and password.

NTLM
The Windows NTLM (NT LAN Manager) authentication subsystem verifies the user's name and password. This subsystem is available since Windows NT 4.0, and the authentication is done in the domain defined by the configuration parameter Domain.
After the authentication, D2000 Server obtains the information about successful / unsuccessful verification of the user's name and password in the domain.
If the authentication is successful, D2000 Server looks for the object of User type with the same user name and checks whether NTLM authentication (parameter Authentication methods) is allowed, the domain name is the same, and the logon is enabled.
The dialog box contains the user name and password, the name of the application, the text [NTLM] in the title, and the name of the Windows domain the user is logging into.

Note: NTLM authentication is available on a standalone computer with locally defined users (in this case Domain is the computer's name) as well as in a Windows domain (Domain is the name of the domain). If the connection to an authentication authority fails, the user is not logged on. The NTLM authentication changes to D2000 authentication and this warning appears: "NTLM authentication has failed. Enter your login name and password from D2000."

Kerberos

The user's identity is authenticated by the Windows Kerberos authentication subsystem (available since Windows 2000). It verifies the identity of the user who is logged into Windows, so the logon into D2000 System is automatic, without the Logon dialog and without entering a name and password.
D2000 Server obtains the user's name and domain from the Windows Kerberos authentication subsystem. If the domain name matches the user's configuration parameter Domain, D2000 Server looks for the object of User type with the same user name and checks whether Kerberos authentication (parameter Authentication methods) is allowed and the logon is enabled.

Note: Using the Kerberos authentication method is almost as risky as using the start parameters /AN and /AP, which start the HI process and perform auto logon without entering the user's name and password. The risk arises if the user leaves the workstation and does not lock the desktop. Using the start parameters /AN and /AP is even more hazardous because they allow the password to be stolen for later misuse, while Kerberos permits only immediate misuse, not theft of the password.

Therefore we recommend:

  • instruct the users to lock the desktop or log off when they leave the workstation
  • use Kerberos authentication only in secure places
  • use a hardware key to log on to Windows (USB token, security card, etc.), which automatically locks the desktop if the user removes the hardware key

Note: Kerberos authentication is available only in a Windows domain, not on a standalone computer, because it requires a software infrastructure which is installed only as a part of a Windows domain controller.

SPNEGO

Authentication method available for D2000 versions above 12.00.061. The user's identity is authenticated by the Windows Kerberos authentication subsystem (available since Windows 2000). It verifies the identity of the user who is logged into Windows, so the logon into D2000 System is automatic, without the Logon dialog and without entering a name and password.
D2000 Server obtains the user's name and domain from the Windows Kerberos authentication subsystem. If the domain name matches the user's configuration parameter Domain, D2000 Server looks for the object of User type with the same user name and checks whether SPNEGO authentication (parameter Authentication methods) is allowed and the logon is enabled.

Note: SPNEGO authentication is available only in a Windows domain, not on a standalone computer, because it requires a software infrastructure which is installed only as a part of a Windows domain controller.

TCL
Authentication method available since D2000 version 8.00.002. It can be used only by Thin clients using internet browsers that support Kerberos authentication (e.g. Internet Explorer, Mozilla Firefox, Google Chrome), located on the company intranet and logged in to a domain. TCL authentication requires installation of the authentication module tomcatspnego for the Apache Tomcat web server.
The user's identity is authenticated between the internet browser and a properly configured web server using the Windows Kerberos authentication subsystem. It verifies the identity of the user who is logged into Windows, so the logon into D2000 System is automatic, without the Logon dialog and without entering a name and password.
After the authentication ends successfully, the user's name and domain are sent to the D2000 Server process. If the domain name matches the configuration parameter Domain, D2000 Server searches for the object of User type with the same user name and checks whether TCL authentication (parameter Authentication methods) is allowed and whether the logon is enabled.

Note: If the user is not logged in to a Windows domain or Kerberos authentication cannot be successfully performed, the login window asking for a username and password is displayed. The username and password are then used for login with D2000 authentication.
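
The checks D2000 Server applies after NTLM, Kerberos, SPNEGO or TCL authentication, together with the fallbacks described in the NTLM and TCL notes, as a small Python model. This is an added example, not D2000 code: UserObject, decide, the outcome strings, the method labels and the sample users are hypothetical, and exact name and domain comparison is an assumption.

```python
from dataclasses import dataclass

LOGGED_ON, DENIED, FALLBACK = "logged on", "denied", "D2000 name/password logon"

@dataclass(frozen=True)
class UserObject:  # hypothetical stand-in for a D2000 object of User type
    name: str
    domain: str               # configuration parameter Domain
    auth_methods: frozenset   # configuration parameter Authentication methods
    logon_enabled: bool

def decide(users, method, name, domain, external):
    """external: 'ok', 'rejected' or 'unavailable' (result of the Windows side)."""
    if external != "ok":
        # NTLM falls back only when the authority cannot be reached; TCL falls
        # back whenever Kerberos cannot complete. The page describes no
        # fallback for Kerberos or SPNEGO, so this model denies (assumption).
        if method == "TCL" or (method == "NTLM" and external == "unavailable"):
            return FALLBACK, "external authentication did not complete"
        return DENIED, "external authentication failed"
    user = users.get(name)    # exact name match is an assumption of this model
    if user is None:
        return DENIED, "no User object with this name"
    if method not in user.auth_methods:
        return DENIED, "method not allowed for this user"
    if user.domain != domain:  # exact comparison is an assumption
        return DENIED, "domain mismatch"
    if not user.logon_enabled:
        return DENIED, "logon disabled"
    return LOGGED_ON, "all checks passed"

# Constructed sample configuration and logon attempts.
USERS = {u.name: u for u in (
    UserObject("operator1", "PLANT", frozenset({"NTLM", "KERBEROS"}), True),
    UserObject("engineer1", "PLANT", frozenset({"D2000"}), True),
    UserObject("retired1", "PLANT", frozenset({"KERBEROS"}), False),
)}
ATTEMPTS = [
    ("KERBEROS", "operator1", "PLANT", "ok"),
    ("KERBEROS", "operator1", "OFFICE", "ok"),
    ("SPNEGO", "operator1", "PLANT", "ok"),
    ("NTLM", "engineer1", "PLANT", "ok"),
    ("KERBEROS", "retired1", "PLANT", "ok"),
    ("NTLM", "operator1", "PLANT", "unavailable"),
    ("NTLM", "operator1", "PLANT", "rejected"),
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(attempt, "->", decide(USERS, *attempt))
```

A successful Windows authentication alone never yields a logon in this model: the matching User object must also allow the method, carry the same domain and have logon enabled.
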
RFID
This method is available since D2000 version 9.1.30. The user is identified by scanning an RFID card. RFID authentication works if an RFID tag is installed on the client workstation on one of the serial COM ports and D2000 HI is running with the parameters (parameters of console) that ensure the handling of the RFID tag (see Console preferences - RFID parameters).

After the RFID card is scanned, one of two situations can occur:
  1. No picture that implements <ENTRY OnRFID> is open in D2000 HI. In this case HI automatically logs on the user with the particular RFID card.
  2. At least one picture that implements <ENTRY OnRFID> is open in D2000 HI. In this case HI does not log the user on but calls the OnRFID entry in all pictures that implement it and lets the application script handle the entry.
