OSF DCE Application Development Guide--Core Components

DCE Security Service
the next chapter.
23.2.1 A Walkthrough of User Authentication
This section explains how DCE Security authenticates a user. DCE User authentication
can be thought of as consisting of two successive procedures:
1. Acquisition by the Security Client of a Ticket-Granting Ticket (TGT) for the user
2. Acquisition by the Security Client of a Privilege-Ticket-Granting Ticket (PTGT)
for the user
These procedures are described in the following two subsections.
Note: This feature of DCE Security requires no modification of DCE or the
applications that run on it.
23.2.1.1 How the Security Client Obtains a Ticket-Granting Ticket
This section describes the acquisition, by the Security Client, of the user’s Ticket-
Granting Ticket. Acquisition of the user’s TGT is the first of the two parts of DCE user
authentication.
There are three protocols used by DCE Security clients and servers to perform this first
part of the user-authentication process:
The third-party protocol, which provides the highest level of security.
The timestamps protocol, which is less secure.
The DCE1.0 protocol, which is the least secure, and is provided solely to enable
DCE1.1 security servers to process requests from pre-DCE1.1 clients.
The protocol used by the security client when it makes a login request to the
Authentication Service is determined as follows:
1. Pre-DCE1.1 clients always use the DCE1.0 protocol.
2. DCE1.1 clients always use the third-party protocol, unless the host machine's
session key, which the client uses to construct the request, is unavailable. In that
case the client uses the timestamps protocol.
The protocol used by the Authentication Service to respond to the client is determined
by:
The protocol used by the client making the login request
The value of a pre_auth_req ERA attached to the requesting principal
The Authentication Service always attempts to reply using the same protocol used by the
client making the request, unless the value of the ERA "forbids" it to do so. (See the
section entitled "DCE1.1 Authentication" in the OSF DCE Administration Guide
236 Tandem Computers Incorporated 124245
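The selection rules above (client side: DCE version and availability of the host session key; server side: the client's protocol and the principal's pre_auth_req ERA) can be summarised as a small decision model. The following is an added illustration, not code from the OSF DCE guide or from any DCE implementation. It assumes that the pre_auth_req ERA expresses the weakest login protocol the Authentication Service may accept for the principal, so that a request arriving in a weaker protocol is refused rather than answered; the text only says the ERA can "forbid" replying in the client's protocol and defers the details to the Administration Guide. The function and parameter names are hypothetical.

```python
"""Decision model of DCE 1.1 login-protocol selection (illustrative, not DCE code)."""
from enum import IntEnum
from typing import Optional, Tuple


class LoginProtocol(IntEnum):
    """Login protocols, ordered weakest to strongest as the guide ranks them."""
    DCE10 = 0        # pre-DCE1.1 protocol, least secure
    TIMESTAMPS = 1   # used when the host session key is unavailable
    THIRD_PARTY = 2  # highest level of security


def client_protocol(client_is_dce11: bool, host_session_key_available: bool) -> LoginProtocol:
    """Protocol the Security Client uses for its login request to the Authentication Service."""
    if not client_is_dce11:
        # Pre-DCE1.1 clients know only the DCE1.0 protocol.
        return LoginProtocol.DCE10
    if host_session_key_available:
        # DCE1.1 clients prefer third-party, built with the host machine's session key.
        return LoginProtocol.THIRD_PARTY
    # Without the host session key the client falls back to timestamps.
    return LoginProtocol.TIMESTAMPS


def server_reply(client_proto: LoginProtocol,
                 pre_auth_req: LoginProtocol) -> Tuple[str, Optional[LoginProtocol]]:
    """Authentication Service decision.

    The service answers in the client's own protocol unless the principal's
    pre_auth_req ERA forbids it.  ASSUMPTION (not stated on this page): the ERA
    value names the weakest protocol acceptable for the principal, so a weaker
    request is rejected instead of being answered with a downgraded reply.
    """
    if client_proto < pre_auth_req:
        return ("rejected", None)
    return ("accepted", client_proto)


def login_attempt(client_is_dce11: bool, host_session_key_available: bool,
                  pre_auth_req: LoginProtocol) -> Tuple[str, Optional[LoginProtocol]]:
    """Run both halves of the decision for one login request."""
    return server_reply(client_protocol(client_is_dce11, host_session_key_available),
                        pre_auth_req)


if __name__ == "__main__":
    # Constructed scenarios: an administrator who sets pre_auth_req to THIRD_PARTY
    # on a sensitive principal keeps legacy and keyless clients from logging in
    # with the weaker protocols, at the cost of rejecting them outright.
    for dce11, key, era in [(True, True, LoginProtocol.THIRD_PARTY),
                            (True, False, LoginProtocol.THIRD_PARTY),
                            (False, True, LoginProtocol.THIRD_PARTY),
                            (False, True, LoginProtocol.DCE10)]:
        print(f"dce11={dce11} key={key} era={era.name}: {login_attempt(dce11, key, era)}")
```

Reading the table printed by the `__main__` block shows the trade-off the guide hints at: raising pre_auth_req on a principal removes the weaker protocols as a path into that account, while leaving it at DCE1.0 keeps pre-DCE1.1 clients working.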