I.T. Times

Volume 6, No 3 Information Technology News of the University of California, Davis November 1997



Distributed Web Authentication Project

by Richard Darsie

To protect copyright and comply with software licensing restrictions, some campus sites and services are currently restricted to access from computers with "ucdavis.edu" addresses only. Examples of sites and services so restricted include Melvyl databases, site licensed software distribution sites, some course Web sites, the campus news service, and many sites with confidential information such as financial or academic records. The current authentication method is to check the address of the incoming request for access, and to permit access only if it is coming from a campus IP (Internet Protocol) address. Unfortunately, persons using a third-party Internet Service Provider for off-campus access are not coming from a campus-based IP address, and this authentication technique will not permit them to access certain online campus resources, such as restricted Web pages and campus newsgroups. Being "authenticated" simply means that the system has verified that you are who you say you are.

To address these limitations, a team of I.T. and departmental technical staff are developing campuswide services which will allow departments to limit access to their online resources by username and password, instead of by IP address. This service will be available at the beginning of January, 1998; the testing phase is now underway. The new authentication procedure will make use of the Kerberos security server, which is already employed by such campuswide administrative services as GUI Banner and DaFIS (see "You Asked..." feature).

Doreen Meyer of Distributed Computing Analysis & Support made a presentation about this project to a roomful of Technology Support Coordinators (TSCs) on November 11. The information was presented in a non-technical fashion and is further disseminated here because of its importance to the campus. Slides from the presentation are online at http://dcas.ucdavis.edu/authentication/webauth/.

The new authentication system has potentially two levels of security: a base level open to all users, making use of Kerberos and a global "ucdavis.edu" browser cookie, and a higher level for those with access to AFS space, which additionally makes use of an AFS file check. (The terms "cookie," "authentication," "Kerberos," and "AFS" are defined here.) Please note that this procedure depends on the user's browser being set to accept cookies. If you have disabled your browser's ability to accept cookies (many people do this), you will not be able to be authenticated. To check whether your browser is set to accept cookies, and to reset the browser to accept cookies if necessary, open your browser's preferences file. Note that on this campus, the cookies created by the authentication service will not be tracked or maintained for any reason other than authentication. Elsewhere on the Web, cookies are often used for collecting information about a particular user and his/her interests.

From the user's perspective, the authentication operation will proceed as follows:

  1. The user attempts to access a restricted site using a Web browser (e.g., Netscape 2.02+, Internet Explorer). The first stop is an informational page describing the authentication process. This page also includes a link to the UC Names page, where you can choose a LoginID and a Kerberos password if necessary.
  2. Behind the scenes, the local server checks the user's authentication status by looking for a valid "ucdavis.edu" cookie set at some previous point during the current session.
  3. If the user is authenticated (i.e., if a valid "ucdavis.edu" cookie exists), the requested page loads.
  4. If the user is not authenticated, a login ID and Kerberos password are requested by the Secureweb server (an intermediary between the local server and the Kerberos server). Upon entry of valid information, the server sends a "ucdavis.edu" cookie to the user's browser and the requested page loads. The cookie self-destructs when the current browser session ends.
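The following is an added model of steps 2 through 4, written for this article and not code from the campus Secureweb project: the Kerberos check is a constructed stub, and the cookie name, the HMAC-signed "loginid|issued|tag" cookie format and the server-side age cap are assumptions the article does not specify.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Signing key known only to the servers (assumption: shared by Secureweb and the local server).
SIGNING_KEY = secrets.token_bytes(32)
COOKIE_NAME = "ucdavis_auth"  # constructed name; the article does not give one

# Constructed stand-in for the Kerberos server that Secureweb consults in step 4.
_KERBEROS_STUB = {"jdoe": "correct-horse-battery"}


def kerberos_verify(login_id: str, password: str) -> bool:
    return _KERBEROS_STUB.get(login_id) == password


def issue_cookie(login_id: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Step 4: on valid credentials, return the Set-Cookie value for the global campus cookie."""
    if not kerberos_verify(login_id, password):
        return None
    issued = int(now if now is not None else time.time())
    payload = f"{login_id}|{issued}"
    tag = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{payload}|{tag}"
    cookie[COOKIE_NAME]["domain"] = ".ucdavis.edu"  # readable by every campus server
    cookie[COOKIE_NAME]["path"] = "/"
    # No Expires/Max-Age attribute: a session cookie, discarded when the browser closes.
    return cookie.output(header="").strip()


def check_cookie(cookie_header: str, max_age_s: int = 8 * 3600,
                 now: Optional[float] = None) -> Optional[str]:
    """Steps 2-3: the local server parses the Cookie header; returns the login id if valid."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if COOKIE_NAME not in cookie:
        return None  # not authenticated yet: send the user to Secureweb
    try:
        login_id, issued, tag = cookie[COOKIE_NAME].value.split("|")
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(SIGNING_KEY, f"{login_id}|{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered cookie (e.g. login id edited by the user)
    current = now if now is not None else time.time()
    if current - int(issued) > max_age_s:
        return None  # server-side cap, since a session cookie can live as long as the browser
    return login_id
```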

The next phase of the Web authentication project will include a survey of Web site managers on campus, beta testing by volunteer campus Webmasters, and the posting of Recommended Solutions documents. A Web site will soon be in place with detailed platform-specific instructions and downloads of the necessary software and files to implement this authentication procedure. The testing phase will determine which platforms will support the new procedure; there are no guarantees that all platforms will be supported, but the most widely used ones certainly will be.

Finally, this particular scheme of Web-based authentication is an interim solution, and will be active in the time frame of 18 months to two years, at which time a more robust and flexible authentication service will be in place.

For more information, visit http://cr.ucdavis.edu/projects/distributed.htm and http://dcas.ucdavis.edu/access/distauth/.

Vicki Suter and Doreen Meyer of Distributed Computing Analysis & Support (DCAS) contributed to this article.