26.2 Authentication Mechanisms

The following mechanisms can be used to authenticate managed devices to the ZENworks Management Zone:

26.2.1 Kerberos (Active Directory only)

Kerberos, an authentication protocol developed at MIT, requires entities (for example, a user and a network service) that need to communicate over an insecure network to prove their identity to one another so that secure authentication can take place.

Kerberos functionality is included natively in a Windows Active Directory environment.

Kerberos requires the use of a Key Distribution Center (KDC) to act as a trusted third party between these entities. All Kerberos server machines need a keytab file to authenticate to the KDC. The keytab file is an encrypted, local, on-disk copy of the host's key.

When using Kerberos authentication, the Active Directory server generates a Kerberos ticket that Novell Common Authentication Services Adapter (CASA) uses to authenticate the user, rather than using a username and password for authentication.

Setting Up Kerberos in your ZENworks Environment

  1. Set up a Kerberos service principal account and generate a keytab file for that account.

    For more information, see the Microsoft TechNet Web site.

    For example, if you created a user called atsserver in your domain, you would run the following command from the command prompt:

    ktpass /princ host/atsserver.users.myserver.com@MYSERVER.COM -pass atsserver_password -mapuser domain\atsserver -out atsserver.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL

    This command creates a keytab file and modifies the user atsserver to be a Kerberos principal.

  2. Import the keytab file into ZENworks Control Center.

    1. In ZENworks Control Center, click the Configuration tab, click Infrastructure Management, then click User Source Settings.

    2. Click the Browse icon to browse to and select the keytab file.

    3. Click OK to import the file.

Enabling Kerberos Authentication While Adding a User Source

You can enable Kerberos authentication while adding a user source. For more information, see Section 25.2.1, Adding User Sources.

Enabling Kerberos Authentication on an Existing User Source

You can enable Kerberos authentication on an existing user source.

  1. In ZENworks Control Center, click the Configuration tab.

  2. In the User Sources panel, click the user source, then click Edit next to Authentication Mechanisms in the General section.

  3. Select the Kerberos check box, then click OK.

Understanding How Kerberos Authentication and the ZENworks Login Dialog Box Interact

The following table illustrates the ZENworks user experience using Kerberos authentication with Active Directory:

Table 26-1 ZENworks Kerberos Authentication with Active Directory

Columns: Windows login matches user source login? | ZENworks also uses Username/Password authentication? | Member of same domain? | Member of different domain? | Windows and ZENworks credentials match? | Can log in to Management Zone? | ZENworks login dialog box appears?

(The check marks in the first five columns were images and are not preserved in this text; only the last two columns of each row are recoverable.)

Row | Can log in to Management Zone? | ZENworks login dialog box appears?
1 | Yes | No
2 | Yes | No
3 | Yes | Yes
4 | No | No
5 | No | No
6 | No | No
7 | No | No
8 | Yes | No
9 | Yes | No
10 | Yes | Yes

For example, in the second row, the user’s initial login, user source, and ZENworks login credentials match. As a result, the user can log in to the ZENworks Management Zone and the ZENworks login dialog box does not appear.

As another example, in the third row, the user’s initial login credentials come from a different domain and differ from the ZENworks login credentials. As a result, the user can log in to the ZENworks Management Zone, but the ZENworks login dialog box appears.

26.2.2 Shared Secret

When using Shared Secret authentication, you must install and configure the Novell Identity Assurance Solution Client. For more information, and for a list of supported smart card readers and smart cards, see the Identity Assurance Solution Client documentation on the Novell Documentation Web site.

Authentication to ZENworks by using a smart card is currently supported only on Windows XP and in terminal sessions on Windows Server 2003 devices.

When a user uses a smart card to log in to eDirectory, the user is automatically logged in to ZENworks, provided that the schema of the eDirectory specified when the user source was added has been extended by using the novell-zenworks-configure tool.

For more information on adding the user source, see Section 25.2.1, Adding User Sources.

For more information on extending the eDirectory schema, see Extending the eDirectory Schema to enable Shared Secret Authentication.

If the eDirectory schema is not extended, Shared Secret is not available as an authentication mechanism. Consequently, a ZENworks login dialog box is displayed when the user on the managed device attempts to log in to eDirectory using a smart card. After the user specifies the eDirectory username and password, that password is stored in Novell SecretStore. The next time the user uses a smart card to log in to eDirectory, the password is retrieved from SecretStore and the user is logged in to ZENworks without having to specify the password.

Extending the eDirectory Schema to enable Shared Secret Authentication

To authenticate to ZENworks by using the Shared Secret authentication mechanism, the schema of the eDirectory specified when the user source is added must have been extended by using the novell-zenworks-configure tool.

Perform the following steps to extend the eDirectory schema:

  1. Run the novell-zenworks-configure utility on a ZENworks Server:

    On Windows: At the command prompt, change to ZENworks_installation_path\bin and enter the following command:

    novell-zenworks-configure.bat -c ExtendSchemaForSmartCard

    On Linux: At the console prompt, change to /opt/novell/zenworks/bin and enter the following command:

    ./novell-zenworks-configure -c ExtendSchemaForSmartCard

  2. You are prompted to confirm that you want to extend the Novell eDirectory schema and add an optional zcmSharedSecret attribute to the user class. By default, 1 is selected. Press Enter.

  3. Enter the DNS name or IP address of the Novell eDirectory server to extend the schema.

  4. You are prompted to select Secure Socket Layer (SSL) or Clear Text communication for communicating with the eDirectory server. Enter 1 for SSL communication or 2 for Clear Text communication, then press Enter again.

  5. Enter the port for communicating with the eDirectory server.

    The default port for SSL communication is 636 and for Clear Text communication is 389.

  6. Enter the fully distinguished name (FDN) of the Administrative User.

    For example, cn=admin,o=organization

  7. Enter the password for the Administrative User specified in Step 6.

  8. (Optional) Enter the fully distinguished name of the ZENworks user source admin to whom the ACL is applied.

    The ZENworks user source admin is the user configured in the ZENworks user source configuration for reading users from the user source, and need not be the Administrative User specified in Step 6. If you specify the fully distinguished name of this user, the program sets ACLs on the specified containers to give this user read access to the zcmSharedSecret attribute.

  9. Enter the user containers for which you want to extend the schema.

    Multiple containers can be specified, separated by a + sign. For example, o=sales or o=sales + o=marketing.

  10. Press Enter to generate a random secret for all users within the above containers.

  11. (Conditional) If you have chosen SSL communication for communicating with the eDirectory server, the server presents a certificate. Enter y to accept the certificate.
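Step 11 is the point where the trust decision is made: once you enter y, the tool trusts whatever certificate the server presented, so the certificate should be matched against a fingerprint obtained from the eDirectory administrator through another channel before accepting it (and, as Step 4 implies, choosing Clear Text instead sends the Step 7 administrator password to port 389 unprotected). The helper below is an added example for this page, not part of novell-zenworks-configure: it retrieves the certificate presented on the LDAPS port without trusting it and prints a SHA-256 fingerprint to compare. The host name and expected fingerprint in the usage are placeholders.

```python
import hashlib
import hmac
import ssl


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Strip colons, spaces and case so fingerprints from different tools compare."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprints_match(seen, expected):
    """Constant-time comparison of two fingerprints in any common notation."""
    return hmac.compare_digest(normalize_fingerprint(seen),
                               normalize_fingerprint(expected))


def fetch_server_fingerprint(host, port=636):
    """Fetch the leaf certificate presented on the LDAPS port and fingerprint it.

    ssl.get_server_certificate does not validate the chain, which is what we
    want here: the point is to look at the certificate, not to trust it yet.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    # Placeholder values: replace with the real eDirectory host and the
    # fingerprint supplied out of band by the eDirectory administrator.
    seen = fetch_server_fingerprint("edir.example.com")
    expected = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
    print("presented:", seen)
    print("match" if fingerprints_match(seen, expected) else "MISMATCH: do not accept")
```

Run it against the same host and port you will give in Steps 3 and 5 and accept the certificate in Step 11 only when the fingerprints match.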

26.2.3 Username/Password (eDirectory and Active Directory)

When using Username/Password authentication with a Novell eDirectory or Microsoft Active Directory user source, if the credentials the user specifies to log in to the workstation or to the domain match the ZENworks login credentials, the ZENworks login dialog box does not display and the user is authenticated to the ZENworks Management Zone.

The username and password are also stored in SecretStore. If a user later logs in to ZENworks where no username or password is available (for example, the user logged in using a smart card), the stored credentials are used and the ZENworks login dialog box is bypassed.

Enabling Username/Password Authentication While Adding a User Source

You can enable Username/Password authentication while adding a user source. For more information, see Section 25.2.1, Adding User Sources.

Enabling Username/Password Authentication on an Existing User Source

You can enable Username/Password authentication on an existing user source.

  1. In ZENworks Control Center, click the Configuration tab.

  2. In the User Sources panel, click the user source, then click Edit next to Authentication Mechanisms in the General section.

  3. Select the Username/Password check box, then click OK.

Understanding How Username/Password Authentication and the ZENworks Login Dialog Box Interact

The following table illustrates the ZENworks user experience using Username/Password authentication with Active Directory:

Table 26-2 ZENworks Username/Password Authentication with Active Directory

Columns: Windows login matches user source login? | ZENworks also uses Kerberos authentication? | Member of same domain? | Member of different domain? | Windows and ZENworks credentials match? | Can log in to Management Zone? | ZENworks login dialog box appears?

(The check marks in the first five columns were images and are not preserved in this text; only the last two columns of each row are recoverable.)

Row | Can log in to Management Zone? | ZENworks login dialog box appears?
1 | Yes | No
2 | Yes | No
3 | Yes | Yes
4 | Yes | No
5 | Yes | No
6 | Yes | No
7 | Yes | Yes
8 | Yes | Yes
9 | Yes | Yes

For example, in the first row, the user’s initial login, user source, and ZENworks login credentials match. As a result, the user can log in to the ZENworks Management Zone and the ZENworks login dialog box does not appear.

As another example, in the second row, the user’s initial login credentials come from a different domain but match the ZENworks login credentials. As a result, the user can log in to the ZENworks Management Zone, and the ZENworks login dialog box does not appear.