pGINA

Blueprints published by Sun Microsystems have a very good article about pGina, which enables you to change/alter the authentication used for Microsoft Windows PCs. I've used it in the past (extended it, rather) in test environments, and it worked pretty well for me.

XPA Systems describes pGINA as follows: As it stands, the Microsoft Windows 2000 client operating system only provides a single method of user authentication. This method calls for the availability of a machine running the Microsoft Windows 2000 Server operating system. While this method may work very well in several situations, it does not work at all in others. Should someone be looking to bring the Windows 2000 operating system into an environment where user authentication is currently being handled by something other than a Windows 2000 server, it is an extremely difficult task to allow for this single method of authentication.

For instance, should an administrator wish to use an existing Unix server, and its existing base of users, to authenticate access to Windows 2000 machines, there are few options. The methods employed may range from using a Windows 2000 server for authentication and having the administrator maintain identical lists of usernames/passwords on each server, to using Samba to emulate a Windows NT 4 Server. However, each method has its drawbacks and limitations. Ideally the administrator should be able to set up a standard naming service, such as NIS (Network Information Services) or LDAP (Lightweight Directory Access Protocol), on ANY type of server and have all clients, regardless of OS revision, access that single repository.

However, Microsoft does allow for customization of its client access and authentication methods through the interface specifications and details of their GINA (Graphical Identification aNd Authentication) dynamic link library. This library “… is a replaceable DLL component that is loaded by the Winlogon executable. The GINA implements the authentication policy of the interactive logon model and is expected to perform all identification and authentication user interactions.” (MSDN)

Through the creation of a substitute GINA that can dynamically load “plugins”, where a plugin can be created to use ANY method of authentication, we propose that it is possible to systematically, and simply, provide for the authentication and login of a user via many different methods. Thereby, we are simplifying the provided GINA interface, and providing the skeleton code necessary to quickly and easily implement many different methods of user authentication. Once a plugin has been created for any particular authentication method, it can quickly and easily be installed on multiple machines and even provided for other users and institutions, without the need for an in-depth understanding of the Windows logon process or its structure.
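A replacement GINA is registered through the `GinaDLL` value under the Winlogon registry key, and Winlogon loads the stock `msgina.dll` when that value is absent. The PowerShell function below is an added example, not code from the original post or from pGina; it reports which GINA a Windows 2000/XP-era machine is configured to load, so an administrator can confirm the DLL in place is the one they deployed. The function name `Get-GinaStatus` and the System32 fallback for bare file names are assumptions of this example.

```powershell
# Added example; Get-GinaStatus is a name chosen here, not part of Windows or pGina.
function Get-GinaStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $configured = (Get-ItemProperty -Path $key).GinaDLL

    # No GinaDLL value: Winlogon loads the stock msgina.dll.
    if (-not $configured) {
        return New-Object PSObject -Property @{
            Gina = 'msgina.dll (default)'; Replaced = $false
        }
    }

    # Assumption: a bare file name lives in System32; a full path is used as given.
    $path = $configured
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path (Join-Path $env:SystemRoot 'System32') $path
    }
    if (-not (Test-Path $path)) {
        return New-Object PSObject -Property @{
            Gina = $configured; Replaced = $true; Path = $path; Problem = 'file not found'
        }
    }

    # Hash the DLL so it can be compared with the build that was deployed.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Close()
    }

    $info = (Get-Item $path).VersionInfo
    New-Object PSObject -Property @{
        Gina        = $configured
        Replaced    = $true
        Path        = $path
        Company     = $info.CompanyName
        FileVersion = $info.FileVersion
        Signature   = (Get-AuthenticodeSignature -FilePath $path).Status
        Sha256      = $hash
    }
}

Get-GinaStatus | Format-List
```

Because the GINA handles every interactive logon, an unexpected `GinaDLL` value or a hash that does not match the deployed build is worth investigating.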
