Network Authentication Brick

Description

Network authentication includes technologies used to authenticate clients to a variety of services over computer networks. Example services include mail servers, file servers, wireless network access, workstation logins, as well as network routing systems and phone systems. Client types include users, applications, devices, and other technical components requiring authentication (often tied to a UW NetID). 

Status Table

The following table categorizes related technologies according to their current lifecycle status.

Note: Refer to the IAM Brick Reference for complete descriptions of the six status designations and common lifecycle patterns.

Comments

• Emerging
  1. UWWI Windows Azure Active Directory is emerging into the environment during the implementation of Microsoft Office 365. Further evaluation of its strategic fit as an authentication service may result in a different status designation.
• Strategic
  1. No new technologies have been identified for this designation.
• Tactical
  1. WS-Federation (Active Requestor Profile) and WS-Trust (Active Profile) protocols supported by UWWI Active Directory Federation Services (ADFS) are under "tactical" status to support rich desktop clients in Microsoft Office 365. Strategic needs to support rich desktop client access to more "claims-aware" applications may bring these technologies into the baseline and increase support levels.
• Baseline
  1. No software is designated with "baseline" status indicating the diversity of client technologies in use. Customer support for specific client software is often limited to general information for client configuration.
  2. Kerberos is a "baseline" protocol supported by two technical services: UW Kerberos (u.washington.edu realm based on MIT Kerberos) and UWWI Active Directory (netid.washington.edu realm based on Microsoft Kerberos). These duplicate implementations of the same protocol were deployed into the environment at different times for different business purposes. Therefore, support levels for some features (single sign-on, service principals, delegated authentication, cross-realm authentication) differs between services. Today, the two technical services are used for a mix of purposes including: incoming mail server (IMAP) access, outgoing mail server (SMTP) access, secure shell and file transfer (SSH, SFTP, SCP), workstation login (including UW-IT Technology Spaces), and network file sharing (SMB/CIFS, NFS). In the future, use of individual Kerberos features may be limited to one of the two technical services based on strategic fit and total cost of ownership. Further consolidation is unlikely without increased investment. 
  3. RADIUS is a "baseline" protocol supported through the UW RADIUS service primarily to internal UW-IT customers. It is used for eduRoam wireless network access and UW dial-in modem access. Support for customers outside of UW-IT is limited.
  4. TLS Client Certificate Authentication using application certificates issued by the UW Services CA is a baseline technology used to identify applications and services in many scenarios.
  5. The UW Token Authentication service based on Entrust IdentityGuard software is under "baseline". However, direct client integration is limited to UW-IT systems like the Unisys mainframe and Weblogin service. Other customers use the service for multi-factor authentication for web site authentication.
• Containment
  1. Kerberos using DES and other weak encryption types is under containment. Project investment will be required to transition service designs to retire support for weak encryption types.
  2. Nebula Domain Services are under "containment" status for access to services and other resources that require authentication of clients outside the Nebula environment.
  3. LDAP Authentication (over SSL) via UWWI Active Directory LDAP Authentication Services is under "containment" status because its use often coincides with elevated (full) permission to access UWWI user account objects for authorization. Use is limited based on business need, risk of data leakage, and the feasibility of other integration options.
  4. The SAML ECP profile relies on a Service Provider collecting a UW NetID and password and sending them to the UW IdP for verification. The  exposure of the user's credentials to a third-party (the SP) is very undesirable. Use is limited based on business need and the feasibility of other integration options. 
• Retirement
  1. The UW Windows Forest service and its windows.washington.edu domain are scheduled for retirement during 2013 for customers outside of UW-IT. To learn more refer to the UW Windows Forest service documentation.
  2.  Use of LDAP Authentication without SSL to verify passwords over unsecured network connections is deprecated by UW data security policies and will be retired.

References

• link
• link
• link

See Also

• Web Authentication Brick
• REST API Authentication
• Mobile Authentication Brick

Last Review Date

March 27, 2013