Reference8:Delegated Authentication: Difference between revisions
| Line 10: | Line 10: | ||
The main idea of how the Single Sign-on feature works is the following: | The main idea of how the Single Sign-on feature works is the following: | ||
#The browser sends user name and password to the box, using '''HTTP basic authentication'''. | #The browser sends user name and password to the box, using '''HTTP basic authentication'''. | ||
#The box then uses '''Kerberos''' to obtain a ticket on behalf of the user for its own web server. | #The box then uses '''Kerberos''' to obtain a ticket on behalf of the user from the authentication server for its own web server. | ||
If that was successful the password is valid and the user is authenticated. The ticket also contains some information whether the user is an administrator or a viewer. | If that was successful the password is valid and the user is authenticated. The ticket also contains some information whether the user is an administrator or a viewer. | ||
Revision as of 15:16, 8 June 2009
Applies to
All devices with firmware version 8 and later.
Overview
Each device has its own administrator/viewer accounts.
In version 8 and later a single device can act as an authentication server for the rest of the devices. User accounts that are managed on the authentication server can be used to login on each device in the installation. You can also configure devices to accept user accounts from a Windows domain.
Protocols
The main idea of how the Single Sign-on feature works is the following:
- The browser sends user name and password to the box, using HTTP basic authentication.
- The box then uses Kerberos to obtain a ticket on behalf of the user from the authentication server for its own web server.
If that was successful the password is valid and the user is authenticated. The ticket also contains some information whether the user is an administrator or a viewer.
Security considerations
Use HTTPS
As HTTP basic authentication transmits plaintext passwords, the use of HTTPS is mandatory. Please disable normal HTTP access to the devices or enable "Force HTTPS".