Reference8:Delegated Authentication: Difference between revisions

Revision as of 15:47, 8 June 2009

Applies to

All devices with firmware version 8 and later.

Overview

Each device has its own administrator/viewer accounts.

In version 8 and later a single device can act as an authentication server for the rest of the devices. User accounts managed on the authentication server can then be used to log in on every device in the installation. Devices can also be configured to accept user accounts from a Windows domain.

How it works

Version 8 devices can use Kerberos to authenticate users that are not managed locally but on a remote Kerberos server.

Delegating authentication

  • Kerberos server: Once a Server Realm is configured on a box, that box provides authentication for its administrator and viewer accounts to the other devices.
  • Kerberos hosts: Boxes that join that Realm as a Kerberos host/service delegate user authentication to the Kerberos server instead of checking passwords locally.

Logging in

The main idea of how the Single Sign-on feature works is the following:

  1. The browser sends user name and password to the box, using HTTP basic authentication.
  2. The box then uses Kerberos to obtain a ticket on behalf of the user from the Kerberos server for its own web server.

If that succeeds, the password is valid and the user is authenticated. The ticket also carries information on whether the user is an administrator or a viewer, so the box takes the user's role from the ticket rather than from any local account.
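The two-step login above, modelled end to end as an added example. This is not innovaphone code and not real Kerberos: the KDC's AS exchange with pre-authentication is reduced to an HMAC over a timestamp under a password-derived key, and the "ticket" is a JSON body MACed under the box's service key. The account database, realm, service name and keys are constructed for the demonstration. What it shows is the shape of the decision: the box never compares the password itself, it only learns that the password was right because a ticket came back, and it reads the administrator/viewer role out of that ticket after checking it with its own service key. Step 1 also makes plain why HTTPS is mandatory: the Basic header is only base64-encoded.

```python
"""Toy model of delegated (Kerberos-style) login for a box's web server.
Added example; assumes hypothetical accounts, realm and keys."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed account database of the "Kerberos server" (hypothetical data).
# A real KDC stores a key derived from the password, never the password itself.
REALM = "EXAMPLE.COM"
KDC_ACCOUNTS = {
    "alice": {"password": "s3cret", "role": "administrator"},
    "bob": {"password": "viewer-pw", "role": "viewer"},
}
BOX_SERVICE = "HTTP/pbx01.example.com"          # the box's own web service principal
BOX_SERVICE_KEY = hashlib.sha256(b"box-service-key-demo").digest()  # shared box/KDC key
CLOCK_SKEW = 300  # seconds, as the Kerberos default


def user_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: long-term user key derived from the password."""
    return hashlib.sha256(password.encode()).digest()


def parse_basic_auth(header: str) -> Tuple[str, str]:
    """Step 1: decode the HTTP Basic 'Authorization' header sent by the browser.
    base64 is an encoding, not encryption: anyone seeing plain HTTP sees the password."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def kdc_as_exchange(user: str, preauth: dict, service: str) -> Optional[dict]:
    """KDC side of a simplified AS exchange: accept the request only if the client's
    MAC over a fresh timestamp verifies under the user's key, then issue a ticket for
    the requested service that carries the user's role, MACed under the service key."""
    account = KDC_ACCOUNTS.get(user)
    if account is None:
        return None
    expected = hmac.new(user_key(account["password"]), preauth["timestamp"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, preauth["mac"]):
        return None  # wrong password: the user key did not produce this MAC
    if abs(time.time() - int(preauth["timestamp"])) > CLOCK_SKEW:
        return None  # stale pre-authentication (replay window)
    body = json.dumps({"user": user, "service": service, "role": account["role"], "realm": REALM},
                      sort_keys=True)
    return {"body": body, "mac": hmac.new(BOX_SERVICE_KEY, body.encode(), "sha256").hexdigest()}


def box_login(authorization_header: str) -> Optional[str]:
    """Box side: Step 2. Use the browser's credentials to obtain a ticket for the box's own
    web service on behalf of the user; return the role from the ticket, or None on failure."""
    user, password = parse_basic_auth(authorization_header)
    ts = str(int(time.time()))
    preauth = {"timestamp": ts,
               "mac": hmac.new(user_key(password), ts.encode(), "sha256").hexdigest()}
    ticket = kdc_as_exchange(user, preauth, BOX_SERVICE)
    if ticket is None:
        return None
    # Verify the ticket with the box's own service key before trusting the role claim.
    check = hmac.new(BOX_SERVICE_KEY, ticket["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(check, ticket["mac"]):
        return None
    return json.loads(ticket["body"])["role"]


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends for HTTP Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(box_login(basic_header("alice", "s3cret")))   # administrator
    print(box_login(basic_header("bob", "viewer-pw")))  # viewer
    print(box_login(basic_header("alice", "wrong")))    # None
    print(box_login(basic_header("mallory", "x")))      # None (unknown user)
```

The role comes back inside a ticket the box can verify, not as a bare "yes/no" from the server, which is the property that lets one authentication server serve many boxes without each box holding the password database.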

Security considerations

Use HTTPS

As HTTP basic authentication transmits the password in the clear (base64 is an encoding, not encryption), the use of HTTPS is mandatory. Disable plain HTTP access to the devices or enable "Force HTTPS", so that the credentials never cross the network unencrypted.