Reference8:Delegated Authentication: Difference between revisions
Line 18: | Line 18: | ||
== Security considerations == | == Security considerations == | ||
=== Use HTTPS === | === Use HTTPS === | ||
As HTTP basic authentication transmits plaintext passwords, the use of HTTPS is mandatory. Please disable normal HTTP access to the devices or enable | As HTTP basic authentication transmits plaintext passwords, the use of HTTPS is mandatory. Please disable normal HTTP access to the devices or enable ''Force HTTPS''. | ||
[[Category:Concept|{{PAGENAME}}]] | [[Category:Concept|{{PAGENAME}}]] |
Revision as of 16:05, 8 June 2009
Applies to
All devices with firmware version 8 and later.
Overview
Each device has its own administrator/viewer accounts.
In version 8 and later a single device can act as an authentication server for the rest of the devices. User accounts that are managed on the authentication server can be used to login on each device in the installation. You can also configure devices to accept user accounts from a Windows domain.
How it works
Version 8 devices can use Kerberos to authenticate users that are not managed locally but on a remote Kerberos server.
Logging in
The main idea of how the Single Sign-on feature works is the following:
- The browser sends user name and password to the box, using HTTP basic authentication.
- The box then uses Kerberos to obtain a ticket on behalf of the user from the Kerberos server for its own web server.
If that was successful the password is valid and the user is authenticated. The ticket also contains some information whether the user is an administrator or a viewer.
Security considerations
Use HTTPS
As HTTP basic authentication transmits plaintext passwords, the use of HTTPS is mandatory. Please disable normal HTTP access to the devices or enable Force HTTPS.