Reference8:Delegated Authentication

From innovaphone wiki
There are also other versions of this article available: Reference8 (this version) | Reference10

Applies to

All devices with firmware version 8 and later.

Overview

Each device has its own administrator/viewer accounts.

In version 8 and later a single device can act as an authentication server for the rest of the devices. User accounts that are managed on the authentication server can be used to log in on each device in the installation. You can also configure devices to accept user accounts from a Windows domain.

How it works

Version 8 devices can use Kerberos to authenticate users that are not managed locally but on a remote Kerberos server.

Kerberos

A Kerberos server manages users and services for a realm that is identified by a distinct name. It shares a secret password with each user and each service. Users can obtain a ticket for a service from the Kerberos server if they prove that they know their own password. Services can then authenticate users by validating tickets instead of passwords. Therefore many devices can be accessed using the same user credentials, but only the Kerberos server and the user have to know the password.

Logging in

The main idea of how the centralized login process works in version 8 is the following:

(Figure: Login kerberos basic – the browser, the box and the Kerberos server in the basic login flow)

  1. The browser sends user name and password to the box, using HTTP basic authentication.
  2. The box then uses Kerberos to obtain a ticket on behalf of the user from the Kerberos server for its own web server.

If that was successful the password is valid and the user is authenticated.
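The two-step login above, the Kerberos principle from the section before it (services validate tickets instead of passwords) and the admin/viewer role carried in the ticket are modelled in the following added Python example. It is illustration code, not innovaphone firmware: tickets are HMAC-protected JSON rather than real Kerberos messages; the realm, user names, passwords, service secrets and the 300 s and 3600 s time windows are constructed for the example; and the refusal of Basic logins over plain HTTP (the Force HTTPS behaviour described under Security considerations) is included as a defender's check.

```python
import base64
import hashlib
import hmac
import json
import time

# Toy model: tickets are HMAC-protected JSON, not real Kerberos messages.

def derive_key(password: str) -> bytes:
    # Toy key derivation (real Kerberos uses string2key, e.g. PBKDF2 for AES enctypes).
    return hashlib.sha256(password.encode()).digest()

def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class KerberosServer:
    """Holds one shared secret per user and per service of a single realm."""
    def __init__(self, realm, users, services):
        self.realm = realm
        # users: {name: (password, role)}, services: {name: password}
        self.users = {u: (derive_key(pw), role) for u, (pw, role) in users.items()}
        self.services = {s: derive_key(pw) for s, pw in services.items()}

    def get_ticket(self, user, preauth, service):
        """Issue a ticket for `service` if pre-authentication proves the user's password."""
        if user not in self.users or service not in self.services:
            return None
        user_key, role = self.users[user]
        ts = preauth["timestamp"]
        if abs(time.time() - ts) > 300:  # reject stale or replayed pre-authentication
            return None
        if not hmac.compare_digest(mac(user_key, str(ts).encode()), preauth["mac"]):
            return None  # wrong password
        body = json.dumps({"user": user, "realm": self.realm, "service": service,
                           "role": role, "exp": time.time() + 3600}, sort_keys=True)
        # Only the service's key protects the ticket: the service can verify it
        # without ever learning the user's password.
        return {"body": body, "mac": mac(self.services[service], body.encode())}

class Box:
    """A device that delegates REALM\\user logins to that realm's Kerberos server."""
    def __init__(self, service_name, service_password, local_users, kerberos_servers,
                 force_https=True):
        self.service_name = service_name
        self.service_key = derive_key(service_password)  # shared with the KDC on joining
        self.local_users = local_users  # {name: (password, role)}
        self.kdcs = kerberos_servers  # {realm: KerberosServer}, the "Server Locations"
        self.force_https = force_https

    def login(self, authorization_header, over_tls):
        """Return ("ok", role, principal) or ("denied", reason)."""
        if self.force_https and not over_tls:
            return ("denied", "Basic auth carries the password in clear; HTTPS required")
        scheme, _, b64 = authorization_header.partition(" ")
        if scheme != "Basic":
            return ("denied", "unsupported authentication scheme")
        try:
            userspec, sep, password = base64.b64decode(b64).decode().partition(":")
        except ValueError:
            return ("denied", "malformed credentials")
        if not sep:
            return ("denied", "malformed credentials")
        realm, sep, user = userspec.partition("\\")
        if not sep:  # no realm prefix: local account of this box
            entry = self.local_users.get(userspec)
            if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
                return ("ok", entry[1], userspec)
            return ("denied", "bad local credentials")
        kdc = self.kdcs.get(realm)
        if kdc is None:
            return ("denied", "no Server Location configured for realm " + realm)
        # Step 2: prove the user's password to the KDC and request a ticket for this
        # box's own web service.
        ts = time.time()
        preauth = {"timestamp": ts, "mac": mac(derive_key(password), str(ts).encode())}
        ticket = kdc.get_ticket(user, preauth, self.service_name)
        if ticket is None:
            return ("denied", "Kerberos server rejected the credentials")
        # A ticket that verifies under our own service key means the KDC accepted the
        # password; its body carries the authorization (admin or viewer).
        if not hmac.compare_digest(mac(self.service_key, ticket["body"].encode()), ticket["mac"]):
            return ("denied", "ticket not issued for this service key")
        body = json.loads(ticket["body"])
        if body["service"] != self.service_name or body["exp"] < time.time():
            return ("denied", "ticket not for this service or expired")
        return ("ok", body["role"], realm + "\\" + user)

def basic_header(userspec, password):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{userspec}:{password}".encode()).decode()

def build_demo():
    """Constructed realm: one KDC, box1 joined correctly, box2 with a wrong service secret."""
    kdc = KerberosServer("REALM", {"radmin": ("r-secret", "admin"), "rview": ("v-secret", "viewer")},
                         {"box1": "box1-svc-secret", "box2": "box2-svc-secret"})
    box1 = Box("box1", "box1-svc-secret", {"admin": ("local-pw", "admin")}, {"REALM": kdc})
    box2 = Box("box2", "not-the-real-secret", {}, {"REALM": kdc})
    return box1, box2
```

Call `build_demo()` and then, for example, `box1.login(basic_header("REALM\\radmin", "r-secret"), over_tls=True)` to walk through both steps: the box never stores or checks the remote user's password itself; it only learns whether the Kerberos server issued a ticket it can verify with its own service key. The `box2` device, configured with a wrong service secret, shows why tickets cannot be accepted by a device that has not properly joined the realm.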

Authorization

Tickets issued by an innovaphone Kerberos server contain information about whether the user is an administrator or a viewer.

Configuration

Configuration is done using the General/Admin page from the web administration interface. See: Reference8:Configuration/General/Admin

Setting up the Kerberos server

  1. Enter the name of the Server Realm.

Now the Kerberos server is running and provides authentication for the local user accounts of the box.

Setting up cross-realm authentication

  1. Specify the Trusted Realms and the corresponding passwords. Select the desired method of authorization for that realm.

Setting up the client devices

Note: The box that hosts the Kerberos server may also be a client device and then has to join the realm as well.

  1. Configure the Server Locations of the Kerberos servers of all involved realms.
  2. Join the desired Kerberos realm. To do that you will need some administrator credentials from that realm.

Now the device can authenticate users of the realm.

Using it

Logging in with the web browser

To distinguish between local users and users of a Kerberos realm, the name of the realm has to be prepended to the user name, separated by a backslash ('\').

Example:

  • Local user: admin
  • Remote user: REALM\radmin

Security considerations

Use HTTPS

As HTTP basic authentication transmits plaintext passwords, the use of HTTPS is mandatory. Please disable normal HTTP access to the devices or enable Force HTTPS.

Use local users only for recovery purposes

Although the old local user accounts of devices can still be used to log in, this should not be done.

We recommend choosing a different secure administrator password for each device. After Single Sign-On has been configured, the list of admin passwords should be locked away and used only for recovery purposes. For normal configuration only user accounts from the Kerberos realm should be used to access devices.

We recommend this because it is much easier to change the password of, or delete, a compromised user account on the Kerberos server than to change the local administrator passwords on each device.