Reference8:Delegated Authentication

From innovaphone wiki
Revision as of 11:55, 29 October 2009 by Msc (talk | contribs) (→‎Logging in)
Jump to navigation Jump to search
There are also other versions of this article available: Reference8 (this version) | Reference10

Applies to

All devices with firmware version 8 and later.


Each device has its own administrator/viewer accounts.

In version 8 and later a single device can act as an authentication server for the rest of the devices. User accounts that are managed on the authentication server can be used to login on each device in the installation. You can also configure devices to accept user accounts from a PBX or a Windows domain.

How it works

Version 8 devices can use Kerberos to authenticate users that are not managed locally but on a remote Kerberos server.


A Kerberos server manages users and services for a realm that is specified by a distinct name. It shares a secret password with each user and each service. Users can obtain a ticket for a service from the Kerberos server if they proove that they know their own password. Services can then authenticate users by validating tickets instead of passwords. Therefore many devices can be accessed using the same user credentials but only the Kerberos server and the user have to know it.

Logging in

The main idea of how the centralized login process works in version 8 is the following:

Login kerberos basic.png

Please note that delegated authentication works only with HTTPS connections. Using HTTP the boxes accept only local user accounts.

  1. The browser sends user name and password to the box, using HTTPS basic authentication.
  2. The box then uses Kerberos to obtain a ticket on behalf of the user from the Kerberos server for its own web server.

If that was successful the password is valid and the user is authenticated.

Cross realm authentication

Cross-realm authentication means that users from one realm/domain can login to services from another realm/domain. To do so, the realms have to trust each other and have a shared secret password to decrypt ticket from the other realm. The picture shows how cross-realm authentication is used to login with a Windows domain user at an innovaphone box.

Login kerberos basic crossrealm.png

  1. The browser sends user name and password of a Windows domain user to the box, using HTTPS basic authentication.
  2. The box authenticates with the user credentials against the Windows Kerberos server and gets back a ticket-granting ticket.
  3. The box uses the ticket-granting ticket to get a ticket for the innovaphone Kerberos server.
  4. The box uses the cross-realm ticket to obtain a ticket on behalf of the user from the innovaphone Kerberos server for its own web server.

If that was successful the password is valid and the user is authenticated.


Tickets issued by an innovaphone Kerberos server contain some information whether the user is an administrator or a viewer.

Multiple Kerberos servers on a single device

To fit all needs in a hosted PBX scenario V8 gateways are capable of hosting multiple Kerberos servers at a time:

  • a server for each PBX
  • one PBX-independent server


Setting up the Kerberos server

Configuration of the clients is done using the General/Kerberos page from the web administration interface (see Reference8:Configuration/General/Kerberos).

  1. Enter a LDAP password. This password is used to encrypt keys in the LDAP directory of the server.
  2. Configure the name of the realm.

Now the Kerberos server is running. You can now create and manage user accounts.

Also each PBX has got a Kerberos server. It is configured using the PBX/Security page (see Reference8:Administration/PBX/Security).

Setting up the client devices

Configuration of the clients is done using the General/Admin page from the web administration interface (see Reference8:Configuration/General/Admin).

Note: The box that hosts the Kerberos server might also be a client device and have to join the realm.

  1. Configure the Server Locations of the Kerberos servers of all involved realms. Don't forget servers that are needed for cross-realm authentication.
  2. Join the desired Kerberos realm. You will need administrator credentials from that realm in order to do that.

Now the device can authenticate users from the realm for HTTPS connections. You can deactivate the local user accounts on the device, if needed.

Setting up cross-realm authentication

  1. On the server device, specify the Trusted Realms, the corresponding passwords and the methods of authorization mapping.
  2. Configure the Server Location on each client device.

There are different methods of mapping authorization between realm:

  • keep (works only with innovaphone servers)
  • Grant administrator access to all users
  • Grant viewer access to all users
  • Map the Windows domain group membership from the ticket to administrator or viewer rights

If you use the latter, please specify the RID of the groups that shall have administrator or viewer rights, respectively.

Please note that only global Windows groups work with Kerberos authentication. Nested groups are not supported.

Determining the RID of a Windows domain group

The RID (relative ID) of a Windows domain group is the last numeric part of the domain group SID (secure ID).

The easiest way to determine it for a group you are a member of is using the following command:

   whoami /groups /sid
   [Group  1] = "DOMAIN\Domain-Users"  S-1-5-21-854245398-616249376-725345543-513
   [Group  2] = "DOMAIN\Admins"  S-1-5-21-854245398-616249376-725345543-1180

In this example the RID for DOMAIN\Domain-Users is 513 and the RID for DOMAIN\Admins is 1180.

Using it

Logging in with the web browser

Kerberos users are only accepted on HTTPS connections. To distinguish between local users and users of a Kerberos realm, the name of the realm has to be prepended to the user name, separated by a backslash (\). Alternatively you can prepend the realm to the user name separated by an at (@).


  • Local user: admin
  • Remote user: REALM\username or username@REALM

Security considerations


As HTTP basic authentication transmits plaintext passwords, the use of HTTPS is mandatory. Using HTTP connections you can only authenticate with local user accounts from the device.

Use local users only for recovery purposes

Although the old local user accounts of devices can still be used to login, this should not be done.

We recommend to choose a different secure administrator password for each device. After Single Sign-On has been configured, the list of admin passwords should be locked away and used only for recovery purposes. For normal configuration only user accounts from the Kerberos realm should be used to access devices.

We recommend that because it is much easier to change the password of or delete a compromised user account on the Kerberos server than changing the local administrator passwords on each device.