Practice of integrating Windows authentication with smart cards

1 Introduction

With the rapid development of information security requirements and technologies, effective, convenient and secure authentication has become a must for many application systems. Authentication is the process of verifying the identity of an entity (user, computer or program). The process determines that an entity is the identity it claims, so that the three principles of confidentiality, integrity, and availability of data security can be properly applied. Integrated enterprise authentication combined with AD (Active Directory) directory services is becoming a popular authentication method in enterprise applications. It provides a method for access control and authentication that includes both single and dual authentication and a combination of the two.

2 Authentication Overview
Traditionally, users only need to provide a network user name and the login password associated with it to pass authentication and access network resources. However, network user names often appear in public information such as business cards and magazine articles, or are easily guessed, so the network password becomes the only security mechanism protecting the company's network.

A single secret (such as a password) can be an effective security control. A long password of more than 10 characters consisting of random letters, numbers and special characters is difficult to crack. Unfortunately, users cannot always remember such passwords, partly because of inherent human limitations. According to research published by George A. Miller in The Psychological Review in 1956, human short-term memory is limited and can hold only 5 to 9 random characters, 7 on average. However, most security guidelines recommend a password of at least eight characters. Since most users cannot remember an eight-character random password, many write the password down on paper or choose easy-to-remember passwords such as "p~sword", which is convenient for themselves but also opens the door to attackers.

Two-factor authentication requires users to present some form of unique token (such as a hardware token or smart card) together with a personal identification number (PIN), which is significantly stronger than a simple user name and password combination. Currently, smart cards with associated PINs are an increasingly popular, reliable and affordable form of two-factor authentication. Their main advantages are:

a. It raises the difficulty for attackers and strengthens the protection of sensitive data. Since smart cards use hard-to-forge digital certificates as login credentials, an attacker must both steal the smart card and obtain the PIN to log in to the network.
b. It reduces the possibility of repudiation. Since the smart card identifies the true identity of the logged-in user, an individual's ability to deny responsibility for an action is reduced, and the credibility of the audit log is improved.

3 Integrated Windows authentication
Integrated Windows authentication using smart cards is a typical form of two-factor authentication. Implementing it involves several key steps: installing the root certificate, configuring integrated Windows authentication, installing the server certificate and configuring SSL, enabling the directory service mapper, and mapping digital certificates to user accounts.

3.1 Installing a third-party certificate authority (CA) root certificate
If you have a Windows certificate authority in your domain, you do not need to install the CA root certificate, because the root certificate of a Windows CA in the same domain as the client is installed automatically. Likewise, if you use an enterprise CA in your domain, you can skip this section because the enterprise root certificate is already trusted by the system. However, if you choose a commercial CA whose root is not pre-installed, you must install its root certificate to establish the corresponding trust relationship. Only when the root certificate is trusted can a user's digital certificate be verified.

The root certificate of a third-party CA can be added to the "Trusted Root Certification Authorities" store through the Certificates snap-in in the Windows 2003 console. Root certificates that have already been added are listed there, so users should check carefully before installing whether the chosen CA certificate is already present.

3.2 Enabling Integrated Windows Authentication
Integrated Windows authentication (formerly known as NTLM authentication and Windows NT Challenge/Response authentication) can use either NTLM or Kerberos. NTLM is a proprietary Microsoft technology that has been available since its inception; after several updates it is stable and reliable, but it has a fatal flaw: it cannot delegate, meaning that user credentials cannot flow on to remote services (such as SQL Server). Kerberos does not have this problem. It supports delegation in the Windows environment while remaining a stable and secure authentication mechanism, so it is the mechanism we discuss here.

Kerberos requires Microsoft Active Directory in most cases, because Active Directory acts as the Kerberos ticket-granting service (the TGS, which issues tickets based on the user's TGT).

3.3 Installing the server certificate and configuring SSL
The server identity certificate contains the server's information, its public key and the CA's signature, and identifies the certificate-holding server in network communication; the certificate mechanism is used to secure communication with other servers or users. The web server certificate is the digital certificate the web server uses to establish a secure connection with the user's browser. Once configured, the browser client can be required to present a digital certificate: when the connection is established, the web server and the browser exchange certificates, verify each other's identity and establish a secure channel. The web server certificate is installed through the Server Certificate wizard under Secure Communications in the IIS configuration.

After the server certificate is installed, SSL can be configured. SSL ("Secure Sockets Layer") is a set of encryption technologies that provides authentication, confidentiality and data integrity. In the IIS Secure Communications properties we can choose "Accept client certificates" or "Require client certificates". With "Accept client certificates", a client certificate is negotiated with the browser; if that fails, IIS falls back to one of the standard authentication protocols. To select "Require client certificates" you must first select "Require secure channel (SSL)", which means the web site can no longer be accessed over HTTP, only over HTTPS.

3.4 Enabling the Directory Service Mapper
Active Directory is a key component in a smart card deployment. Active Directory in Windows Server 2003 includes built-in support for smart card interactive logon and the ability to map accounts to certificates. This account-to-certificate mapping binds the private key on the smart card to the certificate stored in Active Directory. When smart card credentials are presented at logon, Active Directory must match that particular card to a unique user account.

3.5 Mapping a Certificate to a User Account
Mapping a certificate issued to a user to a user account (that is, creating an association with the account) lets a server application use public key cryptography to verify the identity of the user presenting the certificate. If the user's identity is verified, the user is logged in to that account. The end result is the same as if the user had supplied a user ID and password.

Normally, digital certificates can be mapped to user accounts in two places: in AD or on the IIS server. Each approach has its own advantages and disadvantages, and we can choose whichever mapping path suits us.
In addition, there are two kinds of mapping: one certificate to one user account (one-to-one mapping) or multiple certificates to one user account (many-to-one mapping).

3.5.1 One-to-one mapping
One-to-one mapping maps a single user certificate to a single user account. In practice, each user is issued their own digital certificate, and these user certificates are mapped to the employees' user accounts. This allows a user to connect to the web page from anywhere by presenting their client certificate over SSL (Secure Sockets Layer). The user is then logged in to their own account and normal access control applies.
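As an added example (not from the original article), the following PowerShell script performs the one-to-one mapping of this section on a current Active Directory using the user object's altSecurityIdentities attribute, after first checking the chain-to-trusted-root condition of section 3.1. The ActiveDirectory module (RSAT), the certificate file path and the account name are assumptions.

```powershell
# Added example: bind a user's smart card certificate to exactly one AD account.
# Assumes the ActiveDirectory module (RSAT), a .cer exported from the card, and
# rights to modify the user object. Paths and account names are placeholders.
param(
    [Parameter(Mandatory)] [string] $CertPath,        # e.g. C:\certs\user.cer (placeholder)
    [Parameter(Mandatory)] [string] $SamAccountName   # e.g. jdoe (placeholder)
)
Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Section 3.1: the certificate is only usable if it chains to a root in the
#    machine's Trusted Root store; a certificate from an unknown CA must not be mapped.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate does not chain to a trusted root (status: $status); refusing to map."
}

# 2. Build the AD name-mapping string. AD expects the issuer and subject DNs in
#    reversed (root-first) order: X509:<I>DC=com,DC=example,CN=CA<S>DC=com,...,CN=User
function ConvertTo-ReversedDN([string] $dn) {
    # split only on commas that start a new attribute (keeps escaped "\," inside values)
    $parts = $dn -split ',\s*(?=[A-Z]+=)'
    [array]::Reverse($parts)
    return ($parts -join ',')
}
$mapping = 'X509:<I>{0}<S>{1}' -f (ConvertTo-ReversedDN $cert.Issuer), (ConvertTo-ReversedDN $cert.Subject)

# 3. Keep the mapping one-to-one: the same mapping string must not already be
#    attached to a different account, or two accounts would share one card.
$existing = Get-ADUser -LDAPFilter "(altSecurityIdentities=$mapping)" -Properties altSecurityIdentities
if ($existing -and $existing.SamAccountName -ne $SamAccountName) {
    throw "Mapping already bound to $($existing.SamAccountName); one-to-one mapping would be violated."
}

# 4. Attach the mapping to the account.
Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
Write-Host "Mapped certificate $($cert.Thumbprint) to $SamAccountName as $mapping"
```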

3.5.2 Many-to-one mapping
Many-to-one mapping maps many certificates to a single user account. For example, suppose an agency provides temporary workers for your job vacancies, and you want the agency to view a page listing current vacancies that is otherwise visible only to company employees. The agency has its own certification authority that issues certificates to its employees. After installing the agency CA's root certificate as a trusted root in your company, you can set up a rule that maps all certificates issued by that CA to a single account, and then grant that account access to the web page.

4 Conclusion
Using smart cards for integrated Windows authentication effectively combines single-secret and two-factor authentication techniques, achieving strong authentication and secure communication without secondary development or modification of the application system. At present, the office system of the Qingdao Municipal Government, developed on the Microsoft .NET platform, uses Active Directory to store and manage user information and to control access rights. Combined with digital certificates from Shandong CA, users can log in to the office system with a smart card, perform identity verification and digital signing, and thereby improve the security of the system.
