The very first NIM password prompt -- customer feedback needed.

Jeffrey Altman jaltman at secure-endpoints.com
Tue Sep 25 15:40:30 EDT 2007


Sam Hartman wrote:
> Jeff, what we're trying to do here is determine what customers want.
> In particular we're trying to determine how likely it is that the
> windows username will match the kerberos username in cases where the
> NIM credentials dialogue is used.  In particular I'd like to exclude
> cases where MSLSA is used.
Most sites synchronize the user name space between the Windows domains
and the UNIX realms.  At least for centralized resources.  In
corporations this is almost always the case.  The only places where I
have seen differences are the result of mergers.

For academic institutions, the centralized Windows domains and the
centralized UNIX realms also have synchronized name spaces.  This is
often true at the school and department level when both infrastructures
are in place.

At the government sites where there are two disjoint namespaces, the
HSPD-12 initiatives are forcing organizations to either migrate to a
common name space or abandon all but one of the authentication
infrastructures.  This in many cases results in Active Directory being
the one and only authentication database.

Single Sign-on for Windows users is a significant requirement at most
organizations.  Users log on with their username and password, use
kfwlogon.dll to obtain Kerberos credentials for the UNIX realm, and then
use NIM to obtain the additional credentials for AFS, KCA, etc.

At academic institutions, users with personal machines are encouraged to
use the same login name as is used in the centralized authentication
infrastructure to ease access to network resources.

Most organizations have market-speak for the organization's
Identification system.  This marketing name is used because the users
are expected to use this common ID name and their associated credentials
through a variety of authentication interfaces.  Whether it be with KFW,
or Windows logon, or a Web Authentication system, or an e-mail
authentication, or the VPN authentication, etc.  It is unimportant to
the user that the authentication is being performed using the Kerberos
protocol.  Instead what users are told is to open Leash or open NIM and
enter their *market-speak* Username and Password.  The same directions
are given for the VPN client, the web mail client, etc.

In many cases the *market-speak* name precedes the use of Kerberos at
the institution.

"Kerberos" is a technical term that has little meaning to the end user.
It really is irrelevant to their lives.

Some market-speak names include SUNet ID, Andrew ID, Athena ID, etc.
Almost every organization of significant size has one.

Note that changing the dialog to prompt for SUNet ID at Stanford would
not provide correct behavior because although the software is
distributed centrally by Stanford, many of the User IDs that users
obtain are for realms or domains that are not part of SUNet.  For
example, students or faculty that perform research at SLAC or access
research resources at other universities with which there are
partnership relationships.

Jeffrey Altman
Secure Endpoints Inc.
