• Web Service (Apache via the SPNEGO Simple and Protected GSS-API Negotiation Mechanism protocol)
• Xgrid
• Storing passwords in user accounts. This approach might be useful when migrating user accounts from earlier server versions. However, this approach may not support clients that require network-secure authentication protocols, such as APOP.
• Non-Apple LDAPv3 authentication. This approach is available for environments that have LDAPv3 servers set up to authenticate users.
• RADIUS (an authentication protocol for controlling network access by clients in mobile or fixed configurations). For more information about RADIUS in Mac OS X Server, see the online help and Mac OS X Server Resources website at www.apple.com/server/macosx/resources/.
Single Sign-On
Mac OS X Server uses Kerberos for single sign-on authentication, which relieves users from entering a user name and password separately for every service. With single sign-on, a user always enters a user name and password in the login window. Thereafter, the user does not need to enter a name and password for Apple file service, mail service, or other services that use Kerberos authentication.
To use single sign-on, users and services must be Kerberized—configured for Kerberos authentication—and must use the same Kerberos Key Distribution Center (KDC) server.
User accounts that reside in an LDAP directory of Mac OS X Server and have a password type of Open Directory use the server’s built-in KDC. These user accounts are configured for Kerberos and single sign-on.
This server’s Kerberized services also use the server’s built-in KDC and are configured for single sign-on. This Mac OS X Server KDC can also authenticate users for services provided by other servers. Having additional servers with Mac OS X Server use the Mac OS X Server KDC requires minimal configuration.
Kerberos was developed at MIT to provide secure authentication and communication
over open networks like the Internet. Kerberos provides proof of identity for two
parties. It enables you to prove who you are to network services you want to use.
It also proves to your applications that network services are genuine, not spoofed.
Like other authentication systems, Kerberos does not provide authorization. Each
network service determines for itself what it will allow you to do based on your proven
identity.
Kerberos allows a client and a server to unambiguously identify each other much
more securely than the typical challenge-response password authentication methods
traditionally deployed.
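The single sign-on flow and the authentication-versus-authorization split described above, as an added example that is not part of Apple's documentation or of Mac OS X Server: a Python model of the Kerberos exchanges (login-window AS exchange, TGT-based service ticket request, service-side AP exchange with mutual authentication, then a separate per-service ACL decision). The toy cipher stands in for Kerberos encryption types and is not real Kerberos cryptography; the principal names, keys and ACL are constructed.

```python
# Added example, not Apple's code: toy model of Kerberos single sign-on (constructed principals/ACL).
import hashlib, hmac, json, os

def toy_seal(key, obj):
    """Toy authenticated encryption (SHA-256 keystream XOR + HMAC tag); NOT Kerberos crypto."""
    nonce, data = os.urandom(8), json.dumps(obj).encode()
    stream = hashlib.sha256(key + nonce).digest() * (len(data) // 32 + 1)
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def toy_open(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("ticket not issued under this key")
    stream = hashlib.sha256(key + nonce).digest() * (len(ct) // 32 + 1)
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

# Long-term keys the KDC holds: a user (password-derived) and two Kerberized services (constructed).
KEYS = {p: hashlib.sha256(p.encode()).digest()
        for p in ("alice", "krbtgt", "afpserver/host", "imap/host")}
ACL = {"afpserver/host": {"alice"}, "imap/host": set()}  # each service authorizes for itself

def kdc_login(user):
    """AS exchange: the single password entry at the login window yields a TGT."""
    skey = os.urandom(16).hex()
    tgt = toy_seal(KEYS["krbtgt"], {"client": user, "skey": skey}).hex()
    return toy_seal(KEYS[user], {"skey": skey, "tgt": tgt})  # only the user's key opens this

def kdc_service_ticket(tgt_hex, service):
    """TGS exchange: the TGT, not the password, buys a ticket for any Kerberized service."""
    t = toy_open(KEYS["krbtgt"], bytes.fromhex(tgt_hex))
    skey = os.urandom(16).hex()
    ticket = toy_seal(KEYS[service], {"client": t["client"], "skey": skey}).hex()
    return {"service": service, "skey": skey, "ticket": ticket}

def service_accept(service, ticket_hex, authenticator):
    """AP exchange, service side: authenticate the client, prove itself back, then authorize."""
    t = toy_open(KEYS[service], bytes.fromhex(ticket_hex))   # only this service's key opens it
    auth = toy_open(bytes.fromhex(t["skey"]), authenticator)  # client must hold the session key
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    ap_rep = toy_seal(bytes.fromhex(t["skey"]), {"ts": auth["ts"]})  # a spoofed service cannot build this
    return t["client"], t["client"] in ACL[service], ap_rep  # proven identity, ACL decision, AP-REP

def single_sign_on(user, services):
    """Enter the password once; then reach each service without re-entering it."""
    creds = toy_open(KEYS[user], kdc_login(user))  # the login-window step
    results = {}
    for svc in services:
        st = kdc_service_ticket(creds["tgt"], svc)
        authenticator = toy_seal(bytes.fromhex(st["skey"]), {"client": user, "ts": 1})  # fixed toy timestamp
        who, allowed, ap_rep = service_accept(svc, st["ticket"], authenticator)
        toy_open(bytes.fromhex(st["skey"]), ap_rep)  # client checks the service is genuine
        results[svc] = (who, allowed)
    return results
```

Both services accept alice's identity from the same login, yet only the file service authorizes her, which is the page's point that Kerberos proves identity and leaves the decision to each service.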
58 Chapter 4 Enhancing Security