User authentication configuration, Details, Smb authentication – AASTRA BluStar 8000i BAS-Mode Administrator Guides EN User Manual
Page 159
User Authentication Configuration
41-001391-00 Rev 03 – 04.2012
12-7
User Authentication Configuration
Overview
The system can validate some users using the local database (i.e., the DB stored on the BluStar Application Server), and
other users using the SMB (Windows domain) authentication system. If either of these matches, a password / username
combination is accepted. If for a specific username the entries in the BluStar DB, and/or the SMB DB have different pass-
words, either of the passwords can be entered to authenticate that user.
Details
The following process is followed to authenticate users:
SMB Authentication
The Server Message Block (SMB) protocol is used to access Windows file servers. Using SMB authentication, the usernames
and passwords can be validated against the values stored in a Windows NT/2000/XP or compatible server or domain user
account database. If this authentication method is to be used, the method should be enabled using the checkbox, and the
SMB Domain name and the IP address of any platform (workstation or server) that is a member of the domain should be
specified. This need not be the domain controller – any workstation can act as an authentication “proxy”. The BluStar
Application Server will attempt to list the available shares (i.e., shared directories) on the specified Windows (or other SMB)
Server.
Note:
The BluStar database password should be left blank if only external systems are to be used. In future versions of the
BluStar software, a password source will have to be specified per user.
1.
The terminal user interface prompts for a username and password.
2.
The terminal sends the username and password to the configured Primary BluStar Application Server over an encrypted
connection using the HTTPS (SSL encrypted HTTP) protocol.
3.
The web server on the Primary BluStar Application Server accepts the password and invokes the password validation
module. The Apache webserver and its SSL security module (mod_ssl) must therefore be configured, enabled, and
running, for terminals to be able to log in.
4.
The password validation module verifies the password using the following procedure:
a)
Accept a password equal to the user name (or the part before the first “.” or space in the user name) when the server
is in testing mode (see the “advanced” section below for more details on testing mode).
b)
Otherwise, attempt to validate the password using the local BluStar database. (Passwords are stored in hashed (hex
MD5) format in the database.)
c)
Otherwise, attempt to validate the password using a SMB server (if SMB authentication is enabled).
d)
Otherwise, fail.
Notes:
• Ensure that all the users to be validated have rights to list shares on the server. (For normal network configurations,
this should be the case.)
• Configure the Windows (or other SMB) authentication server to require a username and password before listing the
available shares on the server. Ensure that the authentication server does not have a guest account.
• Ensure that the Windows (or other SMB) authentication server does not have a guest account. The presence of a
guest account may allow users without valid accounts to list shares, thereby permitting BluStar users to log in with
any password.