When the User Logs In: The NetWare 4 Authentication Process
01 Jun 1996
The first step to authenticating in a NetWare 4.1 environment is the identification phase, also known as the login phase. When a client first logs in to a NetWare 4.1 server, it must establish its identity with the server and then proceed through the authentication phase. This is accomplished by the client broadcasting a Service Request, with broadcast type 0x0278 if a preferred tree is set, or broadcast type 0x0004 if a preferred server is set.
A server or router that receives this request replies with a response. The client software examines the responses and accepts the first one that matches the tree or server being sought. This gives the client a connection with which to begin tree walking (the resolve-name operation). NDS then searches the tree to find a writeable replica holding the user's object.
The following steps then occur during the login and authentication phases:
1. Once a writeable replica containing the User object is found, the user is prompted for a name and password.
2. After successfully proving knowledge of the password, the client receives its encrypted private key from the server.
3. The private key of the client is used to generate a signature.
4. The public key of the client is used to generate a credential.
5. The signature and credential are used to build a proof that is used later in this sequence.
6. The public key attribute of the server is read by the requesting client.
7. The proof previously generated is encrypted with the server's public key and sent to the server.
8. The server decrypts the proof with its own private key.
9. The server verifies the proof through a mathematical computation involving the client's public key and the client key stored on the server.
10. If the proof is correct, authentication is successful.
11. The finished authentication request then calls Directory Services for the user's security equivalence vector.
12. The login process is then passed back to Directory Services to execute the applicable login script and apply NDS access controls.
(For more information on user login and authentication, refer to Novell's October 1994 Application Notes "Identification and Authentication in NetWare 4.")
Keep in mind that the client's password is never transmitted across the wire. Therefore, it is not possible for someone to capture a password packet on the wire. In addition, the authentication data is valid only during the current login session. If a user terminates the session and then reconnects, the authentication process is repeated.
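The login and authentication sequence above, modelled end to end as an added example that is not Novell's code: toy textbook RSA with tiny constructed keys, a hash-derived password key, a keyed nonce response for the password step, and a constructed user record stand in for the real NDS algorithms, and every function and variable name is this example's own. It shows the two points the steps make: the password itself never crosses the wire, and the server verifies the proof with the client public key it already holds.

```python
import hashlib
import hmac
import secrets

def rsa_keypair(p, q, e=17):
    """Toy textbook RSA keypair from two small primes (constructed for this example only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def pw_key(password):
    """Key derived from the password on the client; the password itself never leaves it."""
    return hashlib.sha256(b"demo-salt|" + password.encode()).digest()

def xor_wrap(key, data):
    """Toy wrapping of the client's private exponent (stand-in for a real cipher)."""
    ks = hashlib.sha256(key).digest()
    return bytes(b ^ ks[i % 32] for i, b in enumerate(data))

def enrol(password, client_pub, client_priv):
    """What the server stores per user: public key, wrapped private key, password verifier."""
    k = pw_key(password)
    return {"pub": client_pub, "wrapped": xor_wrap(k, client_priv[0].to_bytes(4, "big")),
            "verifier": hashlib.sha256(b"verifier|" + k).digest()}

def login_and_authenticate(password, user, server_pub, server_priv, record):
    """Run both sides of the exchange; True when the server accepts the client's proof."""
    # Identification: the client proves knowledge of the password by answering a nonce
    # with a keyed hash; the server holds only the verifier, not the password-derived key.
    nonce = secrets.token_bytes(16)                                   # server -> client
    k = pw_key(password)
    verifier = hashlib.sha256(b"verifier|" + k).digest()
    answer = hmac.new(verifier, nonce, "sha256").digest()             # client -> server
    if not hmac.compare_digest(answer, hmac.new(record["verifier"], nonce, "sha256").digest()):
        return False                                   # wrong password: nothing released
    # Server releases the wrapped private key; only the client's derived key unwraps it.
    d = int.from_bytes(xor_wrap(k, record["wrapped"]), "big")
    e_c, n_c = record["pub"]
    # Credential (identity plus session tag) and a signature over it with the private key.
    credential = int.from_bytes(hashlib.sha256(f"{user}|session-1".encode()).digest(), "big") % n_c
    signature = pow(credential, d, n_c)
    # Proof encrypted to the server's public key; the server decrypts with its private key.
    e_s, n_s = server_pub                               # requires n_s > n_c for the toy RSA
    proof = [pow(x, e_s, n_s) for x in (credential, signature)]      # client -> server
    cred_rx, sig_rx = (pow(x, server_priv[0], n_s) for x in proof)
    # Verification: the server checks the signature with the client public key it stores.
    return pow(sig_rx, e_c, n_c) == cred_rx
CLIENT_PUB, CLIENT_PRIV = rsa_keypair(61, 53)   # n = 3233, d = 2753 (constructed)
SERVER_PUB, SERVER_PRIV = rsa_keypair(71, 67)   # n = 4757 (constructed)
RECORD = enrol("hunter2", CLIENT_PUB, CLIENT_PRIV)
```

Only the nonce, the keyed answer, the wrapped key and the encrypted proof ever travel between the two sides; the password and the unwrapped private key stay on the client.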
Another feature, known as Packet Signature, requires each packet to have a valid signature in order to be executed by the server. Packet signing makes it far more difficult for someone to forge NCP packets and send them on to the server for processing. [Enabling Packet Signature causes a performance hit, so you must weigh your security and performance needs.]
During the initial login process a NetWare client will identify a hosting server. Although the login process in NetWare 4.1 is performed only once, the authentication process may occur throughout the entire session in order to enable services from other servers.
Background authentication is the ongoing identification process that occurs after the initial login. If a connection needs to be made to other network services, authentication is done through background authentication. This is possible because NetWare 4.1 servers can verify the proof provided by the client using the client's public key, without additional user intervention. A server making a request of another server is also considered a client. Keep in mind that the proof is constructed at the client using the signature, credential, and public key.
When a user logs out of the network, the NetWare 4.1 license manager is notified and makes the license available to any other validated user needing a license. The logout includes destroying the service connection to all but one server along with all bindings that were part of the user connection. The authentication data is also destroyed on the workstation at logout.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.