Authentication is the mechanism that verifies that an individual is who they claim to be. Verification is based on 1) something known (password); 2) something carried (smart card); or 3) something the individual is (biometrics). The UI Enterprise Authentication infrastructure provides a fully integrated method for verifying the identity of all persons in the university community. As such, it is an enabler for institutional and collegiate services and is essential to campus IT security. Enterprise level directories – Enterprise Directory Services and Active Directory – provide the authentication infrastructure to improve the user and IT provider experience. Data in the authentication directory is fed from authoritative sources, making the data dependable and available for decisions. Central, uniform authentication makes the login process simpler for the user. It allows the provider to concentrate on the specifics of their service. Enterprise authentication offers opportunities for services beyond the campus boundaries where appropriate for student recruiting, patient care or alumni relationship services.
Enterprise Authentication is the service defined herein.
Enterprise Service is a service, such as e-mail or calendar, supported by any campus IT provider, that relies on the entire multi-domain enterprise authentication infrastructure to authenticate its users.
Local Service is a service, supported by any campus IT provider, that authenticates its user base to a subset of domains in the forest, or to a local accounts database.
Enterprise Directory Service (EDS) is an authoritative source for institutional data such as IDs, e-mail, service eligibility indicators, and other derived attributes. EDS consolidates identity information for support of enterprise authentication.
Microsoft Active Directory (AD) is a directory that supports Windows services. AD is Microsoft’s implementation of an LDAP directory with a number of enhancements for Kerberos support and workstation management.
Campus Active Directory uiowa.edu Forest is the shared services forest, sponsored by a partnership of ITS and HCIS, that provides the infrastructure for campus Windows servers and workstations connected to the campus network. Active Directory is the current campus production authentication engine.
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications using secret-key cryptography: a client can prove its identity to a server (and vice versa) across an insecure network connection without ever sending its password over that connection. AD is a Kerberos implementation in which every domain controller runs a Key Distribution Center (KDC), and the boundaries of a domain are the boundaries of a Kerberos realm. The terms Active Directory domain and Kerberos realm are synonymous in this context.
Hawk ID is the campus-wide standard for a unique login identifier (ID) for each person in the UI community. This Hawk ID, therefore, is the account ID used in the enterprise authentication service.
Hawk ID Password is the password associated with the Hawk ID in the enterprise authentication service.
Local Service ID is the service-specific login ID for a service not yet enabled to use enterprise authentication. Service providers are encouraged to use the Hawk ID as this local service ID.
Local Service Password is the service-specific password for a locally-authenticated service. If there are security issues in the local service, such as use of clear-text passwords, the local service password should not be synchronized with the Hawk ID password.
The Enterprise Authentication infrastructure provides a fully integrated method for verifying the electronic identity of all persons in the university community. As such, it is an enabler for institutional and collegiate services and is essential to campus IT security.
Developed through an enterprise-wide initiative, the Campus Active Directory Forest provides the account database for the production authentication service. Use of the forest for enterprise authentication is native for AD-enabled services. Several authentication protocols, such as NTLM, Kerberos, RADIUS, or LDAP, can be used to authenticate users across the multiple domains of the forest.
The fundamental underlying premise to the Enterprise Authentication Service is that there is a single unique account ID per person in the forest. That is, a person’s Hawk ID will appear in one and only one domain in the forest. This guarantees the uniqueness of the enterprise Hawk ID and Hawk ID password pair. And, in accordance with the “Enterprise Login ID Standard” policy, the account IDs in all domains of the Campus Forest will be maintained in sync with the Enterprise Directory Hawk ID assignment.
The domain administrators of each domain in the forest are committed to maintaining accounts for the persons for whom they have responsibility, in support of the enterprise authentication requirements identified by campus IT service providers.
Services using enterprise authentication are responsible for the longevity of the Hawk ID.
Enterprise Directory Service
The Enterprise Directory Service is the authoritative source for assignment and maintenance of Hawk IDs used in deployment of campus services. As a repository for key personal and application attributes from authoritative institutional sources, the directory service acts as a centralized accessible source of business rules that determine institutional roles. Domain assignments are based on current roles.
Hawk ID and Hawk ID Password
The Hawk ID is the account ID used in the enterprise authentication service. The associated password is the Hawk ID Password.
For service environments that are not able to fully utilize the enterprise authentication service, the IT provider is encouraged to use the Hawk ID as the service login ID. The associated password should be referred to as a service-specific password.
Non-Windows (Kerberos Realm) Authentication
When multiple-domain authentication is not possible, a single Active Directory domain, acting as a Kerberos realm, can provide the authentication account base for non-Windows-based services. IT providers utilizing single-domain authentication should select the domain that best supports their service user base. If all users are not in a single domain, local authentication must be used in conjunction with the Kerberos realm authentication.
Services that cannot use multiple-domain or Kerberos authentication must rely on local authentication until such time as the service can use Active Directory based authentication.
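The exchange behind the Kerberos definition above, and behind realm authentication for a non-Windows service as described in this section, as an added toy model (not university code and not a real Kerberos implementation): one KDC per realm holding every principal's long-term key, a ticket-granting ticket, a service ticket sealed under the service's own key, and a mutual-authentication reply. The realm name "HAWK-A.EXAMPLE", the principals "jdoe", "calendar" and "mail", the password and the ticket lifetime are constructed, and the HMAC-SHA256 keystream-plus-MAC construction stands in for a Kerberos encryption type.

```python
# Toy model of the three Kerberos exchanges (AS, TGS, AP) within one realm. Added for this
# page, not University of Iowa code: the realm "HAWK-A.EXAMPLE", principals, passwords and
# lifetimes are constructed, and the HMAC keystream/MAC below stands in for a real enctype.
import hashlib
import hmac
import json
import secrets
import time

TICKET_LIFETIME = 8 * 3600  # seconds; assumed value, not the campus setting
CLOCK_SKEW = 300            # authenticators older than 5 minutes are rejected

def password_key(password: str, principal: str) -> bytes:
    """String-to-key: the long-term key both the principal and its KDC derive from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a message under a key the two parties already share."""
    nonce, plain = secrets.token_bytes(16), json.dumps(msg).encode()
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC, then decrypt; a wrong key (wrong password or wrong service) raises ValueError."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))

def check_authenticator(ticket: dict, authenticator: bytes) -> dict:
    """TGS and services alike: unexpired ticket; authenticator sealed with the ticket's session key, same client, fresh."""
    if time.time() > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if auth["client"] != ticket["client"] or abs(time.time() - auth["time"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match the ticket or is stale")
    return auth

class KDC:
    """One KDC per realm (one AD domain): it holds the long-term key of every principal in that realm."""
    def __init__(self, realm: str, principals: dict):
        self.realm, self.keys = realm, dict(principals)
        self.tgs_key = secrets.token_bytes(32)  # key of krbtgt/REALM; never leaves the KDC

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: TGT sealed under the krbtgt key, session key sealed under the client's key."""
        if client not in self.keys:
            raise KeyError(f"{client}@{self.realm}: no such principal in this realm")
        session = secrets.token_hex(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session, "expires": time.time() + TICKET_LIFETIME})
        return tgt, seal(self.keys[client], {"key": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: verify TGT and authenticator, issue a ticket sealed under the service's key."""
        t = unseal(self.tgs_key, tgt)
        check_authenticator(t, authenticator)
        svc_session = secrets.token_hex(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session,
                                           "expires": time.time() + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session})

def client_ap_req(kdc: KDC, client: str, password: str, service: str):
    """Client side of AS and TGS; returns the AP-REQ (ticket, authenticator), the service session key
    and the timestamp the client expects echoed back in the AP-REP."""
    tgt, enc_session = kdc.as_exchange(client)
    session = bytes.fromhex(unseal(password_key(password, client), enc_session)["key"])  # wrong password fails here
    now = time.time()
    ticket, enc_svc = kdc.tgs_exchange(tgt, seal(session, {"client": client, "time": now}), service)
    svc_session = bytes.fromhex(unseal(session, enc_svc)["key"])
    return ticket, seal(svc_session, {"client": client, "time": now}), svc_session, now

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes):
    """AP-REQ/AP-REP at the service: only its own key opens the ticket, so the client name inside is
    trusted; the AP-REP proves to the client that the service holds the session key (mutual auth)."""
    t = unseal(service_key, ticket)
    auth = check_authenticator(t, authenticator)
    return t["client"], seal(bytes.fromhex(t["key"]), {"time": auth["time"]})

def login(password: str, service: str = "calendar") -> tuple:
    """Whole flow in a constructed realm; returns (identity the calendar service saw, mutual auth ok)."""
    svc_keys = {"calendar": secrets.token_bytes(32), "mail": secrets.token_bytes(32)}
    kdc = KDC("HAWK-A.EXAMPLE", {"jdoe": password_key("correct horse", "jdoe"), **svc_keys})
    ticket, auth, svc_session, sent = client_ap_req(kdc, "jdoe", password, service)
    seen_as, ap_rep = service_accept(svc_keys["calendar"], ticket, auth)  # always the calendar service's key
    return seen_as, unseal(svc_session, ap_rep)["time"] == sent

def login_ok(password: str, service: str = "calendar") -> bool:
    """True only when the AP exchange completes; a wrong password, or a ticket issued for the mail
    service presented to the calendar service, both fail at a MAC check."""
    try:
        return login(password, service) == ("jdoe", True)
    except ValueError:
        return False
```

Two properties of the model match what the policy relies on. The password never crosses the network: a wrong password is detected on the client when the AS-REP cannot be opened, and the service only ever sees a ticket it can open with its own key, so the identity inside is the KDC's assertion rather than the client's claim. And the KDC serves one realm: a service registered in another domain would have to be reached through a cross-realm referral, which this toy omits and which is why the section above sends providers with users in several domains to local authentication alongside the realm.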
Clear-Text and Encrypted Passwords
The enterprise authentication service is intended for use by campus services that protect the password in transit (encrypted password streams). Legacy applications that send clear-text passwords should be evaluated for risk, and the owners of systems and applications that use clear-text passwords should consider upgrades that encrypt the password in transit.
Service owners are responsible for educating their users about the importance of protecting their enterprise password, which means using an alternate password, where possible, for services that are not integrated and that send clear-text passwords.
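To make concrete what a clear-text password stream gives away, here is an added example (not part of this policy and not from any university system) that encodes an LDAPv3 simple bind the way a client sends it to port 389, parses it back from the raw bytes, and flags captured binds whose password was readable. Anyone on the network path can do the same, which is why an unprotected simple bind must not carry the Hawk ID password. The DN, password and capture records are constructed; a simple bind inside LDAPS or StartTLS, or a SASL GSSAPI (Kerberos) bind, does not expose the password this way.

```python
# Minimal BER encoder/decoder for an LDAPv3 simple BindRequest (RFC 4511). Added for this page,
# not university code: the DN, password and capture records are constructed, and only the fields
# a bind needs are handled (messageID kept below 128 so one INTEGER byte suffices).

def _ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content

def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER (3), name OCTET STRING, simple [0] OCTET STRING }"""
    if not 0 <= message_id < 128:
        raise ValueError("example encoder only handles single-byte message IDs")
    bind = _tlv(0x60, _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                              # long-form length
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(packet: bytes):
    """Return (message_id, dn, password) for a simple bind; None for any other or malformed LDAP message."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        _, mid, pos = _read_tlv(msg, 0)
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                           # not a BindRequest (e.g. 0x63 is a SearchRequest)
            return None
        _, _version, pos = _read_tlv(op, 0)
        _, dn, pos = _read_tlv(op, pos)
        auth_tag, cred, _ = _read_tlv(op, pos)
        if auth_tag != 0x80:                      # sasl [3] is 0xA3, e.g. GSSAPI/Kerberos: no password here
            return None
        return int.from_bytes(mid, "big"), dn.decode(), cred.decode()
    except (IndexError, ValueError, UnicodeDecodeError):
        return None

def exposed_credentials(captures: list) -> list:
    """Binds whose password crossed the wire readable: simple binds not wrapped in TLS (LDAPS or StartTLS)."""
    leaks = []
    for c in captures:
        if c["tls"]:
            continue                              # TLS record bytes; the bind is inside the ciphertext
        bind = parse_simple_bind(c["payload"])
        if bind is not None:
            leaks.append((c["dst_port"], bind[1], bind[2]))
    return leaks

DN_JDOE = "cn=jdoe,ou=people,dc=example,dc=edu"  # constructed
SAMPLE_CAPTURES = [                               # constructed capture records
    {"dst_port": 389, "tls": False, "payload": encode_simple_bind(1, DN_JDOE, "Hawk-ID-Secret-1")},
    {"dst_port": 389, "tls": False, "payload": _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x63, b""))},  # a search, not a bind
    {"dst_port": 636, "tls": True, "payload": b"\x17\x03\x03\x00\x40" + bytes(64)},  # an LDAPS application-data record
]
```

The parser is deliberately narrow (one bind per packet, no multi-byte message IDs, no SASL decoding); the point is the third capture: whether port 389 is "encrypted" depends entirely on whether the client negotiated StartTLS before binding, so a review of a legacy service should look at what the client actually sends, not at the port number.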
Future Campus Software Acquisitions, Development
Future software deployments must include these considerations:
- Support for secure authentication.
- Interoperability with Active Directory.
- Support for login IDs consistent with the “Enterprise Login ID Standard.”
Resource or Service ID Authentication
Local domain resource or service IDs (IDs created for applications or testing, and departmental or generic-use IDs such as those assigned to web site and e-mail services) may exist in Active Directory without a corresponding entry in the Enterprise Directory Service.
Resource IDs that are used to authenticate to enterprise services must not collide with existing Hawk IDs and therefore must be registered within the Enterprise Directory Service. Domain-specific test IDs with local impact only should be created in accordance with the service ID naming conventions (see "Enterprise Login ID Standard").
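The single-account-per-forest premise stated earlier (a Hawk ID appears in exactly one domain, the one the Enterprise Directory assigned) and the resource-ID rule above both reduce to comparisons between the Enterprise Directory assignment and the accounts actually present in each domain. The audit below, added here and not university tooling, runs those comparisons over a constructed EDS export and constructed per-domain account lists; the domain names HAWK-A and HAWK-B and every account name are assumed.

```python
# Forest-wide login-ID audit against the Enterprise Directory assignment. Added for this page,
# not university tooling: the EDS export and per-domain account lists below are constructed and
# the domain names HAWK-A and HAWK-B are assumed.

def _norm(name: str) -> str:
    return name.strip().lower()        # sAMAccountName matching is case-insensitive

def audit(eds: dict, forest: dict) -> list:
    """eds: {hawk_id: assigned_domain}; forest: {domain: [sAMAccountName, ...]}.
    Returns (kind, id, detail) findings:
      duplicate     the ID exists in more than one domain (breaks the one-domain-per-ID premise)
      misplaced     a Hawk ID lives in a domain other than the one EDS assigned
      missing       a Hawk ID assigned in EDS is provisioned in no domain
      unregistered  an AD account with no EDS entry: fine as a local-only resource or test ID, but it
                    must be registered before it authenticates to an enterprise service
    """
    assigned = {_norm(k): v for k, v in eds.items()}
    where = {}                                   # id -> set of domains holding an account with that name
    for domain, accounts in forest.items():
        for acct in accounts:
            where.setdefault(_norm(acct), set()).add(domain)
    findings = []
    for acct, domains in sorted(where.items()):
        found = ", ".join(sorted(domains))
        if len(domains) > 1:
            findings.append(("duplicate", acct, found))
        if acct not in assigned:
            findings.append(("unregistered", acct, found))
        elif assigned[acct] not in domains:
            findings.append(("misplaced", acct, f"expected {assigned[acct]}, found {found}"))
    for hawk_id, domain in sorted(assigned.items()):
        if hawk_id not in where:
            findings.append(("missing", hawk_id, f"assigned to {domain}"))
    return findings

SAMPLE_EDS = {"jdoe": "HAWK-A", "asmith": "HAWK-B", "rlee": "HAWK-B", "mchen": "HAWK-A",
              "svc-webcal": "HAWK-A"}            # a registered service ID used with enterprise services
SAMPLE_FOREST = {
    "HAWK-A": ["jdoe", "svc-webcal", "tst-lab01", "Asmith", "rlee"],  # Asmith: local copy colliding with a Hawk ID
    "HAWK-B": ["asmith", "JDoe", "svc-mail"],                         # JDoe: same person provisioned twice
}
```

Matching is case-insensitive because AD treats sAMAccountName that way: a test account "Asmith" in one domain is the same login ID as the Hawk ID "asmith" in another, and a service that authenticates across the forest could resolve either one. An "unregistered" finding is not itself a violation, since local-only resource and test IDs are permitted, but it is the list to check before any of those IDs is pointed at an enterprise service.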
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy. They are incorporated into the University of Iowa Operations Manual (http://opsmanual.uiowa.edu) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources).
- Enterprise Active Directory Policy
- Enterprise Password Policy
- Enterprise Login ID Standard
- Domain Assignment / Active Directory Account Management
Nothing in this policy is intended to be in violation of FERPA or HIPAA requirements.