Stanford Desktop Tools
Making the Move from MacLeland and PC-Leland to Stanford Desktop Tools
Ammy Hill, IT Services
23 February 2007
Tech Briefing, Turing Auditorium

Short History of PC-Leland & MacLeland
• PC- and MacLeland Were Developed at Stanford
  • To support the use of Stanford’s eccentric Kerberos authentication infrastructure in the early days of Windows and Mac OS
  • User authentication for client software like Eudora or Samson
  • User authentication for some web-based services (via S/Ident)
  • To help emphasize the importance of secure computing as part of a memorable user education campaign in the mid-90s
  • To provide other useful features in a single convenient package
  • Secure screen lock
  • POP mail proxy to support Kerberos 4 authentication for email
  • AFS file system mounting (additional software required)
  • GUI for managing Kerberos tickets and issuing AFS commands
  • SUNet ID password change functionality
• No Existing Tools for Mac or PC Then Met Our Needs
Tech Briefing - Stanford Desktop Tools

Why Move Away From PC-/MacLeland?
• If We Build It, We Have to Maintain It
  • Homespun software is expensive to support: minimally customized standards-based open source solutions are a better alternative
• Kerberos Authentication Has Become Widely Used
  • So Microsoft, Apple, other vendors, open source projects, etc., now offer plenty of Kerberos and AFS software that meets our needs
• PC-/MacLeland Features Are No Longer Required
  • Windows and Mac OS X have built-in support for Kerberos
  • Windows and Mac OS now provide easy-to-use secure screen locks
  • The mail proxy is unneeded & shouldn’t be used: KPOP is K4 only
  • Because of a security flaw, S/Ident, which among other things once mimicked “single sign-on” for HTTP sessions, is no longer in use
• Stanford Desktop Tools Updates ESS Software!

Kerberos Authentication at Stanford
• Stanford Is Retiring Its Obsolete K4 Infrastructure
  • As of April 2008 Stanford will be strictly a Kerberos 5 operation
  • SDT, which supports K5 only, is where this infrastructural change meets desktop computing
  • Kerberos, the 3-headed dog from Greek mythology, still has only 3 heads, though…

Stanford Desktop Tools: Installation
• SDT May Be Obtained from the Essential Stanford Software Web Site
  • http://www.stanford.edu/services/ess/pc/sdt.html
  • http://www.stanford.edu/services/ess/mac/sdt.html
• Installing SDT Will Remove Some Older Software
  • Windows: PC-Leland and any old AFS software will be removed
  • Macintosh: MacLeland will be removed
• SDT Requires Oracle Calendar Client Version 10
  • http://calendar.stanford.edu/getting-started-step2.html
• Kerberos for Windows is installed with SDT
  • Samson for Windows, now used only for access to Spires applications and databases, appears to work with KfW, but this configuration isn’t supported

Stanford Desktop Tools: Authentication
• SDT Provides Kerberos 5 Authentication Services
  • Mac OS X (as of 10.2) ships with MIT Kerberos pre-installed
  • SDT configures the Mac’s Kerberos software for use at Stanford
  • The SDT dock icon menu provides easy access to an authentication dialog box and to Kerberos ticket status information
  • Windows’ native Kerberos has to be supplemented
  • The SDT installer also installs MIT Kerberos for Windows, including Network Identity Manager (NIM), and configures it for use at Stanford
  • The SDT system tray icon functions like the Mac’s dock icon
  • SDT allows concurrent user authentication to Stanford’s WIN.STANFORD.EDU and stanford.edu Kerberos realms on machines joined to the Stanford Windows Infrastructure
  • NIM’s “New Credentials” dialog box replaces PC-Leland’s log-on screen
  • MIT Kerberos for Windows shows up as a separate software package in Add/Remove Programs
  • All MIT Kerberos distributions include many useful command line tools

Network Identity Manager Log-on Prompt

Mac Kerberos Authentication Prompt

Stanford Desktop Tools: Software Update
• SDT Keeps Essential Stanford Software Up-to-Date
  • SDT’s Software Update works the same on Mac and Windows
  • You configure SDT to check for updates on a schedule you prefer
  • The default setting is to check once per week at noon
  • You may specify daily, weekly or monthly checks at any hour
  • You also specify which applications you want to keep updated
  • For now SDT can only update or install a subset of all ESS software
  • In a coming version SDT won’t be thus limited
  • SDT is self-updating, unless you configure it not to be
  • In SDT’s main window there is a link to a web page with more information about each application that it can install or update
• SDT’s System Tray or Dock Icon Is a Gateway…
  • To Kerberos tools, software update tools, optionally AFS tools…

Stanford Desktop Tools: Main Window

Stanford Desktop Tools: Preferences

Stanford Desktop Tools: OpenAFS
• If You Install OpenAFS, SDT Provides Quick Access
  • The SDT system tray or dock icon menu lets you launch the AFS Controller or mount recently accessed AFS volumes from a list
  • Windows: right-click the SDT system tray icon
  • Mac: right-click, ctrl-click, or click-hold the dock icon
  • OpenAFS provides context menus for both Mac OS and Windows
  • If you right-click or ctrl-click an AFS directory in the Mac’s Finder or in Windows Explorer, there will be an AFS menu item that you can use to view or set ACLs, etc
  • OpenAFS, as the name suggests, is an open source project
  • The GUI AFS Controller has been developed at Stanford
  • We have a good working relationship with the OpenAFS project team, but can only influence, not control, the direction of future development

Stanford Desktop Tools: Single Sign-on
• What Is Single Sign-on?
  • A single log-in gains you access to multiple resources, such as web applications, that require you to identify, or “authenticate,” yourself
  • In other words, you don’t have to enter your password so often
• SDT Makes Single Sign-on Easier—but…
  • At present only two groups of users will benefit
  • Mac users, especially those whose local account’s short name and password match their SUNet ID and password exactly
  • Windows users whose PCs are joined to the Stanford Windows Infrastructure and who log on to their WIN account
  • The SDT for Windows installer configures both IE and Firefox for Stanford single sign-on
  • SDT for the Mac will soon also configure Firefox, while Safari requires no special configuration

Single Sign-on Continued
• Manual Configuration of Your Browser Is Easy
  • Instructions are available here: https://weblogin.stanford.edu/config.html
  • And once you’ve configured the browser, you’ll also need to visit another web page where you’ll click a “Test” and then an “Enable” button that sets a persistent HTTP cookie for Stanford’s weblogin servers: https://weblogin.stanford.edu/settings
• Yesterday (22 February) Single Sign-on for Web Applications Became Possible for Windows Users
  • The 2-way cross-realm trust between Stanford’s Windows Kerberos realm and the *nix-based MIT Kerberos 5 realm is now complete
  • Again, only users who log on to Stanford’s WIN domain can benefit
  • Some web applications (Axess, e.g.) still require a separate log-on

Weblogin “Advanced Settings”

Enabling HTTP Negotiate for Weblogin

On the Horizon
• Many Improvements to SDT Are Coming
  • The ability to install and update site-licensed software that requires user authentication for download
  • A revamped and more “intuitive” user interface
  • Performance enhancements, and oh so much more!
• MIT Kerberos for Windows 3.2 Expected in Spring
  • A friendlier user interface that better hides all the geeky stuff
  • Full support for Windows Vista (3.1 already runs on Vista, but it’s not supported on that platform)
  • The “New Credentials” dialog box will take focus as the frontmost window when authentication is required
• NIM Will Be Able to Change SUNet ID Passwords
  • Probably by late March, once K5 is Stanford’s master realm for passwords: meanwhile it is recommended that one use the StanfordYou web site for password changes

Moving to Stanford Desktop Tools
• As of April 2008, When Stanford’s Kerberos 4 Realm Joins Other Forgotten Kingdoms in the Dustbin of History, No One Should Be Using PC-Leland or MacLeland
• Encourage the Computer Users You Support to Adopt SDT Sooner Rather Than Later
  • When they get a new computer
  • After a big annual deadline
  • When other upgrades are happening
• SDT Is Self-Updating: To Have It Is Always to Have the Latest Version!
  • As well as the latest versions of MIT Kerberos for Windows, OpenAFS (if installed), and other ESS software, with all the improvements, bug fixes, and security patches that the release of new software portends
• A Tech Express Talk on SDT Is Scheduled for March 22nd

Frequently Asked Questions
Frequently Asked Questions and Their Answers Are Now Available on the Stanford IT Services FAQ Site: http://faq.stanford.edu

Links for More Information
• SDT Documentation on the ESS Site
  http://www.stanford.edu/services/ess/pc/docs/sdt/index.html
  http://www.stanford.edu/services/ess/mac/docs/sdt/index.html
• SDT FAQ Pages
  https://tools.stanford.edu/faq/index.php?action=show&cat=23
  https://tools.stanford.edu/faq/index.php?action=show&cat=24
• SDT Release Notes
  http://www.stanford.edu/dept/its/support/sdt/docs/release_notes.txt
• MIT Kerberos
  http://web.mit.edu/Kerberos
• OpenAFS Project
  http://www.openafs.org
• Stanford AFS Software Download and Documentation
  http://www.stanford.edu/services/openafs/index.html

Any questions at the present time? We’re here to help you. If you do have questions, comments or concerns about Stanford Desktop Tools: http://helpsu.stanford.edu