External Authentication Module, NTAuth

Note: There was previously a special download of NTAuth that handled Windows Active Directory. That functionality has since been added to the latest builds of some NetWin applications and is controlled by the ini setting "active_directory".


Installing and Setup

This fully usable example external authentication module is included in most distribution sets that support external authentication. If you do not have a build, or you require the latest source code, it can be downloaded from one of the links below:

Source: not available
Windows: ntauth_2.0r_windows.zip (59k)

Configuration options

The configuration options below go in an ntauth.ini file which is located in the same directory as the NTAuth binary OR in a directory specified by the -path command line option.

| Setting | Default | Description |
| --- | --- | --- |
| user_group | Users | The name of the group that new users are added to. This group MUST have the "logon as a batch job" privilege. |
| user_workarea | /ntauth | The base directory where user files are created. These files are created in hashed directories, one file per user. |
| loglevel | info | The amount of data to log: "error" logs only errors, "info" logs errors and info, "debug" logs everything. |
| debug | false | If set to "true", has the same effect as "loglevel debug". |
| domain | | The domain name. If set, this domain name is appended to all usernames returned by all the commands. It is NOT appended to usernames added to the system. |
| controller | . | The name of the domain or server whose account database contains the account. A value of "." causes it to look on the local machine ONLY. |
| active_directory | false | Set this to true if you are using Active Directory. |

 

Command Line Options

-path Tells NTAuth where to create its log file and where to find its config file.
-debug Sets the logging level to debug.

Step by Step

1. Download the latest release shown above.
2. Run the self-extracting release file; it will create a temp directory and extract the ntauth files.
3. Edit ntauth.ini. If you are using Active Directory, set 'active_directory true' and set the 'controller' setting to the computer name of the domain controller.
4. Test ntauth manually by running it from a command prompt window, e.g.:

c:\nttemp>ntauth
lookup user@domain
+OK user@domain config 0
check user@domain password
+OK user@domain config 0
quit

5. If you cannot look up or authenticate an existing account, set 'debug true' in ntauth.ini, try the test again, and check ntauth.log and the Troubleshooting section below. If you cannot resolve the problem, email regan@netwinsite.com.
6. Once testing is complete and ntauth is working correctly, you can move ntauth.exe and ntauth.ini to the program directory of the program you intend to use it with and configure that program to use it. Typically the setting needs to look something like:

setting_name "c:\program_directory\ntauth -path c:\program_directory\"
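
The settings table and step 3 above can be checked mechanically before the module is put into service. The following is an added example, not NetWin code: it assumes ntauth.ini holds one "name value" pair per line, as in the 'active_directory true' form quoted above, and the sample values (DC01, user_grp, Mail) are constructed.

```python
# Added example: sanity-check an ntauth.ini against the documented settings.
# Assumption: one "name value" pair per line, separated by whitespace.

DEFAULTS = {
    "user_group": "Users", "user_workarea": "/ntauth", "loglevel": "info",
    "debug": "false", "domain": "", "controller": ".",
    "active_directory": "false",
}

def parse_ini(text):
    """Return (settings, unknown_names); documented defaults fill the gaps."""
    settings, unknown = dict(DEFAULTS), []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue  # blank line
        name = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name in DEFAULTS:
            settings[name] = value
        else:
            unknown.append(name)  # likely a typo; the default stays in force
    return settings, unknown

def review(text):
    """Return a list of findings for the operator to look at."""
    s, unknown = parse_ini(text)
    findings = [f"unknown setting: {n}" for n in unknown]
    if s["active_directory"].lower() == "true" and s["controller"] == ".":
        findings.append('active_directory is true but controller is "." '
                        "(local machine only)")
    if s["loglevel"].lower() not in ("error", "info", "debug"):
        findings.append(f"loglevel {s['loglevel']!r} is not error, info or debug")
    if s["debug"].lower() == "true" or s["loglevel"].lower() == "debug":
        findings.append("debug logging is enabled (troubleshooting setting)")
    return findings

# Constructed sample: Active Directory on, controller left at its default,
# debug left on after testing, and one misspelled setting name.
SAMPLE = "active_directory true\ndebug true\nuser_grp Mail\n"

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("-", finding)
```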


Supported Commands

The commands below are the commands that this module supports. For a full description of each command, see Authentication Protocol.

Command Parameters
check <user> <pass>
lookup <user>
set <user> <pass>|(NULL) [label="value"]
del <user>
search <string> [-from n] [-max m]
version
help
quit
exit
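
The manual test from step 4 can be scripted with the commands listed above. This is an added example, not part of NTAuth: it assumes one reply line per command and that any reply not starting with +OK is a failure, and the stub process with its "-ERR" text is constructed so the script runs without ntauth.exe.

```python
import subprocess
import sys

def parse_reply(line):
    """Split a reply such as '+OK user@domain config 0' into (ok, fields)."""
    fields = line.strip().split()
    # Assumption: anything that does not start with +OK is a failure.
    return (bool(fields) and fields[0] == "+OK", fields[1:])

def run_session(argv, commands):
    """Send one command per line on stdin and pair each with its reply line."""
    results = []
    with subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          text=True, bufsize=1) as proc:
        for cmd in commands:
            proc.stdin.write(cmd + "\n")
            proc.stdin.flush()
            ok, fields = parse_reply(proc.stdout.readline())
            # Record only the verb and user so passwords never reach a report.
            results.append((" ".join(cmd.split()[:2]), ok, fields))
        proc.stdin.write("quit\n")
        proc.stdin.flush()
    return results

# Constructed stand-in for ntauth.exe: knows one account and answers in the
# reply format of the transcript; the "-ERR" failure text is invented here.
STUB = r'''
import sys
for line in sys.stdin:
    p = line.split()
    if p[:1] == ["quit"]: break
    good = p[1:2] == ["user@domain"] and (p[0] == "lookup" or p[2:] == ["password"])
    print("+OK user@domain config 0" if good else "-ERR", flush=True)
'''

if __name__ == "__main__":
    # For the real module, replace the argv list with the ntauth command line.
    session = ["lookup user@domain", "check user@domain password",
               "check user@domain wrong"]
    for cmd, ok, fields in run_session([sys.executable, "-c", STUB], session):
        print("PASS" if ok else "FAIL", cmd, fields)
```

A rejected wrong password is the expected result for the third command; a smoke test that only tries valid credentials would not notice a module that accepts everything.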

 


Troubleshooting

On Windows, certain permissions are required to use NTAuth. Below are instructions on how to give a user those permissions. The user to give the permissions to is the user NTAuth is running as.

To set user rights in Windows NT, follow these steps:
1. Click "Start", point to "Programs", click "Administrative Tools (Common)", and then click "User Manager".
2. Select the "Policies" menu and click "User Rights".
3. Check "Show Advanced Rights".
4. Select "Act as part of the operating system".
5. Click "Add".
6. Select the user or users to give the right to.
7. Click "OK".

To set user rights in Windows 2000, follow these steps:
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Local Security Policy.
3. Double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.
4. Double-click the user right you want to change: "Act as part of the operating system".
5. Click Add, and then click the accounts to which you want to assign the right. (If you are using NTAuth with one of our servers running as a service, the user you should add is "SYSTEM".)
6. Click OK, and then click OK again.

On a domain member server:
1. Open Administrative Tools, then Active Directory Users and Computers.
2. Right-click your domain in the tree view and select Properties.
3. Go to the Group Policy tab.
4. Select 'Default Domain Policy' (or the policy that is in effect) and click Edit.
5. Select Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment.
6. Double-click the user right you want to change: "Act as part of the operating system".
7. Click Add, and then click the accounts to which you want to assign the right. (If you are using NTAuth with one of our servers running as a service, the user you should add is "SYSTEM".)
8. Click OK, and then click OK again.

In addition, NTAuth needs to be running as a member of the Administrators or Account Operators group, as these users are the ONLY ones with permission to delete another Administrator account or modify any user's password without first knowing the old password.