
Installing and configuring Novell's Modular Authentication Service, part 2

There have been some changes in the configuration process since Ron Nutter's NMAS Drill Down. Now you can get up to speed and start configuring the login process.


Since I first discussed Novell’s Modular Authentication Service (NMAS) in the Daily Drill Down “Installing and configuring Novell’s Modular Authentication Service, part 1,” several things have occurred. When the first Daily Drill Down left off, I was about to start the process of configuring the login process.

I encountered significant problems in this part of the installation process, and during several phone calls with Novell Support, I found out that the manual I had downloaded from Novell’s Web site was an early beta version that was missing several pieces of information. The first part of this Daily Drill Down will bring you up to speed with what has changed in the configuration since the last installment, and then I’ll start the process of configuring the first of several different login methods supported by NMAS.

From the top: Take 2
On the www.novell.com/products/nmas page, click the Documentation link. You should find it on the left-hand side of the page. Download the PDF files from this page.

The correct Installation and Administration Guide should have at least 55 pages. The incorrect version that I had unknowingly been using contained approximately 36 pages.

On this same page, you’ll see a link labeled Download NMAS—Starter Pack. Click that link and download the files you find there. If you downloaded the NMAS Starter Pack before the middle of May 2000, you should download the newer version and get the revised files.

Something that was unclear in the beta NMAS installation manual was that you needed to download one or more of the login methods to be able to configure the NMAS Starter Pack. On the NMAS Starter Pack download page, you’ll see the Full File header, which is the main file containing the NMAS Starter Pack. The files listed under the Partial Files header are the various authentication files that you’ll need in order to try one or more of the login methods.

One of the PDF files from the Documentation link covers the vendors currently providing login methods for NMAS. Once you’ve downloaded the login methods that you want to evaluate or use, you’ll need to review your current server configuration to make sure you’re ready to proceed.

As of August 1, 2000, you’ll find nine different authentication methods. If you currently lack some of the hardware required to implement solutions from vendors such as Activcard, RSA, or Saflink, you can start with one of the following methods: Novell_simplepwd, Novell_ndspwd, or Novell_x509. If you’ve decided to jump into NMAS feet first and have purchased the Enterprise version, which allows multiple authentication methods to be used at the same time, you can go with the authentication methods included on the product CD.

Your next step will be to click the More Information link to find out what modules you’ll need to install on the server. In my case, I needed to download the latest version of ConsoleOne (v1.2c) and the updated NetWare client (v3.21 for Windows 95/98 or v4.71 for Windows NT). Once you’ve applied the files that have been updated since you first downloaded NMAS, you’ll be ready to start installing one of the authentication methods.

After I installed ConsoleOne, I thought that I was ready to proceed with the installation of the updated NMAS, but contrary to the information on the updated NMAS screen, I had to download a few additional files. The information with the updated NMAS Starter Pack indicated that it would use the files I had or later versions. When I ran the updated NMAS install program, it tossed out an error message saying that it would work only with the latest Certificate Server and NICI (which I would have to download). If you have problems getting to the latest NICI (Novell International Cryptographic Infrastructure) files and you can’t get them from the Novell Software Downloads page, try going to www.novell.com/products/cryptography, and you should be able to find them there.

If, while running the NMAS Starter Pack install program, you get an error that says you need to install the latest ConsoleOne and you’ve already installed it, there are a few things you can check. First, make sure that the version you’re running is in fact the latest version. To keep things simple, I’d recommend installing ConsoleOne to the server and running it from there. If you’ve installed ConsoleOne locally and also have a copy on the server, you should make sure that you’ve updated both copies. Start ConsoleOne and check to see that the opening splash screen displays 1.2c.2 as the version number.

You should also check to be sure that you have the latest snap-ins installed. Click Help, and then click About Snap-ins. Once the About ConsoleOne Snap-ins screen appears, click each one of the Snap-ins buttons and check the version and date information on each. Most, if not all, of the modules should reference 1.2c.2.

If you need to download the updated Certificate Server and also need to download the newer ConsoleOne, you can save a little bit of time and hassle by downloading just the updated Certificate file. This file will install the newer ConsoleOne along with the Certificate Server.

Installing the NMAS Starter Pack
Once you have the updated modules installed, you can proceed with the installation of the updated NMAS Starter Pack software. Go to the NMASSERVER subdirectory under the directory where you extracted the NMAS Starter Pack software and run the INSTALL.EXE program. Due to the size of some of the files and the number of other files that those files contain, you may end up spending between one and two hours applying the newer files before you can start installing one of the login methods that you want to use with NMAS.

If all the NLMs that NMAS depends on are up to date, you shouldn’t get any error messages about a particular module being out of date after the NMAS install program has started. After the install program has completed, you’ll need to reboot the server before continuing. If you don’t reboot the server, your first clue that you need to do so will come when you go into ConsoleOne: you won’t see an Authorized Login Methods container under the Security container in your tree.

After you reboot the server, start ConsoleOne. You should notice that some changes have been made to your NDS tree. If all the NMAS snap-ins have installed correctly, you should see a slight change in the ConsoleOne splash screen, as shown in Figure A.

Figure A
NMAS makes changes to your ConsoleOne splash screen.


There are two additional icons that should show up when ConsoleOne is starting: One is a small lock with a horizontal line background and one is a gold circle. If these two appear, you’re almost ready to start testing NMAS.

As you expand the tree in ConsoleOne, you should see an icon labeled Security. As you continue to expand to the branches below this, you should see two things: a container labeled KAP and another labeled Authorized Login Methods. If you expand the latter, you should see an object labeled NDS.

This should be installed by default as the first login method that you’ll be able to use with NMAS Starter Edition. If you don’t see this icon, don’t be alarmed—it isn’t that hard to get a login method installed.

When you downloaded the files earlier, in preparation for installing NMAS, you should have downloaded at least one, if not all, of the login methods currently supported so that you can see which of the methods you want to start with. For the purposes of this Daily Drill Down, I’ll start by going with the Novell NDS password client piece.

What isn’t made very clear in the NMAS documentation is that the various login methods work with a common directory structure. The naming structure that the methods appear to use (based on the ones I’ve worked with so far) is \NMAS\Methods\vendor_name\authentication type. In the case of the Novell NDS password login, the path will look like \NMAS\Methods\Novell\NDS.

I suggest entering a path such as F:\ when unpacking the login methods prior to enabling them in NMAS. If you do so, the unpacking program will create the directory structure I mentioned above without burying the files under a very long path that you’d have to search through when installing the various login types.

Once you’ve unpacked this login authentication type, you should right-click the Authorized Login Methods container, click New, and then click Object. When the New Object screen appears, click SAS:NMAS Login Method and then click the OK button.

When the New Login Method screen appears, click the Discovery button to the right of the Configuration File input field and browse the directory structure until you find a file labeled CONFIG.TXT under \NMAS\Methods\Novell\NDS. Click the filename, and you should be returned to the New Login Method Wizard. The input field beside the Configuration File line should now be filled in with the complete path and filename. Click Next to continue.

The next screen that appears will be an NMAS license screen. Click the Accept button and then the Next button. The screen that follows will report the method name, followed by the vendor name of the method, the grade of the authentication, and the method number. The information in the Description field should explain a little more about the authentication type that you’re installing.

Unless you have some reason for wanting to change the name of the authentication type that you’re installing, click Next to continue. Depending on the level of sophistication of the authentication method being installed, you may see one or more modules listed for this method screen. Next, you’ll need to verify that the check box in the Create Login Sequence screen is checked. It should be checked by default. Click Finish to create the login sequence for the method that you’re installing.

A Login Method Installation Summary screen will appear when the authentication method has finished installing. You might want to do a screen capture at this point to document exactly what did and didn’t happen. This is a good piece of documentation to have in case you need to talk to tech support at the vendor who is providing the login authentication piece.

Click the OK button to continue. You should now see the NDS Login authentication method under the Authorized Login Methods container. You can go into the Properties screen for any authentication method that you install, but at this point, there won’t be much to see beyond what already appeared on screen during the installation process.

Setting up the client to authenticate using NMAS
At this point, you’ve done all that is needed to log on to the server using NMAS. The rest occurs at the client. One of the files that you downloaded earlier was the latest client for NetWare for the version of the desktop operating system(s) that you’ll use. Install the updated client and reboot when the process is complete. Once you’ve done this, you should install the NICI client software, which should be at least v1.5.3.

As soon as the software has finished installing, reboot the workstation. You’ll need to install the NMAS client software, which seems to be an overlay that will change how the client login screen will appear to users when they log in.

You should write yourself a note that any time you either update the Novell client software to the latest version or add a feature that you weren’t using before, you’ll need to reinstall the NMAS client software. This enables you to log on to the network and properly authenticate to NMAS.

If you have sufficient drive space on the workstation in question, you might want to create two directories—one for the Novell client software and one for the NMAS client software. This should allow you to install the NMAS client component in the event that you forget to do so after installing the updated client and rebooting the workstation. You’ll find this software under \NMAS\NMASClient.

When working with a Windows 95/98 desktop environment, I like to create a directory called \client and another one for nmas_client under the Windows\Options directory. This directory is present on most systems that have had the desktop OS installed by the vendor who built the system. If you don’t already have such a structure, then you should take a few minutes to create one. This can save having to hunt down the appropriate CDs when you need them.

The last step that you’ll need to take is to install any required files on the client for the authentication method you installed on the server. You can look for the client install piece under \NMAS\Methods\Novell\NDS\client (this path might vary slightly, depending on the authentication method you’re using).

Once you’ve completed this step, you should reboot the workstation. If you don’t do this, you can expect to get either a blue screen of death on NT or a message on Windows 95/98 that a particular module can’t be found or loaded.
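Because every login method unpacks into the \NMAS\Methods\vendor_name\authentication type layout described earlier, you can inventory what you have on hand before you start the New Login Method wizard: which methods are present, where each CONFIG.TXT sits, and which methods ship a client piece that still has to go on the workstation. The script below is an added example and not Novell's code; it assumes only that layout (a client subdirectory is taken as the marker for a workstation piece), and the sample tree it builds is constructed for illustration.

```python
"""Inventory unpacked NMAS login methods (added example, not Novell code).

Assumes the layout described in the article: <root>\\NMAS\\Methods\\<vendor>\\<type>\\CONFIG.TXT,
with an optional client\\ subdirectory holding the workstation install piece.
The sample tree built below is constructed for illustration only.
"""
from pathlib import Path
import tempfile


def inventory_methods(root):
    """Return one record per login method found under root/NMAS/Methods.

    A method is a directory exactly two levels below Methods (vendor/type).
    'config' is the path to CONFIG.TXT, matched case-insensitively because
    DOS-era unpackers may upper- or lower-case it, or None if it is missing
    (the wizard's Discovery step would then have nothing to find).
    'client' is True when a client subdirectory exists, i.e. there is a
    workstation piece to install after the server-side method.
    """
    methods_dir = Path(root) / "NMAS" / "Methods"
    records = []
    if not methods_dir.is_dir():
        return records
    for vendor in sorted(p for p in methods_dir.iterdir() if p.is_dir()):
        for method in sorted(p for p in vendor.iterdir() if p.is_dir()):
            config = next((f for f in method.iterdir()
                           if f.is_file() and f.name.upper() == "CONFIG.TXT"), None)
            client = any(p.is_dir() and p.name.lower() == "client"
                         for p in method.iterdir())
            records.append({"vendor": vendor.name, "type": method.name,
                            "config": str(config) if config else None,
                            "client": client})
    return records


def build_sample_tree(root):
    """Construct a fake unpacked tree: one complete method, one missing CONFIG.TXT."""
    nds = Path(root) / "NMAS" / "Methods" / "Novell" / "NDS"
    (nds / "client").mkdir(parents=True)
    (nds / "CONFIG.TXT").write_text("placeholder\n")  # real file format not shown here
    (Path(root) / "NMAS" / "Methods" / "Novell" / "simplepwd").mkdir(parents=True)


def demo():
    """Build the constructed tree in a temp directory and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory_methods(tmp)


if __name__ == "__main__":
    for rec in demo():
        status = "ok" if rec["config"] else "MISSING CONFIG.TXT"
        print(f"{rec['vendor']}/{rec['type']}: {status}; client piece: {rec['client']}")
```

Run it against the drive letter you unpacked to (for example F:\) instead of the temp directory to get a list you can paste into your server documentation alongside the installation summary screen captures.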

After you have rebooted the workstation, you should notice one difference right away on the client. When the Novell Login screen appears, it will have only a UserName input field and won’t include the Password field that you’re used to seeing. Once you’ve entered the username and clicked OK or pressed [Enter], you’ll see an additional screen, similar to that shown in Figure B.

Figure B
NMAS displays an additional screen during login.


In this case, where we’ve used the NDS password login method of authentication, an NDS Authentication screen appears, where you will enter the password for the username you’re logging in with. If you want to change your password at this point, you can click the check box beside the Change Password label. Click the OK button to continue.

If this is your first time logging in after rebooting the client, you’ll notice a slight change in the tabs. The NMAS tab controls which login method to use for this particular user or workstation. Click the drop-down arrow beside Sequence and choose the authentication method for this client. In our case, you should see a sequence named NDS. Click that option and then click OK again to start the login process.

A quick review
What we have set up at this point is a very basic implementation of NMAS using the Starter Pack software that’s available for download at no charge from Novell’s Web site. We need to stop at this point and review a few things.

Depending on the level of documentation that you keep on your server’s configuration, you may want to take a few minutes to note what changes have just occurred to the server and what modules have been updated or changed. This can be a very important piece of troubleshooting information in the event that you add other software to the server and find that one or more of the modules used by NMAS or its dependent services has been downgraded and you now are experiencing problems with NMAS.

Don’t be in a big rush to upgrade software components on either the server or workstation just because they’re available. If you haven’t already started doing so, you might want to keep a test workstation available to try out the new changes before you start rolling them out to your users.

Conclusion
Future Daily Drill Downs in this series will cover most of the various login methods that are available for NMAS. Spend a few minutes and look at the many offerings that Novell and its partners have released—options such as smart cards, hardware tokens, and retina scanners, to mention just a few. Some of these options require an additional server to be present on the network to provide resources for a particular authentication method, or they may require additional hardware on the workstation that is to use a particular authentication method. Once we’ve reviewed the various authentication methods, we’ll then look at NMAS Enterprise Edition to show how you can use multiple types of authentication at the same time to have even more protection for the information on your network.

Ronald Nutter is a senior systems engineer in Lexington, KY. He's an MCSE, a Novell Master CNE, and a Compaq ASE. Ron has worked with networks ranging in size from single servers to multiserver/multi-OS setups, including NetWare, Windows NT, AS/400, 3090, and UNIX. He's also the help desk editor for Network World. If you’d like to contact Ron, send him an e-mail. (Because of the large volume of e-mail that he receives, it's impossible for him to respond to every message. However, he does read them all.)

The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
