Using pGINA to Authenticate Users in Microsoft Windows Environments
Aug 27, 2004

The Solution

The answer to this problem is to use pGINA.

Before we talk about pGINA, let's look at how things work today. By default, Windows uses a component called GINA for authentication.

What is GINA?

GINA stands for Graphical Identification and Authentication. GINA is a dynamic-link library (DLL) that is part of the Windows operating system. GINA is loaded early in the boot process by Winlogon.exe. Once loaded, GINA handles the following functions:

  • SAS Recognition – Stands for secure attention sequence recognition. The GINA can have its own SAS and is then responsible for recognizing it. This is not required if the GINA uses the standard SAS of Winlogon.exe (Ctrl+Alt+Del). The GINA makes the appropriate calls depending on the current state of the workstation; if the GINA uses the standard SAS, Winlogon.exe automatically calls the appropriate routine.

  • User Interface – Since the GINA can provide an alternative identification mechanism, it is the responsibility of the GINA to display the entire user interface needed to perform the logon authentication. The GINA has to display the user interface that collects the data needed for authentication, and every other user interface the current state of the workstation calls for.

  • Shell Creation – When a user performs a successful logon, the GINA works with Winlogon.exe to create the initial processes and assign them the user's access token obtained from Winlogon.exe. This process must start the default shell for the user. Normally, userinit.exe is started as the initial process. This program runs in the user's context and on the user's desktop. It sets up the user environment by restoring network connections, loading the user's profile (colors, fonts, screen savers, and so on) and running logon scripts. It then starts the shell program with the same environment as itself. The standard shell for Windows NT is Explorer.exe, which manages the desktop, taskbar, and so on. Once the shell is created with the user's access token, all other processes created by the user automatically inherit it, thus securing the resources.

Windows Authentication Architecture

During a power-on or boot-up sequence (FIGURE 3), the Winlogon.exe process is started. This process continues to run in the background during the entire time the OS is loaded.

When a user issues the SAS to log on, the Winlogon.exe process calls the GINA DLL to handle the user identification and authorization process. GINA presents a logon dialog for the user to fill out. Using this dialog, GINA acquires the information it needs to authenticate the user.

GINA then contacts either the Active Directory or the Domain Controller. After GINA has validated the user, it returns a token and control to the Winlogon.exe process, which in turn starts a user-level shell with the permissions of the user and then creates the user's environment using the authenticated user's environment settings and the appropriate scripts.

Once the user's shell and environment are set up, Winlogon.exe turns control of the shell over to the user.

FIGURE 3 Windows Authentication Architecture

What is pGINA?

pGINA stands for Pluggable Graphical Identification and Authentication.

pGINA is an add-on DLL for the standard Microsoft GINA and provides a framework that allows different methods of authentication. These are implemented by the use of authentication plug-ins.

Just as pluggable authentication module (PAM) technology brings different authentication methods to UNIX, pGINA brings this same functionality to the Windows environment.

pGINA provides the skeleton code necessary to quickly and easily implement many different methods of user authentication. Once a plug-in has been created for a particular authentication method, it can be easily installed on multiple systems. The new plug-in can be made available to other users without the users needing an in-depth understanding of the Windows logon process. Some of the plug-ins that already exist for pGINA are OpenLDAP and Radius. Available plug-ins are discussed later.

Windows Authentication Architecture With pGINA

When using pGINA, the process is the same as with GINA except that when the user issues a SAS to log on, the Winlogon.exe process calls the pGINA DLL to handle the user identification and authorization process. pGINA presents a logon dialog box for the user to fill out. Using this dialog box, pGINA acquires the information it needs to authenticate the user. pGINA passes any information or requests that it is not configured to handle to the GINA DLL for processing.

Depending on the configuration, pGINA then authenticates the user by using whichever authentication modules are needed. If pGINA is configured to use LDAP, pGINA uses the LDAP plug-in, which authenticates through LDAP on behalf of the user—an operation typically called a bind, or binding to the directory. pGINA can also be configured to chain the authentication methods so that multiple methods are used. This is represented by the ellipsis in FIGURE 3.

Once pGINA has validated the user, it passes along any configuration information and returns a token and control to the Winlogon.exe process (FIGURE 4). This, in turn, starts a user-level shell with the permissions of the user logging in and then creates the user's environment by using the authenticated user's environment settings, the appropriate scripts, and so on. Once the user's shell and environment are set up, Winlogon.exe turns control of the shell over to the user.
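The chaining behaviour described above, and the hand-off of unhandled requests to the stock GINA described for FIGURE 3, is easier to reason about in code. The following Python model is an added illustration, not code from pGINA or from this article: the plug-in interface (a callable returning True, False or None), the chain semantics, the "LDAPAuth" and "StockGINA" labels, and every user name and password in it are constructed for the example. Real pGINA plug-ins are C++ DLLs loaded by the pGINA GINA replacement and are not modelled here. The point it makes from a defender's view is that a chain must fail closed: a plug-in that knows the user and rejects the password ends the chain with a denial, and only "unknown user" answers fall through to the next method.

```python
"""pGINA-style chained authentication, modelled in Python.

Added illustration, not pGINA's code. The plug-in interface, the chain
semantics and all sample users/passwords are constructed for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LogonResult:
    """What the GINA hands back to Winlogon.exe: log on or not, and who decided."""
    success: bool
    source: str            # plug-in (or stock GINA) that produced the verdict
    username: str = ""


# A plug-in receives the credentials collected by the logon dialog and answers
# True (accept), False (reject) or None ("not my user, pass it on").
Plugin = Callable[[str, str], Optional[bool]]
Store = Dict[str, Tuple[bytes, bytes]]   # username -> (salt, PBKDF2 digest)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the example runs quickly (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_store(users: Dict[str, str]) -> Store:
    """Build a constructed credential store with a fresh random salt per user."""
    store: Store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(password, salt))
    return store


def make_directory_plugin(name: str, store: Store) -> Plugin:
    """Simulate an LDAP-bind style plug-in.

    A user present in the directory is accepted only if the password verifies
    against the stored salted hash. A user *absent* from the directory yields
    None rather than False, so the chain can hand the request to the next
    plug-in, mirroring how pGINA passes on requests it is not configured for.
    """
    def plugin(username: str, password: str) -> Optional[bool]:
        record = store.get(username)
        if record is None:
            return None
        salt, digest = record
        return hmac.compare_digest(_hash_password(password, salt), digest)
    plugin.__name__ = name
    return plugin


def chained_logon(plugins: List[Plugin], stock: Plugin,
                  username: str, password: str) -> LogonResult:
    """First definite answer wins; the stock GINA is the last stop and fails closed.

    A plug-in that knows the user but rejects the password ends the chain with
    a denial: a wrong directory password must not fall through to a stale
    local account that happens to share the name.
    """
    for plugin in plugins:
        verdict = plugin(username, password)
        if verdict is not None:
            return LogonResult(verdict, plugin.__name__, username if verdict else "")
    verdict = stock(username, password)
    # The stock GINA cannot defer: an unknown user is simply denied.
    return LogonResult(verdict is True, stock.__name__, username if verdict else "")


# Constructed sample data: a directory reached through "LDAPAuth" and the
# local accounts the stock GINA would check.
LDAP_PLUGIN = make_directory_plugin("LDAPAuth", make_store({"alice": "correct horse"}))
STOCK_GINA = make_directory_plugin("StockGINA", make_store({"alice": "stale-local-pw",
                                                           "bob": "battery staple"}))


def logon(username: str, password: str) -> LogonResult:
    """Run the sample chain: LDAPAuth first, then the stock GINA."""
    return chained_logon([LDAP_PLUGIN], STOCK_GINA, username, password)


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "stale-local-pw"),
                     ("bob", "battery staple"), ("carol", "anything")]:
        print(user, logon(user, pw))
```

Running the module shows the four cases that matter when auditing such a chain: a directory user with the right password is accepted by LDAPAuth; the same user with only the old local password is denied by LDAPAuth rather than passed on; a local-only user reaches the stock GINA and is accepted there; and a user known nowhere is denied at the end of the chain.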

FIGURE 4 Windows Authentication Architecture With pGINA
Available Plug-ins

There are currently a total of nine publicly available plug-ins from http://pgina.xpasystems.com:

  • LDAPAuth – For authentication against an LDAP server

  • Chaining Plug-in – Allows you to stack individual plug-ins

  • PAM for pGINA – For authentication with UNIX PAM

  • MySQLAuth Plug-in – For authentication against a MySQL database

  • POP3 Plug-in – For authentication against a POP3 mail server

  • NIS Plug-in – For authentication against an NIS server

  • ACE (SecureID) Plug-in – For authentication to a domain with RSA's SecureID product

  • OpenAFS Plug-in – For authentication against an AFS realm

  • RADIUS Plug-in – For authentication and accounting with RADIUS

Good Situations for pGINA

There are several scenarios where pGINA is a good fit for a particular environment:

  • When you already have, or are going to implement, a mixed UNIX/Linux/Windows environment.

  • If you have already installed Active Directory and are struggling with it; or if you are in the planning stages of an Active Directory implementation.

  • If you are migrating away from Windows 95, Windows 98, or Windows Me to Windows XP or Windows Server 200X.

  • If you understand and appreciate the value of maintaining a single point of authentication.

Not So Good Situations for pGINA

There are also several scenarios where the implementation of pGINA might do more harm than good:

  • You have a Microsoft-only environment.

  • You don't want to use UNIX or Linux naming services.

  • You need Active Directory services for advanced Microsoft services such as Exchange.

  • You have an extremely large number of clients. While supporting a large number of clients with pGINA is not impossible, it requires more care in the implementation phase.

Things to Consider

Before installing and using pGINA, plan carefully. The following list describes some of the areas that you should take into account:

  • Policies – Determine which authentication policies you want to implement.

  • Features – What pGINA features do you plan to implement? Which plug-ins suit your needs?

  • Options – There are a number of options you can choose to implement. Do you want to replace the logo and other options?

  • Testing – Implement the plug-ins and features in a test environment before deploying to your production environment.

  • Piloting – It is a good idea to run a pilot program for pGINA with a select group of users.

  • Rollout – Finally, roll out the approved configuration. If necessary, roll it out in a phased manner.
