Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > What's the best way to verify client authentication across unrelated Web servers?
Ask The Security Expert: Questions & Answers
EMAIL THIS

What's the best way to verify client authentication across unrelated Web servers?

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 16 April 2007
Do you have any experience or opinions about maintaining online login credentials across unrelated Web servers? For example, if you log into a server (WEB1) and click a link to a Web site on WEB2, what's the best way to let WEB2 know that the client has authenticated?

>
EXPERT RESPONSE
Actually, the hardware and software used for clustering Web servers automatically refreshes authentication credentials across unrelated servers. As a security professional, it's not something you normally need to be concerned with.

If you're a software developer, on the other hand, you'll have to consider how to handle session state for the server cluster in order to preserve authentication credentials.

There are several mechanisms for doing this. One is through load balancing and the other involves the Microsoft Cluster Service (MCSC). In Windows Server 2003, MCSC integrates with Active Directory. It creates a virtual service object within Active Directory that allows Kerberos authentication. This object is used only for Kerberos authentication and can't be used for applying Group Policy Objects (GPO).

In other versions of Windows and Unix systems, more traditional load balancing systems are used. In general, these systems use load balancing software to distribute traffic across servers that are members of a cluster. The load balancer is assigned a virtual IP address that can represent any server in the cluster.

When requests are made to this virtual IP address, the session is preserved by the load balancer and distributed to member servers. Among the data in the session is a unique string of characters and numbers assigned after login. If someone is logged onto the Web site and hits a link that goes to another Web server in the cluster, as you describe, the load balancer automatically authenticates the user to the second Web server.

Load balancers are supposed to keep the session alive, even if the original server goes down. Again, the session is stored by the load balancer, so it isn't extinguished by the loss of any one server in the cluster.

In J2EE, for example, there are session objects associated with a servlet. The session can be shared across all the servers in a cluster, or just stored in a few that can be accessed as needed. There are multiple coding schemes for doing this that are beyond the scope of this brief tip.

Generally, once the user is authenticated to the cluster, the load balancer managing the cluster takes over maintaining the session state.

For more information:

  • In this SearchSecurity.com Security School lesson, Burton Group's Mark Diodati explores innovative and cost-effective user-based authentication technologies.
  • In this SearchSecurity.com Q&A, security expert Joel Dubin reveals which questions need to be asked before buying an authentication product.


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Identity Management and Access Control
    What are the options for a mechanical (not electrical) door security system on a server room door?
    What's the difference between access control mechanisms and identity management techniques?
    What courses can improve fundamental knowledge of infrastructure systems (Active Directory, LDAP, etc.)?
    What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products?
    Should a new user have to confirm his or her email address before gaining access?
    Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
    What should an enterprise look for in a password token, and in a vendor?
    Is it possible to write a batch file that allows user access to the local admin group for a short time?
    IAM best practices for employees with varying degrees of access to the same computer
    What are some good pre-boot biometric user authentication tools or strategies?

    Two-Factor and Multifactor Authentication Strategy
    PKI and digital certificates: Security, authentication and implementation
    Security token and smart card authentication
    Enterprise single sign-on: Easing the authentication process
    Exploring authentication methods: How to develop secure systems
    What should an enterprise look for in a password token, and in a vendor?
    If the encryption on the Mifare Classic RFID has been cracked, are smart cards insecure?
    How do RFID-blocking passport wallets work?
    What are good features to look for when searching for new access control software?
    Quiz: The new school of enterprise authentication
    The steps of privileged account management implementation

    IIS Security
    How to stop malware in a 'Flash'
    Kaminsky: DNS flaw capable of attacks on many fronts
    Trend Micro site compromised
    What server considerations should be made when setting up an internal network's private applications?
    IT discussion: Is malware the cause of a DNS server error?
    Insider's guide to IIS Web server security
    Microsoft July updates for critical Excel, Windows and .NET flaws
    Finding and blocking Web application server attack vectors
    Microsoft to release DNS patch Tuesday
    DNS worm strikes at Microsoft flaw
    IIS Security Research

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    AAA server  (SearchSecurity.com)
    authentication  (SearchSecurity.com)
    authentication, authorization, and accounting  (SearchSecurity.com)
    federated identity management  (SearchSecurity.com)
    Kerberos  (SearchSecurity.com)
    password hardening  (SearchSecurity.com)
    typeprint analysis  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts