Single SignOn
Frequently Asked Questions
This page answers some of the common questions asked about the Single
SignOn feature that is shipping in OpenVMS V7.1.
For more detail on specifics, refer to the Project Description or the
Documentation. If you're already using Single SignOn and are having
difficulties, check out the Trouble-Shooting Guide.
What is Single SignOn?
Single SignOn allows a user to log on (or SignOn) to the Network, rather than
just to an individual system. Once logged on, the user can access the services
and objects within the network, on whichever system(s) they may reside,
without the need for additional signon sequences.
This functionality is being phased in to OpenVMS over a number of releases,
starting in V7.1 with the inclusion of External Authentication.
What is External Authentication?
External Authentication is the first deliverable in the Single SignOn project.
It is present in OpenVMS V7.1.
External Authentication allows a user who is logging in to OpenVMS to be
authenticated by an external entity. In other words, OpenVMS does not go to
the System Authorization File (SYSUAF) to validate the user's password.
Who can act as an External Authenticator?
In V7.1 the only supported External Authenticator is the PATHWORKS
authentication module. This module provides LAN Manager authentication
thereby allowing users to log in to the OpenVMS system using their LAN
Manager (Windows) userid and password.
Where do I get the software from?
The framework and support for External Authentication is built into the
OpenVMS V7.1 operating system.
The PATHWORKS LAN Manager authentication module is part of the
PATHWORKS V5.0E(??) kit. It is also available from the Single SignOn
Installation page.
Do users still need a SYSUAF entry?
Yes. Although the password from the SYSUAF entry is not used, in order to
create the user process OpenVMS still needs to know which UIC to use, which
privileges to grant, quotas to give, etc. These all come from the user's
SYSUAF entry.
What do I enter at the Username/Password Prompts?
At the OpenVMS username prompt, an externally authenticated user must
enter their external (or network) userid. In the case of LAN Manager this is
their Windows userid, and may or may not be the same as their OpenVMS
username.
At the OpenVMS password prompt, an externally authenticated user must
enter their external (or network) password. In the case of LAN Manager this
is their Windows password, not the password stored in the SYSUAF.
How is External Authentication Enabled?
External Authentication is controlled at two levels, and both must be enabled
before any user is externally authenticated:
At the system level, it is enabled by defining the SYS$SINGLE_SIGNON
system logical name. If this logical name is not defined, external
authentication is off regardless of any other settings.
At the user level, it is enabled by a new flag in the user's SYSUAF record.
When set, the EXTAUTH flag denotes that the user is to be externally
authenticated.
By default, External Authentication is disabled at both the system and user
levels.
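The following DCL session shows both levels being switched on and then checked. It is an added example, not from the original FAQ or the OpenVMS documentation; the account name SMITH is hypothetical, and the numeric values given to the logical name are assumptions (the page describes the logical as a bit mask and names bit 1 for the /LOCAL override; value 1 is assumed here to be the plain "on" setting).

```dcl
$ ! Added example, not part of the original FAQ. Account SMITH is hypothetical.
$ !
$ ! 1. System level: define SYS$SINGLE_SIGNON as a system-wide, executive-mode
$ !    logical name. Its value is treated as a bit mask; value 1 (bit 0) is
$ !    assumed here to switch External Authentication on. Put the same line in
$ !    SYS$MANAGER:SYLOGICALS.COM so the setting survives a reboot.
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$SINGLE_SIGNON 1
$ SHOW LOGICAL SYS$SINGLE_SIGNON
$ !
$ ! 2. User level: set the EXTAUTH flag on the account. The SYSUAF entry is
$ !    still required for UIC, privileges and quotas; only the password check
$ !    moves to the external authenticator.
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> MODIFY SMITH /FLAGS=EXTAUTH
UAF> SHOW SMITH
UAF> EXIT
$ !
$ ! Optional: also set bit 1 (value 2, so 3 in total) to let non-privileged
$ ! EXTAUTH users log in with /LOCAL while the network is down (see the
$ ! /LOCAL question further down this page). Leave it clear in normal
$ ! operation, since it lets those users bypass the external authenticator.
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$SINGLE_SIGNON 3
$ !
$ ! To turn External Authentication off again for the whole system, remove
$ ! the logical name; EXTAUTH flags in the SYSUAF are then ignored.
$ DEASSIGN/SYSTEM/EXECUTIVE_MODE SYS$SINGLE_SIGNON
```

After this, SMITH types the LAN Manager userid and password at the OpenVMS prompts; an account holding SYSPRV can still type `SMITH/LOCAL` at the username prompt and use the SYSUAF password.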
What if the Network is down and I can't login?
If a network connection is required for external authentication, and for some
reason the network is down, then external authentication is not possible. For
this situation, the /LOCAL qualifier exists. When placed after the username
at the login prompt, it informs OpenVMS that local authentication is to be
performed.
Since the use of /LOCAL is effectively overriding the security policy that has
been established by the system manager, it is only allowed under the following
conditions:
When the account being logged in to has SYSPRV as an authorized
privilege. This is typically how the system manager gains access when
the network is down.
When bit 1 is set in the value of the SYS$SINGLE_SIGNON logical name. If
the network problem is going to persist, the system manager may consider
setting this bit to allow non-privileged users who are normally externally
authenticated to log in locally.
NOTE: Until one of these corrective actions is taken (the network is
restored or bit 1 is set), non-privileged externally authenticated users
will not be able to log in.
Which Password should be specified when using /LOCAL?
Every time a user is successfully logged in via external authentication their
network password is copied to their SYSUAF record; this is called Password
Synchronization. So as long as a user regularly logs in to the OpenVMS
system, their password in the SYSUAF will be their current network
password, and this is the password that should be specified when using
/LOCAL.
Does SET PASSWORD change my Network Password?
Yes. If you are an externally authenticated user, the DCL SET PASSWORD
command will send the password change request to the external authenticator.
Does AUTHORIZE change a Network Password?
No. The AUTHORIZE utility only manages fields in the local SYSUAF file.
Using AUTHORIZE to set a password-related field for an externally
authenticated user is effectively a no-op. The one exception to this is when
the password itself is modified; in this case AUTHORIZE also sets the
MigratePwd flag (see below).
How does a System Manager change a User's Network Password?
There are two ways that a System Manager can set an externally authenticated
user's network password:
Use whatever utility is provided by the authenticating network. In the
case of LAN Manager, PATHWORKS provides a NET PASSWORD
command (type NET PASSWORD HELP for more details). Using this
method the new password is propagated out to the network
immediately.
Use AUTHORIZE. In this case AUTHORIZE will also set the
MigratePwd flag (see next question for description of MigratePwd), but
propagation of the new password will not occur until the next time the
user logs in to the OpenVMS system.
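The two methods side by side, as an added example that is not part of the original FAQ. The account name SMITH and the placeholder password are hypothetical; the arguments of PATHWORKS NET PASSWORD are not given on this page, so only its HELP invocation is shown.

```dcl
$ ! Added example, not part of the original FAQ. Account SMITH is hypothetical.
$ !
$ ! Method 1: reset through the network's own tool. The new password is
$ ! propagated to the LAN Manager domain immediately. The exact arguments
$ ! are not documented on this page; ask PATHWORKS for them:
$ NET PASSWORD HELP
$ !
$ ! Method 2: reset through AUTHORIZE. The new password is written to the
$ ! SYSUAF and AUTHORIZE sets the MigratePwd flag; it reaches the LAN Manager
$ ! domain only when SMITH next logs in to this OpenVMS system (Password
$ ! Migration). Until then the network still accepts the OLD password, and
$ ! a user who never logs in here again never gets the new one.
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> MODIFY SMITH /PASSWORD=Placeholder-Choose-Your-Own
$ ! SHOW displays the account's flags, so MigratePwd should now be listed.
UAF> SHOW SMITH
UAF> EXIT
```

Prefer Method 1 when the change must take effect on the network at once (for example after a suspected compromise); Method 2 is adequate when the user logs in to this system regularly.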
What are ExtAuth and MigratePwd?
ExtAuth and MigratePwd are two new user flags in the SYSUAF record. They
can be set/read both by the AUTHORIZE utility and by the
$GETUAI/SETUAI system services.
ExtAuth is used to indicate that the user should be externally
authenticated. Note that for an externally authenticated user to be able
to log in, single signon also needs to be enabled at the system level, i.e.
the SYS$SINGLE_SIGNON logical name must be defined.
MigratePwd is used to indicate that the password currently stored in
the SYSUAF record is to be migrated out to the network. When set it
effectively means that the password in the SYSUAF record is newer
than the network password, and that it should be propagated out to the
network as soon as possible. This migration will occur automatically
the next time the user logs in to the OpenVMS system. This feature is
known as Password Migration or Reverse Password Synchronization.
What if I don't want External Authentication?
External Authentication is disabled by default. If you don't want to use
External Authentication, do nothing.
Why is the Username echoing in Lowercase?
Externally authenticated users now enter their external userid at the
OpenVMS username prompt. Since it is possible that userids may be
case-sensitive, LOGINOUT can no longer force the userid to uppercase. This
is a permanent change to the way LOGINOUT behaves and occurs regardless
of whether Single SignOn is enabled or disabled.
Last Updated: 18 April 1996