Services for Macintosh Authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Authentication

With Services for Macintosh, Macintosh computers need only the Macintosh operating system to function as clients; no additional software is required. You can, however, set up and distribute the Microsoft user authentication module (MSUAM), which lets Macintosh clients securely log on to computers running Services for Macintosh using the same method as Windows clients.

The Apple standard UAM provides only minimal encryption and so user passwords can be easily intercepted on the local area network (LAN) or Internet. MSUAM is a stronger password encryption method used to log on to a computer running Services for Macintosh. MSUAM encrypts passwords and stores them on the computer running Services for Macintosh. You can either set up, or instruct Macintosh users to set up, the authentication file for MSUAM on their Macintosh computers over the network. Although MSUAM is not required, it provides secure encrypted authentication to servers running Services for Macintosh.

If MSUAM is set up on a client computer, the Require strong authentication (NTLMv2) check box is selected by default. Selecting this check box requires users to authenticate only to servers that implement NTLMv2. This setting prevents users from authenticating to servers that are running Windows NT 4.0 without Service Pack 3 and to other operating systems that cannot authenticate using NTLMv2. However, users can clear the Require strong authentication (NTLMv2) check box to allow themselves to authenticate to servers that do not implement NTLMv2. Using NTLMv2 helps eliminate man-in-the-middle attacks in which an attacker tries to force authentication using the less secure LAN Manager (LM) authentication protocol.

The default setting for NTLMv2 authentication is restored every time users log off. If users clear the Require strong authentication (NTLMv2) check box, a message box appears, warning them of the security risk of doing so. However, users can still clear the check box and authenticate using a weaker protocol, putting your network at risk.

With MSUAM, users can also specify a domain when they log on or change their passwords. This feature ensures that, if they have accounts in multiple domains, the correct one will be used. (To specify a domain, users type DomainName\UserName in Name.)

Different versions of the Mac OS use different default authentication methods. Ensure that you check the appropriate Mac OS documentation before you configure authentication methods for Macintosh users. For information on authentication and remote access security in the Windows Server 2003 family, see Remote Access Security.