Microsoft User Authentication Module (UAM) For MacOS Classic
v5.0.11
March 2002
© Microsoft Corporation, 2001-2002. All Rights Reserved.

CONTENTS

1. Introduction
1.1 Benefits of using the Microsoft® UAM
2. Installing the Microsoft® UAM
2.1 Minimum Requirements
2.2 Installation
3. Keychain Notes
4. Passwords
4.1 Using passwords with extended characters
4.2 Using blank passwords
4.3 UAM Password properties for pre-Windows 2000 Servers
4.4 UAM Password properties for Windows 2000 and later Servers
4.5 Changing your password on Windows 2000 or older Servers
5. Authenticating Using Domain Credentials
6. Requiring Strong Authentication (NTLMv2)

1 Introduction

The Microsoft UAM provides a superior method for encrypting the passwords that you use to log into Windows AFP Servers. The standard Apple UAM provides only minimal encryption (if any), so your password could easily be intercepted on the LAN or Internet.

1.1 Benefits of using the Microsoft® UAM

* Password expiration notices when your password is within 14 days from expiring
* You can safely and securely change your Windows domain password from your Mac!
* When authenticating against Windows 2000 or later Servers, you will enjoy:
  - Strong 128 bit NTLMv2 encryption
  - Password limit of 64 characters
  - Case sensitive passwords

2 Installing the Microsoft® UAM

2.1 Minimum Requirements

To use the Microsoft® UAM, your computer must meet the following minimum requirements:

* Processor: PowerPC
* Operating System: MacOS 8.5 or later

2.2 Installation

To install the MS UAM, just drop the MS UAM binary inside your "AppleShare Folder" that is located inside your System Folder. If you do not have an AppleShare Folder because this is the first time you are installing the MS UAM, you will need to create one.

NOTE: Make sure the Chooser and Network Browser are closed before copying the binary. Otherwise, you will need to close and restart them before you can use the new MS UAM.
3 Keychain Notes

If you saved a password in your Keychain for a server, whenever you access the server you will not be presented the Microsoft® UAM login dialog unless there is an authentication or other failure. If you wish to see the login dialog and ignore the stored credentials in the keychain to perform another action (e.g. to change your password), then you must hold down the command key while you invoke the Microsoft® UAM. This will force the Microsoft® UAM to bypass the keychain and present the login dialog.

4 Passwords

4.1 Using passwords with extended characters

The Microsoft UAM does not support changing your password to one that contains characters generated using the option key. This is because there is no way to correctly map Macintosh extended characters to Windows extended characters.

4.2 Using blank passwords

For security reasons, the Microsoft UAM no longer supports blank (or null) passwords. If you are required to use a blank password, you can use the Apple standard UAM since no encryption is necessary.

4.3 UAM Password properties for pre-Windows 2000 Servers

* Passwords can be no longer than 14 characters in length.
* Passwords are upper-cased, so they are case insensitive.

4.4 UAM Password properties for Windows 2000 and later Servers

* Passwords can be up to 64 characters in length.
* Passwords are case sensitive.

4.5 Changing your password on Windows 2000 or older Servers

When changing your password, these servers only accept new passwords of at most 14 characters. Use a Windows Client to change your password if it is longer than 14 characters. Windows Server 2003 will support changing to a password length of up to 64 characters.
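The password rules in section 4 can be expressed as a small client-side check. The following is an added example, not code from the Microsoft UAM; the rule values (14 and 64 characters, upper-casing on pre-Windows 2000 servers, no blank passwords, no Option-key extended characters) come from sections 4.1 to 4.4, and the server-generation labels and the `check_password` / `same_effective_password` functions are this example's own. The second function shows the practical consequence of upper-casing: on a pre-Windows 2000 server, two passwords that differ only in case are the same password.

```python
# Added example: apply the password rules stated in sections 4.1-4.4 of the
# Microsoft UAM README. Not code from the UAM itself; the generation labels
# below are constructed for this example.

from dataclasses import dataclass, field
from typing import List

PRE_WINDOWS_2000 = "pre-Windows 2000"
WINDOWS_2000_OR_LATER = "Windows 2000 or later"

# Maximum password length the UAM accepts per server generation (4.3 / 4.4).
MAX_LENGTH = {
    PRE_WINDOWS_2000: 14,
    WINDOWS_2000_OR_LATER: 64,
}


@dataclass
class PasswordCheck:
    """Result of applying the README's rules to one candidate password."""
    accepted: bool
    problems: List[str] = field(default_factory=list)
    # The form the server actually compares: upper-cased on pre-Windows 2000
    # servers (4.3), unchanged and case sensitive otherwise (4.4).
    effective_password: str = ""


def check_password(password: str, server_generation: str) -> PasswordCheck:
    if server_generation not in MAX_LENGTH:
        raise ValueError(f"unknown server generation: {server_generation!r}")
    problems = []

    # 4.2: the UAM no longer accepts blank (null) passwords.
    if password == "":
        problems.append("blank passwords are not supported by the Microsoft UAM")

    # 4.1: Option-key characters fall outside 7-bit ASCII and cannot be
    # mapped reliably to Windows extended characters.
    if any(ord(ch) > 0x7F for ch in password):
        problems.append("extended (Option-key) characters cannot be mapped to Windows")

    # 4.3 / 4.4: the length limit depends on the server generation.
    limit = MAX_LENGTH[server_generation]
    if len(password) > limit:
        problems.append(f"longer than the {limit} characters allowed on {server_generation} servers")

    # 4.3: pre-Windows 2000 servers upper-case the password, so letter case
    # contributes nothing to its strength there.
    effective = password.upper() if server_generation == PRE_WINDOWS_2000 else password

    return PasswordCheck(accepted=not problems, problems=problems, effective_password=effective)


def same_effective_password(a: str, b: str, server_generation: str) -> bool:
    """True if the server cannot tell passwords a and b apart after its normalisation."""
    return (check_password(a, server_generation).effective_password
            == check_password(b, server_generation).effective_password)


if __name__ == "__main__":
    # Constructed sample passwords covering each rule.
    samples = [
        ("Secret42", PRE_WINDOWS_2000),
        ("correct horse battery staple!", PRE_WINDOWS_2000),
        ("correct horse battery staple!", WINDOWS_2000_OR_LATER),
        ("", WINDOWS_2000_OR_LATER),
        ("caf\u00e9", WINDOWS_2000_OR_LATER),
    ]
    for pw, gen in samples:
        result = check_password(pw, gen)
        print(f"{pw!r:34} {gen:22} accepted={result.accepted} {result.problems}")
    print("case-only difference invisible on pre-Windows 2000:",
          same_effective_password("Secret42", "sECRET42", PRE_WINDOWS_2000))
```

The `effective_password` field is the point of the example: a 14-character, case-folded password on a pre-Windows 2000 server has far less keyspace than the same characters on a Windows 2000 or later server, which is why the README's section 1.1 lists the 64-character, case-sensitive limits as a benefit of newer servers.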
5 Authenticating Using Domain Credentials

To authenticate to an SFM Server using domain credentials, enter your domain and user name in the "Name" field as follows:

domain\username

For example, if you belonged to the domain "seattle" and your user name was "fred", you would enter "seattle\fred" in the Name field of the UAM login dialog. Note that in most cases, you will not be required to enter your domain name.

6 Requiring Strong Authentication (NTLMv2)

As of Microsoft UAM version 5.0.10, there is a new checkbox labeled "Require strong authentication (NTLMv2)" in the main UAM login dialog. This checkbox, when checked, tells the MS UAM not to authenticate to servers that do not support the stronger NTLMv2 authentication protocol. If you uncheck this item, the Microsoft UAM will authenticate to Servers that may only support weaker protocols, thereby increasing the risk of your password being compromised on the network. The Microsoft UAM will remember the setting between uses.

It is recommended that this checkbox be checked by all users who are authenticating to Windows 2000 or newer SFM Servers. To authenticate to SFM Servers running NT 4.0 or older, you will need to have this option unchecked.
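Sections 5 and 6 describe two decisions the login dialog makes before any credentials leave the Mac: how the Name field is split into domain and user name, and whether to proceed at all when the "Require strong authentication (NTLMv2)" checkbox is set. The following is an added example of that decision logic, not code from the Microsoft UAM. The protocol labels are constructed for the example: "NTLMv2" stands for the strong protocol the README names, and "LEGACY" is a stand-in for whichever weaker protocols an NT 4.0 or older server offers; `parse_name_field`, `choose_protocol` and `plan_login` are this example's own names.

```python
# Added example: the Name-field parsing (section 5) and the NTLMv2 checkbox
# policy (section 6) from the Microsoft UAM README, as plain decision logic.
# Not the UAM's own code; protocol labels are constructed for the example.

from typing import Iterable, Optional, Tuple

STRONG = "NTLMv2"   # the protocol the README calls "strong authentication"
LEGACY = "LEGACY"   # constructed stand-in for the weaker protocols of older servers


def parse_name_field(name: str) -> Tuple[Optional[str], str]:
    """Split 'domain\\username' into (domain, username).

    Section 5: the domain is optional and usually not required, so a name
    with no backslash is returned with domain None.
    """
    if "\\" in name:
        domain, username = name.split("\\", 1)
        return (domain or None), username
    return None, name


def choose_protocol(server_protocols: Iterable[str], require_ntlmv2: bool) -> Optional[str]:
    """Return the protocol to authenticate with, or None to refuse.

    Section 6: with the checkbox checked the UAM must not authenticate to a
    server that lacks NTLMv2; unchecked, it falls back to a weaker protocol
    and the password is exposed to that protocol's weaknesses on the wire.
    """
    offered = set(server_protocols)
    if STRONG in offered:
        return STRONG
    if require_ntlmv2:
        return None          # checkbox checked: never downgrade
    if LEGACY in offered:
        return LEGACY        # checkbox unchecked: downgrade accepted by the user
    return None              # nothing usable offered


def plan_login(name: str, server_protocols: Iterable[str], require_ntlmv2: bool) -> dict:
    """Combine both decisions into what the dialog would do for one login attempt."""
    domain, username = parse_name_field(name)
    protocol = choose_protocol(server_protocols, require_ntlmv2)
    return {
        "domain": domain,
        "username": username,
        "protocol": protocol,
        "proceed": protocol is not None,
    }


if __name__ == "__main__":
    # Constructed scenarios: the README's "seattle\fred" against a server that
    # offers NTLMv2, and against an older server that offers only weaker protocols.
    print(plan_login("seattle\\fred", [STRONG, LEGACY], require_ntlmv2=True))
    print(plan_login("seattle\\fred", [LEGACY], require_ntlmv2=True))   # refused
    print(plan_login("fred", [LEGACY], require_ntlmv2=False))           # downgraded
```

Because `choose_protocol` prefers NTLMv2 whenever the server offers it, unchecking the box only changes behaviour against servers without NTLMv2; that matches the README's advice to leave it checked for Windows 2000 or newer SFM servers and uncheck it only for NT 4.0 or older ones.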