1

I have a server that I have technicians who need to be able to access using shared credentials. However, doing that violates our security policy (!). I need each user to be able to authenticate using their own credentials, but the server in question has to be logged in with a certain login (these two requirements are clearly diametrically opposed).

I thought that this would be a great application for a RADIUS server. I know how to set up RADIUS to go from Windows --> Cisco, but I have no idea how to use RADIUS to authenticate Windows --> Windows.

Can this be done? If so, how?

mfinni
  • 36,892

3 Answers

1

Put the machine in your domain. Leave the application login on the console session. License it as a TS server and let them login to it via RDP with their domain accounts.

/edit- OK, I didn't understand that. My solution still works - if it's in the domain (or in a domain that trusts your domain), then they can authenticate and access via CIFS/SMB, or anything else that uses Windows authentication. To have Windows actually authenticate against something other than a local SAM or a domain, you have to replace the GINA; there is no built-in functionality for selecting other sources of authentication. That's what the GINA is for - if you want to use (or build) other authentication options. MS doesn't make any other GINAs, as far as I know. pGina says it will work with RADIUS; I haven't used it myself, but I know that it's been around for quite some time.

mfinni
  • 36,892
0

Hmm ... an interesting question. After a quick google, I came across a forum post that gave me an idea.

Dial-up Networking: use login via dial-up networking to log in over a VPN. This might allow you to track logins.

JamesBarnett
  • 1,149
0

Here's a crazy idea...

Have the techs each have their own logins, but then runas an explorer shell for the shared account. That way the login of each tech can be logged in Event Viewer, but they can still access the ghost program under its specific login.

Think of it as the Ghetto Windows Sudo (TM).

First:

  • Create logins for each of the techs.
  • Make sure logins & privilege use are being logged by Windows.

To change to the shared account:

  • In a command prompt type: runas /user:sharedaccount cmd (to create a command prompt running as the shared account)
  • Ctrl+Alt+Delete
  • Kill the explorer.exe process
  • In the shell window type: explorer.exe

To get back to the tech's personal account:

  • Ctrl+Alt+Delete
  • Kill the explorer process
  • File --> New Task --> type: explorer.exe --> Click OK
  • Click on the start menu to confirm your explorer shell is running as the tech's personal account

JamesBarnett
  • 1,149
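The runas approach above only satisfies the policy if somebody actually ties the shared-account activity back to the technician who started it. Windows records that link as Security event 4648 ("A logon was attempted using explicit credentials"): the Subject fields name the technician's own session, the Target fields name the account runas was given. The following PowerShell is an added example, not part of the answer or of any product it mentions; it assumes the Logon audit subcategory is enabled (the answer's "make sure logins are being logged" step), that it is run from an elevated prompt because the Security log needs administrator rights, and it uses the answer's placeholder name sharedaccount.

```powershell
# Added example (not from the original answer): report which technician used
# runas to start processes as the shared account, by reading Security event
# 4648, which Windows logs in the *calling* user's context whenever another
# account's credentials are supplied explicitly.
# Assumptions: Audit Logon is enabled, the prompt is elevated, and
# 'sharedaccount' stands in for the real shared login (placeholder from the answer).

function Get-SharedAccountUse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SharedAccount,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    # FilterHashtable lets the event log do the filtering instead of pulling
    # every Security event into PowerShell first.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4648
        StartTime = $Since
    } -ErrorAction SilentlyContinue   # no matching events is not an error

    foreach ($evt in $events) {
        # Event properties are easiest to read by name from the event XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only explicit-credential logons whose target is the shared account
        # (-ne is case-insensitive in PowerShell, matching Windows account names).
        if ($data['TargetUserName'] -ne $SharedAccount) { continue }

        [pscustomobject]@{
            Time          = $evt.TimeCreated
            Technician    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            SharedAccount = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Process       = $data['ProcessName']      # process that requested the logon
            SubjectLogonId = $data['SubjectLogonId']  # joins to the tech's own 4624 logon
        }
    }
}

# Usage: every use of the shared account in the last week, oldest first.
Get-SharedAccountUse -SharedAccount 'sharedaccount' |
    Sort-Object Time |
    Format-Table -AutoSize
```

Event 4648 is also written for other explicit-credential use (mapped drives with alternate credentials, scheduled tasks and so on), so the Process column is there to tell those apart from the runas shells, and SubjectLogonId can be joined to the technician's own 4624 logon event to see which interactive session the runas came from.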