VMS authentication to Windows AD

Michael D. Ober

Jan 22, 2004, 10:01:05 AM
I need to have my users periodically change their passwords, but most of
them are computer illiterate (they have no idea what a command line is and
sometimes have a hard time logging into a Windows Domain without help). Is
there any way to have VMS authenticate to a Windows 2000 AD Domain? I'm
reasonably sure I can train them to change their passwords when prompted by
the domain.

TCPIP SHO VER returns

Compaq TCP/IP Services for OpenVMS Alpha Version V5.3 - ECO 2
on a AlphaServer 1200 5/533 4MB running OpenVMS V7.3-1

Thanks,
Mike Ober.


Michael D. Ober

Jan 22, 2004, 2:02:38 PM
I just read the Kerberos thread and will monitor it. It appears I'll have
to wait until VMS 8.2 for one network/one password integration.

Mike.

"Michael D. Ober" <obermd-.@.-alum-mit-edu-nospam> wrote in message
news:SARPb.10$1b1....@news.uswest.net...

Peter 'EPLAN' LANGSTOEGER

Jan 22, 2004, 4:21:43 PM
In article <SARPb.10$1b1....@news.uswest.net>, "Michael D. Ober" <obermd-.@.-alum-mit-edu-nospam> writes:
>I need to have my users periodically change their passwords, but most of
>them are computer illiterate (they have no idea what a command line is and
>sometimes have a hard time logging into a Windows Domain without help). Is
>there any way to have VMS authenticate to a Windows 2000 AD Domain? I'm
>reasonably sure I can train them to change their passwords when prompted by
>the domain.

Check the VMS docs for "external authentication" and/or "ACME".
This means, with the help (of a part) of the Advanced Server
VMS users can authenticate with the LanMan-Domain passwords.

PWRK$ACME_DEFAULT_DOMAIN "lanman-domain"
PWRK$ACME_MODULE SYS$SHARE:PWRK$ACME_MODULE_arch.EXE
SYS$ACME_MODULE PWRK$ACME_MODULE
SYS$SINGLE_SIGNON bitmask (eg. 3 or 80000003)

Check for /FLAG=EXTAUTH in AUTHORIZE, too

--
Peter "EPLAN" LANGSTOEGER
Network and OpenVMS system specialist
E-mail pe...@langstoeger.at
A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist

Richard B. Gilbert

Jan 22, 2004, 10:28:45 PM
External authentication has been possible since VMS V7.2-1 and possibly
before then. I never tried it because:
a. I didn't need it, and
b. I'd hate to trust my security to Microsoft!

RTFM for the details.

Andrew Harrison SUNUK Consultancy

Jan 23, 2004, 5:51:22 AM
Richard B. Gilbert wrote:
> External authentication has been possible since VMS V7.2-1 and possibly
> before then. I never tried it because:
> a. I didn't need it, and
> b. I'd hate to trust my security to Microsoft!
>

You don't have to.

Assuming that VMS can support external authentication using
LDAP then install a 3rd party LDAP server that has an AD
gateway, point your VMS boxes at the LDAP server and your
windows boxes at the AD server(s) and let the gateway keep
the passwords etc in sync.

Regards
Andrew Harrison

PEN

Jan 22, 2004, 11:24:03 AM
Hi Mike,

Yes you can. You need to install, configure, and run Advanced Server for
OpenVMS and modify users' OpenVMS accounts (in sysuaf.dat) to include the
flag EXTAUTH.

Advanced Server for OpenVMS can participate in your Windows 2000 domain as a
Member server.

If the user's Windows domain username doesn't match their OpenVMS username,
use the command:

$ ADMIN ADD HOSTMAP <domain-username> <OVMS-username>

to associate the two (Advanced Server must be running).

Once the extauth flag is set, the user is no longer validated against the
sysuaf username/password, but instead their Windows domain username and
password (case sensitive, of course). When they change their domain
password, the next time they log in to OpenVMS, it triggers a sync of their
sysuaf account password (just in case the user stops using extauth or they
have some network (aka client/server) app that accesses sysuaf.dat directly
to verify a user's credentials).

Best of all, no license required if you use Advanced Server for extauth
only. The Advanced Server client access licenses are necessary only if you
wish to allow your Windows clients to map to file/print shares served by
Advanced Server for OpenVMS.

Highly recommend you obtain the latest/greatest release - v7.3A ECO2 -
available on the ITRC ftp site ftp://ftp.itrc.hp.com/. Look for a saveset
named

CPQ-AXPVMS-ADVANCEDSERVER-V0703-A2-1.PCSI-DCX_AXPEXE

(I can't currently get to the site to confirm ECO2 is now there)...

HTH,


Paul

"Michael D. Ober" <obermd-.@.-alum-mit-edu-nospam> wrote in message
news:SARPb.10$1b1....@news.uswest.net...
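
The steps in the post above (set the EXTAUTH flag, then add a host map entry where the names differ), as an added example that is not part of the original thread and is not the poster's or HP's code: a Python generator that turns a user roster into the AUTHORIZE and ADMIN ADD HOSTMAP commands. The roster, the function names, the username check and the case-insensitive name comparison are assumptions made for this example.

```python
import re

# OpenVMS usernames: 1-12 characters from A-Z, 0-9, $ and _ (stored uppercase).
VMS_USER = re.compile(r"^[A-Z0-9$_]{1,12}$")

# Constructed sample roster: (Windows domain username, OpenVMS username).
ROSTER = [
    ("jsmith", "JSMITH"),
    ("maryj", "MJONES"),
    ("bwilson", "WILSON_B"),
]


def extauth_commands(roster):
    """Return (uaf_lines, dcl_lines) needed to switch the roster to EXTAUTH."""
    uaf, dcl, seen = [], [], set()
    for domain_user, vms_user in roster:
        vms = vms_user.upper()
        if not VMS_USER.match(vms):
            raise ValueError(f"not a valid OpenVMS username: {vms_user!r}")
        # Roster sanity check (this generator's own rule, not a VMS rule).
        if vms in seen:
            raise ValueError(f"OpenVMS username listed twice: {vms}")
        seen.add(vms)
        # Flag the SYSUAF record so login is validated against the domain.
        uaf.append(f"MODIFY {vms} /FLAGS=EXTAUTH")
        # A host map entry is only needed when the two names differ
        # (compared case-insensitively here, which is an assumption).
        if domain_user.upper() != vms:
            dcl.append(f"$ ADMIN ADD HOSTMAP {domain_user} {vms}")
    return uaf, dcl


def render(roster):
    """Render a DCL command procedure: AUTHORIZE input first, then host maps."""
    uaf, dcl = extauth_commands(roster)
    # Lines without a leading "$" are read by AUTHORIZE as its input.
    lines = ["$ RUN SYS$SYSTEM:AUTHORIZE"] + uaf + ["EXIT"] + dcl
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(ROSTER))
```

The generated procedure assumes it runs from an account privileged to modify SYSUAF, with SYSUAF reachable from the current default, and with Advanced Server already running for the host map lines.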

Ruslan R. Laishev

Jan 24, 2004, 3:45:31 PM
Hi Michael,
RADIUS server for OpenVMS can interact with M$ Windows PDC/BDC.

Have a look at www.radiusvms.com

Michael D. Ober wrote:

--
Cheers, Ruslan.
+---------------------pure personal opinion------------------------+
RADIUS Server for OpenVMS project - www.starlet.spb.ru/radiusvms/
TKD (WTF) in Russia, St.-Petersburg - www.TaeKwonDo-WTF.SPb.RU
