Pam_Kerberos-centric, 290–92
approaches, 291–92
architectures, 292
defined, 290
Pam_LDAP-centric, 290
with AD, 290
architecture, 291
password management, 290
Pam_unix-centric, 288–89
architecture, 289
user authentication, 288–89
Passport, 241–59
account key, 245
authentication exchange, 243–46
authentication messages, recognizing, 257–58
authentication revisited, 252–54
authentication sequence, 244, 253
authentication trace, 258
cookies, 242, 248–52
credentials, 245, 246, 247
domain authority server, 246
futures, 258–59
HTTP use, 241
infrastructure, 242–43
infrastructure illustration, 243
JavaScript code use, 242
login dialog box, 246
Nexus servers, 243
registration, 247
spoofing problem, 245
SSL use, 242
SSO technology, 255
user information privacy and, 255–56
Windows Server 2003, 246–48
Windows Server 2003 integration, 256–58
Windows XP, 246–48
Passport-based authentication, 223
Passport-enabling Web technologies, 241–42
Password Reset Disk (PRD), 662
creating, 662
floppy disk, 662
private key, 663
using, 663
Passwords
credentials, 46–60
enhancing, quality, 51–60
machine, 60
policy settings, 51
quality, checking, 53–60
user, guidelines, 51–53
Password synchronization, 281–86
AIX, 282
architecture, 283, 285
defined, 282
SFU, 282–85
solutions, 286
UNIX to Windows architecture, 285
Windows to UNIX architecture, 283
Permissions
on administrator accounts, 377–78
autoenrollment, 549
CAS, 404–6
default, for self security principal, 389
default share, 359
effective, 360–61
NTFS root directory, 359
restrictive, 360
undelegating, 384
user rights vs., 380–81
Physical certificate stores, 478–80
details, 480
Group Policy container, 479
illustrated, 475
Local Computer container, 478
Registry container, 478
User Certificate container, 479
viewing, 479
See also Certificate stores
PKI-based SSO, 307–8
authentication, 307
defined, 307
solutions, 308
token-based SSO vs., 307
PKI-enabled applications (PKA), 480, 643–85
building, 605–6
EFS, 643–67
leveraging smart cards/USB tokens for, 679–85
revocation checking support, 591–92
S/MIME, 667–79
user, 574
PKINIT
defined, 186
mapping master key to, 189
trust model, 189
PKI trust models, 496–515
constrained, 502–15
hierarchical, 497–98
hybrid, 502
multiple CAs, 496–97
networked, 499–501
overview, 515
PKIView tool, 458, 459
Platform for Privacy Preferences (P3P), 256
Pluggable Authentication Module (PAM), 264–66
account management modules, 265–67
architecture, 265
defined, 264
modules, 266
pam_kerberos module, 266, 290–92
pam_ldap module, 266, 290
pam_sso module, 278
pam_unix module, 266, 278, 288–89
protocols, 264
SSPI vs., 266
Policy Constraints, 512–15
defined, 512–13
inhibit policy mapping example, 514
policy constraint types, 513–14
require explicit policy example, 514
sample, 536–40
Policy.inf file
defining trust constraints using, 532
section header/tags, 533–35
syntax, 532–35
See also CAPolicy.inf file
Policy Mappings, 511–12
for cross-certified CAs example, 512
for PKI user example, 513
Preauthentication
benefits, 183
data, 183–84
defined, 183
See also Kerberos
Private key properties, 489–91
exportability, 489–90
strong protection, 490–91
Private key storage, 480–91
dedicated hardware device, 481–87
physical, 481–87
software-based, 481
Windows architecture, 487–91
Privilege Attribute Certificate (PAC), 174, 181–83
content, 182
defined, 181
Property-based ACEs, 349–50
in ACL editor, 350, 351
illustrated, 349
Provisioning systems, 14–17
defined, 14
goal, 15
Microsoft (MPS), 25–26
partners, 16
software services/components, 16
solutions, 17
standardization, 17
Proxy accounts, setting up, 204
Public key infrastructure (PKI), 441–91
Active Directory, 452–59
administration/troubleshooting tools, 640–41
administrative roles, 627
administrative roles and associated tasks, 628
Backup Operator role, 629
building, 603–32
CA hierarchies, 316
certificates, 463–80
Certificate Server, 444–53
core components, 444–91
CryptoAPI, 459–63
Enrollee role, 629
extensibility, 443–44
flexibility, 443
GPO settings, 633
history, 441–42
interoperability, 443
introductory resources, 441
maintaining, 632–40
organizational needs, 604–7
policy definition, 608–10
pricing, 444
public key storage, 480–91
reduced TCO, 444
roles, assigning, 626
scalability, 443
software, reasons to use, 443–44
timeline, 442
trust, 493–543
trust terminology, 495–96
user trust management, 515–21
See also PKI trust models
Public key storage, 480–91
Pwdump3, 58