Single SignOn Frequently Asked Questions

This page answers some of the common questions asked about the Single SignOn feature that is shipping in OpenVMS V7.1. For more detail on specifics, refer to the Project Description or the Documentation. If you're already using Single SignOn and are having difficulties, check out the Trouble-Shooting Guide.

What is Single SignOn?

Single SignOn allows a user to log on (or sign on) to the network, rather than just to an individual system. Once logged on, the user can access the services and objects within the network, on whichever system(s) they reside, without the need for additional signon sequences. This functionality is being phased in to OpenVMS over a number of releases, starting in V7.1 with the inclusion of External Authentication.

What is External Authentication?

External Authentication is the first deliverable in the Single SignOn project. It is present in OpenVMS V7.1. External Authentication allows a user who is logging in to OpenVMS to be authenticated by an external entity. In other words, OpenVMS does not go to the System Authorization File (SYSUAF) to validate the user's password; the external entity validates it instead.

Who can act as an External Authenticator?

In V7.1 the only supported External Authenticator is the PATHWORKS authentication module. This module provides LAN Manager authentication, thereby allowing users to log in to the OpenVMS system using their LAN Manager (Windows) userid and password.

Where do I get the software from?

The framework and support for External Authentication is built into the OpenVMS V7.1 operating system. The PATHWORKS LAN Manager authentication module is part of the PATHWORKS V5.0E(??) kit. It is also available from the Single SignOn Installation page.

Do users still need a SYSUAF entry?

Yes. Although the password from the SYSUAF entry is not used, in order to create the user process OpenVMS still needs to know which UIC to use, which privileges to grant, which quotas to give, etc.
These all come from the user's SYSUAF entry. Put another way, the external authenticator decides whether the user is who they claim to be; the SYSUAF entry still decides what that user is allowed to do on the OpenVMS system.

What do I enter at the Username/Password Prompts?

At the OpenVMS username prompt, an externally authenticated user must enter their external (or network) userid. In the case of LAN Manager this is their Windows userid, which may or may not be the same as their OpenVMS username. At the OpenVMS password prompt, an externally authenticated user must enter their external (or network) password. In the case of LAN Manager this is their Windows password.

How is External Authentication Enabled?

External Authentication is controlled at two levels:

  - At the system level, it is enabled by defining the SYS$SINGLE_SIGNON logical name. If this logical name is not defined, external authentication is off regardless of any other settings.

  - At the user level, by a new flag in the SYSUAF record. When set, the EXTAUTH flag denotes that the user is to be externally authenticated.

By default, External Authentication is disabled at both the system and user levels.

What if the Network is down and I can't login?

If a network connection is required for external authentication, and for some reason the network is down, then external authentication is not possible. For this situation, the /LOCAL qualifier exists. When placed after the username at the login prompt (for example, SMITH/LOCAL), it informs OpenVMS that local authentication, against the password in the SYSUAF record, is to be performed. Since the use of /LOCAL effectively overrides the security policy established by the system manager, it is only allowed under the following conditions:

  - When the account being logged in to has SYSPRV as an authorized privilege. This is typically how the system manager gains access when the network is down.

  - When bit 1 (value 2) is set in the SYS$SINGLE_SIGNON logical name. If the network problem is going to persist, the system manager may consider setting this bit to allow non-privileged, normally externally authenticated, users to log in locally. Clearing the bit again once the network is restored puts the original policy back in force.
NOTE: Until one of these corrective actions is taken, non-privileged externally authenticated users will not be able to log in at all while the network is down.

Which Password should be specified when using /LOCAL?

Every time a user is successfully logged in via external authentication, their network password is copied to their SYSUAF record; this is called Password Synchronization. So as long as a user regularly logs in to the OpenVMS system, the password in their SYSUAF record will be their current network password, and this is the password that should be specified when using /LOCAL. If the network password has been changed since the user's last successful OpenVMS login, the SYSUAF copy is still the older one. Note that synchronization means the SYSUAF record holds a copy of the network password (in hashed form, like every SYSUAF password), so the SYSUAF must be protected at least as carefully as the network's own authentication database.

Does SET PASSWORD change my Network Password?

Yes. If you are an externally authenticated user, the DCL SET PASSWORD command will send the password change request to the external authenticator.

Does AUTHORIZE change a Network Password?

No. The AUTHORIZE utility only manages fields in the local SYSUAF file. Using AUTHORIZE to set a password-related field for an externally authenticated user is effectively a no-op. The one exception is when the password itself is modified; in this case AUTHORIZE also sets the MigratePwd flag (see below).

How does a System Manager change a User's Network Password?

There are two ways that a System Manager can set an externally authenticated user's network password:

  - Use whatever utility is provided by the authenticating network. In the case of LAN Manager, PATHWORKS provides a NET PASSWORD command (type NET PASSWORD HELP for more details). Using this method the new password is propagated out to the network immediately.

  - Use AUTHORIZE. In this case AUTHORIZE will also set the MigratePwd flag (see the next question for a description of MigratePwd), but propagation of the new password will not occur until the next time the user logs in to the OpenVMS system. Until that login, the SYSUAF password and the network password differ.

What are ExtAuth and MigratePwd?

ExtAuth and MigratePwd are two new user flags in the SYSUAF record. They can be set and read both by the AUTHORIZE utility and by the $GETUAI/$SETUAI system services.
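The enabling procedure (system logical plus SYSUAF flag), the /LOCAL fallback for a network outage, and the two ways of changing an externally authenticated user's password are collected below as one worked DCL session. This is an added example, not code from the original page or from the OpenVMS or PATHWORKS documentation. SMITH is a hypothetical account, and the logical-name values 1 and 3 assume that SYS$SINGLE_SIGNON is a bit mask whose bit 0 enables external authentication and whose bit 1 (value 2) permits /LOCAL for non-privileged users; the FAQ above only says that the logical must be "defined" and that "bit 1" controls /LOCAL.

```dcl
$! Added example (not from the FAQ): enable External Authentication on
$! OpenVMS V7.1, exercise the /LOCAL fallback, and change a password.
$! Assumptions: account SMITH is hypothetical; SYS$SINGLE_SIGNON bit 0
$! (value 1) = enable, bit 1 (value 2) = allow /LOCAL for non-privileged
$! users. The FAQ itself only says "defined" and "bit 1".
$!
$! 1. System level. The definition lasts until reboot; put the same
$!    line in SYS$MANAGER:SYSTARTUP_VMS.COM to make it permanent.
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$SINGLE_SIGNON 1
$ SHOW LOGICAL SYS$SINGLE_SIGNON
$!
$! 2. User level. Mark SMITH for external authentication; the SYSUAF
$!    record is kept because it still supplies UIC, privileges, quotas.
$!    Lines without a leading "$" are fed to AUTHORIZE as its input.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY SMITH/FLAGS=EXTAUTH
SHOW SMITH
EXIT
$!
$! 3. Network down. A SYSPRV-holding account can always bypass the
$!    external authenticator at the login prompt:
$!        Username: SYSTEM/LOCAL
$!        Password: <the SYSUAF password>
$!    SMITH (no SYSPRV) cannot, until bit 1 is also set. Value 3 =
$!    enable + allow /LOCAL for non-privileged users:
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$SINGLE_SIGNON 3
$!    Now "SMITH/LOCAL" works with the password last synchronized into
$!    SYSUAF, i.e. SMITH's network password as of the last successful
$!    external login. Revert to value 1 once the network is back so the
$!    site policy is enforced again:
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$SINGLE_SIGNON 1
$!
$! 4. Password change by the system manager.
$!    (a) Through the network's own utility; the change is immediate.
$!        The FAQ says PATHWORKS supplies NET PASSWORD (NET PASSWORD HELP
$!        for its options), so only the bare command is shown here.
$ NET PASSWORD
$!    (b) Through AUTHORIZE. This updates only SYSUAF and sets the
$!        MigratePwd flag; the new value reaches the network at SMITH's
$!        next OpenVMS login. "NewPassword1" is a placeholder.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY SMITH/PASSWORD=NewPassword1
SHOW SMITH
EXIT
$!    The SHOW output's Flags line should now list both ExtAuth and
$!    MigratePwd (exact spelling of the display is an assumption).
```

Run it from a privileged account (CMKRNL/SYSPRV are needed for the /SYSTEM/EXECUTIVE_MODE definition and for AUTHORIZE to write SYSUAF). Step 3 is the one to treat with care: value 3 deliberately weakens the site policy by letting every externally authenticated user fall back to the SYSUAF copy of their password, so it belongs in an outage procedure, not in the permanent startup file.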
ExtAuth is used to indicate that the user should be externally authenticated. Note that for an externally authenticated user to be able to log in, Single SignOn also needs to be enabled at the system level (the SYS$SINGLE_SIGNON logical name must be defined).

MigratePwd is used to indicate that the password currently stored in the SYSUAF record is to be migrated out to the network. When set, it effectively means that the password in the SYSUAF record is newer than the network password and should be propagated out to the network as soon as possible. This migration occurs automatically the next time the user logs in to the OpenVMS system. This feature is known as Password Migration or Reverse Password Synchronization.

What if I don't want External Authentication?

External Authentication is disabled by default. If you don't want to use External Authentication, do nothing.

Why is the Username echoing in Lowercase?

Externally authenticated users now enter their external userid at the OpenVMS username prompt. Since it is possible that userids may be case-sensitive, LOGINOUT can no longer force the userid to uppercase. This is a permanent change to the way LOGINOUT behaves and occurs regardless of whether Single SignOn is enabled or disabled.

Back to Single-Signon Main Page

Last Updated: 18 April 1996