Chapter 11: Authentication

Helix Universal Proxy authentication provides a way for you to control what or who can access your Helix Universal Proxy, a colleague perusing Helix Administrator, or a user requesting content streamed by Helix Universal Proxy. With this feature, you can configure Helix Universal Proxy to require a valid user name and password before allowing a client to access a particular URL.

To limit visitors to Helix Universal Proxy via bandwidth, connection volume, or IP address, use the methods described in Chapter 9 and Chapter 10.

Overview

Authentication verifies the identity of users that send requests to Helix Universal Proxy. The verification comes in the form of asking for a name and password. To receive requests on behalf of clients, Helix Universal Proxy requires an accounting channel between the requesting client and itself. Helix Universal Proxy uses the accounting channel to request and receive authentication information.

You can require authentication for:

• Administrators —Allow certain people in your organization to use Helix Administrator. To protect changes to your Helix Universal Proxy by unauthorized users, Helix Universal Proxy is installed with authentication enabled for Helix Administrator access.
• Individual users—An additional database can be used to list all potential content users, content sites all users can view, and what type of access they have. Several additional options are available for this type of authentication.

Authentication is a feature also used by some Helix Universal Servers. As a result, some users may be asked more than once for a user name and password—once by Helix Universal Proxy, and once by the Helix Universal Server. In each case, a username and a password is determined as stored by that particular Helix Universal Proxy and Helix Universal Server.

Compatible Client Versions

RealPlayer versions 3 and earlier do not work with authentication and may display an error message. RealPlayer 4 through RealOne Player supports user authentication.

When to Use Authentication

The following are factors in deciding to use this feature:

• You want to restrict user access to content originating from specific locations.
• You want to ensure that only certain users can play streaming media that originates outside your network.
• You want to limit access to content Helix Universal Proxy streams using a more specific method than noting the client's IP address. (The access control list enables access based on the client's address.)
• You want to collect data from users before they play streamed content. (Collecting data is not necessarily part of authentication; it is just something you can require if you implement authentication.)
• You want to track how much time specific users are playing certain clips.

Understanding Authentication

The authentication feature uses two main components to validate user information and check associated permissions:

• Databases
• Realms

You must use databases and realms to require authentication in both Helix Universal Proxy areas: for Helix Administrator users, and for individual users requesting content.

Databases

Authorized users (administrators or users making media requests) are stored in separate databases. Helix Universal Proxy uses a flat file database structure in its default configuration. For large-scale implementations of authentication, Helix Universal Proxy supports ODBC and MS SQL- compliant, and mSQL databases.

The following table explains the flat file databases automatically installed with Helix Universal Proxy.

Note: Refer to "Authentication Data Storage" for details on the database structure.

Authentication Realms

Authentication realms provide a way to associate databases with a protocol to encrypt their username, passwords, and other information. When you configure a realm, you associate a database with this realm and Helix Universal Proxy references this database to verify a user's credentials.

When you create or edit a realm, you specify the following information:

• An authentication protocol for encryption of user names, passwords, etc.
• An associated database containing user information
• A realm description
• A realm ID

The default realms conform to the following format:

proxyname.RealmId

You do not have to use this convention, but you must include a period (.) in the realm ID or the realm will not work properly.

The installation process automatically creates the following authentication realms. The following table explains these realms, and their default settings on Helix Universal Proxy:

Authentication Protocols

Authentication protocols determine the password encryption method used by Helix Universal Proxy. The proxy supports three protocols for encrypting user passwords:

• Basic—encodes the user's name and password with the Base64 algorithm and sends it to Helix Universal Proxy, which then decodes the password and verifies it. This protocol sends the user's password over the network or public Internet in a simple manner.
• RealSystem 5.0—also called RN5, is RealNetworks' own encryption protocol, developed for RealServer version 5. If your material will be served to users working with RealNetworks players from version 5 and up, use this authentication protocol. This is a more sophisticated protocol than Basic authentication. For RealNetworks player versions earlier than 5, you must use the basic protocol for backwards compatibility. The earlier versions of RealNetworks players will not work with this protocol.
• Windows NT LAN Manager—this method enables Helix Universal Proxy to use the existing Windows NT or Windows 2000 database of users and groups. It also allows access control of content via NTFS file permissions.

When using NTLM authentication, you need to be aware of the following:

• All users accounts must exist on the local NT computer. NTLM authentication will not work with accounts on other servers within the domain except accounts on a domain server. In this case, you'll need to use the username input value in the form, domainname\username.
• You add all user accounts through the Windows NT User Manager.
• The built in guest account is not available for use in authentication.
• When you select NTLM authentication in Helix Administrator, if you do not specify a user group, all groups are authenticated.
• Blank passwords are not supported.

Note: This method is only available to systems using Windows NT, and Windows 2000 and requires that Helix Universal Proxy itself be installed on the Windows NT or Windows 2000 machine.

Authenticating Helix Administrator Users

At installation, Helix Universal Proxy is configured to prompt for a user name and password for a Helix Administrator user. As stated earlier, the information you enter is added to the Admin_Basic database which is associated with the SecureAdmin realm.

Helix Universal Proxy identifies incoming requests to access Helix Administrator by the protected path /admin that is in the URL request. It automatically prompts for a user name and password and verifies them against the information in the SecureAdmin realm that points to the Admin_Basic database.

You'll need to make informed decisions when modifying the SecureAdmin realm. Doing otherwise can remove your access to Helix Administrator.

To add user names for Helix Administrator authentication using the supplied realm:

1. In Helix Administrator, click Security>Realms.
2. In the Authentication Realms list, select SecureAdmin.
3. Click Add a User to Realm.
4. In the new window that appears, type the user's name in the Name box.
5. In the Password box, assign a password.
6. In the Confirm Password box, type the password again.
7. Click Okay. A message appears; click Close Window.

Tip: Optionally, you can set up a separate database and realm from the one supplied by Helix Universal Proxy during installation. In this case, refer to "Authenticating Users Requesting Content".

Authenticating Users Requesting Content

You need to set up Helix Universal Proxy if you decide to authenticate users trying to access Helix Universal Proxy to deliver either on-demand or live content. When you set up and customize authentication, you must perform the necessary steps in the correct order or authentication will not work. As you are planning your authentication model, remember the DRA (Database- Realm-Authentication) method:

1. Database: First, you must either create a new database, or you must add or verify an existing database in Helix Universal Proxy.
2. Realm: Next, you need to create or use an existing authentication realm pointing to an existing database. Then, add users to this database, (or use a pre-populated one.)
3. Authentication: Finally, you need to enable the feature, and choose a specific realm and database to authenticate users. Optionally, you can

• Identify those sites for which Helix Universal Proxy will not require authentication
• Allow users to view the same content from more than one site

Setting up Databases

Step 1: Optionally, Create a New Database

Helix Universal Proxy includes templates for common database formats. To learn more about database structure and how to use Helix Universal Proxy's database templates, refer to "Understanding Authentication Data".

Step 2: Verify or Add Your Database in Helix Universal Proxy

Any database that contains user information that you want Helix Universal Proxy to use to validate credentials must exist in the Helix Universal Proxy database list. If you plan to use the default flat file database, you simply need to verify that the setup procedure created this database and it exists in Helix Universal Proxy's database list. If you are using an ODBC, MS SQL or mSQL database, you must add it to the Helix Universal Proxy database list.

To verify a default database:

1. In Helix Administrator, select Security>User Databases.
2. Select an existing database.

• To use the default connection database, in the Databases list, verify that the Connect_RN5 database appears.

To add a new database:

Use the instructions below to choose the name and type of database that will store users' names and passwords.

Note: If you're using an ODBC or mSQL database, refer to "Setting Up Other Types of Data Storage" in Appendix C to ensure you've correctly configured your database before you add it to Helix Universal Proxy.

1. In Helix Administrator, select Security>User Databases.
2. Click the "+" icon and type the database name in the Edit Database Name box.
3. From the Database Type list, select the appropriate data storage method: flat file, ODBC, or mSQL.
4. Depending on the database type method you chose, additional information is required.

Flat File needs only the path to the main text file directory. For example, the con_r_db directory under the main Helix Universal Proxy directory. See "Understanding Authentication Data".

mSQL has two required names, and three optional items:

• Host Name—IP address or DNS name of computer where database is stored. (Required field.)
• Database Name—Name of the database. (Required field.)
• Table Name Prefix—Prefix used to make field names unique, when used with an existing database. (Optional field.)
• User Name—Name required by database application. (Optional field.)
• Password—Password required by database application. Re-enter your password in the Confirm Password box to ensure you typed it correctly. (Optional field.)

ODBC uses the same information as mSQL, but ODBC does not ask for a Host Name. (Refer to "Setting Up Other Types of Data Storage" for further instructions.)

5. After filling out the appropriate values, click Apply.

Setting up Realms

A realm contains information about the type of authentication protocol and the database where the authenticated users' names will be stored. To set up a realm for Helix Universal Proxy users, you can either use the default realm ConnectRealm, or you can create a new one.

To use the default realm, ConnectRealm:

1. In Helix Administrator, click Security>Realms.
2. Browse, add usernames and passwords. Refer to "Working with User Names and Passwords".

To create a new realm:

1. In Helix Administrator, click Security>Realms.
2. Click the "+" icon and enter a name for this realm in the Edit Realm Description box.
3. In the Realm ID box, type a name. You will use this name in other areas of Helix Administrator, so make a name that is meaningful to you. The Realm name may also appear to users as part of the name and password prompt.
4. In the Authentication Protocol list, select the authentication method you want to use for this realm:

Helix Universal Proxy has three methods of authenticating the identity of visitors. Each realm can use only one authentication method.

• Basic—encodes the user's name and password with the Base64 algorithm and sends it to Helix Universal Proxy, which then decodes the password and verifies it. You will also need to select a database in which the names and passwords of authenticated users will be stored; refer to "Setting up Databases".
• RealSystem 5.0—also called "RN5", it is RealNetworks' own authentication protocol. This is a more sophisticated protocol than Basic authentication. It provides better security than Basic because it does not send the password in a manner that can be reversed.

You will also need to select a database in which the names and passwords of authenticated users will be stored; refer to "Setting up Databases". In addition, these passwords are encrypted. To change them, refer to "Changing RealSystem 5.0 Authentication Passwords".

• Windows NT Lan Manager—this method allows Helix Universal Proxy to use an existing Windows NT database of user groups and permissions. You do not need to select a database—instead, Helix Universal Proxy will use the NTLM list of names. This protocol uses Windows NTLM authentication.

This method is only available to systems using Windows NT, Windows 2000 and requires that Helix Universal Proxy itself be installed on either a Windows NT or Windows 2000 Server. For authenticating content, it also requires a Web browser and RealNetworks RealOne Player or RealPlayer.

Use the additional steps shown here:

1. Type the appropriate provider in the Provider list, such as NTLM.
2. Optionally, type the Group name in the Group box
3. Click Apply.

Complete these last three steps if you're using Basic or RealSystem 5.0 as an authentication protocol.

1. In the Database list, select the database you want to use for this realm.
2. Browse, add usernames and passwords. Refer to "Working with User Names and Passwords".
3. Click Apply.

Setting up Authentication

To set up authentication in Helix Universal Proxy, you need to turn on the feature, and decide which realm and database to use with authentication. Optionally, you can select sites all users are allowed to visit and allow users to view content from more than one location.

Step 1: Enable the Authentication Feature.

To enable authentication:

1. In Helix Administrator, click Security>Authentication.
2. From the Enable Authentication list, select Yes.

Step 2: Select a Specific Realm

To pick a realm:

• From the Realm list, select ConnectRealm.

If you have set up another Realm, select that name here.

Step 3: Select a Specific Database

To choose a database:

• From the Database list, select Connect_RN5.

If you have set up another database, select that name here. If the realm you selected is using Windows NTLM as an authentication protocol, select None.

Step 4: Optionally Identify Permitted Sites

In this step you choose the sites which all users are allowed to visit without having to supply a user name and password.

To set up permitted sites:

1. In the No-Authenticate Rules area, click the "+" icon. A generic rule name appears.
2. In the Edit Rule Name box, type a name for this rule.
3. Click Edit.
4. In the Host box, type the name of the site to which all users will be permitted access. Use a single asterisk to avoid specificity..

   Naming Scheme for Host

   Use this form...	...to indicate these sites:
   *.org	All sites ending with .org
   example.com	The site named www.example.com,
   *.example.com	Will include www.sports.example.com among others.

Note: Use only one asterisk. For example, *.*.com is not allowed.

5. Click Apply.

Step 5: Optionally Allow Users to Log On From Multiple Locations

If you want a user to be able to use more than one client and view content from more than one location, set Allow Duplicate IDs to Yes. You can also use this option as a method of limiting access to groups. For example, you could set Allow Duplicate IDs to Yes and assign all marketing employees one user name and password, then the entire department could then use this account to view content.

Normally, when Allow Duplicate IDs is set to No, a user can view a given clip from only one computer at a time. If a user tries to log in from a second computer and view the same content, he or she will receive an error message. The user must log out at the first location before being permitted to log in at the second location. Users will still be able to view different content even though they are logged in at different locations.

To allow users to view a clip from more than one location or to permit more than one person to use a single account:

1. In Helix Administrator, select Security>Authentication.
2. From the Allow Duplicate IDs list, select Yes.
3. Click Apply.

Working with User Names and Passwords

Use the following instructions to manage the list of authorized users for any type of authentication.

Adding a User

If you are adding a user to a new database, you must add that database and associate it with the proper realm using Helix Administrator before you add a user to realm. Refer to "Setting up Databases" for more information.

Note: If you are using Windows NTLM to manage the list of users, passwords, and groups, use Windows NT User Manager or other utilities instead of the instructions below.

To add a user name and password:

1. In Helix Administrator, click Security>Realms.
2. In the Authentication Realms list, select the name of the realm to which you want to add a user:

• For Helix Administrator users, select SecureAdmin.

If you have set up another Realm for this purpose, select that name here.

• For users requesting a connection, select ConnectRealm.

If you have set up another Realm, for this purpose, select that name here.

• For any other category of authentication, select the name of the realm. (To learn more about realms, see "Setting up Realms".)

3. Click Add a User to Realm.
4. In the new window that appears, type the user's name in the Name box.
5. In the Password box, supply the user's password. Passwords are case-sensitive. RealNetworks recommends following good password practices:

• Avoid common words that are easy to guess.
• Do not use a word associated with the user, such as a first name.
• Do not use the same password for multiple users.
• For highest security, use a random combination of letters and numbers in different cases.

Tip: Keep track of the passwords you assign. Helix Administrator allows you to change passwords, but not to look them up.

6. In the Confirm Password box, type the password again.
7. Click OK.

Removing a User

The following procedure explains how to delete a user from a database. Helix Administrator does not have a bulk delete feature.

To remove a user:

1. Click Security>Realms.
2. In the Authentication Realms list, select the name of the realm in which you want to delete a user. The predefined realms are described in "Setting up Realms".
3. Click Remove a User from Realm.
4. In the new window that appears, enter the user's name in the Name box.
5. Click OK.

Browsing All User Names

The browsing feature lists all user names defined for an authentication realm.

To browse all users:

1. Click Security>Realms.
2. In the Authentication Realms list, select the realm you want to browse. The default realms are described in "Setting up Realms".
3. Click Browse Users in Realm. The pop-up window lists all user names defined for that realm.

Changing a Password

The following procedure explains how to change the password for an existing user. The Helix Administrator interface does not allow you to look up existing passwords.

To change a password:

1. Click Security>Realms.
2. In the Authentication Realms list, select the name of the realm that contains the user. The predefined realms are described in "Setting up Realms".
3. Click Change User Password.
4. In the new window that appears, enter the user's name in the Name box.
5. In the Password box, specify the user's new password.
6. In the Confirm Password box, type the password again.
7. Click OK.

Changing RealSystem 5.0 Authentication Passwords

When you use the RealSystem 5.0 authentication protocol, Helix Universal Proxy stores all passwords in an encrypted format. Passwords can be entered and changed through Helix Administrator. If you want to change the passwords manually, without using Helix Administrator, you can use the supplied password command line utility mkpnpass. It is located in the Helix Universal Proxy Bin directory.

You can also use these instructions as a basis for writing your own CGI scripts and Web pages to accomplish the same purpose automatically.

To use the password tool manually:

1. At a command line, in the Bin directory, type the following:

mkpnpass username realm

where:

username is the user name exactly as it is entered and will be stored in the authentication database or text file.

realm is the value of the Realm variable specified in the relevant list.

For Helix Administrator users, use the value of the Realm variable in the RealAdministrator_Files list within the FSMount list in the configuration file. (You must open the configuration file itself to see this value.)

2. A password prompt appears, followed by a prompt to type the password again.

The resulting encrypted password is displayed on the screen.

Helix Universal Proxy encrypts passwords with the MD5 hashing algorithm. It uses the form MD5("username:realm:new_password"). On BSD systems and some other UNIX systems, you can generate these passwords with the following command:

echo -n "username:realm:new_password" | md5

3. Add the resulting encrypted password into the appropriate field of the database:

• For flat text files, place it in the password field of the User directory (see "Users Directory").
• For databases, place it in the password field of the Users table (see "Users Table").

© 2002 RealNetworks, Inc. All rights reserved. For more information, visit RealNetworks Click here if the Table of Contents frame is not visible at the left side of your screen.