PSU GINA Phase Out Announcement
New, May 9, 2006: The date of July 1, 2006 to remove the proxy authentication from Pals has been changed to July 5, because July 1 is a Saturday.
April 28, 2005
This notice describes the planned phase out of PSU GINA at Penn State and suggested alternatives for authentication and access control for Windows XP workstations. Campuses, colleges, and departments using this software should begin planning now for the migration to new and better services. Hopefully, many will be able to migrate this summer. End of support for PSU GINA is currently scheduled for July 2006.
Contents
- History
- Limitations of PSU Gina — why it isn't as good as alternatives
- Native Authentication — why native Windows authentication is better
- Penn State Active Directory — overview and link
- Timeline — proposed timeline for removal of support
- Contacts — where to ask questions
History
GINA (Graphical Interface for Network Authentication) is a replaceable security module for Windows 2000/XP Professional provided by Microsoft for institutions to customize for their own authentication methods. A version written by CLC staff that authenticates users with their Penn State Access Account had been used in ITS labs for several years until Fall 2001, when we shifted to native authentication with shadow accounts in the win.psu.edu domain in order to provide roaming profiles, which were needed for application deployment via Group Policy.
PSU Gina is currently in use by many campuses and departments throughout Penn State. The PSU Gina software facilitates access control on Windows 2000 and XP systems using Penn State Access Accounts via a proxy authentication service. Users do not have to be joined to a local Windows domain. "Generic" domain accounts, usually one per lab or department, are used. More details are on the PSU Gina home page.
Limitations of PSU Gina
While this software has worked fairly well for a number of years, it has significant limitations and there are better alternatives. Limitations include:
- users are logged onto a shared "generic" account, so they do not have credentials to access resources as themselves, and features such as roaming profiles cannot be used;
- users cannot be assigned to security groups that would provide for access control on resources;
- the software requires the proxy authentication services of PALS; this service needs to be phased out as well in favor of the cross-realm trust to the MIT Kerberos realm now in production;
- the software does require some fixes for new releases of Windows;
- the encryption methods used were adequate at the time it was developed but there are better methods now;
- the CLC doesn't have the funding or staff to support PSU Gina.
Native Authentication
What is much better, as the CLC has demonstrated over the last 4 years, is "native" authentication with shadow accounts in a Windows domain. Until fall of 2004, it hadn't been decided how ITS would deliver that service to all University departments and campuses. Now an approved infrastructure is in place to provide such a service to all departments, colleges, and campuses.
Documentation on this service is at http://aset.its.psu.edu/docs/windows/. Note that some colleges and departments have long had their own Active Directory infrastructures and separate accounts for users. The use of native Windows (or more properly, Active Directory) accounts, either separate from PSU Access Accounts or shadow accounts linked to the PSU K5 realm, has advantages over PSU Gina including:
- users are logged into XP with their own private account;
- roaming profiles can be used;
- security groups can be used to control access to resources;
- a higher level of security;
- no "home-grown" software needs to be acquired or maintained;
- the Penn State Active Directory is officially supported by ITS.
Penn State Active Directory
Please refer to the Penn State Active Directory pages for options and details. The advantages to using that service as compared to your own Active Directory include:
- Penn State Access Accounts are all there; you don't do any account management (unless you choose to have a separate forest and use a cross-realm trust, in which case shadow accounts will have to be maintained);
- user passwords are the PSU Access Account passwords;
- a support structure and dedicated support personnel are in place.
Timeline
The timeline for the phased-out support of PSU Gina may be adjusted if there are technical problems migrating to alternatives. But CLC needs to remove the PALS proxy authentication service, which PSU Gina requires, in order to migrate ourselves (win.psu.edu) to a cross-realm trust with the MIT K5 realm. The current schedule is:
- April 28, 2005: make this notice public, encourage everyone to seriously consider migrating in the summer of 2005 (done).
- June 1, 2005: suspend additional registrations for access to the PSU Gina code and documentation (done).
- Fall 2005: develop support for printing from PSAD.
- Fall 2005/Spring 2006: track what departments, colleges, and campuses are using PSU Gina; refer to ASET for consultations.
- July 5, 2006: remove the PALS proxy authentication support for PSU Gina; this will render the software unusable.
- August 1, 2006: password sync from work.psu.edu to win.psu.edu discontinued.
It is strongly suggested that PSU Gina users immediately begin plans for migration away from PSU Gina. Contact the AD Team at win-ad@aset.psu.edu to discuss your plans before implementing them.
Contacts
Read the documentation at http://aset.its.psu.edu/docs/windows/active_directory/. Questions, comments and requests for assistance may be directed to the Windows AD Team at win-ad@aset.psu.edu.
Current users of PSU Gina are on the L-PSU-GINA@LISTS.PSU.EDU list and may use that list to discuss options among themselves.
Please note that CLC staff do work with the AD Team at win-ad@aset.psu.edu but are not charged with end-user support of that service.
This site is maintained by the Classroom and Lab Computing group of Information Technology Services.
This page was last modified: 5/9/2006 11:40:12 AM.