What Is Authentication?
Authentication is the process of identifying a user. In home
environments, authentication is often as simple as clicking a user
name at the Windows 7 logon screen. However, in enterprise
environments, almost all authentication requests require users to
provide both a user name (to identify themselves) and a password (to
prove that they really are the user they claim to be).
Windows 7 also supports authentication using a smart card. The
smart card, which is about the size of a credit card, contains a chip
with a certificate that uniquely identifies the user. So long as a
user doesn't give the smart card to someone else, inserting the smart
card into a computer sufficiently proves the user's identity.
Typically, users also need to type a password or PIN to prove that
they aren't using someone else's smart card. When you combine two
forms of authentication (such as both typing a password and providing
a smart card), it's called multifactor authentication. Multifactor
authentication is much more secure than single-factor authentication.
Biometrics is another popular form of authentication. Although a
password proves your identity by testing "something you know" and a
smart card tests "something you have," biometrics tests "something
you are" by examining a unique feature of your physiology. Today the
most common biometric authentication mechanisms are fingerprint
readers (now built into many mobile computers) and retinal scanners.
Note
BIOMETRICS
Biometrics are the most secure and reliable authentication method
because you cannot lose or forget your authentication. However, they
are also the least commonly used. Reliable biometric readers are too
expensive for many organizations, and some users dislike biometric
readers because they feel the devices violate their privacy.
How to Use Credential Manager
Credential Manager is a single sign-on feature, originally for
Windows Server 2003 and Windows XP, that enables users to input user
names and passwords for multiple network resources and applications.
When different resources require authentication, Windows can then
automatically provide the credentials without requiring the user to
type them.
In Windows Vista and Windows 7, Credential Manager can roam stored user names and
passwords between multiple Windows computers in an AD DS domain.
Windows stores credentials in the user's AD DS user object. This
enables users to store credentials once and use them from any logon
session within the AD DS domain. For example, if you connect to a
password-protected Web server and you select the Remember My Password
check box, Internet Explorer will be able to retrieve your saved
password later, even if you log on to a different computer running
Windows Vista or Windows 7.
Users can take advantage of Credential Manager without even
being aware of it. For example, each time a user connects to a shared
folder or printer and selects the Reconnect At Logon check box,
Windows automatically stores that user's credentials within Credential
Manager. Similarly, if a user authenticates to a Web site that
requires authentication and selects the Remember My Password check box
in the Internet Explorer authentication dialog box, Internet Explorer
stores the user name and password in Credential Manager.
Note
CREDENTIAL ROAMING
For detailed information about credential roaming, read
"Configuring and Troubleshooting Certificate Services
Client-Credential Roaming" at
http://www.microsoft.com/technet/security/guidance/cryptographyetc/client-credential-roaming/implementation-differences.mspx.
Windows automatically adds credentials used to connect to shared
folders to the Credential Manager. However, you might want to add a
user name and password manually so that Windows can provide those
credentials automatically for a group of computers in a different
domain. To add a user name and password manually to Credential
Manager, follow these steps:
- Click Start, and then click Control Panel.
- Click the User Accounts link twice.
- In the left pane, click the Manage Your Credentials link.
  The Credential Manager window appears, as shown in Figure 1.
- Click Add A Windows Credential. Note that you can also add
  certificate-based credentials and generic credentials.
- In the Internet Or Network Address box, type the server name. You
  can use an asterisk (*) as a wildcard. For example, to use the
  credential for all resources in the contoso.com domain, you could
  type *.contoso.com.
- In the User Name and Password boxes, type your user credentials.
  Click OK.
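
The same entry can be created from a command prompt with cmdkey, and the stored entries can then be reviewed for wildcard targets such as *.contoso.com. The script below is an added example, not part of the original text: the function name ConvertFrom-CmdKeyList, the account CONTOSO\user1, and the sample output are constructed for illustration, and the parser assumes English-language cmdkey /list output.

```powershell
# Command-line form of the steps above, using cmdkey.exe (ships with Windows).
# Leaving out /pass makes cmdkey prompt for the password, which keeps it
# out of command history. CONTOSO\user1 is a placeholder account.
#   cmdkey /add:*.contoso.com /user:CONTOSO\user1

function ConvertFrom-CmdKeyList {
    param([string[]]$Lines)

    # Turn one collected Target/Type/User group into an object.
    function New-Entry($h) {
        # Drop the "Domain:target=" or "LegacyGeneric:target=" prefix.
        $h.Name     = $h.Target -replace '^.*?target=', ''
        $h.Wildcard = $h.Name.Contains('*')
        New-Object PSObject -Property $h
    }

    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { New-Entry $current }
            $current = @{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($current) { New-Entry $current }
}

# Constructed sample of English-language `cmdkey /list` output.
$sample = @'
Currently stored credentials:

    Target: Domain:target=*.contoso.com
    Type: Domain Password
    User: CONTOSO\user1

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CONTOSO\user1

    Target: LegacyGeneric:target=backup-tool
    Type: Generic
    User: svc-backup
'@ -split "`r?`n"

# On a live system, pass the real output: ConvertFrom-CmdKeyList (cmdkey /list)
ConvertFrom-CmdKeyList $sample |
    Where-Object { $_.Wildcard } |
    Format-Table Name, Type, User -AutoSize
```
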
Note
WEB SITES THAT CREDENTIAL MANAGER CAN AUTHENTICATE TO AUTOMATICALLY
The only Web sites that Credential Manager can authenticate to
automatically are those that use Hypertext Transfer Protocol (HTTP)
authentication. When visiting such a site, the Web browser opens a
dialog box to prompt for credentials. Credential Manager cannot
remember your user name and password for Web sites that use a
Hypertext Markup Language (HTML) form for authentication (such as
those that have a logon page), which is much more common. Credential
Manager can also remember .NET Passport credentials.
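
The difference between the two kinds of site shows up in the server's response: HTTP authentication is a 401 status with a WWW-Authenticate challenge header, while a form logon is an ordinary page containing a password field. The classifier below is an added example, not part of the original text; the function name Get-WebAuthStyle and both sample responses are constructed for illustration.

```powershell
function Get-WebAuthStyle {
    param([string]$RawResponse)

    # Headers end at the first blank line; the rest is the body.
    $parts = $RawResponse -split "(?:`r?`n){2}", 2
    $head  = $parts[0] -split "`r?`n"
    $body  = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    $status = 0
    if ($head[0] -match '^HTTP/\d(?:\.\d)?\s+(\d{3})') { $status = [int]$Matches[1] }

    # Collect the scheme named by each WWW-Authenticate challenge header.
    $schemes = @()
    foreach ($h in ($head | Select-Object -Skip 1)) {
        if ($h -match '^WWW-Authenticate:\s*([A-Za-z]+)') { $schemes += $Matches[1] }
    }

    if ($status -eq 401 -and $schemes.Count -gt 0) {
        'HTTP authentication ({0})' -f ($schemes -join ', ')
    } elseif ($body -match '<input[^>]*type\s*=\s*["'']?password') {
        'HTML form logon'
    } else {
        'No logon detected'
    }
}

# Constructed response from a site using HTTP authentication.
$challenge = @'
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="intranet"
Content-Length: 0

'@

# Constructed response from a site using an HTML logon form.
$formPage = @'
HTTP/1.1 200 OK
Content-Type: text/html

<form method="post" action="/logon">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
'@

Get-WebAuthStyle $challenge
Get-WebAuthStyle $formPage
```
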
You can also back up and restore credentials manually in
Credential Manager.