Skip to main content

Cornell University

Authentication and Authorization

This article applies to: GuestIDs

On This Page


GuestIDs are stored in CornellAD and all supported methods, such as NTLM v.20 and Kerberos, can be used to authenticate against CornellAD.


By default, a GuestID will not be in any groups (not even the default CornellAD groups) except for OIT-IDM-Guests-ls group. An OU administrator must explicitly grant permissions for guests on any resources.

Administrators can use the global guest group or create their own groups and add guests. Once the groups are defined, administrators can use these groups via CUWebAuth or any other predefined means to grant authorization to their resources.


CUWebAuth can authenticate users in multiple realms, including Guests. It supports configuration parameters to specify which realms are permitted to authenticate (at all), and further authorization can be performed based on which users from those realms will have access.

For technical details, see the CUWebAuth Confluence site.


CUWebLogin works with CUWebAuth to allow access to restricted web pages by presenting a secure web form that asks for a NetID or GuestID and associated password.


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.