Authentication and Authorization
This article applies to: GuestIDs
GuestIDs are stored in CornellAD and all supported methods, such as NTLM v.20 and Kerberos, can be used to authenticate against CornellAD.
By default, a GuestID will not be in any groups (not even the default CornellAD groups) except for OIT-IDM-Guests-ls group. An OU administrator must explicitly grant permissions for guests on any resources.
Administrators can use the global guest group or create their own groups and add guests. Once the groups are defined, administrators can use these groups via CUWebAuth or any other predefined means to grant authorization to their resources.
CUWebAuth can authenticate users in multiple realms, including Guests. It supports configuration parameters to specify which realms are permitted to authenticate (at all), and further authorization can be performed based on which users from those realms will have access.
For technical details, see the CUWebAuth Confluence site.
CUWebLogin works with CUWebAuth to allow access to restricted web pages by presenting a secure web form that asks for a NetID or GuestID and associated password.