What is pGina?
What is pGina anyway? Or, our pGina Success Story
Faculty and students who log into our workstations are greeted by a screen that claims to be pGina. What is pGina? pGina is the perfect answer to a big problem.
The School of Engineering & Applied Science was the first group to standardize on Windows NT at Miami University. NT 4 was implemented in 1996 using a domain architecture. This domain had all the problems of most domains and so workstation authentication management was replaced with Novell's Workstation Manager in 1997. As the rest of the University caught up, it became apparent that there were significant problems with the default implementation. Part of the problem was that Novell assumed a corporate setting where workers should have a consistent interface wherever they went. On the contrary, each school and even some labs wanted specific and different configurations for workstations.
The solution stumbled upon was to use an environment variable in the Workstation Manager configuration and then set that environment variable locally on each workstation to the location of the workstation profile. This worked well enough, but there was still an issue of cross-drifting administrators. In other words, someone set to be an Administrator in CAS would be an Administrator university-wide. Once Windows XP arrived, it became obvious to central IT services that Consumer Windows would need to be abandoned.
As the number of groups using Windows NT technologies increased, the problem of cross-drifting administrators became critical. A solution was found in renaming the Administrators group in each area to deptadministrators, but Windows had problems when the group was renamed. It became apparent that another solution was needed.
When Micah Cooper rejoined SEAS IT in 2001, he began looking for another way to handle enterprise desktop administration. Seeing that Novell would not be able to solve the problem, he began looking for alternatives in the form of other replacement GINAs. A GINA (Graphical Identification aNd Authentication) library provides interactive login and authentication support to Winlogon.exe, which handles establishing interactive sessions. After searching for an LDAP GINA or other possibilities, he stumbled upon a project from people facing the same problem at Pacific Lutheran University named pGina.
pGina was designed by Nathan Yocom to use plugins, allowing authors to easily create authentication tests without needing to know the intricacies of Windows security subsystems. He now maintains it through his own consulting business, XPA Systems. At the time, no plugin had yet been written, but Nathan provided copious documentation and direct help. Since Micah had just come from the central group supporting LDAP and had been involved in integrating several projects toward a common credential set, he tried his hand at writing an LDAP authentication plugin.
Thanks to a great deal of support from Nathan, the plugin worked with Miami's LDAP implementation on eDirectory, and in 2002 SEAS IT began deploying pGina and LDAPAuth on lab workstations. In addition, LDAPAuth was contributed back to the pGina project. Since then, pGina has grown and many others have contributed plugins. What has been most exciting are the contributions by others to LDAPAuth to help enrich it. By giving back code, what SEAS IT received was even better.
pGina is now used at many schools, universities and businesses around the world. By providing an open authentication system, security is maintained, but costs are significantly reduced. Since configuration is simple and easily maintained, management of workstations is greatly simplified. As in the case of Miami, some management ability is available that just was not possible before.
The results for SEAS IT have been phenomenal. Removing Workstation Manager has allowed more stable login experiences, greatly reduced login times, removed profile uncertainty, and has increased control over the user login experience. In addition, in 2003 the Novell Client was removed from workstations after implementation of Novell's Native File Access Pack so workstations still can map drives to Novell servers without the pain and instability of the Novell client.
So, as you log in, consider the power that comes from people from different institutions around the world working together to solve a problem. Desktop management for SEAS IT would be significantly more costly in terms of time and software without pGina.
