Operating System–Based Authentication
About OS-Based Authentication
InterSystems IRIS supports what is called operating system–based (or OS-based) authentication. With operating system authentication, InterSystems IRIS uses the operating system’s user identity to identify the user for InterSystems IRIS. When operating system authentication is enabled, the user authenticates to the operating system according to the operating system’s protocols. For example, on UNIX®, this is traditionally a login prompt where the operating system compares a hash of the password to the value stored in the /etc/passwd file. When the user first attempts to connect to InterSystems IRIS, InterSystems IRIS acquires the process’s operating system–level user identity. If this identity matches an InterSystems IRIS username, then that user is authenticated.
This capability only applies to server-side processes, such as terminal-based applications (for example, connecting through the Terminal) or batch processes started from the operating system. It is not available for an application that is connecting to InterSystems IRIS from another machine, such as when a copy of Studio on one machine is connecting to an InterSystems IRIS server on another.
This mechanism is typically used for UNIX® systems, in addition to the Windows console.
OS-based authentication is only available for local processes, namely:
- Callin (%Service_Callin)
- Console (%Service_Console)
- Terminal (%Service_Terminal)
Configuring OS-Based Authentication
To set up this type of authentication:
- On the Authentication/Web Session Options page (System Administration > Security > System Security > Authentication/Web Session Options), select Allow Operating System authentication.
- Go to the Services page (System Administration > Security > Services) and select the service from the Name column. This displays the Edit Service page for the service.
- On the Edit Service page, choose operating system–based (the Operating System check box). Click Save to use the settings.
This type of authentication requires no other configuration actions.
On Windows, when logged in using a domain account, OS-based and Kerberos authentication are the same.
A Note on %Service_Console
Since the console (%Service_Console) is a Windows-based service and Windows domain logins typically use Kerberos, console’s OS-based authentication provides authentication for local logins.
A Note on %Service_Callin
With callin (%Service_Callin), OS-based authentication is only available from an OS-level prompt. When using callin programmatically, OS-based authentication is not supported — only unauthenticated access is available.