Sequel Rules Nets With Iron Fist
Because Net Access Manager passively monitors traffic, acts as an IP gateway or plugs into a proxy server, it requires almost no client configuration. Other than configuring the Web browser for HTTP proxy support, clients can run unmodified. Even the ID Agent is executed automatically by a server-side NetWare login script (which is not required when users log into an NT domain) and doesn't have to be physically installed on every workstation.
Who Goes There?

One of Net Access Manager's most distinctive (and initially the most confusing) features is its ability to glean user names from client workstations. Obviously, tracking activity by user name is more valuable than simply associating it with IP addresses. Net Access Manager presents a choice of four tools for matching user names to logical addresses. In its simplest mode, user names are statically assigned to IP addresses by hand in the Sequel Administrator. Although no more practical than mapping user names to IP addresses, the included Sequel Host Agent maps names to each workstation's NetBIOS name. Net Access Manager also includes two tools for dynamically associating a user name with the workstation's IP address. When used in a Novell NetWare environment, a small executable called the ID Agent runs through the system or container login script. It reports the user name and IP address to the Net Access Manager Naming Service as each user logs into a server. Alternatively, when used with Windows NT domains, Net Access Manager's Domain Controller Agent extracts user login information directly from the Domain Controller's session list (which can be viewed manually by typing "net session" as an administrative user). While NT-centric, this method of identifying users is completely dynamic (and transparent), requiring no static mappings or client involvement. With the information gleaned from the Domain Controller, Net Access Manager automatically correlates the current user's name with that workstation. When used with Sequel's bundled Directory Synchronization Service, users are automatically added to Net Access Manager's user list from a Windows NT domain, LDAP directory, NetWare Bindery or NDS tree. During my testing, the Domain Controller Agent successfully extracted user names from NT and Windows 95 workstations, but an interesting situation did arise.
While Net Access Manager was installed on the PDC (Primary Domain Controller), the local NT domain also included a BDC (Backup Domain Controller). I experienced transient problems with proxy authentication and monitoring results because the Backup Domain Controller (which is a slightly faster machine than the PDC) answered some authentication requests and did not inform the PDC. Since the proxy server plug-in depends on the user name gathered from Net Access Manager (not the proxy server's own user authentication mechanism), proxy requests were successfully authenticated, but repeatedly blocked by Net Access Manager with a nebulous message describing a security policy violation--for no apparent reason. Adding the Domain Controller Agent service to the BDC solved the problem of intermittent authentication errors. Although not specifically Sequel's fault, this finding exposes a potential weakness in Domain Controller-based user name harvesting--as well as a dearth in useful error messages. A message indicating that the client was not associated with a correct user name would have helped troubleshoot the problem faster.

Dan Backman can be reached at dbackman@nwc.com.
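The two passages above (session-list harvesting and the PDC/BDC gap) as an added illustration, not Sequel's code: it parses constructed "net session"-style output captured from each domain controller, merges it into an IP-to-user map, and shows why polling only the PDC leaves a BDC-authenticated workstation unmapped, together with the more specific error message the review asks for. The column layout, addresses, user names and policy are all constructed for the example.

```python
import re

# Constructed sample output in the layout of NT's "net session", one capture
# per domain controller. Workstation 10.0.0.7 authenticated against the BDC,
# so its session appears only in the BDC's list (the situation in the review).
PDC_NET_SESSION = """\
Computer               User name            Client Type       Opens Idle time
-------------------------------------------------------------------------------
\\\\10.0.0.5             alice                Windows NT 1381   1     00:00:02
\\\\10.0.0.6             bob                  Windows 95        0     00:04:11
"""
BDC_NET_SESSION = """\
Computer               User name            Client Type       Opens Idle time
-------------------------------------------------------------------------------
\\\\10.0.0.7             carol                Windows NT 1381   0     00:00:10
"""

# A data row starts with \\<computer> followed by the user name column.
SESSION_RE = re.compile(r"^\\\\(\S+)\s+(\S+)\s")

def parse_net_session(output):
    """Return [(computer, user)] from net session-style text, skipping headers."""
    rows = []
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows

def build_name_map(*session_lists):
    """Merge the session lists of every polled controller into ip -> user."""
    mapping = {}
    for sessions in session_lists:
        for ip, user in sessions:
            mapping[ip] = user
    return mapping

ALLOWED_USERS = {"alice", "carol"}  # constructed policy: who may browse

def check_request(name_map, client_ip):
    """Policy decision keyed on the harvested user name, with a specific reason."""
    user = name_map.get(client_ip)
    if user is None:
        # Unmapped client: report that, not a vague policy violation.
        return (False, f"{client_ip}: no user name associated with client")
    if user not in ALLOWED_USERS:
        return (False, f"{client_ip}: user {user} denied by security policy")
    return (True, f"{client_ip}: user {user} permitted")
```

With only the PDC polled, 10.0.0.7 is rejected as unmapped; once the BDC's sessions are merged in, the same request is permitted as carol.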