XEROX WorkCentre
5735/5740/5745/5755/5765/5775/5790
Information Assurance Disclosure Paper
Ver. 2.00, March 2011
Page
24 of 50
3.2.
Login and Authentication Methods
There are a number of methods for different types of users to be authenticated. In addition, the
connected versions of the product also log into remote servers. A description of these behaviors follows.
3.2.1.
System Administrator Login [All product configurations]
Users must authenticate themselves to the device. To access the User Tools via the Local UI, a numerical
PIN is required. The customer can set the PIN to anywhere from 3 to 31digits in length. This PIN is
stored in the controller NVM and is inaccessible to the user. Xerox strongly recommends that this PIN be
changed from its default value immediately upon product installation. The PIN should be set to a
minimum of 8 characters in length and changed at least once per month. Longer PINs can be changed
less frequently; a 9-digit PIN would be good for a year. The same PIN is used to access the
Administration screens in the Web UI.
3.2.2.
User authentication
Users may authenticate to the device using Kerberos, LDAP, SMB Domain, or NDS authentication
protocols. Once the user is authenticated to the device, the user may proceed to use the Network
Scanning features listed above.
The WebUI allows an SA to set up a default authentication domain and as many as 8 additional
alternate authentication domains. The device will attempt to authenticate the user at each domain
server in turn until authentication is successful, or the list is exhausted.
3.2.2.1.
Kerberos Authentication (Solaris or Windows 2000/Windows 2003)
This is an option that must be enabled on the device, and is used in conjunction with all Network
Scanning features (Scan to File, Scan to E-mail, internet fax, and Scan to Fax Server). The authentication
steps are:
1) A User enters a user name and password at the device in the Local UI. The device sends an
authentication request to the Kerberos Server.
2) The Kerberos Server responds with the encrypted credentials of the user attempting to sign on.
3) The device attempts to decrypt the credentials using the entered password. The user is
authenticated if the credentials can be decrypted.
4) The device then logs onto and queries the LDAP server trying to match an email address against the
user’s Login Name. The user’s email address will be retrieved if the personalization option has been
selected on the Authentication Configuration page.
5) If the LDAP Query is successful, the user’s email address is placed in the From: field. Otherwise, the
user’s login name along with the system domain is used in the From: field.
6) The user may then add recipient addresses by accessing the Address Book on the LDAP server. Please
see the User Manual for details. Each addition is a separate session to the LDAP server.
3.2.2.2.
SMB Authentication (Windows NT 4 or Windows 2000/Windows 2003)
This is also an option that may be enabled on the device, and is used in conjunction with all Network
Scanning features (Scan to File, Scan to E-mail, internet fax, and Scan to Fax Server). The authentication
steps vary somewhat, depending on the network configuration. Listed below are 3 network
configurations and the authentication steps.
Basic Network Configuration: Device and Domain Controller are on the same Subnet
Authentication Steps:
1)
The device broadcasts an authentication request that is answered by the Domain Controller.