Macintosh Clients Authenticating to Windows NT Servers

Microsoft Windows NT Server Services for Macintosh is a thoroughly integrated component of Microsoft Windows NT Server, making it possible for computers running Windows NT Server and Apple Macintosh clients to share files and printers.

With Services for Macintosh, Macintoshes need only the Macintosh operating system software to function as clients; no additional software is required. You can, however, set up the optional user authentication module, which is software that provides a secure logon to the Windows NT Server.

For complete information on planning and setting up the Macintosh network, see the Microsoft Windows NT Server 4.0 Networking Supplement.

Installing Services for Macintosh

Terra Flora is using Macintosh clients to produce some of the necessary graphical marketing materials. At Terra Flora, they will enable Services for Macintosh on the computers running Windows NT Server using the Network icon in the Control Panel and the Windows NT Server distribution disk.

When Services for Macintosh are installed, the AppleTalk Protocol, File Server for Macintosh, and Print Server for Macintosh are automatically started, or enabled. An explanation of these services is provided in the Microsoft Windows NT Server 4.0 Networking Supplement, Chapter 15, "Introduction to Services for Macintosh."

In addition, setting up Services for Macintosh creates an icon in Control Panel, which gives the administrator the same server administration capabilities as the MacFile menu, excluding volume management, for the local computer.

To set up Services for Macintosh

Services for Macintosh are loaded through the Network icon in Control Panel from the CD-ROM that accompanies the Windows NT Server product.

1. On the Control Panel, click the Network icon.

2. Click the Services tab.

3. Click Add.

4. In Network Service, click Services for Macintosh, and then click OK.

5. Type the full path of the Services for Macintosh, and click Continue.

6. In the AppleTalk Protocol Configuration dialog box, enter the changes you want, such as selecting a new zone, a different network, or enabling AppleTalk routing.

For details about this configuration, see the Microsoft Windows NT Server 4.0 Networking Supplement, Chapter 16, "How Services for Macintosh Works," Chapter 18, "Setting Up Services for Macintosh," and Chapter 21, "Working with Macintosh-Accessible Volumes." Click OK, or click Cancel if you don't want to change the configuration.

The computer must be restarted for the changes to take effect.

Authentication Services for Macintosh Client Software

Microsoft authentication is an extension to AppleShare, which provides a more secure logon session to a computer running Windows NT Server. It encrypts passwords and stores them on the computer running Windows NT Server. Administrators can either set up or instruct Macintosh users to set up the authentication file on their Macintoshes via the network.

With Microsoft authentication, users can also specify a domain when they log on or change their passwords. So if there are multiple domains on the network, the user's account domain will be used.

Note

Because the Apple System software up to version 7.1 does not fully support custom user authentication modules, Microsoft encourages the installation of Microsoft Authentication (MS UAM) only if increased security is necessary on the network computers running Windows NT Server.

A user authentication module (UAM) is a software program that prompts users for an account name and password before they log on to a server. Apple's Chooser has a standard UAM built in, which uses the clear-text password method of security. Microsoft Authentication offers an additional level of security because it encrypts, or scrambles, a password so it cannot be monitored when it is sent over the network. At Terra Flora, the administrators have determined that encryption is an important security measure, and will require use of Microsoft Authentication when the user logs on to the computer running Windows NT Server.

To gain access to the authentication files

1. On the Macintosh Apple menu, click Chooser.

The Chooser dialog box appears.

2. Click the AppleShare icon, and then click the AppleTalk zone in which the computer running Windows NT Server resides.

3. Click the name of the Windows NT Server, and then click OK.

A sign-in dialog box appears.

4. Click Registered User or Guest, as appropriate, and then click OK.

A server dialog box appears.

5. Click Microsoft UAM Volume, and then click OK.

To install the authentication files on the Macintosh client

1. From the Macintosh Desktop, double-click the Microsoft UAM Volume.

The Microsoft UAM Volume window appears.

2. Drag the AppleShare Folder to the System Folder on your hard disk.

Note If the Macintosh client already has an AppleShare Folder in the System Folder, you will see a message that asks whether you want to overwrite the folder. You should not overwrite it because it may contain other UAMs, such as the NetWare UAM. If you want to maintain the files in the original AppleShare Folder, simply open the AppleShare Folder in the Microsoft UAM Volume, and drop the MS UAM file into your existing AppleShare Folder in your System Folder.

Configuring Services for Macintosh

AppleTalk Protocol is a stack of protocols that Services for Macintosh uses to route information and configure zones. It works behind the scenes to ensure that computers on the network can talk to one another. The AppleTalk Protocol is configured by accessing Services for Macintosh under the Network option of Control Panel.

To configure Services for Macintosh

1. In Control Panel, click Network.

2. In the Services tab, select Services For Macintosh and click Properties.

The Microsoft AppleTalk Protocol Properties dialog box appears.

3. Select a default network from a list of adapter cards bound to the AppleTalk Protocol.

For details, see the Microsoft Windows NT Server Networking Supplement, Chapter 19, "Configuring Services for Macintosh."

How Files Are Shared

With Services for Macintosh, Macintosh users can easily share files stored on the computer running Windows NT Server. On a computer running Services for Macintosh, files are stored in shared directories or in Macintosh volumes.

With Services for Macintosh, Macintosh users cannot automatically gain access to all shares. To make a directory, and consequently its subdirectories, which may or may not be shared on the Windows NT system network, available to Macintosh users, the administrator must designate the directory as a Macintosh-accessible volume. For details, see the Microsoft Windows NT Server 4.0 Networking Supplement, Chapter 21, "Working with Macintosh-Accessible Volumes."

Creating Volumes

All Macintosh-accessible volumes must be created on an NTFS partition. Similar to creating a share (shared directory) for PC users, you can designate a directory as a Macintosh-accessible volume. If the directory is to be accessed by PC clients as well as Macintosh clients, make sure you share the directory using the Share As command on the Disk menu and designate it as a Macintosh-accessible volume.

Note You cannot give a directory Macintosh-accessible volume status if it is a subdirectory of another directory that has Macintosh-accessible volume status. For specifics, see Microsoft Windows NT Server Networking Supplement, Chapter 21, "Working with Macintosh-Accessible Volumes."

You can designate a directory as a Macintosh-accessible volume using the Create Volume command on the MacFile menu. From the Create Volume dialog box, you can create the volume by accepting the default settings, or customize it by changing the options.

To create a Macintosh-accessible volume

1. In File Manager, select the directory that you want to designate as a Macintosh-accessible volume.

2. On the MacFile menu, click Create Volume.

3. Type a name in Volume Name, which will be the name Macintosh users will see when they log on.

4. To accept the default options (listed below in Table 5.1), click OK.

Or, go to step 5.

5. Enter the settings you want to change from the default settings.

Refer to Table 5.2, below, for descriptions of the options.

6. Click Permissions to set directory permissions for Macintosh users, and then click OK.

The Macintosh-accessible volume automatically inherits the permissions of the corresponding directory, although you may change these. See Setting Permissions for Volumes and Folders later in this section.

Table 5.1 The default settings for the Create Volume dialog box

Option                       Default Setting
Volume name                  Same as the directory name. The character limit is 27.
Path                         Same as the directory path.
Password/Confirm Password    No password.
This volume is read-only     This option is Off.
Guests can use this volume   This option is On (Yes).
User Limit                   Unlimited.
User Permissions             Current directory permissions.


Table 5.2 Alternate settings for the Create Volume dialog box

Option                       Description
Password                     Enter the password for this volume. When Macintosh users try to mount this volume, they will be asked for this password.
Confirm Password             Confirm the password just entered.
This volume is read-only     This volume and all of its contents have read-only access. This option supersedes all directory permissions set with the Permissions button. In other words, if you give this volume read-only access, the permissions of directories with less restrictive access will not be honored.
Guests can use this volume   Guests can have access to this volume. If not selected, guests do not have access.
User Limit                   Number of clients that can simultaneously mount the volume on the respective desktops. Select Unlimited or Allow and specify the number of users.
Permissions                  Set access permissions on this volume. See Setting Permissions for Volumes and Folders later in this section.
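The following Python script is an added example, not code from Services for Macintosh or the Resource Kit: it audits a constructed list of volume definitions against the Table 5.1 defaults and the rules in this section (NTFS partition, 27-character name limit, no volume nested inside another volume, guest access on by default). The volume names, paths and password are made up.

```python
"""Audit of Create Volume settings against the Table 5.1 defaults and the rules in
this section (added example; not part of Services for Macintosh)."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_VOLUME_NAME = 27                  # Table 5.1: character limit for the volume name
Finding = Tuple[str, str, str]        # (volume name, code, explanation)


@dataclass
class MacVolume:
    """One Macintosh-accessible volume; field defaults mirror the Create Volume dialog."""
    name: str
    path: str
    password: Optional[str] = None    # default: no volume password
    read_only: bool = False           # "This volume is read-only": Off
    guests_allowed: bool = True       # "Guests can use this volume": On (Yes)
    user_limit: Optional[int] = None  # None = Unlimited
    on_ntfs: bool = True              # volumes may only be created on an NTFS partition


def _norm(path: str) -> str:
    """Case-folded Windows path with one trailing backslash, so prefix tests are exact."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\") + "\\"


def is_nested(inner: MacVolume, outer: MacVolume) -> bool:
    """True when inner's directory is a subdirectory of outer's directory."""
    a, b = _norm(inner.path), _norm(outer.path)
    return a != b and a.startswith(b)


def audit_volumes(volumes: List[MacVolume]) -> List[Finding]:
    findings: List[Finding] = []
    for v in volumes:
        if not v.on_ntfs:
            findings.append((v.name, "NOT_NTFS",
                             "Macintosh-accessible volumes must be on an NTFS partition"))
        if len(v.name) > MAX_VOLUME_NAME:
            findings.append((v.name, "NAME_TOO_LONG",
                             f"volume name is {len(v.name)} characters; the limit is {MAX_VOLUME_NAME}"))
        for other in volumes:
            if is_nested(v, other):
                findings.append((v.name, "NESTED",
                                 f"lies inside volume {other.name}; a volume cannot be a "
                                 "subdirectory of another volume"))
        if v.guests_allowed:
            # the default setting; guest logons are approved without a password
            findings.append((v.name, "GUEST_ACCESS",
                             "guests can use this volume (the default setting)"))
            if not v.read_only and v.password is None:
                findings.append((v.name, "GUEST_WRITABLE",
                                 "writable, no volume password, and open to guests"))
    return findings


def sample_volumes() -> List[MacVolume]:
    """Constructed volume definitions (names, paths and password are made up)."""
    return [
        MacVolume("Marketing", r"D:\Data\Marketing", password="Tulip-1996",
                  guests_allowed=False),
        MacVolume("Marketing Drafts", r"D:\Data\Marketing\Drafts", guests_allowed=False),
        MacVolume("Public", r"D:\Public"),                     # all defaults
        MacVolume("Terra Flora Catalog Artwork 1996 Archive", r"E:\Archive",
                  read_only=True, guests_allowed=False),
        MacVolume("Legacy", r"F:\Legacy", on_ntfs=False, guests_allowed=False),
    ]


if __name__ == "__main__":
    for name, code, why in audit_volumes(sample_volumes()):
        print(f"{name:42} {code:14} {why}")
```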


Creating Folders in a Volume

You can create subdirectories for a Macintosh-accessible volume from the computer running Windows NT Server or folders from the Macintosh clients. In either case, the procedure for creating the directories or folders is no different than it is for creating other directories or folders on the respective systems.

On the computer running Windows NT Server, the folders appear in the File Manager's directory tree as subdirectories of the directory. To create another subdirectory, you select the directory in which it will appear and choose Create Directory from the File menu.

On the Macintosh, you create folders using the New Folder command on the File menu. You can view and use the folders in the Macintosh-accessible volume just as you would any other folders, organized by Name, Date, Icon, Size, and so forth.

Note

You cannot designate the subdirectory or folder as another Macintosh-accessible volume when the directory is already designated as a Macintosh-accessible volume.

Network Security

Services for Macintosh translates user identification, authentication (passwords), and permissions so that the security of the server is maintained regardless of the type of client used.

Services for Macintosh uses the same user accounts database as Windows NT Server. Therefore, if you already have Windows NT Server accounts created for the people who will be using Macintoshes on the network, you don't need to create additional accounts.

One aspect of Windows NT Server user accounts, the user's primary group, applies only to Services for Macintosh. The user's primary group is the group the user works with most, and it should be the group with which the user has the most resource needs in common. When a user creates a folder on a server, the user becomes the owner. The owner's primary group is set as the group associated with the folder. The administrator or owner can change the group associated with the folder.

Passwords

Macintosh users are logged on to a computer running Windows NT Server in one of three possible scenarios:

Using Services for Macintosh, you can set up guest logons, which allow users without accounts to log on to the server using a Macintosh. You can specify what access to resources guest logon users have; administrators typically grant guest users fewer permissions than users who have accounts on the server. If the guest logon option is enabled, the server always approves the logon request without requiring a password. For information on setting up Guest Logons, see the Microsoft Windows NT Server Concepts and Planning Guide.

Cleartext password protection is part of the AppleShare client software on Macintoshes. It provides less security than encrypted password protection because the passwords are sent over the network unencrypted and can be detected by "sniffers," network monitors that look for passwords. Moreover, AppleShare passwords can be no longer than eight characters. This method of protection is offered for Macintosh users who use the standard AppleShare client software or System 7 File Sharing.

An encrypted, or encoded, password is more secure than the cleartext password type of security. Windows NT Server encodes passwords and stores them so that they cannot be directly stolen from the client itself. Encrypted passwords can be as long as 14 characters. Services for Macintosh offers encrypted passwords to Macintosh clients.

For more information about security, see Windows NT Server Services for Macintosh, Microsoft Windows NT Server 4.0 Networking Supplement and the Windows NT Server System Guide.

Volume Passwords

Services for Macintosh provides an extra level of security through Macintosh-accessible volume passwords. A volume password is a password you assign to a Macintosh-accessible volume when configuring it. Any Macintosh user who wants to use the volume must type the volume password. Volume passwords are case-sensitive. Volume passwords are optional; when you create a new Macintosh-accessible volume, the default is to have no volume password.

Note

Because of a constraint with the System 6 and 7 Finder, you cannot automatically mount a volume with a volume password at startup or by double-clicking an alias. You also cannot automatically mount a volume if the user originally connected to the volume with Microsoft Authentication.

Permissions

Access to network files and directories is controlled with permissions. With the Windows NT security system, you specify which users can use which shares, directories, and files, and how they can use those files. The Macintosh-style permissions differ in that they can be set for folders (directories) only—not files.

The Windows NT Server Administrator account always has full permissions on Services for Macintosh volumes.

Macintosh users set Macintosh-style permissions on the folders they create. In Windows NT, new files and new subdirectories inherit permissions from the directory in which they are created.

Macintosh files effectively inherit the permissions set on folders. Even though the Macintosh doesn't have file permissions, any Windows NT permission specified for a file will be recognized by the File Server for Macintosh, even though the Macintosh user won't see any indication in the Finder that these permissions exist. The Macintosh has the following four types of permissions for a folder:

The Macintosh security scheme is based on the idea that every folder on a server falls into one of three types: private information, accessible only by a single person, the owner of the folder; group information, accessible by a single workgroup; and public information, accessible by everyone.

For example, there can be a folder containing information that all members of a certain group should see, but that only one person can change. The person allowed to change the information should be the owner of the folder and should have See Files, See Folders, and Make Changes permissions. The workgroup that uses the folder should be the group associated with the folder and should have only See Files and See Folders permissions. Because no one else needs to see the folder's contents, the Everyone category should not be selected.

Although a folder's owner will often be a member of the group associated with the folder, this is not required.

With both Macintosh-style and Windows NT Server-style permissions, users' access to folders can be defined differently for each directory and subdirectory within a directory tree. For example, you could give a user See Files, See Folders, and Make Changes permissions for one folder, only the See Files permission for a subfolder of that folder, and no permissions at all for another subfolder.

The Macintosh does not support file-level permissions. When a file has file-level permissions, those permissions apply to Macintosh users only if the permissions are more restrictive than those assigned for the directory that contains the file.
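To make the rules above concrete, here is an added Python model (not code from Services for Macintosh) of how a Macintosh user's effective rights on a folder or file are resolved: the Owner, Primary Group and Everyone categories, inheritance by newly created subfolders, the read-only volume override from Table 5.2, and Windows NT file permissions that only narrow access. It assumes that a user who falls into more than one category gets the union of those rights; the users and folders are constructed for the example.

```python
"""Model of the Macintosh-style permission rules described above (added example;
not part of Services for Macintosh). Union of category rights is an assumption."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

SEE_FILES, SEE_FOLDERS, MAKE_CHANGES = "See Files", "See Folders", "Make Changes"
ALL = frozenset({SEE_FILES, SEE_FOLDERS, MAKE_CHANGES})
NONE: FrozenSet[str] = frozenset()
Perms = Dict[str, FrozenSet[str]]    # keys: "owner", "group", "everyone"


@dataclass
class User:
    name: str
    primary_group: str               # the account's primary group (used only by SFM)


@dataclass
class Folder:
    name: str
    owner: str                       # the user who created the folder
    group: str                       # group associated with the folder (owner's primary group)
    perms: Perms                     # explicit Macintosh-style permissions, if any
    parent: Optional[Folder] = None
    inherit: bool = False            # no explicit permissions: take the parent directory's


def folder_perms(folder: Folder) -> Perms:
    """New subdirectories inherit permissions from the directory they are created in."""
    while folder.inherit and folder.parent is not None:
        folder = folder.parent
    return folder.perms


def effective_folder_access(user: User, folder: Folder,
                            volume_read_only: bool = False) -> FrozenSet[str]:
    """Rights the Macintosh user gets on a folder. Assumption: a user who is the
    owner, a member of the folder's group, or both, gets the union of those rights
    plus whatever Everyone is granted."""
    perms = folder_perms(folder)
    granted = set(perms.get("everyone", NONE))
    if user.name == folder.owner:
        granted |= perms.get("owner", NONE)
    if user.primary_group == folder.group:
        granted |= perms.get("group", NONE)
    if volume_read_only:
        # "This volume is read-only" supersedes every directory permission (Table 5.2)
        granted.discard(MAKE_CHANGES)
    return frozenset(granted)


def effective_file_access(user: User, folder: Folder,
                          file_nt_perms: Optional[FrozenSet[str]] = None,
                          volume_read_only: bool = False) -> FrozenSet[str]:
    """Files carry no Macintosh permissions: they take the folder's rights, narrowed
    by a Windows NT file permission only when that permission is more restrictive
    (a looser file permission never widens what the folder allows)."""
    rights = effective_folder_access(user, folder, volume_read_only) - {SEE_FOLDERS}
    if file_nt_perms is not None:
        rights &= file_nt_perms
    return rights


def terra_flora_example() -> Dict[str, FrozenSet[str]]:
    """Constructed scenario from the text: one person edits, the workgroup reads,
    nobody else sees the folder. User and folder names are made up."""
    alice = User("alice", "marketing")   # owner: See Files, See Folders, Make Changes
    bob = User("bob", "marketing")       # workgroup member: See Files, See Folders
    carol = User("carol", "sales")       # outside the group: Everyone grants nothing
    marketing = Folder("Marketing", owner="alice", group="marketing", perms={
        "owner": ALL, "group": frozenset({SEE_FILES, SEE_FOLDERS}), "everyone": NONE})
    # bob creates a subfolder: it inherits Marketing's permissions, and bob owns it
    drafts = Folder("Drafts", owner="bob", group="marketing", perms={},
                    parent=marketing, inherit=True)
    return {
        "alice": effective_folder_access(alice, marketing),
        "bob": effective_folder_access(bob, marketing),
        "carol": effective_folder_access(carol, marketing),
        "alice_on_read_only_volume": effective_folder_access(alice, marketing, True),
        "bob_on_drafts": effective_folder_access(bob, drafts),
        "alice_read_only_file": effective_file_access(alice, marketing, frozenset({SEE_FILES})),
    }


if __name__ == "__main__":
    for who, rights in terra_flora_example().items():
        print(f"{who:28} {sorted(rights) or 'no access'}")
```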

Setting Permissions for Volumes and Folders

You control who can use Macintosh-accessible volumes by setting permissions. Permissions also control what kind of access is granted to users. For example, permissions dictate which users can make changes to a folder, and which ones can read the content of the folder but not alter it.

To set Macintosh-style permissions on a Macintosh-accessible volume or folder

1. In File Manager, click the directory you've designated as a Macintosh-accessible volume or a subdirectory that represents a folder in the volume.

2. On the MacFile menu, click Permissions.

3. Select or click to clear the See Files, See Folders, and Make Changes check boxes, as appropriate, for Owner, Primary Group, and Everyone.

Refer to Table 5.3, below, to help you decide which permissions to set.

Table 5.3 Options for Permissions

Permission     Description
See Files      Allows the owner, primary group, or everyone to see and open files in this folder.
See Folders    Allows the owner, primary group, or everyone to see and open folders in this folder.
Make Changes   Allows the owner, primary group, or everyone to add or delete files and folders, and save changes to files in this folder.


4. To copy the permissions you set to all folders within this volume or folder, select the Replace permissions on subdirectories check box.

5. To prevent Macintosh users from moving, renaming, or deleting the volume or folder, select the Cannot move, rename, or delete check box.

Printing

When you set up a printer on the AppleTalk network to be used with Services for Macintosh, you can specify whether Services for Macintosh will capture the printer. This means that the printer will not accept print jobs from any source other than the print server, thus giving Windows NT Server administrators complete control over the printer.

In general, it is best to always capture a printer, unless a source other than the print server prints jobs on the printer. If a printer won't be used by anything other than Windows NT Server, Microsoft recommends that you capture it. Doing so ensures that users don't accidentally bypass the print server and send print jobs directly to the printer or reset the printer, which may cause spooler problems.

If a printer is not captured and both Windows NT Server and another source send jobs to the printer, no jobs will be interrupted; however, while the printer is printing a job from one source, it will appear busy to the other sources.

For information about how to capture AppleTalk printers, see the Networking Supplement.

Before setting up printers, it's important to understand the distinction between a printing device and a printer that you create using the Add Printer wizard.

These concepts and others are explained more fully in the Windows NT Server Concepts and Planning Guide and the Windows NT Server Services for Macintosh.

When Services for Macintosh (SFM) is set up, several AppleTalk services are integrated into Windows NT Server. The print server, called Print Server for Macintosh, is integrated into the Windows NT Server Printers folder. The print server makes printers connected to the computer running Windows NT Server available to Macintosh clients, and it makes AppleTalk PostScript printers (with LaserWriter drivers) available to PC clients.

When the print server receives print jobs from clients, it sends them to a spooler, which is a portion of the hard disk. The spooler then sends the print job to the specified printing device—for example, to a printing device on the AppleTalk network. This enables Macintosh users, as well as PC users, to submit print jobs and continue working on their computers without waiting for the print job to complete.

The print server also translates all incoming PostScript files if the print request is to a non-PostScript printer attached to the computer running Windows NT Server. So, a Macintosh client (but not a Windows NT client) can send a PostScript job to any Windows NT Server printer.

Note

This implementation of the PostScript RIP for SFM supports 300 dpi and PostScript Level 1.

Stopping and Restarting the Print Server

When you set up SFM, all services are automatically started, including the print server. You might want to stop and restart the print server if, for example, you must remove a printing device. You stop and restart the Print Server for Macintosh using the Services icon in Control Panel.

To stop and restart Print Server for Macintosh

1. In Control Panel, click Services.

2. In Service, click Print Server For Macintosh.

3. Click Stop or Start, as appropriate.

4. To change options at startup, click Startup.

5. Click Close.

Creating a Printer on a Computer Running Windows NT Server

After you have physically attached a printing device to a computer running Windows NT Server (either directly or on a network), use the Add Printer wizard to create a printer that represents it. You can create more than one printer representing the same printing device.

For example, if you have a printing device in your office but also share it with others over the network, you might want to create two printers representing the printing device. You can create a printer for yourself that is not shared over the network and a second printer that is shared. Then it's easy to control the use of the shared printer. You can set permissions on the shared printer, ensuring that only members of your department can print to it. Or you can set a low priority for it, ensuring that documents you send to the printer will always print before documents sent by those who share it.

Another common example is to create a printer that spools to a printing device at night and another printer that spools to the same printing device during the day.

To create a printer, you must be logged on with sufficient permissions. Administrators, Server Operators, and Print Operators can create printers.

To create a printer

1. Click Start, point to Settings, and then click Printers.

2. In the Printers dialog box, click Add Printer.

3. Follow the Add Printer wizard to choose the printer ports, printer driver, and printer name. You can also set printer properties, such as location and scheduling information.

See the online Help during setup for more information.

Note

The printer name can be up to 32 characters in length. This name will appear in the title bar of the printer window. By default, it is the name that network users (except MS-DOS users) will see when you share the printer.

Choose the Share this printer option during setup. In the Share Name box, specify the printer name that you want MS-DOS clients to see.

When you are selecting a destination, if the printing device is physically connected to the Windows NT Server computer, then select the appropriate port. If the printing device is on the network, click Add Port. Choose AppleTalk Printing Devices from the Printer Ports dialog box and click OK. From the Available AppleTalk Printing Devices dialog box, select a zone and a printer, and click OK.

Setting Up a User Account for Macintosh Print Jobs

After setting up Services for Macintosh, you should create an account that will be used by all Macintosh clients when printing jobs to captured AppleTalk printing devices or to other devices on the computer running Windows NT Server. You should also configure Print Server for Macintosh to use this account.

After it is created, the user account (for example, MACUSERS) appears in the list of names that appears when you choose Permissions from the Security menu in Print Manager. You can give specific rights to this user account, just as you would any user account, including Print and No Access.

For more information about permissions, see Networking Supplement, Chapter 22, "Managing the File Server." For information on creating a user account and more specific information for configuring it to run with a service (such as Print Server for Macintosh), see the Windows NT Server Concepts and Planning Guide.

To configure the Print Server for Macintosh service to use a user account

1. In Control Panel, double-click Services.

2. Click Print Server For Macintosh.

3. Click Startup.

4. In the Print Server For Macintosh dialog box, click This Account and type the user account.

5. To require Macintosh users of the computer running Windows NT Server to use a password, type a password in Password and in Confirm Password.

6. Click OK.

Enabling Clients to Use Printers on the AppleTalk Network

With SFM, both PC and Macintosh clients can send print jobs to printing devices or spoolers on the AppleTalk network.

The printing device must appear as a LaserWriter in the Chooser, and there must be a Windows NT print driver for the printing device.

Macintosh clients use printers just as they normally do—through the Chooser. If an AppleTalk printer has been set up through Print Manager, it can be captured so that Macintosh clients cannot access it directly. This causes Macintosh print jobs to go through the computer running Windows NT Server and to be spooled along with print jobs from PC clients.

You can disable the capture setting. Doing so enables any Macintosh client to print to an AppleTalk printer directly. There are a few problems with this scenario, the most important being that the jobs will not be under the administrator's control.

To release or recapture an AppleTalk printing device

1. In Printers, select an AppleTalk printing device.

2. On the File menu, click Properties.

3. Click the Ports tab, and then click Configure Port.

A dialog box appears, asking if you want to capture this AppleTalk printing device.

4. Click Yes to capture it.

– Or –

Click No to release it.

5. Click OK.

When an AppleTalk printer is released, any Macintosh user on the AppleTalk network can use the device directly.

A printing device on AppleTalk can be captured when SFM is set up and a printer is created for it. It must remain captured so that all Macintosh clients send print jobs through the computer running Windows NT Server. If a printing device has been released for some reason, you can recapture it.

You can select another spooler instead of an actual device. Use this type of configuration with caution. It is possible to create an endless loop of print spooling with this method.