Fermilab Computing Sector

Accounts and Passwords

On this page:  New Accounts  |  Renewing Accounts  |  Password Changes & Policies  

Kerberos Principals  |  Crypto Cards  |   Email Accounts  |  Services Accounts 

Windows Fermi Domain Accounts  |  FNALU Accounts

New Accounts

 On-site Employees

  1. Obtain a Fermilab ID during New Employee Orientation (required before you can apply for computing accounts).
  2. Read the Fermilab Policy on Computing.
  3. Your supervisor or a colleague may then fill out the request form for you for Computing Username and Primary Accounts: 

    • Log in to the Service Desk
    • Click "Order New/Renew Accounts" > "Computing Username & Primary Accounts"

    The Computing Username and Primary Accounts form is used to request any of the following:
  • a username for all your computer accounts at the lab
  • a Fermilab Email account   
  • a Kerberos Principal 
  • a Services Account

Contractors

  1. Fill out and get signatures on the Contractor ID form (PDF) and obtain your Contractor ID (required before you can apply for computing accounts).
  2. Read the Fermilab Policy on Computing.
  3. Your supervisor or a colleague may then fill out the request form for Computing Username and Primary Accounts: 
  • Log in to the Service Desk
  • Click "Order New/Renew Accounts" > "Computing Username & Primary Accounts"

On-site Visitors

  1. Fill out and get signatures on the Visitors ID Form (form for first-time applicants | form for renewing your Visitor ID) and obtain your Fermilab Visitor ID (required before you can apply for computing accounts).
  2. Read the Fermilab Policy on Computing.
  3. Your supervisor or a colleague may then fill out the request form for Computing Username and Primary Accounts: 
    • Log in to the Service Desk
    • Click "Order New/Renew Accounts" > "Computing Username & Primary Accounts"
  4. To renew your Visitor ID, please submit a Service Desk ticket and the staff in the User's Office will handle it.

Off-site Visitors

    Please read Getting Started as Non-Employee Off-site User.

 

Renewing Accounts

On-site Employees

Periodically re-read the Fermilab Policy on Computing. Your ID and computer privileges are automatically renewed as long as you remain an employee, but you do need to visit the Key & ID office on the ground floor of Wilson Hall to get a new photo ID before it expires.

To reactivate any of your previous accounts, fill out the form for Reactivating Primary Accounts or your Kerberos Principal.

 Contractors 

  1. Re-read the Fermilab Policy on Computing.
  2. Fill out and get signatures on the Contractor ID form (PDF) for each contract period, BEFORE your ID expires. Failure to do so will result in losing your computer account access. If this happens, fill out the form for Reactivating Primary Accounts or your Kerberos Principal.

 On-site Visitors

  1. Re-read the Fermilab Policy on Computing.
  2. Fill out and get signatures on the Visitors ID Form (PDF) BEFORE your ID expires. Failure to do so will result in losing your computer account access. If this happens, fill out the form for Reactivating Primary Accounts or your Kerberos Principal.

Off-site Visitors

  1. Re-read the Fermilab Policy on Computing.
  2. Fill out the form Renew Fermilab Visitor ID.  

Password Changes and Policies

Please refer to Password Policies for guidelines in choosing your passwords.

On UNIX, the Kerberos V5 password and the AFS password are both changed using a command called kpasswd. For Kerberos, use /usr/krb5/bin/kpasswd. For AFS, use /usr/afsws/bin/kpasswd.

If you have forgotten your password on one of the systems above, you should contact the Service Desk. For all the other systems, you need to contact the system administrator. 

 

Kerberos Principals

The Kerberos Network Authentication Service V5 is the strong authentication program that Fermilab computers are required to run. All the computers associated with a Kerberos installation make up what's called a "strengthened realm". At Fermilab, the strengthened realm for UNIX machines is called FNAL.GOV; for the Windows domain it is FERMI.WIN.FNAL.GOV.

As a user, you need to obtain a Kerberos Principal for each realm and you must choose a very-hard-to-guess Kerberos password. A principal and a password are used together to authenticate you to a machine configured to be in the realm. Your principals will be of the form principal_name@REALM (e.g., joe@FNAL.GOV and joe@FERMI.WIN.FNAL.GOV).

See the Password Policies page for guidelines on choosing your password.

 

Crypto Card

If you need to make network connections to UNIX machines in the FNAL.GOV realm from a computer that does not run Kerberos software and is not part of the FNAL.GOV realm (or domain), you will need a Crypto Card.

A CRYPTOCard is a calculator-style, battery-powered device used for generating single-use passwords. It gets programmed for use with computers in the FNAL.GOV realm (UNIX machines only) before it is issued to you.

Background

Fermilab has implemented a computer security system that exercises tight control over who uses the lab's computers and network. The computer access methods used at the lab involve a concept known as "strong authentication".
 
"Authentication" refers to verifying the identities of networked users, clients and servers. "Strong" authentication is a means of verifying these identities without transmitting passwords over the network, and without requiring that the network be protected.
 
To ensure "strong authentication", single-use passwords are transmitted across the network. There are two ways of doing this: 1) using a computer running Kerberos software, or 2) using a single-use password generator (Crypto Card).
 
If the local desktop (or laptop) computer you will be using does not run Kerberos software and is not part of the FNAL.GOV realm (or domain), then the user can't authenticate locally on this computer. The user can work on the desktop with no problem, but in order to connect to remote Kerberized UNIX hosts, he or she must authenticate to the FNAL.GOV realm first.  A Crypto Card is used to perform this authentication.

Apply for your Crypto Card by filling out the Cryptocard Request form. You will need approval from your supervisor or an experiment spokesperson when you fill out the Request Form for CryptoCard. To fill out the form:

  • Log in to the Service Desk
  • Click Account > Cryptocard Request

Fermilab Email Account

Any Fermilab employee, user, or contractor with a valid Fermilab ID is eligible for a Fermilab email address, username@fnal.gov. Use Computing Username and Primary Accounts to apply:

  • Log in to the Service Desk
  • Click Account > Computing Username & Primary Accounts

Your Fermilab email address should be used as your primary address to ensure that your mail passes through the Fermilab email gateway. The gateway acts as a distribution point for all electronic mail between "@fnal.gov" and outside systems. The gateway facilitates the transfer of messages between dissimilar mail systems. It also scans all messages originating off-site for virus-infected attachments. For more information, see the Fermilab Email web site.

See the Password Policies page for guidelines on choosing your password.

     

Services Accounts

A "Services Account" enables you to access a number of important applications at Fermilab with a single username/password. Applications now available via the "Services Account" are: Fermilab Exchange Email, Fermilab IMAP Email, Fermilab Time and Labor Reporting, and Fermilab Service Desk. Find more at the "Services Accounts" web site.

See the Password Policies page for guidelines on choosing your password.

     

Windows Fermi Domain Accounts

Fermilab's Windows domain is named FERMI.WIN.FNAL.GOV; note the upper case. Desktops, servers and other computing resources that belong to it require authentication to the domain prior to use, Kerberos being the default protocol used. You don't get a domain "account" per se. Once you obtain a Kerberos principal using the request form for Computing Username and Primary Accounts (log in to the Service Desk, click "Accounts" > "Computing Username & Primary Accounts"), you will be able to authenticate to this domain and thereby access some subset of the servers and resources, as configured for your group. The available resources include:

  • File storage, backup, virus-checking and disaster recovery
  • Computing Sector supported software and software patches
  • Email services
  • Wide variety of printers
  • VPN support for remote access

See the Password Policies page for guidelines on choosing your password.

     

FNALU Accounts

In order to get an account on the central UNIX system FNALU, you will need approval from your supervisor or an experiment spokesperson when you request an FNALU Account.

To request an FNALU account:

  • Log in to the Service Desk
  • Click Accounts > Request FNALU Account

FNALU is a managed resource. If you need dedicated space for your project for a group of people on AFS, please fill out an AFS Space Request form. To do this:

  • Log in to the Service Desk
  • Click Storage > AFS Space Request

Small projects may qualify under "Non-Grant Usage" guidelines. If you are part of a group or experiment that already has an approved grant, you may be covered by that grant, so check with your group/experiment first.

     



    Last updated by cdweb 4/5/2012
