Helix NIH Active Directory Authentication Q and A
This Spring and Summer, the Scientific Computing Branch will be migrating Helix and Biowulf users from local Unix authentication to NIH Active Directory (AD) authentication. This migration will result in much improved support, consistency and convenience for our customers, and will involve changes that will impact our users to varying degrees. This Q and A addresses the changes our customers will experience during and after the migration and the changes to login behavior that will accompany the migration.
Q: What is NIH AD authentication?
A: NIH AD authentication uses your NIH AD Domain Account and password, the same user name and password you use to log into ITAS to manage your timecard, log into an NIH-managed Windows workstation and check your mail.nih.gov mail. It is also your PIV card with your private PIN number, which may also be used to log into many NIH services and workstations. It is the central NIH enterprise authentication service.
Q: How will the transition work and what do I need to know about it?
A: The authentication transition will happen in two major phases. The first phase will involve changing your Helix login name to your NIH user name (completed). If your NIH and Helix user names are already the same, you will notice no difference in behavior during Phase I. The second phase will be the actual switch to NIH AD authentication.
- Phase I: Sync NIH and Helix User names (completed, see below for details)
- Phase II: Switch to NIH AD authentication (August 28th 2012)
In this phase, you will start using your NIH user name and password when logging into Helix/Biowulf. This includes ssh logins, mail, helixdrive and web applications. At this point Helix/Biowulf will be fully integrated into the same enterprise authentication infrastructure that NIH mail, ITAS and other NIH services use.
A: Your account credentials will be managed by the NIH IT Service Desk. If you forget your password, have trouble changing it, or your account gets locked for repeated failed logins, you will need to contact the NIH Service Desk or use iforgotmypassword.nih.gov to reset or unlock your account. It will be possible to use the kpasswd command on Helix/Biowulf to change your NIH password. This will have the same effect as changing it via a Windows workstation or at password.nih.gov.
Q: Why transition at all?
A: Transitioning to NIH authentication will create a more seamless work environment for researchers at the NIH and reduce confusion related to remembering separate passwords and who to call for user account support. After the migration, Helix/Biowulf will be integrated with the NIH enterprise authentication infrastructure which is fully supported by the NIH IT Service Desk. There will be additional benefits enumerated below. See: "Anything else?"
Q: Is the Helix mail service going away?
A: No. Corresponding to your new Helix user name, you will receive a new helix email address. Additional details appear elsewhere in this document.
Q: I use Helixdrive, what happens there?
A: If your user name is changed in Phase I, then you'll simply start using your NIH user name for mapping shares from helixdrive.nih.gov using your current (Helix) password. When Phase II is started, you will use your NIH user name and password.
Q: I use Sciware, what about that?
A: The same as Helixdrive above.
Q: I use Galaxy (galaxy.cit.nih.gov), what happens with that?
A: If your user name is changed in Phase I, then you'll simply start using your NIH user name for accessing galaxy.cit.nih.gov with your current (Helix) password. When Phase II is started, you will use your NIH user name and password.
Q: Anything else?
A: Yes! After the migration:
- Windows users will be able to use GSSAPI-enabled applications (SSH clients like OpenSSH and PuTTY; mail clients, like Thunderbird) for single sign-on capability. If you logged into your workstation with your PIV card or your NIH user name and password you will not be asked to authenticate again when logging into Helix/Biowulf, checking your Helix mail or mapping a drive from helixdrive. Some initial client configuration may be necessary for this functionality. We expect our customers will thoroughly enjoy this capability.
- For Linux (and some Unix) users, single sign-on is even easier, but you have to configure your system for the NIH AD domain first. See instructions here.
- For MacOS users, follow these instructions for single sign-on to the NIH domain.
Q: Since my username migration, alpine has been displaying my old address instead of the recipient in Index pages, particularly in sent-mail folders. Useful information is now hidden!
A: Alpine doesn't recognize your old address as denoting "you," so it displays the sender instead of "your" recipient. To fix this, add your previous address to the Alternate Addresses list, located several pages down in alpine's Setup / Configure pages; then Exit Setup.
- In May 2012:
Your Helix user name will change to your NIH user name (if they are already exactly the same, then you can safely ignore Phase I and skip to Phase II). If you need to be migrated, you will be sent a message with a date and time for migration and a direct contact for additional coordination and migration support.
- During this phase, your password on Helix/Biowulf will not be changed, only your user name will be altered.
- When migrated, you will log into Helix/Biowulf using your NIH user name and current Helix password.
- The name of your home directory will change to your NIH user name (contents will be unaltered).
- The name of your data directory will change to your NIH user name (contents will be unaltered).
- You will have a new helix.nih.gov email address that reflects the user name change; emails in your inbox will not be affected.
- Your old helix.nih.gov email address will still work for individuals sending mail to you for one year after the transition. Users can request a permanent alias by filling out a short form here.
- If you use Helix for mail, you will have to update your mail software preferences to use your NIH user name when logging into Helix. You should also update your return address. Instructions are available.
- Scripts and programs that you have written may need to be updated with new information. For instance, if you hard-coded your home or data directory into a perl script or other program, you'll have to update the program after your home directory is renamed.
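
One way to find the hard-coded home and data directory paths mentioned in the last item is sketched below. This is an added example, not tooling provided by Helix/Biowulf staff; it assumes directories are laid out as /home/<user> and /data/<user> (the page does not state the layout), and `olduser` / `newuser` are placeholder account names.

```shell
#!/bin/sh
# Added example, not NIH-provided tooling.
# Assumptions: home and data directories are /home/<user> and /data/<user>;
# "olduser" and "newuser" are placeholder account names.

# find_stale_paths OLD_USER DIR [PREFIXES]
# Print file:line:text for each text file under DIR that still references
# PREFIX/OLD_USER as a complete path component.
find_stale_paths() {
    old=$1; dir=$2; prefixes=${3:-"/home /data"}
    for p in $prefixes; do
        # Require a non-name character (or end of line) after the user name,
        # so "olduser" does not also match "olduser2". -I skips binary files.
        grep -rInE -- "${p}/${old}([^A-Za-z0-9_.-]|\$)" "$dir" 2>/dev/null
    done | sort -u
}

# preview_rewrite OLD_USER NEW_USER FILE
# Write FILE to stdout with the old paths replaced; FILE itself is not changed.
preview_rewrite() {
    sed -E "s#(/home|/data)/$1([^A-Za-z0-9_.-]|\$)#\1/$2\2#g" "$3"
}

# Constructed sample: two scripts, one with hard-coded paths.
demo=$(mktemp -d)
cat > "$demo/align.pl" <<'EOF'
my $ref = "/data/olduser/genomes/hg19.fa";
my $out = "/home/olduser/results";
my $shared = "/data/olduser2/shared";   # a different account
EOF
printf 'cd "$HOME" && ./run.sh\n' > "$demo/portable.sh"

find_stale_paths olduser "$demo"
preview_rewrite olduser newuser "$demo/align.pl"
```

Review the preview before changing any file, and check crontab entries and batch job scripts as well, since a job that still points at the old path will fail or write somewhere unexpected after the rename.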