I am installing eB, and I want to be confident that eB is secure.
eB users are specified within eB itself, and there is a 'User Account Information' topic associated with the eB Person Object. To be able to log on, you can either be assigned a username and password (eB Authentication), or be given the option to link your Windows account to the eB Person (Windows Authentication).
There is no requirement to specify the eB users as database users. eB uses service accounts (either SQL Server or Windows) to authenticate to the database. This is for performance reasons such as connection pooling. When Windows authentication is used, the identity connecting to the database is the identity set on the eB COM object, in combination with the identity running the eB Index Listener Service (typically the same user). The ability to alter content within the database depends on the eB user's permissions, which are specified in the system admin section of eB Director.
eB does not talk directly to AD to validate users; eB simply trusts secure tokens issued by the Windows infrastructure (either NTLM or Kerberos).
So, if all servers are on the domain:
(screenshot to follow)
Then Kerberos will be used. The (deliberately simplified) process works like this:
If the client is coming in from outside of your environment, then NTLM authentication would be used.
http://msdn.microsoft.com/en-us/library/ff647076.aspx
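To confirm which of the two token types a given client actually presents, the following added example (not eB or Bentley code) classifies an HTTP `Authorization` header captured from a proxy or web server trace as Kerberos or NTLM. It assumes the eB web tier uses the standard `Negotiate`/`NTLM` headers of Integrated Windows Authentication; the function names and sample tokens are constructed for illustration, and the check is an OID scan rather than a full ASN.1 parse.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'malformed', 'unknown' or 'not-windows-auth'."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "not-windows-auth"
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    # Raw NTLM message; also sent under "Negotiate" when Kerberos is unavailable.
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"
    # GSS-API / SPNEGO initial tokens start with ASN.1 application tag 0x60.
    if token[:1] != b"\x60":
        return "unknown"
    krb_hits = [i for i in (token.find(OID_KRB5), token.find(OID_MS_KRB5)) if i >= 0]
    krb = min(krb_hits, default=-1)
    ntlm = token.find(OID_NTLMSSP)
    # The mechanism listed first is the client's preferred one.
    if krb >= 0 and (ntlm < 0 or krb < ntlm):
        return "kerberos"
    return "ntlm" if ntlm >= 0 else "unknown"


def _tlv(tag, body):
    # Short-form DER length only; sufficient for the constructed sample below.
    return bytes([tag, len(body)]) + body


def sample_headers():
    """Constructed samples: an NTLM type 1 message and a SPNEGO mech list (no real ticket)."""
    ntlm_type1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
    mechs = _tlv(0x30, OID_MS_KRB5 + OID_KRB5 + OID_NTLMSSP)
    spnego = _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mechs))))
    return {
        "ntlm": "Negotiate " + base64.b64encode(ntlm_type1).decode(),
        "kerberos": "Negotiate " + base64.b64encode(spnego).decode(),
    }
```

A domain-joined client that shows up as `ntlm` here usually points to a missing or duplicate SPN or a client reaching the server by IP address rather than by name.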