
Spotlight On Active Directory Interoperability



Presentation Transcript


  1. Spotlight On Active Directory Interoperability
     Kim Saunders, Director, Interoperability Programs
     Andreas Luther, Group Program Management, Microsoft Identity Integration Server

  2. Active Directory Interoperability Partners
     • David McNeely, Centrify: Director of Product Management
     • Dennis Chapman, Network Appliance: Technical Director, Engineering
     • Robin Wilton, Sun Microsystems: Corporate Architect, Federated Identity
     • Barry Scott, Vintela: Technical Services Manager (Europe)

  3. Anchored in Active Directory: World's Most Widely Used Directory
     Directory usage:
     • Single sign-on
     • Group policy
     • Smartcard and 2-factor authentication
     • Secure wireless and remote access
     • Vast ecosystem with >1,000 AD-enabled apps
     • ADFS and WS-* extend to other systems

  4. Active Directory Interoperability Program
     Partners helping extend Active Directory services to non-Windows environments

  5. Identity Management Challenge
     • Enterprises average 12 external account stores.
     • On average, users are provisioned in 16 systems and de-provisioned in 10.
     • Users spend on average 16 minutes per week logging on.
     • Password resets cost $57-$147.
     Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002

  6. Interoperability: Microsoft Vision For Access
     Log on once, secure access to everything
     • Two basic, complementary philosophies:
       • Use Windows identity and services as broadly as possible
       • Enable Windows and non-Windows identity and services to smoothly coexist

  7. Secure Access Scenarios: Active Directory Interoperability
     • Application integration: using Windows directory and security technology
     • Platform integration: extending Active Directory to non-Windows platforms
     • Credential mapping: supporting multiple security models among Windows and non-Windows platforms
     • Synchronization: keeping accounts and passwords synchronized
     • Web SSO and identity federation: distributing directory and security services across organizational, security, or platform boundaries

  8. Secure Access Scenarios: Active Directory Interoperability (section divider; repeats slide 7)

  9. Norsk Hydro: Improve Service Levels while Lowering Costs
     • Business problems
       • Difficult-to-manage mesh of storage networks and direct-attached islands
       • Mixture of Windows, Novell and UNIX environments
       • Lacking a business model that clearly defined different service levels and identified the various services as products
     • Current environment
       • 55,000 users
       • 17,000 Windows workstations and 450 UNIX workstations
       • 5 core sites in Norway, 5 in Germany and more than 400 remote sites
       • 175 TB of business data
     • Storage solution
       • Mirrored storage platform operating between Norsk Hydro's head office and a separate, secure business continuance centre
       • Elimination of tape-based backup at remote sites that rely on NetApp systems or Windows systems to provide storage
       • Remote data replicated and backed up at a central location
       • Business data seamlessly available across the corporate network

  10. Secure Access Scenarios: Active Directory Interoperability (section divider; repeats slide 7)

  11. Central Michigan University Integrates Account Administration with AD and DirectControl
     • Business problems
       • Account administration is managed independently by different admin staff for AD and Unix
       • 25% of the end-user population changes each fall
       • Users log in to Windows and Solaris PCs with different user IDs and passwords
     • Current environment
       • 30-50 Solaris and Windows computers per lab; NIS for Solaris account administration
       • Plan to migrate from Solaris to Xandros on Intel
       • Campus-wide Active Directory is used for Windows account administration
     • DirectControl solution
       • Consolidates user authentication to AD, eliminating the need to maintain NIS
       • Users only need to remember one user ID and password regardless of the computer they log in to
       • Single sign-on is enabled for users accessing multiple computers
       • Does not require changes to the campus-wide AD infrastructure managed by a different admin team

  12. UK - Ministry of Defence
     • Employees use multiple sign-ins and passwords
     • Frequent account revocations and sign-in resets cost the IT department a lot of time and expense
     • Result: Vintela improved employee productivity and helped reduce IT costs
     "The integration of all user accounts will improve security and will remove what has been a headache for our IT department"
     Cdr. Terry O'Reilly, Ministry of Defence
     Italy - Guardia di Finanza
     • 66,000 Windows and 3,000 Oracle/UnixWare identities managed separately
     • Difficult to manage security across platforms
     • Result: Vintela improved IT operational efficiency by simplifying system administration and security
     "We selected Vintela to simplify system administration and security, thanks to the integration capabilities of Unix servers with Active Directory"
     M.F. Bosticco, Guardia di Finanza

  13. Secure Access Scenarios: Active Directory Interoperability (section divider; repeats slide 7)

  14. Secure Access Scenarios: Active Directory Interoperability (section divider; repeats slide 7)

  15. Secure Access Scenarios: Active Directory Interoperability (section divider; repeats slide 7)

  16. Active Directory Federation Services: Extending Access Through Web Services
     • Enables secure, appropriate customer/partner/employee access to web applications outside their domain/forest
     • Promotes IT, developer and end-user efficiency
     • Improves security and regulatory compliance
     • First step towards AD as a service for SOA

  17. Where Are We Now? On The Way To Extending Access Through Web Services
     Past                    Present                  Future
     Application silos       Custom integration       Connected systems
     ID for each system      Identity integration     Identity federation
     Internally focused      Internal and external    Built to extend
     Limit to biz value      High cost to value       Low cost to value
     Diagram layers: Identity Integration Products and Services; Platform Capabilities; Web Services Interop; The Transition

  18. Secure Access Scenarios: Active Directory Interoperability (section divider; repeats slide 7)

  19. Microsoft Vision For Access
     Log on once, secure access to everything
     Questions?

  20. Appendix

  21. Network Appliance
     • Support for AD in Data ONTAP™ since 2000
     • Respond to customer requests by adding additional AD interoperability features
     • License File Server, Media Streaming Server and Domain Services Interactions protocols under MCPP
     • Drive increased adoption of AD with Microsoft using NetApp's SnapManager line of applications for Exchange and SQL Server

  22. Centrify DirectControl Suite
     • Enables Active Directory to act as the central identity, access and policy service for non-Windows platforms
       • Systems: Linux, UNIX (HP-UX, Solaris, AIX), Mac OS X
       • Web platforms: Apache, JBoss, Tomcat, WebLogic, etc.
     • Works seamlessly with existing infrastructure in a non-invasive manner
       • Windows Server: no schema extensions or domain controller software
       • Unix/Linux systems: can map multiple existing legacy identities to a single Active Directory account; no rationalization of UIDs required
     • Customer benefits
       • Single point of administration for IT and single sign-on for users
       • Strengthened security via consistent password and security policies across Windows and UNIX/Linux/Java
       • Centralized access control and auditing for regulatory compliance
       • Quick, flexible deployment without costly or intrusive changes
     • More info: http://www.centrify.com

  23. Vintela: Using industry standards to extend and integrate Microsoft infrastructure products and technologies across heterogeneous systems
     • Microsoft's partner for cross-platform integration
       • Microsoft invested in Vintela (Nov/04)
       • Cooperative development process between product teams
       • Microsoft provides Vintela product support
       • Joint sales and marketing efforts
       • Licensee of Microsoft's AD communications protocols
     • Vintela's products have enabled over 500,000 Unix identities to be integrated with Active Directory
     • 40% of the Fortune 500 have purchased or are actively evaluating Vintela solutions
     • Quest Software, Microsoft's 2004 Global Independent Software Vendor Partner, announced the acquisition of Vintela, which is expected to close shortly

  24. Active Directory Interoperability Program
     • Interoperability Developer Labs for AD interoperability projects in Redmond, Washington, USA
     • Active Directory Password Change Notification Service
     • IP and Protocol Technology Licensing for AD Interop
     • www.microsoft.com/interop: new Active Directory Interop program page

  25. AD Interop Program: Licensing
     • Kerberos PAC Group Membership
       • Kerberos authentication and key distribution protocol, used to authenticate two principals to each other and establish a cryptographic key that the two can use to secure any messages
       • Client-side and server-side implementations
       • Scenarios include communicating Windows 2000-specific group membership authorization data, carried in a field of a Kerberos ticket, for use by servers in performing access control
     • Authentication/Directory Servers
       • Authentication and authorization service protocols used between Windows clients and Windows DCs
       • Server-side implementations (e.g., application and Web servers)
       • Scenarios include communicating with Windows client logon and security subsystems for authentication, authorization and access control, policy enforcement, or usage accounting and audit information data packets
     • Active Directory Client
       • Authentication and authorization service protocols used between Windows clients and Windows domain controllers
       • Client-side implementations (on desktops, workstations or other devices, including servers acting as clients)
       • Scenarios include communicating with Windows DCs for local logon and communicating with other Windows servers for network access using Windows domain user credentials
     • Group Policy Client
       • Group policy service protocols used between Windows clients and Windows servers
       • Client-side implementations (on desktops, workstations or other devices, including servers acting as clients)
       • Scenarios include communicating with Windows domain controllers for application of group policy, enabling the management of configuration and other policies for all machines and users in a domain
     • Domain Services Interaction (DSIP)
       • Authentication and authorization service protocols used between Windows member servers and Windows clients, and between Windows member servers and Windows domain controllers
       • Server-side implementations (e.g., application and Web servers)
       • Scenarios include communicating with Windows clients and servers and with Windows DCs for pass-through authentication of remote requests from Windows clients and servers to Windows domain controllers
     • Key benefits of these license programs include
       • Detailed technical documentation and valuable intellectual property
       • Marketing value in having a licensed implementation
       • Reduced dependency and risk associated with reverse engineering
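The three points the Kerberos PAC bullet above packs into one sentence (two principals authenticating each other, a session key established between them, and group membership data carried inside the ticket for the server's access-control decision) are easier to see in code. The following toy exchange is an added example, not from the deck and not from any licensed Microsoft protocol documentation. It assumes its own simplifications: sealing is HMAC-SHA256 keystream-plus-MAC rather than real Kerberos encryption types, the TGT hop is collapsed so the KDC issues the service ticket directly, and the principal names, password, ACL and SID-like group identifiers are all constructed.

```python
# Added teaching example (not from the deck): a toy Kerberos-style exchange
# in which group membership data rides inside the ticket, as a PAC does.
# Sealing uses HMAC-SHA256 (keystream + MAC), not Kerberos encryption types,
# and the TGT hop is collapsed: the KDC issues the service ticket directly.
import hashlib, hmac, json, os, time

LIFETIME, SKEW = 600, 300  # ticket lifetime and allowed clock skew, seconds


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(ke, nonce, length):
    blocks = (hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    ke, km, nonce = _subkey(key, b"enc"), _subkey(key, b"mac"), os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ke, nonce, len(pt))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on any modification."""
    ke, km = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(ke, nonce, len(ct)))))


class KDC:
    def __init__(self, keys, directory):
        self.keys = keys            # long-term key per principal
        self.directory = directory  # principal -> group identifiers (the PAC source)

    def issue_ticket(self, cname, sname, preauth):
        # Pre-authentication: a timestamp sealed under the client's long-term key
        # proves the requester knows that key before any ticket is issued.
        if abs(time.time() - unseal(self.keys[cname], preauth)["ts"]) > SKEW:
            raise PermissionError("pre-auth timestamp outside clock skew")
        sk, exp = os.urandom(32).hex(), time.time() + LIFETIME
        # The ticket is sealed under the service's key: only the service can open
        # it, and the client cannot alter the group data it carries.
        ticket = seal(self.keys[sname], {"cname": cname, "session_key": sk,
                      "expiry": exp, "pac": {"groups": self.directory[cname]}})
        # The reply is sealed under the client's key and hands over the session key.
        reply = seal(self.keys[cname], {"sname": sname, "session_key": sk, "expiry": exp})
        return ticket, reply


def client_request(kdc, cname, client_key, sname):
    """Client side: obtain a ticket and build an authenticator for the service."""
    ticket, reply = kdc.issue_ticket(cname, sname, seal(client_key, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(client_key, reply)["session_key"])
    auth = seal(sk, {"cname": cname, "ts": time.time(), "nonce": os.urandom(8).hex()})
    return ticket, auth, sk


class Service:
    def __init__(self, key, acl):
        self.key, self.acl, self.seen = key, acl, set()  # acl: resource -> groups

    def accept(self, ticket, auth, resource):
        t = unseal(self.key, ticket)  # only the genuine service key opens the ticket
        if t["expiry"] < time.time():
            raise PermissionError("ticket expired")
        sk = bytes.fromhex(t["session_key"])
        a = unseal(sk, auth)  # the sender must hold the session key from the ticket
        if a["cname"] != t["cname"] or abs(time.time() - a["ts"]) > SKEW:
            raise PermissionError("authenticator mismatch or stale")
        if a["nonce"] in self.seen:  # replay cache for authenticators
            raise PermissionError("replayed authenticator")
        self.seen.add(a["nonce"])
        # Access control reads the group data carried in the ticket; no directory
        # lookup is needed, which is why the ticket's integrity matters so much.
        allowed = bool(set(t["pac"]["groups"]) & self.acl.get(resource, set()))
        # Mutual authentication: echoing the client's timestamp under the session
        # key proves to the client that the service could open the ticket.
        return allowed, seal(sk, {"ts": a["ts"]})


def demo():
    """Runs the exchange; returns (finance allowed, hr allowed, modified ticket accepted)."""
    keys = {"alice@EXAMPLE": hashlib.sha256(b"alice-password").digest(),
            "host/fileserver@EXAMPLE": os.urandom(32)}
    directory = {"alice@EXAMPLE": ["S-1-5-21-0-0-0-513", "S-1-5-21-0-0-0-1104"]}  # constructed
    kdc = KDC(keys, directory)
    svc = Service(keys["host/fileserver@EXAMPLE"],
                  {"/finance": {"S-1-5-21-0-0-0-1104"}, "/hr": {"S-1-5-21-0-0-0-1105"}})
    cname, sname = "alice@EXAMPLE", "host/fileserver@EXAMPLE"
    ticket, auth, sk = client_request(kdc, cname, keys[cname], sname)
    fin_ok, mutual = svc.accept(ticket, auth, "/finance")
    assert unseal(sk, mutual)["ts"] == unseal(sk, auth)["ts"]  # client verifies the service
    ticket, auth, _ = client_request(kdc, cname, keys[cname], sname)
    hr_ok, _ = svc.accept(ticket, auth, "/hr")
    try:  # any modification to a sealed ticket, even one bit, fails verification
        svc.accept(ticket[:-1] + bytes([ticket[-1] ^ 1]), auth, "/finance")
        modified_ok = True
    except ValueError:
        modified_ok = False
    return fin_ok, hr_ok, modified_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The design point worth taking from the toy is the one the licensing bullet hints at: the server never asks the directory who the client is or which groups it belongs to; it trusts the group data because the ticket is sealed under a key only the KDC and the service share. That is why a server-side implementation must verify the ticket with its own key before reading anything out of it, and why a PAC whose integrity cannot be checked must be treated as no PAC at all.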

  26. Web Services Interop
     • Sun and Microsoft relationship
       • Exec strategy meetings
       • Technical Advisory Council
       • Rolling quarterly programme of work
       • Microsoft to have a high profile at JavaOne 2006
     • Identity: Sun as the ID and Federation bridge of choice to Longhorn/AD
       • Demonstrated interoperability
       • Joint specification which we have mutually committed to submit to an open standards body
     • What's coming?
       • Joint collateral
       • Customer references
       • Publicity about interoperability progress
