Spotlight On Active Directory Interoperability

Kim Saunders, Director, Interoperability Programs
Andreas Luther, Group Program Management, Microsoft Identity Integration Server


Page 2

Active Directory Interoperability Partners

David McNeely, Centrify
Director of Product Management

Dennis Chapman, Network Appliance
Technical Director, Engineering

Robin Wilton, Sun Microsystems
Corporate Architect, Federated Identity

Barry Scott, Vintela
Technical Services Manager (Europe)

Page 3

Single sign-on

Group policy

Smartcard and 2-factor authentication

Secure wireless and remote access

Vast ecosystem with >1,000 AD enabled apps

ADFS and WS-* extend to other systems

Page 4

Partners helping extend Active Directory services to non-Windows environments

Page 5

Identity Management Challenge

Enterprises average 12 external account stores.

Users spend on average 16 minutes per week logging on.

Password resets cost $57-$147.

On average, users are provisioned in 16 systems and de-provisioned in 10.

Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002

Page 6

Microsoft Vision For Access

Two basic, complementary philosophies

Use Windows identity and services as broadly as possible

Enable Windows and non-Windows identity and services to smoothly coexist

Log on once, secure access to everything

Interoperability

Page 7

Secure Access Scenarios

Application integration: using Windows directory and security technology

Platform integration: extending Active Directory to Non-Windows Platforms

Credential mapping: supporting multiple security models among Windows and Non-Windows Platforms

Synchronization: keeping accounts & passwords synchronized

Web SSO and identity federation: distributing directory and security services across organizational, security, or platform boundaries

Active Directory Interoperability


Page 9

Norsk Hydro

Business Problems
Difficult-to-manage mesh of storage networks and direct-attached islands
Mixture of Windows, Novell and UNIX environments
Lacking business model which clearly defined different service levels and identified various services as products

Current Environment
55,000 users
17,000 Windows workstations & 450 UNIX workstations
5 core sites in Norway, 5 in Germany and more than 400 remote sites
175 TB of business data

Storage Solution
Mirrored storage platform operating between Norsk Hydro’s head office and separate, secure business continuance centre
Elimination of tape-based backup at remote sites that rely on NetApp systems or Windows systems to provide storage
Remote data replicated and backed up at a central location
Business data seamlessly available across the corporate network

Improve Service Levels while Lowering Costs


Page 11

Central Michigan University
Integrates Account Administration with AD and DirectControl

Business Problems
Account admin is managed independently by different admin staff for AD and Unix
25% of the end user population changes each fall
Users log in to Windows and Solaris PCs with different userids and passwords

Current Environment
30-50 Solaris and Windows computers per lab; NIS for Solaris account admin
Plan to migrate to Xandros on Intel from Solaris
Campus wide Active Directory is used for Windows account admin

DirectControl Solution
Consolidates user authentication to AD, eliminating the need to maintain NIS
Users only need to remember one userid and password regardless of the computer they need to log into
Single Sign-On is enabled for users accessing multiple computers
Does not require changes to the Campus wide AD infrastructure managed by a different Admin team

Page 12

UK - Ministry of Defence

Employees use multiple sign-ins and passwords
Frequent account revocations and sign-in resets cost the IT department a lot of time and expense
Result: Vintela improved employee productivity and helped reduce IT costs

“The integration of all user accounts will improve security and will remove what has been a headache for our IT department”
Cdr. Terry O'Reilly, Ministry of Defence

Italy - Guardia di Finanza

66,000 Windows and 3,000 Oracle/UnixWare identities managed separately
Difficult to manage security across platforms
Result: Vintela improved IT operational efficiency by simplifying system administration and security

“We selected Vintela to simplify system administration and security, thanks to the integration capabilities of Unix servers with Active Directory”
M.F. Bosticco, Guardia di Finanza


Page 16

Active Directory Federation Services

Enables secure, appropriate customer/partner/employee access to web applications outside their domain/forest

Promotes IT, developer and end user efficiency

Improves security and regulatory compliance

First step towards AD as a service for SOA

Extending Access Through Web Services

Page 17

Where Are We Now?

Past                  Present                 Future
Application Silos     Custom Integration      Connected Systems
ID for Each System    Identity Integration    Identity Federation
Internally Focused    Internal & External     Built to Extend
Limit to Biz Value    High cost to value      Low cost to value

The Transition: Identity Integration Products and Services; Platform Capabilities, Web Services Interop

On The Way To Extending Access Through Web Services


Page 19

Microsoft Vision For Access
Log on once, secure access to everything

Questions?

Page 20

Appendix

Page 21

Network Appliance

Support for AD in Data ONTAP™ since 2000

Respond to customer requests by adding additional AD interoperability features

License File Server, Media Streaming Server and Domain Services Interactions protocols under MCPP

Drive increased adoption of AD with Microsoft using NetApp’s SnapManager line of applications for Exchange and SQL Server

Page 22

Centrify DirectControl Suite

Enables Active Directory to act as the central identity, access and policy service for non-Windows platforms
Systems: Linux, UNIX (HP-UX, Solaris, AIX), Mac OS X
Web platforms: Apache, JBoss, Tomcat, WebLogic, etc.

Works seamlessly with existing infrastructure in non-invasive manner
Windows Server: no schema extensions or domain controller software
Unix/Linux systems: can map multiple existing legacy identities to a single Active Directory account – no rationalization of UIDs required

Customer benefits
Single point of administration for IT and single sign-on for users
Strengthened security via consistent password and security policies across Windows and UNIX/Linux/Java
Centralized access control and auditing for regulatory compliance
Quick, flexible deployment without costly or intrusive changes

More info: http://www.centrify.com

Page 23

Vintela
Using industry standards to extend and integrate Microsoft infrastructure products and technologies across heterogeneous systems

Microsoft’s partner for cross-platform integration

Microsoft invested in Vintela (Nov/04)

Cooperative development process between product teams

Microsoft provides Vintela product support

Joint sales and marketing efforts

Licensee of Microsoft’s AD communications protocols

Vintela’s products have enabled over 500,000 Unix identities to be integrated with Active Directory

40% of the Fortune 500 have purchased or are actively evaluating Vintela solutions

Quest Software, Microsoft’s 2004 Global Independent Software Vendor Partner, announced the acquisition of Vintela, which is expected to close shortly

Page 24

Active Directory Interoperability Program

Interoperability Developer Labs
for AD interoperability projects in Redmond, Washington, USA

Active Directory Password Change Notification Service

IP and Protocol Technology Licensing for AD Interop

www.microsoft.com/interop
New Active Directory Interop program page

Page 25

AD Interop Program: Licensing

Kerberos PAC Group Membership
Kerberos PAC authentication and key distribution protocol used to authenticate two principals to each other, and establish a cryptographic key that the two can use to secure any messages
Client-side and server-side implementations
Scenarios include communicating Windows 2000-specific group membership authorization data carried in a field of a Kerberos ticket for use by servers in performing access control

Authentication/Directory Servers
Authentication and authorization service protocols used between Windows clients and Windows DCs
Server-side implementations (e.g., application and Web servers)
Scenarios include communicating with Windows client logon and security subsystems for authentication, authorization and access control, policy enforcement, or usage accounting and audit information data packets

Active Directory Client
Authentication and authorization service protocols used between Windows clients and Windows domain controllers
Client-side implementations (on desktops, workstations or other devices, including servers acting as clients)
Scenarios include communicating with Windows DCs for local logon and communicating with other Windows servers for network access using Windows domain user credentials

Group Policy Client
Group policy service protocols used between Windows clients and Windows servers
Client-side implementations (on desktops, workstations or other devices, including servers acting as clients)
Scenarios include communicating with Windows domain controllers for application of group policy, enabling the management of configuration and other policies for all machines and users in a domain

Domain Services Interaction (DSIP)
Authentication and authorization service protocols used between Windows member servers and Windows clients, and between Windows member servers and Windows domain controllers
Server-side implementations (e.g., application and Web servers)
Scenarios include communicating with Windows clients and servers and with Windows DCs for pass-through authentication of remote requests from Windows clients and servers to Windows domain controllers

Key benefits of these license programs include
Detailed technical documentation and valuable intellectual property
Marketing value in having a licensed implementation
Reduced dependency and risk associated with reverse engineering

Page 26

Web Services Interop

Sun and Microsoft relationship
Exec strategy meetings
Technical Advisory Council
Rolling quarterly programme of work
Microsoft to have a high profile at Java ONE 2006

Identity: Sun as the ID and Federation bridge of choice to Longhorn/AD.
Demonstrated interoperability
Joint specification which we have mutually committed to submit to open standards body

What’s Coming?
Joint collateral
Customer references
Publicity about interoperability progress