Spotlight On Active Directory Interoperability
Kim Saunders, Director, Interoperability Programs
Andreas Luther, Group Program Management, Microsoft Identity Integration Server
Active Directory Interoperability Partners
David McNeely, Centrify
Director of Product Management
Dennis Chapman, Network Appliance
Technical Director, Engineering
Robin Wilton, Sun Microsystems
Corporate Architect, Federated Identity
Barry Scott, Vintela
Technical Services Manager (Europe)
Single sign-on
Group policy
Smartcard and 2-factor authentication
Secure wireless and remote access
Vast ecosystem with >1,000 AD enabled apps
ADFS and WS-* extend to other systems
Partners helping extend Active Directory services to non-Windows environments
Identity Management Challenge
Enterprises average 12 external account stores.
Users spend on average 16 minutes per week logging on.
Password resets cost $57-$147.
On average, users are provisioned in 16 systems and de-provisioned in 10.
Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002
Microsoft Vision For Access
Two basic, complementary philosophies
Use Windows identity and services as broadly as possible
Enable Windows and non-Windows identity and services to smoothly coexist
Log on once, secure access to everything
Interoperability
Secure Access Scenarios
Application integration: using Windows directory and security technology
Platform integration: extending Active Directory to non-Windows platforms
Credential mapping: supporting multiple security models among Windows and non-Windows platforms
Synchronization: keeping accounts and passwords synchronized
Web SSO and identity federation: distributing directory and security services across organizational, security, or platform boundaries
Active Directory Interoperability
Norsk Hydro
Business Problems
Difficult-to-manage mesh of storage networks and direct-attached islands
Mixture of Windows, Novell and UNIX environments
Lacking a business model which clearly defined different service levels and identified various services as products
Current Environment
55,000 users
17,000 Windows workstations and 450 UNIX workstations
5 core sites in Norway, 5 in Germany and more than 400 remote sites
175 TB of business data
Storage Solution
Mirrored storage platform operating between Norsk Hydro's head office and a separate, secure business continuance centre
Elimination of tape-based backup at remote sites that rely on NetApp systems or Windows systems to provide storage
Remote data replicated and backed up at a central location
Business data seamlessly available across the corporate network
Improve Service Levels while Lowering Costs
Central Michigan University: Integrates Account Administration with AD and DirectControl
Business Problems
Account admin is managed independently by different admin staff for AD and Unix
25% of the end user population changes each fall
Users log in to Windows and Solaris PCs with different userids and passwords
Current Environment
30-50 Solaris and Windows computers per lab; NIS for Solaris account admin
Plan to migrate to Xandros on Intel from Solaris
Campus-wide Active Directory is used for Windows account admin
DirectControl Solution
Consolidates user authentication to AD, eliminating the need to maintain NIS
Users only need to remember one userid and password regardless of the computer they need to log into
Single Sign-On is enabled for users accessing multiple computers
Does not require changes to the campus-wide AD infrastructure managed by a different admin team
Italy - Guardia di Finanza
66,000 Windows and 3,000 Oracle/UnixWare identities managed separately
Difficult to manage security across platforms
Result: Vintela improved IT operational efficiency by simplifying system administration and security
"We selected Vintela to simplify system administration and security, thanks to the integration capabilities of Unix servers with Active Directory"
M.F. Bosticco, Guardia di Finanza
UK - Ministry of Defence
Employees use multiple sign-ins and passwords
Frequent account revocations and sign-in resets cost the IT department a lot of time and expense
Result: Vintela improved employee productivity and helped reduce IT costs
"The integration of all user accounts will improve security and will remove what has been a headache for our IT department"
Cdr. Terry O'Reilly, Ministry of Defence
Active Directory Federation Services
Enables secure, appropriate customer/partner/employee access to web applications outside their domain/forest
Promotes IT, developer and end user efficiency
Improves security and regulatory compliance
First step towards AD as a service for SOA
Extending Access Through Web Services
Where Are We Now?
Past: Application Silos; ID for Each System; Internally Focused; Limit to Biz Value; Custom Integration
Present: Identity Integration; Internal & External; High cost to value; Identity Integration Products and Services
Future: Connected Systems; Identity Federation; Built to Extend; Low cost to value; Platform Capabilities, Web Services Interop
The Transition
On The Way To Extending Access Through Web Services
Microsoft Vision For Access: Log on once, secure access to everything
Questions?
Appendix
Network Appliance
Support for AD in Data ONTAP™ since 2000
Respond to customer requests by adding additional AD interoperability features
License File Server, Media Streaming Server and Domain Services Interactions protocols under MCPP
Drive increased adoption of AD with Microsoft using NetApp's SnapManager line of applications for Exchange and SQL Server
Centrify DirectControl Suite
Enables Active Directory to act as the central identity, access and policy service for non-Windows platforms
Systems: Linux, UNIX (HP-UX, Solaris, AIX), Mac OS X
Web platforms: Apache, JBoss, Tomcat, WebLogic, etc.
Works seamlessly with existing infrastructure in a non-invasive manner
Windows Server: no schema extensions or domain controller software
Unix/Linux systems: can map multiple existing legacy identities to a single Active Directory account; no rationalization of UIDs required
Customer benefits
Single point of administration for IT and single sign-on for users
Strengthened security via consistent password and security policies across Windows and UNIX/Linux/Java
Centralized access control and auditing for regulatory compliance
Quick, flexible deployment without costly or intrusive changes
More info: http://www.centrify.com
Vintela: Using industry standards to extend and integrate Microsoft infrastructure products and technologies across heterogeneous systems
Microsoft's partner for cross-platform integration
Microsoft invested in Vintela (Nov/04)
Cooperative development process between product teams
Microsoft provides Vintela product support
Joint sales and marketing efforts
Licensee of Microsoft's AD communications protocols
Vintela's products have enabled over 500,000 Unix identities to be integrated with Active Directory
40% of the Fortune 500 have purchased or are actively evaluating Vintela solutions
Quest Software, Microsoft's 2004 Global Independent Software Vendor Partner, announced the acquisition of Vintela, which is expected to close shortly
Active Directory Interoperability Program
Interoperability Developer Labs for AD interoperability projects in Redmond, Washington, USA
Active Directory Password Change Notification Service
IP and Protocol Technology Licensing for AD Interop
www.microsoft.com/interop
New Active Directory Interop program page
AD Interop Program: Licensing
Kerberos PAC Group Membership
Authentication and key distribution protocol used to authenticate two principals to each other, and to establish a cryptographic key that the two can use to secure any messages
Client-side and server-side implementations
Scenarios include communicating Windows 2000-specific group membership authorization data, carried in a field of a Kerberos ticket, for use by servers in performing access control
Authentication/Directory Servers
Authentication and authorization service protocols used between Windows clients and Windows DCs
Server-side implementations (e.g., application and Web servers)
Scenarios include communicating with Windows client logon and security subsystems for authentication, authorization and access control, policy enforcement, or usage accounting and audit information data packets
Active Directory Client
Authentication and authorization service protocols used between Windows clients and Windows domain controllers
Client-side implementations (on desktops, workstations or other devices, including servers acting as clients)
Scenarios include communicating with Windows DCs for local logon and communicating with other Windows servers for network access using Windows domain user credentials
Group Policy Client
Group policy service protocols used between Windows clients and Windows servers
Client-side implementations (on desktops, workstations or other devices, including servers acting as clients)
Scenarios include communicating with Windows domain controllers for application of group policy, enabling the management of configuration and other policies for all machines and users in a domain
Domain Services Interaction (DSIP)
Authentication and authorization service protocols used between Windows member servers and Windows clients, and between Windows member servers and Windows domain controllers
Server-side implementations (e.g., application and Web servers)
Scenarios include communicating with Windows clients and servers and with Windows DCs for pass-through authentication of remote requests from Windows clients and servers to Windows domain controllers
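The Kerberos PAC entry above describes two properties that a licensed server-side implementation has to get right: the ticket carries group membership authorization data, and the server may act on it only because the ticket is protected by a key the client never holds. The following Python model, added here as an illustration and not code from Microsoft or any partner in this deck, shows that trust relationship from the defender's side. It simplifies deliberately: real Kerberos encrypts the service ticket under the service's long-term key and the PAC carries its own checksums, whereas this example collapses all of that into one HMAC under a constructed `SERVICE_KEY`; the JSON layout, the placeholder SIDs and the `RESOURCE_ACL` are likewise constructed for the example and are not the MS-PAC wire format.

```python
"""Simplified model of a service trusting group membership carried in a
Kerberos ticket.  Constructed example: the HMAC sealing and JSON layout
stand in for real Kerberos ticket encryption and the PAC checksums."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample key: in a real deployment the service's long-term key is
# shared only between the KDC and the service, never with the client.
SERVICE_KEY = secrets.token_bytes(32)

# Constructed sample ACL: resource -> set of group SIDs (placeholder values).
RESOURCE_ACL = {
    "//fileserver/finance": {"S-1-5-21-EXAMPLE-1105"},  # Finance group
    "//fileserver/public": {"S-1-5-21-EXAMPLE-513"},    # Domain Users
}


def kdc_issue_ticket(client, groups, service_key, lifetime=3600):
    """KDC side: build the ticket body (client name, group authorization data,
    session key, validity window) and seal it under the service's key."""
    now = int(time.time())
    body = {
        "client": client,
        "groups": sorted(groups),
        "session_key": secrets.token_hex(16),
        "issued": now,
        "expires": now + lifetime,
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(service_key, encoded, hashlib.sha256).digest()
    return encoded, tag


def service_verify_ticket(encoded, tag, service_key, now=None):
    """Service side: the group claims are trusted only after the tag verifies
    under the service key and the validity window checks out."""
    expected = hmac.new(service_key, encoded, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    body = json.loads(encoded)
    now = int(time.time()) if now is None else now
    if not body["issued"] <= now < body["expires"]:
        return None
    return body


def authorize(ticket_body, resource):
    """Access control decision: any group in the ticket that the ACL lists."""
    allowed = RESOURCE_ACL.get(resource, set())
    return bool(allowed & set(ticket_body["groups"]))


def access_check(encoded, tag, resource, service_key=SERVICE_KEY, now=None):
    """Full server-side path: verify the ticket, then apply the ACL."""
    body = service_verify_ticket(encoded, tag, service_key, now)
    if body is None:
        return "denied: ticket invalid"
    return "granted" if authorize(body, resource) else "denied: not a member"


def modified_groups_rejected():
    """Check that a ticket whose group list was altered after sealing fails
    verification, so the server never reads the altered membership."""
    encoded, tag = kdc_issue_ticket(
        "alice@CORP.EXAMPLE", ["S-1-5-21-EXAMPLE-513"], SERVICE_KEY)
    body = json.loads(encoded)
    body["groups"].append("S-1-5-21-EXAMPLE-1105")
    altered = json.dumps(body, sort_keys=True).encode()
    return access_check(altered, tag, "//fileserver/finance")


if __name__ == "__main__":
    enc, tg = kdc_issue_ticket(
        "alice@CORP.EXAMPLE", ["S-1-5-21-EXAMPLE-513"], SERVICE_KEY)
    print(access_check(enc, tg, "//fileserver/public"))
    print(access_check(enc, tg, "//fileserver/finance"))
    print(modified_groups_rejected())
```

The ordering in `access_check` is the point of the model: the server has no business reading group membership out of a ticket it has not first verified under its own key, and an expired ticket is treated the same as a forged one. An implementation that consulted the group list before the integrity check would be making an access decision on data the client could have written itself.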
Key benefits of these license programs include
Detailed technical documentation and valuable intellectual property
Marketing value in having a licensed implementation
Reduced dependency and risk associated with reverse engineering
Web Services Interop
Sun and Microsoft relationship
Exec strategy meetings
Technical Advisory Council
Rolling quarterly programme of work
Microsoft to have a high profile at JavaOne 2006
Identity: Sun as the ID and Federation bridge of choice to Longhorn/AD
Demonstrated interoperability
Joint specification which we have mutually committed to submit to an open standards body
What's Coming?
Joint collateral
Customer references
Publicity about interoperability progress