Spotlight On Active Directory Interoperability - PowerPoint PPT Presentation

1
Spotlight On Active Directory Interoperability
  • Kim Saunders, Director, Interoperability Programs
  • Andreas Luther, Group Program Management,
    Microsoft Identity Integration Server

2
Active Directory Interoperability Partners
  • David McNeely, Centrify
    Director of Product Management
  • Dennis Chapman, Network Appliance
    Technical Director, Engineering
  • Robin Wilton, Sun Microsystems
    Corporate Architect, Federated Identity
  • Barry Scott, Vintela
    Technical Services Manager (Europe)

3
Anchored in Active Directory
World's Most Widely Used Directory
Directory Usage
  • Single sign-on
  • Group policy
  • Smartcard and 2-factor authentication
  • Secure wireless and remote access
  • Vast ecosystem with >1,000 AD-enabled apps
  • ADFS and WS-* extend to other systems

4
Active Directory Interoperability Program
  • Partners helping extend Active Directory services
    to non-Windows environments

5
Identity Management Challenge
Enterprises average 12 external account stores.
On average, users are provisioned in 16 systems
and de-provisioned in 10.
Users spend on average 16 minutes per week
logging on.
Password resets cost $57-147.
Source: META Group research conducted on behalf
of PricewaterhouseCoopers, June 2002
6
Microsoft Vision For Access
Log on once, secure access to everything
  • Two basic, complementary philosophies
    • Use Windows identity and services as broadly as
      possible
    • Enable Windows and non-Windows identity and
      services to smoothly coexist

7
Secure Access Scenarios
Active Directory Interoperability
  • Application integration
    • using Windows directory and security technology
  • Platform integration
    • extending Active Directory to non-Windows
      platforms
  • Credential mapping
    • supporting multiple security models among Windows
      and non-Windows platforms
  • Synchronization
    • keeping accounts and passwords synchronized
  • Web SSO and identity federation
    • distributing directory and security services
      across organizational, security, or platform
      boundaries

9
Norsk Hydro
Improve Service Levels while Lowering Costs
  • Business Problems
    • Difficult-to-manage mesh of storage networks and
      direct-attached islands
    • Mixture of Windows, Novell and UNIX environments
    • Lacking a business model which clearly defined
      different service levels and identified various
      services as products
  • Current Environment
    • 55,000 users
    • 17,000 Windows workstations, 450 UNIX
      workstations
    • 5 core sites in Norway, 5 in Germany and more
      than 400 remote sites
    • 175 TB of business data
  • Storage Solution
    • Mirrored storage platform operating between Norsk
      Hydro's head office and a separate, secure business
      continuance centre
    • Elimination of tape-based backup at remote sites
      that rely on NetApp systems or Windows systems to
      provide storage
    • Remote data replicated and backed up at a central
      location
    • Business data seamlessly available across the
      corporate network

11
Central Michigan University Integrates Account
Administration with AD and DirectControl
  • Business Problems
    • Account admin is managed independently by
      different admin staff for AD and Unix
    • 25% of the end user population changes each fall
    • Users log in to Windows and Solaris PCs with
      different userids and passwords
  • Current Environment
    • 30-50 Solaris and Windows computers per lab; NIS
      for Solaris account admin
    • Plan to migrate to Xandros on Intel from Solaris
    • Campus-wide Active Directory is used for Windows
      account admin
  • DirectControl Solution
    • Consolidates user authentication to AD,
      eliminating the need to maintain NIS
    • Users only need to remember one userid and password
      regardless of the computer they need to log into
    • Single Sign-On is enabled for users accessing
      multiple computers
    • Does not require changes to the campus-wide AD
      infrastructure managed by a different admin team

12
UK - Ministry of Defence
  • Employees use multiple sign-ins and passwords
  • Frequent account revocations and sign-in resets
    cost the IT department a lot of time and expense
  • Result: Vintela improved employee
    productivity and helped reduce IT costs

"The integration of all user accounts will
improve security and will remove what has been a
headache for our IT department."
Cdr. Terry O'Reilly, Ministry of Defence

Italy - Guardia di Finanza
  • 66,000 Windows and 3,000 Oracle/UnixWare
    identities managed separately
  • Difficult to manage security across platforms
  • Result: Vintela improved IT operational
    efficiency by simplifying system administration
    and security

"We selected Vintela to simplify system
administration and security, thanks to the
integration capabilities of Unix servers with
Active Directory."
M.F. Bosticco, Guardia di Finanza

16
Active Directory Federation Services
Extending Access Through Web Services
  • Enables secure, appropriate customer/partner/employee
    access to web applications outside their
    domain/forest
  • Promotes IT, developer and end user efficiency
  • Improves security and regulatory compliance
  • First step towards AD as a service for SOA

17
Where Are We Now?
On The Way To Extending Access Through Web
Services
Past
  • Application Silos
  • ID for Each System
  • Internally Focused
  • Limit to Biz Value
Present
  • Custom Integration
  • Identity Integration
  • Internal and External
  • High cost to value
Future
  • Connected Systems
  • Identity Federation
  • Built to Extend
  • Low cost to value
Diagram labels: Identity Integration Products and Services;
Platform Capabilities; Web Services Interop; The Transition

19
Microsoft Vision For Access
  • Log on once, secure access to everything
  • Questions?

20
Appendix
21
Network Appliance
  • Support for AD in Data ONTAP since 2000
  • Respond to customer requests by adding additional
    AD interoperability features
  • License File Server, Media Streaming Server and
    Domain Services Interactions protocols under MCPP
  • Drive increased adoption of AD with Microsoft
    using NetApp's SnapManager line of applications
    for Exchange and SQL Server

22
Centrify DirectControl Suite
  • Enables Active Directory to act as the central
    identity, access and policy service for
    non-Windows platforms
    • Systems: Linux, UNIX (HP-UX, Solaris, AIX), Mac
      OS X
    • Web platforms: Apache, JBoss, Tomcat, WebLogic,
      etc.
  • Works seamlessly with existing infrastructure in a
    non-invasive manner
    • Windows Server: no schema extensions or domain
      controller software
    • Unix/Linux systems can map multiple existing
      legacy identities to a single Active Directory
      account; no rationalization of UIDs required
  • Customer benefits
    • Single point of administration for IT and single
      sign-on for users
    • Strengthened security via consistent password and
      security policies across Windows and
      UNIX/Linux/Java
    • Centralized access control and auditing for
      regulatory compliance
    • Quick, flexible deployment without costly or
      intrusive changes
  • More info: http://www.centrify.com

23
Vintela: Using industry standards to extend and
integrate Microsoft infrastructure products and
technologies across heterogeneous systems
  • Microsoft's partner for cross-platform
    integration
    • Microsoft invested in Vintela (Nov/04)
    • Cooperative development process between product
      teams
    • Microsoft provides Vintela product support
    • Joint sales and marketing efforts
    • Licensee of Microsoft's AD communications
      protocols
  • Vintela's products have enabled over 500,000 Unix
    identities to be integrated with Active Directory
  • 40% of the Fortune 500 have purchased or are
    actively evaluating Vintela solutions
  • Quest Software (Microsoft's 2004 Global
    Independent Software Vendor Partner) announced the
    acquisition of Vintela, which is expected to
    close shortly

24
Active Directory Interoperability Program
  • Interoperability Developer Labs
    • for AD interoperability projects in Redmond,
      Washington, USA
  • Active Directory Password Change Notification
    Service
  • IP and Protocol Technology Licensing for AD
    Interop
  • www.microsoft.com/interop
    • New Active Directory Interop program page

25
AD Interop Program Licensing
  • Kerberos PAC Group Membership
    • Kerberos PAC: authentication and key distribution
      protocol used to authenticate two principals to
      each other, and establish a cryptographic key
      that the two can use to secure any messages
    • Client-side and server-side implementations
    • Scenarios include communicating Windows
      2000-specific group membership authorization data
      carried in the field of a Kerberos ticket for use
      by servers in performing access control
  • Authentication/Directory Servers
    • Authentication and authorization service
      protocols used between Windows clients and
      Windows DCs
    • Server-side implementations (e.g., application
      and Web servers)
    • Scenarios include communicating with Windows
      client logon and security subsystems for
      authentication, authorization and access control,
      policy enforcement, or usage accounting and audit
      information data packets
  • Active Directory Client
    • Authentication and authorization service
      protocols used between Windows clients and
      Windows domain controllers
    • Client-side implementations (on desktops,
      workstations or other devices, including servers
      acting as clients)
    • Scenarios include communicating with Windows DCs
      for local logon and communicating with other
      Windows servers for network access using Windows
      domain user credentials
  • Group Policy Client
    • Group policy service protocols used between
      Windows clients and Windows servers
    • Client-side implementations (on desktops,
      workstations or other devices, including servers
      acting as clients)
    • Scenarios include communicating with Windows
      domain controllers for application of group
      policy, enabling the management of
      configuration and other policies for all machines
      and users in a domain
  • Domain Services Interaction (DSIP)
    • Authentication and authorization service
      protocols used between Windows member servers and
      Windows clients, and between Windows member
      servers and Windows domain controllers
    • Server-side implementations (e.g., application
      and Web servers)

26
Web Services Interop
  • Sun and Microsoft relationship
    • Exec strategy meetings
    • Technical Advisory Council
    • Rolling quarterly programme of work
    • Microsoft to have a high profile at JavaOne 2006
  • Identity: Sun as the ID and Federation bridge of
    choice to Longhorn/AD
    • Demonstrated interoperability
    • Joint specification which we have mutually
      committed to submit to an open standards body
  • What's Coming?
    • Joint collateral
    • Customer references
    • Publicity about interoperability progress