Spotlight On Active Directory Interoperability Kim Saunders Director, Interoperability Programs Andreas Luther Group Program Management, Microsoft Identity.

1 Spotlight On Active Directory Interoperability Kim Saunders Director, Interoperability Programs Andreas Luther Group Program Management, Microsoft Identity Integration Server

2 Active Directory Interoperability Partners
David McNeely, Centrify, Director of Product Management
Dennis Chapman, Network Appliance, Technical Director, Engineering
Robin Wilton, Sun Microsystems, Corporate Architect, Federated Identity
Barry Scott, Vintela, Technical Services Manager (Europe)

3 Directory Usage Anchored in Active Directory
World's Most Widely Used Directory
Single sign-on
Group policy
Smartcard and 2-factor authentication
Secure wireless and remote access
Vast ecosystem with >1,000 AD-enabled apps
ADFS and WS-* extend to other systems

4 Active Directory Interoperability Program Partners helping extend Active Directory services to non-Windows environments

5 Identity Management Challenge
Enterprises average 12 external account stores.
Users spend on average 16 minutes per week logging on.
Password resets cost $57-$147.
On average, users are provisioned in 16 systems and de-provisioned in 10.
Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002

6 Microsoft Vision For Access
Two basic, complementary philosophies:
Use Windows identity and services as broadly as possible
Enable Windows and non-Windows identity and services to smoothly coexist
Log on once, secure access to everything
Interoperability

7 Secure Access Scenarios
Application integration: using Windows directory and security technology
Platform integration: extending Active Directory to non-Windows platforms
Credential mapping: supporting multiple security models among Windows and non-Windows platforms
Synchronization: keeping accounts and passwords synchronized
Web SSO and identity federation: distributing directory and security services across organizational, security, or platform boundaries
Active Directory Interoperability

9 Norsk Hydro: Improve Service Levels while Lowering Costs
Business Problems
Difficult-to-manage mesh of storage networks and direct-attached islands
Mixture of Windows, Novell and UNIX environments
Lacking a business model which clearly defined different service levels and identified various services as products
Current Environment
55,000 users
17,000 Windows workstations and 450 UNIX workstations
5 core sites in Norway, 5 in Germany and more than 400 remote sites
175 TB of business data
Storage Solution
Mirrored storage platform operating between Norsk Hydro's head office and a separate, secure business continuance centre
Elimination of tape-based backup at remote sites that rely on NetApp systems or Windows systems to provide storage
Remote data replicated and backed up at a central location
Business data seamlessly available across the corporate network

11 Central Michigan University Integrates Account Administration with AD and DirectControl
Business Problems
Account admin is managed independently by different admin staff for AD and Unix
25% of the end user population changes each fall
Users log in to Windows and Solaris PCs with different userids and passwords
Current Environment
Solaris and Windows computers per lab; NIS for Solaris account admin
Plan to migrate from Solaris to Xandros on Intel
Campus-wide Active Directory is used for Windows account admin
DirectControl Solution
Consolidates user authentication to AD, eliminating the need to maintain NIS
Users only need to remember one userid and password regardless of the computer they log into
Single Sign-On is enabled for users accessing multiple computers
Does not require changes to the campus-wide AD infrastructure managed by a different admin team

12 UK - Ministry of Defence and Italy - Guardia di Finanza
Italy - Guardia di Finanza
66,000 Windows and 3,000 Oracle/UnixWare identities managed separately
Difficult to manage security across platforms
Result: Vintela improved IT operational efficiency by simplifying system administration and security
"We selected Vintela to simplify system administration and security, thanks to the integration capabilities of Unix servers with Active Directory." M.F. Bosticco, Guardia di Finanza
UK - Ministry of Defence
Employees use multiple sign-ins and passwords
Frequent account revocations and sign-in resets cost the IT department a lot of time and expense
Result: Vintela improved employee productivity and helped reduce IT costs
"The integration of all user accounts will improve security and will remove what has been a headache for our IT department." Cdr. Terry O'Reilly, Ministry of Defence

16 Active Directory Federation Services: Extending Access Through Web Services
Enables secure, appropriate customer/partner/employee access to web applications outside their domain/forest
Promotes IT, developer and end user efficiency
Improves security and regulatory compliance
First step towards AD as a service for SOA

17 Where Are We Now? The Transition On The Way To Extending Access Through Web Services

Past                  Present                  Future
Application Silos     Custom Integration       Connected Systems
ID for Each System    Identity Integration     Identity Federation
Internally Focused    Internal & External      Built to Extend
Limit to Biz Value    High cost to value       Low cost to value

Identity Integration Products and Services
Platform Capabilities
Web Services Interop

19 Microsoft Vision For Access
Log on once, secure access to everything
Questions?

20 Appendix

21 Network Appliance
Support for AD in Data ONTAP since 2000
Respond to customer requests by adding additional AD interoperability features
License File Server, Media Streaming Server and Domain Services Interactions protocols under MCPP
Drive increased adoption of AD with Microsoft using NetApp's SnapManager line of applications for Exchange and SQL Server

22 Centrify DirectControl Suite
Enables Active Directory to act as the central identity, access and policy service for non-Windows platforms
Systems: Linux, UNIX (HP-UX, Solaris, AIX), Mac OS X
Web platforms: Apache, JBoss, Tomcat, WebLogic, etc.
Works seamlessly with existing infrastructure in a non-invasive manner
Windows Server: no schema extensions or domain controller software
Unix/Linux systems: can map multiple existing legacy identities to a single Active Directory account – no rationalization of UIDs required
Customer benefits
Single point of administration for IT and single sign-on for users
Strengthened security via consistent password and security policies across Windows and UNIX/Linux/Java
Centralized access control and auditing for regulatory compliance
Quick, flexible deployment without costly or intrusive changes
More info:

23 Vintela
Using industry standards to extend and integrate Microsoft infrastructure products and technologies across heterogeneous systems
Microsoft's partner for cross-platform integration
Microsoft invested in Vintela (Nov/04)
Cooperative development process between product teams
Microsoft provides Vintela product support
Joint sales and marketing efforts
Licensee of Microsoft's AD communications protocols
Vintela's products have enabled over 500,000 Unix identities to be integrated with Active Directory
40% of the Fortune 500 have purchased or are actively evaluating Vintela solutions
Quest Software – Microsoft's 2004 Global Independent Software Vendor Partner – announced the acquisition of Vintela, which is expected to close shortly

24 Active Directory Interoperability Program
Interoperability Developer Labs for AD interoperability projects in Redmond, Washington, USA
Active Directory Password Change Notification Service
IP and Protocol Technology Licensing for AD Interop
New Active Directory Interop program page

25 AD Interop Program: Licensing
Kerberos PAC Group Membership
Kerberos PAC: authentication and key distribution protocol used to authenticate two principals to each other and establish a cryptographic key that the two can use to secure any messages
Client-side and server-side implementations
Scenarios include conveying Windows 2000-specific group membership authorization data, carried in a field of a Kerberos ticket, for use by servers in performing access control
Authentication/Directory Servers
Authentication and authorization service protocols used between Windows clients and Windows DCs
Server-side implementations (e.g., application and Web servers)
Scenarios include communicating with Windows client logon and security subsystems for authentication, authorization and access control, policy enforcement, or usage accounting and audit information data packets
Active Directory Client
Authentication and authorization service protocols used between Windows clients and Windows domain controllers
Client-side implementations (on desktops, workstations or other devices, including servers acting as clients)
Scenarios include communicating with Windows DCs for local logon and communicating with other Windows servers for network access using Windows domain user credentials
Group Policy Client
Group policy service protocols used between Windows clients and Windows servers
Client-side implementations (on desktops, workstations or other devices, including servers acting as clients)
Scenarios include communicating with Windows domain controllers for application of group policy, enabling the management of configuration and other policies for all machines and users in a domain
Domain Services Interaction (DSIP)
Authentication and authorization service protocols used between Windows member servers and Windows clients, and between Windows member servers and Windows domain controllers
Server-side implementations (e.g., application and Web servers)
Scenarios include communicating with Windows clients and servers and with Windows DCs for pass-through authentication of remote requests from Windows clients and servers to Windows domain controllers
Key benefits of these license programs include:
Detailed technical documentation and valuable intellectual property
Marketing value in having a licensed implementation
Reduced dependency and risk associated with reverse engineering

26 Web Services Interop
Sun and Microsoft relationship
Exec strategy meetings
Technical Advisory Council
Rolling quarterly programme of work
Microsoft to have a high profile at JavaOne 2006
Identity: Sun as the ID and Federation bridge of choice to Longhorn/AD
Demonstrated interoperability
Joint specification which we have mutually committed to submit to an open standards body
What's Coming?
Joint collateral
Customer references
Publicity about interoperability progress

