When designing a secure network that includes multiple directories, consider how the directories will integrate. The goal is to allow a user to authenticate to the heterogeneous network using a single user account and password. All network operating systems and services should recognize the single set of credentials.
You also must plan directory integration to prevent changes in one directory service from overwriting directory modifications in another directory service. By defining which directory service is authoritative for a specific attribute, you can decentralize the management of directory data to specific departments.
Finally, you must plan for the integration of authentication mechanisms that are supported in multiple operating systems. Kerberos v5 is used by both Active Directory and several UNIX deployments. Configuring Kerberos realms to interoperate with Active Directory domains allows single sign-on in the mixed network.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
User accounts in a NetWare environment can synchronize their passwords with an Active Directory user account by using the MSDSS application included in Windows Services for NetWare 5.0. The MSDSS application allows passwords to be synchronized between Novell Directory Services (NDS) user accounts and Active Directory user accounts based on mappings configured in MSDSS.
NOTE
You can also use MSDSS to synchronize account information between Active Directory and a NetWare Bindery service from NetWare 3.x.
Table 16.4 shows the design decisions you face when synchronizing NetWare NDS with Active Directory.
Table 16.4 Securing Directory Synchronization Between NetWare and Active Directory
| To | Do the Following |
|---|---|
| Synchronize passwords between NDS and Active Directory | Install MSDSS on a Windows 2000 domain controller. |
| Limit which attributes are synchronized | Modify the mapping table in MSDSS to map only the attributes required. |
| Perform password synchronization between NDS and Active Directory | The Windows 2000 client computer must have the Novell Client for Windows 2000 installed. You can't use Gateway Services For NetWare (GSNW). |
MSDSS simplifies migration from NetWare 4.11 to Windows 2000 by ensuring that the same user credentials are used in both networks. By ensuring that passwords are the same for user accounts in both network operating systems, Blue Yonder Airlines will reduce the costs associated with migrating to Windows 2000. When the migration is complete, users will continue to authenticate using the same user name and password that they used in the NetWare environment, thus reducing security issues related to modifying passwords during a migration.
Microsoft Metadirectory Services (MMS) 2.2 allows integration of identity information from multiple directory services. By using MMS, you ensure that the organization has a single authoritative directory store that collects all of its information from multiple existing directories.
MMS establishes a single directory by deploying a metadirectory. A metadirectory is a service that collects directory information from multiple directories, as shown in Figure 16.2.
Figure 16.2 A metadirectory merging directory information from multiple sources
The metadirectory not only merges information from multiple directories into a single source, but it can also synchronize those changes to all directory services in an organization.
A metadirectory allows you to define ownership rules. You can designate which directory is authoritative for each attribute. For example, you could configure all Human Resources (HR)-related information in a directory to be maintained in Lotus Notes. If two directory services differ in an HR-related attribute, such as Manager, the Lotus Notes directory attribute value would be propagated to all other directories in the organization.
Management agents maintain synchronization between the metadirectory and the source directories. Management agents import data into the metadirectory and export metadirectory data to the connected directory assigned to the management agent. This process ensures that the directory service is synchronized with the metadirectory. MMS provides management agents for several common directories, including Windows NT, Novell NDS, cc:Mail, Banyan Vines, and Lotus Notes.
MMS allows the coexistence of multiple directories in an organization. So that the multiple directories can interact, be sure to include the decision points in Table 16.5 when designing MMS.
Table 16.5 Planning Integration of Directories
| To | Do the Following |
|---|---|
| Merge multiple directories into a common directory | Design an MMS solution that uses management agents to connect multiple directory services into a single metadirectory. |
| Connect a directory to an MMS metadirectory | Define a management agent that will manage the synchronization of the directory service with the metadirectory. |
| Maintain which directory service is authoritative for a specific attribute | Define ownership rules that define which directory service is authoritative for a specific attribute. The ownership rule will publish information to the metadirectory if the directory service is authoritative or roll the data back to the metadirectory value if another directory service is authoritative. |
While MSDSS allows password synchronization between NetWare NDS directories and Active Directory, MMS provides greater flexibility when deciding how attribute control is delegated. For example, imagine that user modifications performed in NDS are being overwritten with previous data stored in Active Directory during the migration from NetWare to Windows 2000. MMS allows you to configure NDS as the authoritative directory service for the OU and ensure that any updates performed in the NDS environment are propagated to Active Directory. The management agent also prevents any attempts by Active Directory to update objects stored in the OU. Because MMS can delegate management of specific attributes, it may be desirable for Blue Yonder Airlines to use MMS instead of MSDSS.
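The ownership-rule behaviour described in Table 16.5 and the NDS example above, worked through as an added illustration (not MMS code): per-attribute ownership rules decide which connected directory wins, non-authoritative directories are rolled back to the owner's value, and attributes with no owner are flagged rather than silently overwritten. The directory names, ownership rules and user records are constructed for the example.

```python
# Constructed ownership rules in the spirit of the chapter's examples:
# Lotus Notes owns HR data, NDS owns the attributes being migrated.
OWNERSHIP = {"manager": "NOTES", "department": "NOTES",
             "telephone": "NDS", "fullName": "NDS"}

# Constructed records for one user: modified in NDS during the migration,
# with a stale copy in Active Directory and HR data in Lotus Notes.
SAMPLE = {
    "NDS": {"fullName": "Ann Lee", "telephone": "555-0101",
            "manager": "cn=Bob", "title": "Pilot"},
    "AD": {"fullName": "Ann Lee", "telephone": "555-0100",
           "manager": "cn=Carl", "title": "Captain",
           "mail": "ann@blueyonder.tld"},
    "NOTES": {"manager": "cn=Dana", "department": "Flight Ops"},
}


def merge(connected, ownership):
    """Build the metadirectory entry and the exports that enforce ownership.

    connected: {directory: {attribute: value}} as imported by each agent.
    Returns (metaverse, operations). An ("export", directory, attr, value)
    operation rolls a non-authoritative directory back to the owner's value;
    a ("conflict", attr, values) operation flags disagreement on an
    attribute that no rule assigns to an owner.
    """
    metaverse, operations = {}, []
    for attr in sorted({a for rec in connected.values() for a in rec}):
        values = {d: r[attr] for d, r in connected.items() if attr in r}
        owner = ownership.get(attr)
        if owner not in values:
            # No authoritative source holds this attribute: keep the first
            # value seen, but never silently pick a winner among differing ones.
            if len(set(values.values())) > 1:
                operations.append(("conflict", attr, values))
            metaverse[attr] = next(iter(values.values()))
            continue
        metaverse[attr] = values[owner]
        for directory, value in values.items():
            # Only directories whose agent maps this attribute carry it, so
            # only those are pushed back to the authoritative value.
            if directory != owner and value != values[owner]:
                operations.append(("export", directory, attr, values[owner]))
    return metaverse, operations


if __name__ == "__main__":
    meta, ops = merge(SAMPLE, OWNERSHIP)
    print(meta)
    for op in ops:
        print(op)
```

Running it shows the NDS telephone change flowing to Active Directory, the stale AD manager value being rolled back to the Lotus Notes value, and the unowned `title` attribute reported as a conflict for a designer to assign an owner.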
Windows 2000 uses Kerberos v5 authentication as the default authentication mechanism. Kerberos allows Windows 2000 and UNIX clients to interoperate and authenticate with each other. There are three common strategies for integrating UNIX and Windows 2000 networks for authentication services.
Figure 16.3 Establishing trust relationships between Windows 2000 domains and Kerberos realms
NOTE
For more information on Windows 2000 and UNIX interoperability, see the white paper "Windows 2000 Kerberos Interoperability" found on the Supplemental Course Materials CD-ROM (\Chapt16\Windows 2000 Kerberos Interoperability.doc) that accompanies this book.
While all three methods provide Kerberos authentication, creating a Kerberos inter-realm trust is the only method that allows true interoperability and cross-authentication. Figure 16.4 shows how Kerberos authentication takes place for a user account in a UNIX realm when the user account accesses resources in a Windows 2000 domain.
Figure 16.4 Establishing trust relationships between Windows 2000 domains and Kerberos
NOTE
This process requires the passwords in the UNIX realm and Windows 2000 domain to be synchronized.
When determining what form of Kerberos interoperability to use in a mixed network, consider the following design issues:
Blue Yonder Airlines must establish a Kerberos inter-realm trust between the blueyonder.tld domain and the UNIX Kerberos realm. Active Directory user accounts can obtain Kerberos service tickets for access to the UNIX database server only if you establish inter-realm trusts. To be safe, establish a two-way trust relationship so that UNIX user accounts can access Windows 2000 resources. Granting access to Windows 2000 resources requires you to define Kerberos name mapping that will associate a UNIX UID with an Active Directory user account.
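The trust-direction and name-mapping rules above, modelled as an added example (not Windows 2000 or UNIX Kerberos code): a resource realm must trust the account realm for a cross-realm service ticket to be usable, and the Windows 2000 domain authorizes a UNIX principal only through a name mapping to an Active Directory account. The UNIX realm name, the trust tables, the principals and the mappings are constructed for the example.

```python
# Constructed trust table: each pair is (resource realm, account realm),
# i.e. the realm that accepts tickets issued to principals of the other.
# The UNIX realm name is constructed; the chapter leaves it unnamed.
UNIX_REALM, AD_REALM = "UNIX.BLUEYONDER.TLD", "BLUEYONDER.TLD"
ONE_WAY = {(UNIX_REALM, AD_REALM)}                 # UNIX trusts AD only
TWO_WAY = ONE_WAY | {(AD_REALM, UNIX_REALM)}       # both directions

# Constructed name mappings held by the Windows 2000 domain: a foreign
# principal is authorized only through the AD account it maps to. Realms
# absent from this table authorize by principal name directly.
NAME_MAPPINGS = {AD_REALM: {"alee@UNIX.BLUEYONDER.TLD": "BLUEYONDER\\alee"}}


def realm_of(principal):
    """Return the realm part of a Kerberos principal (after the last '@')."""
    return principal.rsplit("@", 1)[1]


def resolve_access(client, service, trusts, mappings):
    """Decide whether `client` can use a ticket for `service` across realms.

    Returns (granted, account_or_reason): the local account the service
    will authorize, or the reason the request cannot succeed.
    """
    client_realm, service_realm = realm_of(client), realm_of(service)
    if client_realm == service_realm:
        return True, client                     # ordinary intra-realm ticket
    if (service_realm, client_realm) not in trusts:
        # The resource realm must trust the account realm; a trust pointing
        # the other way lets its own users out but nobody in.
        return False, f"{service_realm} does not trust {client_realm}"
    realm_map = mappings.get(service_realm)
    if realm_map is None:
        return True, client
    account = realm_map.get(client)
    if account is None:
        return False, f"no name mapping for {client} in {service_realm}"
    return True, account


if __name__ == "__main__":
    db = f"ldap/dbsrv.unix.blueyonder.tld@{UNIX_REALM}"
    fs = f"cifs/fs1.blueyonder.tld@{AD_REALM}"
    print(resolve_access(f"bjones@{AD_REALM}", db, ONE_WAY, NAME_MAPPINGS))
    print(resolve_access(f"alee@{UNIX_REALM}", fs, ONE_WAY, NAME_MAPPINGS))
    print(resolve_access(f"alee@{UNIX_REALM}", fs, TWO_WAY, NAME_MAPPINGS))
```

With only the one-way trust, the AD user reaches the UNIX database server but the UNIX user is refused at the Windows 2000 file server; the two-way trust admits the UNIX user, and only if a name mapping exists for that principal.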
Consolidating directories allows you to maintain a single uniform directory within an organization. The implementation of a uniform directory requires planning to ensure that attributes modified in one directory aren't changed by entries in another directory. The security plan must define what directories are authoritative for specific attributes.
Alternatively, you may require two different directories to cross-authenticate users. Your security design must determine whether only one of the directories should provide the authentication or whether the directories must coexist and allow the forwarding of authentication requests between the multiple directories.