Chapter 7: Active Directory Enhancements


Active Directory and its related services form the foundation for enterprise networks running Microsoft Windows, and the new features and enhancements to Active Directory and its related services in Windows Server 2008 are numerous. This chapter takes a look at these enhancements and at the direction in which Active Directory and its related services are heading as an integrated identity and access platform for enterprises-that is, as a platform for provisioning and managing network identity.

Understanding Identity and Access in Windows Server 2008

Before we jump in and examine the various enhancements to Active Directory and its related services in Windows Server 2008, however, let’s first step back a bit and get the big picture of how Active Directory and its related services have been evolving since they were first introduced in Windows 2000 Server and what these services are becoming in Windows Server 2008 and beyond. It’s important to understand this big picture, as otherwise the many improvements to Active Directory and related services in Windows Server 2008 might seem like a miscellaneous grab-bag of changes without much in common. But they have a lot in common as we’ll shortly see.

Understanding Identity and Access

So why is identity and access (IDA) important to enterprises? Think for a moment about what goes on when a user on your network needs access to confidential business information stored on a server. Tony is in the Marketing department, and he needs access to a product specification so that he can work on a marketing presentation for a customer. The document containing the specification is stored on a server on the company’s network, and Tony tries to open the document so that he can cut and paste information contained in it into his presentation. To safeguard such specifications, you’d like your IDA infrastructure to do the following:

  1. Determine who the user is who wants to use the document.

  2. Grant the user the appropriate level of access to the document.

  3. Protect confidential information contained in the document.

  4. Maintain a record of interaction concerning the user’s accessing of the document.

For example, you might want to restrict access to product specifications to full-time employees (FTEs) only and provide read-only access to users in the Marketing department so that they can view but not modify specifications. You might also want to prevent Marketing department users from copying and pasting text from specifications into other documents. And you might want an audit trail showing the day and time that the user accessed the specification.

The challenge of implementing an IDA solution that can do all of this becomes even greater once you start extending the boundaries of your enterprise with “anywhere access” devices, Web services, and collaboration tools like e-mail and instant messaging. It becomes even more complicated once you have to start applying the IDA process not just to FTEs but also to contractors, temps, customers, and external partners. The challenge is to build an IDA solution that can handle all these different scenarios, and Microsoft has steadily been working toward this goal since Active Directory was first released with Windows 2000 Server. Let’s briefly summarize the evolution of Microsoft’s IDA solution, beginning with Windows 2000 Server and working up to the current platform for Windows Server 2003 R2 and then to Windows Server 2008 and beyond.

Identity and Access in Windows 2000 Server

Active Directory directory service is a Windows-based directory service that was first introduced in Windows 2000 Server. Active Directory directory service stores information about various kinds of objects on a network-such as users, groups, computers, printers, and shared folders-and it makes this information available to users who need to access these resources and administrators who need to manage them. Active Directory provides network users with controlled access to permitted resources anywhere on the network using a single logon process. Active Directory directory service also provides administrators with an intuitive, hierarchical view of the network and its resources, and it provides a single point of administration for all network objects.

Windows 2000 Server also included a separate component, called Certificate Services, that can be used to set up a certificate authority (CA) for issuing digital certificates as part of a Public Key Infrastructure (PKI). These certificates can be used to provide authentication for users and computers on your network to secure e-mail, provide Web-based authentication, and support smart-card authentication. Certificate Services also provides customizable services for issuing and managing certificates for your enterprise. What’s important to understand here is that in Windows 2000 Server, Active Directory directory service and Certificate Services are two separate components that are not integrated together. In other words, the two services are managed separately and have policy implemented differently.

In addition to these two built-in IDA services, Microsoft also released an out-of-band service for Windows 2000 Server called Microsoft Metadirectory Services (MMS). In its final version, MMS 2.2 was an enterprise metadirectory that enterprises could use to integrate all their various directories together into a single consolidated central repository. MMS 2.2 consisted of one or more metadirectory servers, management agents, and the connected directories, and it provided users with access to this consolidated information via Lightweight Directory Access Protocol (LDAP). The goal of MMS 2.2 was to provide enterprises with a provisioning solution that could be used to effectively provide consistent identity management across many different databases and directories. For example, if you had both an Active Directory directory service infrastructure and a Lotus Notes infrastructure and you wanted Active Directory directory service users to be able to look up e-mail addresses from the Lotus Notes directory, MMS 2.2 could make this possible. MMS 2.2 could also simplify the deployment of Active Directory directory service for enterprises that already had information about employees or customers stored in other directories by enabling real-time synchronization of information from these directories into Active Directory directory service. Finally, MMS 2.2 could also be used to simplify the migration and consolidation of multiple directories into Active Directory directory service.

Identity and Access in Windows Server 2003

Although these Windows 2000 Server offerings did meet the needs of some enterprises, they were still provided as separate services and MMS was even a totally separate product. Customers wanted something more integrated, and they also wanted additional IDA features, such as document rights protection and role-based authorization. In addition to making improvements to how Active Directory directory service and Certificate Services work and how they are managed, Microsoft added a new feature called Authorization Manager to Windows 2003 Server that provided role-based authorization for users of line-of-business applications. Although Active Directory directory service by itself provides object-based access control using ACLs, the role-based access control (RBAC) provided by Authorization Manager enables permissions to be managed in terms of the different job roles users might have. Authorization Manager works by providing a set of COM-based runtime interfaces that enables an application to manage and verify a client’s requests to perform operations using the application. Authorization Manager also includes an MMC snap-in that application administrators can use to manage different user roles and permissions.

Another IDA service that Microsoft released for Windows Server 2003 is Windows Rights Management Service (RMS), an information-protection technology that works with RMS-enabled applications to help businesses safeguard valuable digital information from unauthorized use whether online or offline and whether inside the firewall or outside the firewall. Windows RMS was also designed to help organizations comply with a growing number of regulatory requirements that mandated information protection, including the U.S. Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and others. To use Windows RMS, enterprises can create centralized custom usage policy templates, such as “Confidential – Read Only,” that can work with any RMS-enabled client and can be directly applied to sensitive business information such as financial reports, product specifications, or e-mail messages. Implementing Windows RMS requires an Active Directory directory service infrastructure, a PKI, and Internet Information Services-all of which are included in Windows Server 2003. In addition, RMS-enabled client applications such as Microsoft Office 2003 and Internet Explorer are needed, plus Microsoft SQL Server to provide the underlying database for the service.

While these additional IDA services and add-ons for Active Directory directory service were being released, Microsoft also released a follow-up to MMS 2.2 called Microsoft Identity Integration Server (MIIS) 2003, which provides a centralized service that stores and integrates identity information for organizations with multiple directories. It also provides a unified view of all known identity information about users, applications, and resources on a network. MIIS 2003 is designed for life-cycle management of identity and access to simplify the provisioning of new user accounts, strong credentials, access policies, rights management policies, and so on. MIIS 2003 is available in two versions. First, there’s Microsoft Identity Integration Server 2003 SP1, Enterprise Edition, which includes support for identity integration/directory synchronization, account provisioning/deprovisioning, and password synchronization and management. And second, there’s Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory, a free download that provides the same functionality as Microsoft Identity Integration Server 2003 SP1, Enterprise Edition (identity integration/directory synchronization, account provisioning/deprovisioning, and password synchronization) but only between Active Directory directory service, Active Directory Application Mode (ADAM), and Microsoft Exchange Server 2000 and later. Enterprises that need to interface with repositories other than Active Directory, ADAM, or Exchange Server, however, must use MIIS 2003, Enterprise Edition, rather than the free Feature Pack version.

Identity and Access in Windows Server 2003 R2

With the R2 release of Windows Server 2003, Microsoft added two more IDA services to the slate of various services already available on Windows Server 2003 either as in-box services, downloadable add-ons, or separate server products built upon Active Directory directory services. These two new IDA services are Active Directory Application Mode and Active Directory Federation Services.

Active Directory Application Mode (ADAM) is essentially a standalone version of Active Directory directory service that is designed specifically for use with directory-enabled applications. ADAM does not require or depend upon Active Directory forests or domains, so you can use it in a workgroup scenario on standalone servers if desired-you don’t have to install it on a domain controller. In addition, ADAM stores and replicates only application-related information and does not store or replicate information about network resources, such as users, groups, or computers. And because ADAM is not an operating system service, you can even run multiple instances of ADAM on a single computer, with each instance of ADAM supporting a different directory-enabled application and having its own directory store, assigned LDAP and SSL ports, and application event log. ADAM is provided as an optional component of Windows Server 2003 R2, but there’s also a downloadable version that can be installed on either Windows Server 2003 or Windows XP.

Active Directory Federation Services (ADFS) is another optional component of Windows Server 2003 R2 that provides Web single sign-on (SSO) functionality to authenticate a user to multiple Web applications over the life of a single online session. ADFS works by securely sharing digital identity and entitlement rights across security and enterprise boundaries, and it supports the WS-Federation Passive Requestor Profile (WS-F PRP) Web Services protocol. ADFS is tightly integrated with Active Directory, and it can work with both Active Directory directory services and ADAM. Using ADFS, an enterprise can extend its existing Active Directory infrastructure to the Internet to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can be either external third parties or additional departments or subsidiaries within the enterprise.

Identity and Access in Windows Server 2008

Looking back over this evolution of Active Directory–based IDA services since Windows 2000 Server, we have the following IDA solution for the current platform Windows Server 2003 R2:

  • Active Directory directory services and Certificate Services-two core services that can be deployed separately or together.

  • Authorization Manager, ADAM, and ADFS-separate optional components that require Active Directory directory services. (Authorization Manager also requires Certificate Services.)

  • MIIS 2003, which is available both as a separate product or as a free Feature Pack (depending on whether or not you need to synchronize with non-Microsoft directory services).

  • Windows Rights Management Service (RMS), which is available as an optional download from the Microsoft Download Center.

Microsoft’s vision with Windows Server 2008 (and beyond) is to consolidate all these various IDA capabilities into a single, integrated IDA solution built upon Active Directory. This consolidation picture as of Beta 3 of Windows Server 2008 is as follows.

As shown in the following diagram, there are four key integrated IDA components present in Windows Server 2008:

  • Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS), which provide the foundational directory services for domain-based and standalone network environments.

  • Active Directory Certificate Services (AD CS), which provides strong credentials using PKI digital certificates.

  • Active Directory Rights Management Services (AD RMS), which protects information contained in documents, e-mails, and so on.

  • Active Directory Federation Services (AD FS), which eliminates the need for creating and maintaining multiple separate identities.

    image from book

Note the following rebranding of IDA services in Windows Server 2008:

  • Active Directory directory services is now known as Active Directory Domain Services (AD DS).

  • Active Directory Application Mode is now called Active Directory Lightweight Directory Services (AD LDS).

  • Certificate Services is now called Active Directory Certificate Services (AD CS).

  • Windows Rights Management Services is now named Active Directory Rights Management Services (AD RMS).

  • Finally, Active Directory Federation Services (ADFS) is still called Active Directory Federation Services (AD FS) but now includes an extra space in the abbreviation.

And for identity life-cycle management, Microsoft also plans on releasing a follow-up to MIIS 2003 called Identity Lifecycle Manager (ILM) 2007 in mid-2007. Initially, ILM 2007 will run on Windows Server 2003, Enterprise Edition. ILM 2007 builds on the metadirectory and user-provisioning capabilities in MIIS 2003 by adding new capabilities for managing strong credentials such as smart cards and by providing an integrated approach that pulls together metadirectory, digital certificate and password management, and user provisioning across Microsoft Windows platforms and other enterprise systems. Microsoft is also working on the next version of ILM, which is codenamed Identity Lifecycle Manager “2.” This version is planned for release around the same time as Windows Server 2008, but it will install separately. Before we go any further, let’s hear from one of our experts at Microsoft concerning plans for ILM “2” as an identity-management solution for Windows Server 2008:

image from book
From the Experts: Identity Lifecycle Manager “2”

Identity Lifecycle Manager “2” is the codename for Microsoft’s identity management solution for Windows Server 2008. The principles behind Identity Lifecycle Manager “2” are that identity is everywhere and it can be managed how you want it to be.

Identity Is Everywhere

Identity Lifecycle Manager “2” provides a plethora of ready-to-deploy self-service identity and access solutions. Users can manage their own information and that of their staff, and navigate through the organizational hierarchy. They can reset their own passwords, provision their own smart cards, and retrieve their certificates. They can create security groups and distribution lists, request access to one another’s groups, and manage approval.

Best of all, they can do all of this right from within their Office applications and Windows desktops. So, with Identity Lifecycle Manager “2,” if you want to request to join a group, you can do that right within Outlook. And when you are asked to approve an action by another user, the Approve and Reject buttons are right there in the approval request mail. And if you forget your password and need to reset it, you can do so right where you are most likely to find that you have forgotten it: at the Windows log-in prompt. All the facilities of Identity Lifecycle Manager “2” are also available from a central portal, hosted within Windows SharePoint Services.

Identity Is Managed How You Want It to Be

Identity Lifecycle Manager “2” lets you manage identity your way by allowing you to accurately model your business processes and attach them to identity and access events. Modeling your unique business procedures around identity and access management processes is meant to be something that each staff member can do for themselves, without having to depend on programmers to do it for them. Thus, Identity Lifecycle Manager “2” provides a simple graphical user interface for modeling your business procedures-the Identity Lifecycle Manager “2” Process Designer. Moreover, you don’t have to deploy any special software onto your user’s desktops for them to be able to use the Process Designer. The Process Designer is fully incorporated within the Identity Lifecycle Manager “2” portal, which is a Windows SharePoint Services 3 application. So all that users of the Process Designer need to access the designer is their browser.

The three fundamental types of processes that you can model in Microsoft Identity Lifecycle Manager “2” are authentication processes, approval processes, and action processes. Indeed, within Identity Lifecycle Manager “2,” processing proceeds by first executing your authentication processes, then your approval processes, and finally your action processes.

Authentication processes are for confirming a user’s identity. The steps in an authentication process challenge the user for credentials. This process can also include several steps to define a multifactor authentication process required for more sensitive operations. Both the built-in authentication activities and your custom ones can leverage the Windows GINA and Windows Vista Credential Provider technologies to challenge users for their credentials at the Windows log-in prompt. This is a desirable option, because then users are challenged to prove their identity precisely where they expect to be challenged.

A second core type of process in the process model of Microsoft Identity Lifecycle Manager “2” is the approval process. Approval processes are for confirming that a user has permission to perform a requested operation. Typically, an approval process involves sending an e-mail message to the owner of a resource asking them to confirm that a user has permission to perform some requested operation on that resource. Identity Lifecycle Manager “2” allows users to respond to those approval requests right from within Outlook, which is precisely where a user would naturally want to be able to do so. Another type of activity in an approval process is one that requires users to submit a business justification for an operation they want to perform. In Identity Lifecycle Manager “2,” approval processes can involve any activities that a user might have to complete before being allowed to proceed with an operation. The enabling power of Identity Life-cycle Manager “2” is that it gives you the freedom to determine how you want to gather approvals for users’ actions. Then it surfaces the approvals on the end users’ desktops, inside an appropriate application context where they would expect to find them-saving the user from having to go elsewhere to manage permissions.

The third and final core type of process in the process model of Microsoft Identity Lifecycle Manager “2” is the action process. Action processes define what happens as a consequence of an operation. A simple example is just having a notification sent to the owner of a resource to inform the owner of a change. A more interesting and, indeed, more common type of activity to perform as a consequence of an identity management operation is an entitlement activity. Thus, you might define a process that, as a consequence of assigning a user to a particular group, allocates a parking permit in the correct lot and issues the appropriate card key for the user’s building. The point is that Identity Lifecycle Manager “2” action processes are truly a blank slate. On that blank slate, you get to define how actions on objects within Identity Lifecycle Manager “2” propagate out to the identity stores and resources of your enterprise.

We’ve said that the principal idea is that you get to define processes that model the identity management procedures of your enterprise and that you get to attach those processes to identity and access events. Up to this point, we have discussed quite a lot about the processes. Now let us turn to the subject of attaching those processes to events.

Events are the triggers that cause Identity Lifecycle Manager “2” processes to be executed. So, in attaching a process to an event, you are defining the circumstances under which the process will be executed. In the nomenclature of Identity Lifecycle Manager “2,” we refer to this as mapping a process to an event. We provide a simple user interface for accomplishing it. You identify the process that you have created using the Process Designer, and then you specify the event to which you want to attach the process.

So what is an event in Identity Lifecycle Manager “2?” Well, an event is something that happens to a set of one or more objects. For example, you might update the cost center assigned to a particular team of people, or you might update the office telephone number of a single individual. Both constitute examples of events. Another example is the addition of a person to a team-in that case, there is an event for the person being added, as well as an event for the team that the person is joining.

Because an event is something that happens to a set of one or more objects, when you map a process to an event, you must identify the set of objects to which the event is expected to occur. Identity Lifecycle Manager “2” gives you considerable power to identify the sets of objects. You get to define the rules by which objects are included in sets. Those rules can be as rich and complex or as bare and simple as you want them to be. You can define them so as to include any number of objects in a set, and any variety of types of objects as well. Once you have defined rules to identify a set of objects, you can select the events on those objects that you want to serve as triggers for your processes. There are two types of events in Identity Lifecycle Manager “2” that can trigger your processes: request events and transition events.

Request events are events by which the data of an object or set of objects is retrieved or manipulated. So, included in the category of request events are create, read, update, and delete events. Transition events occur when an object moves in or out of a set of objects. So, in the earlier example of a person joining a team, there is a transition for that person in being included in the group and a transition for the group in having that person join.

All in all, the authentication, approval, and action processes that you compose using approval actions, notification actions, and entitlement actions in the Process Designer can be mapped to any request or transition event on any set of objects that you identify via your rules. We believe that this simple model of designing processes and then mapping those processes to events gives you tremendous power to manage the identity life cycle of your organization. Whatever identity-related occurrences that you can imagine happening in your enterprise can be represented as events within Identity Lifecycle Manager “2,” and then you can describe processes to handle those events-processes that confirm the identity of the person initiating the event, that confirm the person’s permission to initiate the event, or that define the consequences. Crucially, you get to define those processes as models representing the business policies and procedures that uniquely govern the identity-related assets of your enterprise.

Microsoft Identity Lifecycle Manager “2” is built on the Windows Communication Foundation, Windows Workflow Foundation, and Windows SharePoint Services 3 technologies, and it exposes a thoroughly standards-based API that implements WS-Transfer, WS-ResourceTransfer, WS-Enumeration, and WS-Trust.

–Donovan Follette

Identity and Access Developer Evangelist, Windows Server Evangelism

image from book

After reading all this, you hopefully understand now the big picture of what Microsoft’s vision is for identity and access, and how Active Directory in Windows Server 2008 fits into this picture. Now it’s time to look at each piece of this picture and learn about the new features and enhancements to Active Directory in Windows Server 2008. We’ll begin with core improvements to AD DS/LDS.




Microsoft Windows Server Team - Introducing Windows Server 2008
Introducing Windows Server 2008
ISBN: 0735624216
EAN: 2147483647
Year: 2007
Pages: 138

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net