Friday, March 27
Well, in case you haven't seen it, Courion now has a blog. And so far, there's a lot of good content being written there. It appears to be a nice combination of industry analysis, business-value, and technical insight that remains on-topic. ...thought you might enjoy the pointer.
Wednesday, March 18
I haven't actually done this in a few years, so my information may be out of date, but I'm sure someone will speak up if I'm wrong. ...they always do ;) I will assume you know what ADAM is, why you'd use it, where to get it, and how to install & configure it.
A few quick scenarios where pass through authentication is useful:
- You want to put a portion of your Active Directory users into the DMZ for authentication by publicly-facing applications, but you don't want to expose an AD DC in the DMZ. In this scenario, the app can leverage a DMZ'ed ADAM for authentication. ADAM will still need to make a request to a DC, so AD is partially exposed, but in a more controlled way.
- You want to leverage AD credentials for application authentication, but the app wants to store information about users that is not currently in AD and you don't want to extend the schema. You could stand up an ADAM instance, extend its schema however you want, enable passthrough authentication, and point the app to ADAM instead of AD.
- You have an app that is used by people that have an AD account AND people that don't. And your app only accepts a single authentication store.
Here's what you need to know about using ADAM for pass through authentication to AD:
- The ADAM installation process gives you the ability to import the schema for UserProxy objects from a file called ms-userproxy.ldf – you'll need to import that object to enable the passthrough functionality. You can do it after the install if you need to.
- For an account to perform a passthrough authentication (aka a bind redirection) from ADAM, the account must be configured as a UserProxy object. A standard user account cannot authenticate through to Active Directory.
- The UserProxy object has an attribute called ObjectSid, which is critical to this functionality. For passthrough authentication to work, the account's ObjectSid must be populated with the SID of the associated Active Directory user account (this will actually work with any security principal object).
- When a UserProxy account attempts to bind to the ADAM instance, ADAM recognizes the account as a proxy and forwards the authentication request to Active Directory.
- Passthrough authentication only works for accounts that live in the forest to which the ADAM server is joined (or to a trusted domain or forest). So, that's how ADAM knows where to send the request.
- Passthrough authentication only works with simple binds. So, the password is being passed to ADAM in clear text. You'll want to be aware of that and use SSL as appropriate.
That's pretty much all you need to know to get passthrough authentication working. As I recall, it's that simple.
PLEASE leave a comment if you're here because you want to do this for a reason I haven't mentioned above or if you have additional information. Am I wrong? Did I leave anything out?
Microsoft refers to this as Bind Redirection for ADAM Proxy Objects. So, that's the terminology you'll want to use to find more information.
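The two details that trip people up in the steps above are that objectSid is stored in binary (not as the familiar "S-1-5-21-..." string) and that the value must match the AD account's SID exactly. The following is an added example, not code from the original post or from Microsoft: it converts a SID string to the binary layout LDAP stores, emits an LDIF entry for a userProxy object that you could load into the ADAM instance (with ldifde, for instance), and includes a check that decodes a stored objectSid back to a string so you can compare it against the AD account. The DN, container and SID values are constructed sample data.

```python
import base64
import struct

# Binary SID layout as stored in objectSid: revision (1 byte),
# sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
# then one 4-byte little-endian value per sub-authority.


def sid_to_binary(sid: str) -> bytes:
    """Convert an 'S-1-5-21-...' string into the binary form LDAP stores in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:  # hard limit in the SID structure
        raise ValueError("too many sub-authorities")
    out = struct.pack("<BB", revision, len(subs))
    out += authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out


def binary_to_sid(data: bytes) -> str:
    """Inverse of sid_to_binary: decode an objectSid value read back from ADAM or AD."""
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def user_proxy_ldif(cn: str, container_dn: str, ad_sid: str) -> str:
    """Build an LDIF 'add' for a userProxy object whose objectSid is the AD account's SID.

    Binary attributes use the '::' base64 form in LDIF.
    """
    sid_b64 = base64.b64encode(sid_to_binary(ad_sid)).decode("ascii")
    return (
        f"dn: CN={cn},{container_dn}\n"
        "changetype: add\n"
        "objectClass: userProxy\n"
        f"cn: {cn}\n"
        f"objectSid:: {sid_b64}\n"
    )


def ldif_objectsid(ldif: str) -> bytes:
    """Pull the base64 objectSid back out of an LDIF entry (for verification)."""
    for line in ldif.splitlines():
        if line.startswith("objectSid:: "):
            return base64.b64decode(line[len("objectSid:: "):])
    raise ValueError("no base64 objectSid line in entry")


def proxy_matches_ad_account(stored_object_sid: bytes, ad_sid: str) -> bool:
    """True when the proxy's stored objectSid is exactly the AD account's SID."""
    return stored_object_sid == sid_to_binary(ad_sid)


if __name__ == "__main__":
    # Constructed sample values: a fictitious domain SID and proxy container.
    sample_sid = "S-1-5-21-1004336348-1177238915-682003330-1105"
    entry = user_proxy_ldif("jdoe", "OU=Proxies,DC=example,DC=local", sample_sid)
    print(entry)
    print("round-trip:", binary_to_sid(ldif_objectsid(entry)))
```

Load the generated entry into the ADAM instance, then bind with the proxy object's DN using a simple bind over SSL; if the bind is rejected, reading objectSid back and running it through binary_to_sid is the quickest way to confirm the proxy points at the intended AD account.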
Thursday, March 12
"By 2011, hosted IAM and IAM as a service will account for 20 per cent of IAM revenue."
I've discussed managed services for Identity Management in previous posts. I think it's a natural progression. Identity and Access Management is an extremely complicated technology-set. Any given IT shop's ability to maintain the right skills to support an IAM environment is probably more costly (in effort and dollars) than outsourcing that function to specialists. And this certainly appears to be the beginning of an Era of Cost where cost has moved up the list of decision influencers.
I'm honestly a bit surprised and impressed to see Gartner come out on this one. I tend to think of them as a bit more conservative – making predictions that follow a trend that has already begun. Has this trend started to take shape or is Gartner a bit aggressive on this one?
Last night, I wasted four hours manually removing a virus that I pretty much knew would come back, but I had to try just to see if I could identify the how-to. (Kudos to Microsoft for XP's restore feature building a restore point without me having to enable it.)
If you've ever purposely gone to a phishing site or intentionally opened an email attachment that you knew was malicious, you might want to give it a read. And next time it goes bad, just remind yourself that you're sort of a hero.
...and good job Kristen pushing Sara to deliver the goods!
Wednesday, March 11
NetVision believes in the value of the SBN and its members. We backed that up by signing on in early 2009 as an advertiser. Go check it out. And Happy Reading!