Friday, March 27

Courion Blog

If you work in the IAM space, you should already know who Courion is – being one of the top password management and provisioning vendors for the past decade and now having morphed into a full Access Assurance offering with role management and compliance solutions.

Well, in case you haven't seen it, Courion now has a blog. And so far, there's a lot of good content being written there. It appears to be a nice combination of industry analysis, business-value, and technical insight that remains on-topic. ...thought you might enjoy the pointer.

Wednesday, March 18

ADAM Pass Through Authentication to AD

A few years ago, I wrote a post that referenced ADAM passthrough authentication to Active Directory without providing much info. Since then, people searching on that topic have found themselves on my blog (probably hoping for more information). So, I thought I'd cover it in more detail.

Disclaimer:
I haven't actually done this in a few years, so my information may be out of date, but I'm sure someone will speak up if I'm wrong. ...they always do ;) I will assume you know what ADAM is, why you'd use it, where to get it, and how to install & configure it.

Why:
A few quick scenarios where pass through authentication is useful:

  1. You want to put a portion of your Active Directory users into the DMZ for authentication by publicly-facing applications, but you don't want to expose an AD DC in the DMZ. In this scenario, the app can leverage a DMZ'ed ADAM for authentication. ADAM will still need to make a request to a DC, so AD is partially exposed, but in a more controlled way.
  2. You want to leverage AD credentials for application authentication, but the app wants to store information about users that is not currently in AD and you don't want to extend the schema. You could stand up an ADAM instance, extend its schema however you want, enable passthrough authentication, and point the app to ADAM instead of AD.
  3. You have an app that is used by people that have an AD account AND people that don't. And your app only accepts a single authentication store.

Here's what you need to know about using ADAM for pass through authentication to AD:

  • The ADAM installation process gives you the ability to import the schema for UserProxy objects from a file called ms-userproxy.ldf – you'll need to import that object to enable the passthrough functionality. You can do it after the install if you need to.
  • For an account to perform a passthrough authentication (aka a bind redirection) from ADAM, the account must be configured as a UserProxy object. A standard user account cannot authenticate through to Active Directory.
  • The UserProxy object has an attribute called ObjectSid, which is critical to this functionality. For passthrough authentication to work, the account's ObjectSid must be populated with the SID of the associated Active Directory user account (this will actually work with any security principal object).
  • When a UserProxy account attempts to bind to the ADAM instance, ADAM recognizes the account as a proxy and forwards the authentication request to Active Directory.
  • Passthrough authentication only works for accounts that live in the forest to which the ADAM server is joined (or to a trusted domain or forest). So, that's how ADAM knows where to send the request.
  • Passthrough authentication only works with simple binds. So, the password is being passed to ADAM in clear text. You'll want to be aware of that and use SSL as appropriate.

That's pretty much all you need to know to get passthrough authentication working. As I recall, it's that simple.
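The ObjectSid requirement is the step that usually needs tooling: in an LDIF file the SID has to be supplied in its binary form, base64-encoded. The following is an added example, not part of the original post. It converts a string SID to the binary layout and emits an LDIF entry for a UserProxy object. The DN and the domain SID are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID (S-1-5-21-...) in the binary layout stored in objectSid."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"unsupported SID: {sid!r}")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    # Layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes, big-endian),
    # then each sub-authority as a 32-bit little-endian integer.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to string form, to verify what was written."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def userproxy_ldif(dn: str, ad_sid: str) -> str:
    """Build an LDIF 'add' entry for a UserProxy object bound to an AD SID."""
    encoded = base64.b64encode(sid_to_bytes(ad_sid)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        "objectClass: userProxy",
        f"objectSid:: {encoded}",  # '::' marks a base64-encoded value in LDIF
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values: replace with the real ADAM DN and the AD user's SID.
    print(userproxy_ldif("CN=jdoe,OU=Proxies,O=Example",
                         "S-1-5-21-1111111111-2222222222-3333333333-1105"))
```

Decoding the stored value with `bytes_to_sid` and comparing it to the AD account's SID is a quick way to confirm that a proxy object points at the intended security principal.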

Comments/Corrections:
PLEASE leave a comment if you're here because you want to do this for a reason I haven't mentioned above or if you have additional information. Am I wrong? Did I leave anything out?

More Information:
Microsoft refers to this as Bind Redirection for ADAM Proxy Objects. So, that's the terminology you'll want to use to find more information.

Thursday, March 12

IAM as a Service - 20% of the Market

Today, Gartner identified their Identity and Access Management predictions for 2009 and beyond. First on the list is:

By 2011, hosted IAM and IAM as a service will account for 20 per cent of IAM revenue.

I've discussed managed services for Identity Management in previous posts. I think it's a natural progression. Identity and Access Management is an extremely complicated technology-set. Any given IT shop's ability to maintain the right skills to support an IAM environment is probably more costly (in effort and dollars) than outsourcing that function to specialists. And this certainly appears to be the beginning of an Era of Cost where cost has moved up the list of decision influencers.

I'm honestly a bit surprised and impressed to see Gartner come out on this one. I tend to think of them as a bit more conservative – making predictions that follow a trend that has already begun. Has this trend started to take shape or is Gartner a bit aggressive on this one?

Sara: I’m sort of a hero

In addition to keeping up with general topics, there are a number of specific blogs that I try to stay on top of. One is CSI's Security Provoked, where Sara Peters just posted two entertaining stories about how her work in security has left her less secure. I can relate.

Last night, I wasted four hours manually removing a virus that I pretty much knew would come back, but I had to try just to see if I could identify the how-to. (Kudos to Microsoft for XP's restore feature building a restore point without me having to enable it.)

If you've ever purposely gone to a phishing site or intentionally opened an email attachment that you knew was malicious, you might want to give it a read. And next time it goes bad, just remind yourself that you're sort of a hero.

...and good job Kristen pushing Sara to deliver the goods!

Wednesday, March 11

Security Bloggers Network

The Security Bloggers Network (SBN) is a network of security professionals. Many are brilliant. And many are opinionated. That makes for an entertaining and informative combination. If you're in the security field, the SBN is a great place to go each day to stay up-to-date on real world security trends, technologies, and experience.

NetVision believes in the value of the SBN and its members. We backed that up by signing on in early 2009 as an advertiser. Go check it out. And Happy Reading!