
Identity Management
David Hoyle (dhoyle@microsoft.com)
Consultant, Business Critical Services, Microsoft Services Organisation (UK)

Agenda
- Where are we today?
- Identity Management in the Enterprise
  - Directories – AD, ADAM, MIIS
  - Authentication / Single Sign On (SSO)
- Identity Management outside the Enterprise
  - B2C Identity Management
- Where are we going in the future?
  - Federated Identity Management
ADAM – Active Directory Application Mode
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

ID Management in the Enterprise: Directories – AD and ADAM
- Active Directory
  - Microsoft network operating system
  - User management
  - Computer management
  - Core component of Windows
- ADAM – Application Mode
- MIIS – Microsoft Identity Integration Server
- Authentication
  - Kerberos/NTLM
  - Single Sign-On
  - Certificates/Smartcards
A good story today in the Enterprise – AD, ADAM, MIIS, Single Sign On, SSL, IAS/EAP.
ADAM – Active Directory Application Mode; MIIS – Microsoft Identity Integration Server.

AD & ADAM: factor global vs local digital identity data
- Active Directory – Global: globally relevant, centrally controlled, persistent, shared by multiple applications
- ADAM – Local: app-specific, locally controlled, ephemeral
- Store data in the right LDAP directory
  - Avoid the schema bottleneck of the enterprise directory
  - App owner has full accountability for availability
  - Reduce concerns over apps disrupting infrastructure
Useful for local application data that needs to be stored in an LDAP directory. Avoids problems such as schema updates to the main directory, and protects AD from rogue or badly written LDAP applications.

Introducing: ADAM
(Diagram: infrastructure Active Directory compared with Active Directory Application Mode)
- Infrastructure Active Directory: LSASS hosting LDAP, MAPI, REPL, KDC, Lanman, DSA and SAM, with dependencies on DNS and FRS
- ADAM: DSAMAIN hosting DSA, LDAP and REPL only (infrastructure AD minus legacy)
- Programming model and admin tools virtually identical to infrastructure Active Directory
- Skill set easily transferable

Meta-Directories – MIIS
- Microsoft Identity Integration Server 2003
- Formerly called MMS (Microsoft Meta-directory Services)
- Most companies have multiple directories: HR, LDAP, applications
- Allows a single view of all directories
- Allows synchronisation of data between directories

MS Identity Integration Server: ensure consistency & utility of digital identity data
(Diagram: Exchange, Web Service, File Share, Application, Account Directory, LDAP, SQL and Enterprise App connected through Active Directory/ADAM and MIIS)
- Active Directory & ADAM
  - Single store for users, computers, services, groups, etc.
  - Distributed, replicated for availability
  - Automated security policy management
  - LDAP v3 compliant
  - ADAM for app-specific data
- Microsoft Identity Integration Server
  - Directory synchronization: LDAP (ADAM, iPlanet, etc.), relational databases, application specific
  - Account provisioning: automate account creation, automate account de-provisioning
  - Password management: self-service password reset
  - Visual Studio .NET integration: Visual Basic, C++, C#, J# .NET, third party (Perl etc.)

MIIS Metadirectory Concepts: multiple publishers, one source
(Diagram: connected directories – iPlanet, Oracle, SQL, Exchange 5.5 – each with its own connector space, all feeding a single User entry in the metaverse)
- Connected Directory: source and/or destination for synchronized attributes
- Connector Space (CS): staging area for inbound or outbound synchronized attributes
- Metaverse (MV): central (SQL) store of identity information
- Matching CS entries to a single MV entry is called "join"
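The slide names the three MIIS concepts (connected directory, connector space, metaverse) and the "join" that ties them together. The following toy synchronizer is an added example, not MIIS code, that shows the mechanics those names describe: each connected directory is staged in its own connector space, entries are joined to one metaverse entry by a join key, and an attribute flow precedence decides which directory is authoritative for each metaverse attribute. The three directories, their attribute names, the employeeID join key and the precedence table are all constructed for the example.

```python
"""Toy model of the MIIS metadirectory concepts on this slide (added example,
not MIIS code): connected directories feed a connector space (CS) per
directory; CS entries that describe the same person are joined to a single
metaverse (MV) entry; attribute flow precedence decides which connected
directory is authoritative for each MV attribute."""
from dataclasses import dataclass, field

# Constructed sample data: the same people as seen by three connected directories.
# Attribute names and the employeeID join key are assumptions for the example.
CONNECTED_DIRECTORIES = {
    "HR-SQL": [
        {"employeeID": "1001", "givenName": "Ann", "sn": "Lee", "department": "Finance"},
        {"employeeID": "1002", "givenName": "Bob", "sn": "Ng", "department": "Sales"},
    ],
    "ActiveDirectory": [
        {"employeeID": "1001", "givenName": "Annie", "sn": "Lee", "mail": "ann@corp.example"},
        {"employeeID": "1003", "givenName": "Cy", "sn": "Fox", "mail": "cy@corp.example"},
    ],
    "iPlanet": [
        {"employeeID": "1002", "sn": "Ng", "telephoneNumber": "+44 20 0000 0000"},
    ],
}

# Attribute flow precedence: for each MV attribute, the connected directories in
# order of authority. HR owns names and department, AD owns mail, iPlanet owns phone.
PRECEDENCE = {
    "givenName": ["HR-SQL", "ActiveDirectory", "iPlanet"],
    "sn": ["HR-SQL", "ActiveDirectory", "iPlanet"],
    "department": ["HR-SQL"],
    "mail": ["ActiveDirectory"],
    "telephoneNumber": ["iPlanet"],
}


@dataclass
class MetaverseEntry:
    key: str
    attributes: dict = field(default_factory=dict)
    joined_from: dict = field(default_factory=dict)   # directory name -> CS entry


def build_connector_spaces(directories):
    """Stage each connected directory's objects in its own connector space."""
    return {name: list(entries) for name, entries in directories.items()}


def join_rule(cs_entry):
    """Join key: CS entries with the same employeeID describe the same person."""
    return cs_entry.get("employeeID")


def synchronize(directories, precedence=PRECEDENCE):
    """Join CS entries into MV entries, then apply attribute flow precedence."""
    metaverse = {}
    for directory, cs in build_connector_spaces(directories).items():
        for entry in cs:
            key = join_rule(entry)
            if key is None:
                continue                     # unjoinable entry stays in the CS only
            mv = metaverse.setdefault(key, MetaverseEntry(key))
            mv.joined_from[directory] = entry
    for mv in metaverse.values():
        for attr, order in precedence.items():
            # The first directory in precedence order that supplies a value wins.
            for directory in order:
                src = mv.joined_from.get(directory)
                if src and attr in src:
                    mv.attributes[attr] = src[attr]
                    break
    return metaverse


def export_view(metaverse):
    """Flat read-only view of the metaverse: join key -> attribute dict."""
    return {k: dict(v.attributes) for k, v in sorted(metaverse.items())}


if __name__ == "__main__":
    for key, attrs in export_view(synchronize(CONNECTED_DIRECTORIES)).items():
        print(key, attrs)
```

Running it shows employee 1001 joined from HR and AD with HR's spelling of the given name winning, 1002 joined from HR and iPlanet, and 1003 present only in AD and therefore without a department; that last case is the kind of gap an MIIS provisioning rule would act on.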

Windows Authentication
- Kerberos V5 (RFC 1512), open standard
- Windows 2003 – cross forest/realm authentication

Windows Kerberos Logon
(Diagram: client machine and a Windows domain controller running Active Directory and the KDC)
- Client authenticates to the domain controller (authentication)
- Ticket server grants ticket(s) to the client

Kerberos Authentication: mutual authentication
(Diagram: client holding a TGT, the Windows Active Directory Key Distribution Center (KDC) on the Windows domain controller, and the application server as target)
2. Look up service, compose SPN
3. Request service ticket for <spn>
4. Present service ticket at connection setup
5. Mutual authentication using unique session key

Windows and Application Single Sign On (SSO): Windows desktop logon
(Diagram: logon to Windows against Active Directory, then access to Exchange, Web Service and File Share)
Single sign-on to:
- Windows file servers
- Windows web applications
- Exchange email
- SQL Server
- BizTalk Server
- Other Microsoft applications
- 3rd party integrated apps, ERP/CRM

Windows and Enterprise SSO: extending the Windows desktop logon
- X-Forest: forest trust and Kerberos/NTLM
- X-Realm: realm trust & Kerberos
- X-Platform: Host Integration Service, BizTalk SSO

Windows X-Realm (X-Forest) SSO: Windows trust & Kerberos
(Diagram: a Windows 2003 forest with a Windows domain controller KDC, a realm trust to a Kerberos realm with a UNIX KDC; the XP client uses host-realm mapping and the UNIX server uses name-based authorization)
1. TGT
2. X-realm TGT
3. Ticket
4. Ticket

Windows X-Platform SSO: Host Integration Services & BizTalk SSO
(Diagram: logon to Windows against Active Directory; BizTalk adapters (Microsoft and partners) to UNIX; Host Integration Server to Mainframe/AS400)
- Windows to RACF accounts
- Windows to OS/400 Security System
- Bi-directional password synchronization
- Can also use Services for Unix for NIS bi-directional sync of passwords etc.

Certificate Services/PKI
- Necessary plumbing – PKI should be considered like other infrastructure components (DNS, DHCP etc.)
- Technology enabler for many applications including:
  - Network security (VPN, IPsec, wireless 802.1x)
  - Smartcard (logon, digital signatures, authentication)
  - Secure web
  - Secure email
  - File encryption
- Very low cost – auto-enrollment, no per-certificate costs
- Low user involvement/impact
- It now just works!
Windows Certificate Services/PKI takes away much of the pain that used to be associated with PKI: easy to deploy, secure, reliable, very high functionality, very low cost of ownership. It will commoditise PKI. The bad old days of large, expensive, failed PKI projects are hopefully over.

Smartcard Authentication
- Applications: logon, VPN authentication, digital signatures
- Advantages
  - Two-factor security
  - Reduces password resets
    - $25 average per support call
    - 30% of all support calls are password resets
    - Average 1.75 calls/month/user
    - For 50,000 users, password reset costs approx. >$4 million/year

Windows Smart Cards: smart card logon
(Diagram: reader and smart card on the client, Windows Active Directory Key Distribution Center (KDC) on the Windows domain controller)
1. Card insertion displays PIN dialog
2. User inputs PIN
4. Kerberos PKINIT
5. KDC returns ticket

Smart Cards for Admins
- All administrators can use smart cards
- Smart card credentials for terminal server sessions

Certificate-based Network Authentication
- Microsoft IAS (RADIUS) server built in to Windows 2000/2003 Server
- Provides support for authentication of VPN clients and wireless (802.1x)
- Typically uses certificates to authenticate computers and users

Windows and Web SSO: web SSO on the front end with AD authorization on the back end
- B2C: Passport integration
- B2B: Microsoft Web SSO partners
- N-tier applications: protocol transition & constrained delegation

Web SSO for B2C apps: Passport integration & AD
(Diagram: customer browser, IIS 6 web server, Active Directory, applications)
1. Customer accesses the web site using a standard browser
2. Passport auth built into IIS 6 returns PUID
3. PUID mapped to AD account & user context impersonated
4. User is authorized based on AD account
- Let Passport deal with forgotten user passwords
- Manage customer/employee permissions the same way

Federated Identity Management

What is Federated Identity?
"Federated Identity allows customers, partners and end-users to use Web services without having to constantly authenticate or identify themselves to the services within their federation. This applies both within the corporation and across the Internet." – Michael Beach, The Boeing Company, Catalyst 2003

Windows 2003 has Federated Identity Management Today
- SSO & authorized access for external users
  - External domain trust
  - UNIX Kerberos realm trust (requires mapped account)
  - Forest trust
  - Passport integration

TrustBridge: Federated Web Services

What is TrustBridge?
- Goals
  - Extend secure web applications
  - Enable interoperable, secure web services
  - WS-Security compliant web service
- Components
  - Federation Server
  - Security Runtime
  - Logon Server (browser proxy to secure web services)
Allowing customers to securely authenticate and share user identities across business and security boundaries.

Federation Information Model
(Diagram: Organization A private namespace and Organization B private namespace linked by a Business Level Agreement)
Business Level Agreement defines:
- Common namespace
- Contractual terms & conditions
- Auditing requirements
- Etc.

TrustBridge Federation Server: security token service, trust & policy management
(Diagram: a Federation Server in each of Organization A's and Organization B's private namespaces)
Federation Servers issue tokens and manage:
- Trust – keys
- Security – claims required
- Privacy – claims allowed
- Audit – identities, authorities

Federated Identity Mgt in Action: cross-platform, cross-organization SSO
(Diagram: Exchange, Web Service, Collaboration and Intranet Applications behind Active Directory and a TrustBridge Federation Server (STS); WS-Security applications at Supplier A, which requires XrML, and Supplier B, which requires SAML)

Distributed AppSec Standards
(Diagram: Kerberos, X.509v3, SAML, XrML ... as token types, alongside trust policy and authorization policy; the application sits on WS-Security (WS-*) over XML and SOAP)
- Apps understand specific tokens or claims
- Security Token Services translate tokens from what the principal has to what the app needs
- WS-* provides a standard stack & envelope

TrustBridge and Windows Authorisation Manager
- Windows Authorisation Manager updated to support TrustBridge
  - XML
  - Add new token support: XrML, SAML
  - Integrate with ASP.NET roles & TrustBridge Security Runtime
- Common authorization policy & engine for Win32 apps, web apps & web services

Passport and Federation: evolution from monolithic authentication authority to federated identity mgt service
- Passport authority (current)
  - Authentication: SSO for B2C web applications
  - Identity management: managed namespaces for enterprises (mycompany.com)
  - Authentication for instant messaging
- Passport web service (2004)
  - Federated identity management
  - Support the Windows and TrustBridge WS-* stack
  - Interoperate with any WS-* compliant web service, regardless of its underlying platform
  - Co-develop [with TrustBridge] a robust web SSO protocol for browser clients

Going forward
- Don't build/buy apps that need private user creds
- Consolidate redundant LDAP directories: AD for infrastructure directory
- Factor global vs local digital identity data: AD & ADAM store data where/how apps need it
- Ensure consistency & utility of digital identity data: MIIS provisions & synchronizes distributed data
- Start a federated identity management project
  - Today: Windows trust & Kerberos, .NET web services
  - Future: TrustBridge & WS-Security

Additional Resources
- Oasis http://www.oasis-open.org/
- Windows Server 2003 http://www.microsoft.com/windowsserver2003/
- Microsoft Identity Management http://www.microsoft.com/idm
- MSDN Web Services http://msdn.microsoft.com/webservices
- Web Services Interoperability (WS-I) http://www.ws-i.org/
- W3C http://www.w3.org/


Microsoft Identity Integration Server (MIIS) 2003
MIIS includes support for a wide variety of identity repositories including:
- Active Directory, Active Directory Application Mode (ADAM), NT 4.0
- Files (LDAP Directory Interchange Format, attribute-value-pair text files, delimited text files, Directory Services Markup Language, fixed-width text files)
- Exchange Global Address Lists (Exchange 5.5, 2000 and 2003), Notes
- Microsoft SQL 7 and 2000, Oracle 8i and 9i, DB2, Access, Excel etc. databases
- Other directories – Novell, Sun iPlanet
Also:
- Provision user accounts
- Manage passwords
- Visual Studio .NET integration; languages supported: Visual Basic .NET, Visual C++ .NET, Visual C# .NET, Visual J# .NET, or third party (Perl etc.)

Windows Smart Cards: smart card logon
(Diagram: reader and smart card, Winlogon/GINA, LSA, the Kerberos client and the Kerberos KDC)
1. Card insertion causes Winlogon to display GINA
2. User inputs PIN
3. GINA passes PIN to LSA
4. LSA accesses the smart card and retrieves the cert from the card
5. Kerberos sends the certificate in a PKINIT login request to the KDC
6. KDC verifies the certificate, then looks up the principal in the DS
7. KDC returns a TGT, encrypted with a session key which is in turn encrypted using the user's public key
8. Smart card decrypts the TGT using the private key, allowing LSA to log the user on

Web SSO for B2B apps: Microsoft partners & AD
(Diagram: a "trusted" business partner reaches the enterprise extranet over an SSL session; an EAM web SSO product with SSO agents fronts Web App 1 and Web App 2, performing a cookie-based authorization check and offering delegated admin; authentication is an LDAP bind against an Active Directory holding partner identities, separate from the Active Directory holding corporate identities)

Web SSO for N-tier Apps: protocol transition/constrained delegation & AD
(Diagram: user, front end application server, back end application server, and the Active Directory KDC, which verifies the policy Allowed-To-Delegate-To)
- User to front end: Passport or 3rd party web SSO, Basic, Digest, SSL, signed messages (S/MIME/SMTP), XMLDSIG/HTTP, cert
- Front end to KDC: Passport integration, protocol transition
- Front end to back end: constrained delegation, Kerberos
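The slide's key control is the KDC policy check: a front end that authenticated the user by some non-Kerberos means may obtain a Kerberos ticket to a back end on that user's behalf only for the SPNs on its Allowed-To-Delegate-To list. The model below is an added example, not Windows code, of that decision: protocol transition is represented by whether the front end's self-service ticket is forwardable, and constrained delegation by the SPN list check. The service account names and SPNs are constructed; the names s4u2self and s4u2proxy are the Kerberos extensions Windows uses for these two steps.

```python
"""Model of the KDC delegation policy check on this slide (added example,
not Windows code). A front-end service that authenticated the user without
Kerberos asks the KDC for a ticket to itself for that user (protocol
transition, S4U2Self) and then for a ticket to the back end on the user's
behalf (constrained delegation, S4U2Proxy). The KDC allows the second step
only if the evidence ticket is forwardable and the target SPN is on the
front end's Allowed-To-Delegate-To list. Accounts and SPNs are constructed."""
from dataclasses import dataclass, field


@dataclass
class ServiceAccount:
    name: str                                           # the front end's own SPN
    allowed_to_delegate_to: set = field(default_factory=set)   # target SPNs
    protocol_transition: bool = False                   # "use any authentication protocol"


class DelegationPolicyError(PermissionError):
    """Raised when the KDC refuses an S4U request."""


class KDCPolicy:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def s4u2self(self, front_end, user):
        """Protocol transition: the front end obtains a ticket to itself for
        `user` without presenting anything from the user. The ticket is only
        forwardable when protocol transition is enabled on the account."""
        acct = self.accounts[front_end]
        return {"user": user, "service": front_end, "forwardable": acct.protocol_transition}

    def s4u2proxy(self, front_end, evidence_ticket, target_spn):
        """Constrained delegation: issue a ticket to target_spn for the user in
        evidence_ticket, subject to the Allowed-To-Delegate-To policy."""
        acct = self.accounts[front_end]
        if evidence_ticket["service"] != front_end:
            raise DelegationPolicyError("evidence ticket is not for the requesting service")
        if not evidence_ticket["forwardable"]:
            raise DelegationPolicyError("evidence ticket is not forwardable (protocol transition off)")
        if target_spn not in acct.allowed_to_delegate_to:
            raise DelegationPolicyError(f"{front_end} may not delegate to {target_spn}")
        return {"user": evidence_ticket["user"], "service": target_spn, "forwardable": False}


def evaluate(policy, front_end, user, target_spn):
    """Run both steps; returns (target service granted, None) or (None, reason)."""
    try:
        evidence = policy.s4u2self(front_end, user)
        return policy.s4u2proxy(front_end, evidence, target_spn)["service"], None
    except DelegationPolicyError as err:
        return None, str(err)


def build_sample_policy():
    """Constructed sample: one front end with protocol transition on, one without."""
    return KDCPolicy([
        ServiceAccount("http/fe.corp.example", {"MSSQLSvc/db.corp.example:1433"}, True),
        ServiceAccount("http/legacy.corp.example", {"MSSQLSvc/db.corp.example:1433"}, False),
    ])


if __name__ == "__main__":
    policy = build_sample_policy()
    print(evaluate(policy, "http/fe.corp.example", "alice", "MSSQLSvc/db.corp.example:1433"))
    print(evaluate(policy, "http/fe.corp.example", "alice", "cifs/files.corp.example"))
    print(evaluate(policy, "http/legacy.corp.example", "alice", "MSSQLSvc/db.corp.example:1433"))
```

The three calls in the usage block cover the cases a reviewer of such a policy wants to see: the allowed path, a front end trying to reach an SPN outside its list, and an account that can authenticate users itself but has not been granted protocol transition.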

What's Driving Federated Identity: transition from sealed to porous environment
- Network security derived from isolation
  - Seal the environment, manage the perimeter
  - Security not guaranteed if the seal is broken: defense in depth
- Today's business model "cracks" the seal
  - E-mail, web applications, supply chain & inventory mgt, collaboration, outsourcing ...
- Edge defense not sufficient in a porous environment
  - Apps must service users from other security domains
  - Need distributed authentication & authorization
- Big policy, security & management problem!

TrustBridge Security Runtime
(Diagram: security tokens arrive in SOAP messages; the Security Runtime authenticates them against trust policy, performs a policy lookup and authorizes against authorization policy on behalf of the application logic, and creates tokens for outgoing SOAP messages)

Web Services Authorization & RBAC: platform-independent object model
(Diagram: the Windows Authorization API used by a web services front end, an e-commerce application and an LOB application; an Authorization Administration Manager with a common roles management UI; policy stores in Active Directory, XML and SQL; ADD: SAML & XrML export/import)
- Policy object model: AzAuthorizationManager, AzApplication, AzApplicationGroup (LDAP query), AzScope, AzRole, AzTask w/ BizRule, AzOperation
- Runtime object model: AzClientContext, Init methods, AccessCheck
- Federation should follow business level agreements
- Authorization should follow business user roles

TrustBridge Logon Server: SOAP rich client proxy for browsers
(Diagram: browser, "TrustBridge" web-based Logon Server, Active Directory, web front end, web service)
1. User authenticates to the Logon Server (forms based)
2. TrustBridge validates credentials with Active Directory
3. TrustBridge creates the requested security token
4. Logon Server returns the token to the client
5. Client forwards the token to the web front end
6. Front end sends a WS-Security message with the token to the web service

Windows Kerberos
(Diagram: client machine, Active Directory domain controller with KDC, Windows server(s) holding applications, files and devices protected by ACLs)
1. Client authenticates to the domain controller (authentication)
2. Ticket server grants ticket(s) to the client
3. Client requests a resource and presents a ticket (authorization)
4. Resource server verifies the ticket, compares it to the Access Control List (ACL) on the resource and grants or denies access
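This slide and the earlier "Kerberos Authentication" slide together describe the whole flow: logon yields a TGT, the TGT buys a service ticket for an SPN, the ticket is presented at connection setup with mutual authentication over the session key, and the resource server then applies its ACL. The simulation below is an added example, not Windows or MIT Kerberos code, that runs all four steps end to end with the trust boundaries kept honest: the KDC alone knows every long-term key, the resource server knows only its own SPN key, and the client never sees the service key. A toy keyed cipher built from SHA-256 and HMAC stands in for the Kerberos encryption types; the realm, SPN, user names, password-derived keys and ACLs are constructed.

```python
"""Simulation of the Windows Kerberos flow on this slide and on the
"Kerberos Authentication" slide (added example, not Windows or MIT code).
It walks the AS exchange (logon -> TGT), the TGS exchange (service ticket
for an SPN), the AP exchange with mutual authentication, and the resource
server's ACL check. A toy keyed cipher (SHA-256 keystream + HMAC tag)
stands in for the Kerberos encryption types; SPN, user names, keys and
ACLs are constructed for the example."""
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock skew tolerated, as Kerberos does by default


def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key, obj):
    """Toy authenticated encryption of a JSON-serialisable object under key."""
    nonce, plain = os.urandom(12), json.dumps(obj).encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    """Check the tag, then decrypt; a wrong key or tampering raises ValueError."""
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Domain controller side: long-term keys of users and service principals."""
    def __init__(self, keys):
        self.keys, self.krbtgt_key = keys, os.urandom(32)  # TGTs are sealed with krbtgt_key

    def as_exchange(self, user, preauth):
        """Step 1 (logon): client proves knowledge of the user key and receives a TGT."""
        if abs(time.time() - unseal(self.keys[user], preauth)["ts"]) > SKEW:
            raise ValueError("pre-authentication timestamp outside skew window")
        session = os.urandom(32).hex()
        return (seal(self.krbtgt_key, {"user": user, "session": session}),
                seal(self.keys[user], {"session": session}))

    def tgs_exchange(self, tgt, spn):
        """Step 2: client presents its TGT and asks for a ticket to the service named by spn."""
        body = unseal(self.krbtgt_key, tgt)
        svc_session = os.urandom(32).hex()
        return (seal(self.keys[spn], {"user": body["user"], "session": svc_session}),
                seal(bytes.fromhex(body["session"]), {"session": svc_session}))


class ResourceServer:
    """Application server: knows only its own SPN key and the resource ACLs."""
    def __init__(self, spn, key, acls):
        self.spn, self.key, self.acls = spn, key, acls  # acls: resource -> set of users

    def accept(self, ticket, authenticator):
        """Step 3: verify the ticket (sealed under our key) and the authenticator (sealed
        under the session key inside it); the reply proves to the client that we hold the key."""
        body = unseal(self.key, ticket)
        session = bytes.fromhex(body["session"])
        auth = unseal(session, authenticator)
        if auth["user"] != body["user"] or abs(time.time() - auth["ts"]) > SKEW:
            raise ValueError("authenticator does not match ticket")
        return body["user"], seal(session, {"ts": auth["ts"]})

    def access_check(self, user, resource):
        """Step 4: compare the authenticated user against the resource ACL."""
        return user in self.acls.get(resource, set())


def run_scenario(user, resource):
    """Logon -> service ticket -> mutual auth -> ACL check; returns (authenticated, allowed)."""
    user_key = hashlib.sha256(b"constructed-password:" + user.encode()).digest()
    svc_key, spn = os.urandom(32), "cifs/files.corp.example"
    kdc = KDC({user: user_key, spn: svc_key})
    server = ResourceServer(spn, svc_key, {"finance": {"alice"}, "public": {"alice", "bob"}})
    tgt, enc = kdc.as_exchange(user, seal(user_key, {"ts": time.time()}))
    tgt_session = bytes.fromhex(unseal(user_key, enc)["session"])
    ticket, enc = kdc.tgs_exchange(tgt, spn)
    session = bytes.fromhex(unseal(tgt_session, enc)["session"])
    ts = time.time()
    who, reply = server.accept(ticket, seal(session, {"user": user, "ts": ts}))
    mutual_ok = unseal(session, reply)["ts"] == ts  # client verifies the server's reply
    return who == user and mutual_ok, server.access_check(who, resource)


if __name__ == "__main__":
    print(run_scenario("alice", "finance"), run_scenario("bob", "finance"))
```

The separation the slide draws between authentication (steps 1 and 2, against the KDC) and authorization (step 4, against the ACL) is visible in the return value: bob authenticates successfully yet is refused the finance share, and a ticket or authenticator altered in transit fails the integrity check before any ACL is consulted.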