1
Identity Management
David Hoyle, Consultant (dhoyle@microsoft.com)
Business Critical Services, Microsoft Services Organisation (UK)
2
Agenda
Where are we today?
- Identity Management in the Enterprise
  - Directories: AD, ADAM, MIIS
  - Authentication / Single Sign-On (SSO)
- Identity Management outside the Enterprise
  - B2C Identity Management
Where are we going in the future?
- Federated Identity Management
ADAM – Active Directory Application Mode
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
3
ID Management in the Enterprise
Directories - AD and ADAM
- Active Directory: Microsoft Network Operating System; user management; computer management; core component of Windows
- ADAM: Active Directory Application Mode
- MIIS – Microsoft Identity Integration Server
Authentication
- Kerberos/NTLM
- Single Sign-On
- Certificates/Smartcards
A good story today in the Enterprise – AD, ADAM, MIIS, Single Sign On, SSL, IAS/EAP
4
AD & ADAM
Factor global vs local digital identity data
- Active Directory - Global: globally relevant, centrally controlled, persistent, shared by multiple applications
- ADAM - Local: app-specific, locally controlled, ephemeral
- Store data in the right LDAP directory
  - Avoid the schema bottleneck of the enterprise directory
  - App owner has full accountability for availability
  - Reduce concerns over apps disrupting infrastructure
Useful for local application data that needs to be stored in an LDAP directory. Avoids problems such as schema updates to the main directory. Protects AD from rogue/badly written LDAP applications.
5
Introducing: ADAM
Diagram: infrastructure Active Directory runs inside LSASS (LDAP, MAPI, REPL, KDC, Lanman, DSA, SAM) with dependencies on DNS and FRS; Active Directory Application Mode runs as DSAMAIN (DSA, LDAP, REPL) – "infrastructure AD minus legacy".
- Programming model and admin tools virtually identical to infrastructure Active Directory
- Skill set easily transferable
6
Meta-Directories - MIIS
Microsoft Identity Integration Server 2003
- Formerly called MMS (Microsoft Meta-directory Services)
- Most companies have multiple directories: HR, LDAP, applications
- Allows a single view of all directories
- Allows synchronisation of data between directories
7
MS Identity Integration Server
Ensure consistency & utility of digital identity data
Diagram: MIIS synchronising an Account Directory (LDAP), SQL, an Enterprise App, Exchange, a Web Service, a File Share and an Application with Active Directory.
Active Directory & ADAM
- Single store for users, computers, services, groups, etc.
- Distributed, replicated for availability
- Automated security policy management
- LDAP v3 compliant
- ADAM for app-specific data
Microsoft Identity Integration Server
- Directory synchronization: LDAP (ADAM, iPlanet, etc), relational databases, application specific
- Account provisioning: automate account creation; automate account de-provisioning
- Password management: self-service password reset
- Visual Studio .NET integration: Visual Basic, C++, C#, J# .NET, third party (Perl etc.)
8
MIIS Metadirectory Concepts
Multiple publishers, one source
Diagram: connected directories (iPlanet, Oracle, SQL, Exchange 5.5) each feed a connector space, whose entries are joined to a single User object in the metaverse.
- Connected Directory: source and/or destination for synchronized attributes
- Connector Space (CS): staging area for inbound or outbound synchronized attributes
- Metaverse (MV): central (SQL) store of identity information
- Matching CS entries to a single MV entry is called “join”
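The join and attribute-precedence concepts on this slide, as an added Python model that is not part of the presentation or of MIIS itself; the connected directories, sample records, join rules and the choice of HR as the authoritative source are constructed for illustration:

```python
"""Toy model of the MIIS join on this slide (added illustration, not MIIS
code): connector-space (CS) entries from several directories are joined to
one metaverse (MV) object, and per-attribute precedence decides which
directory's value wins. All sample records are constructed."""

CONNECTOR_SPACES = {  # constructed CS entries, one list per connected directory
    "HR": [{"employeeID": "10042", "givenName": "Alice", "sn": "Smith",
            "mail": "alice.smith@example.com", "status": "active"},
           {"employeeID": "10077", "givenName": "Bob", "sn": "Jones",
            "mail": "bob.jones@example.com", "status": "terminated"}],
    "AD": [{"employeeID": "10042", "sAMAccountName": "asmith",
            "mail": "alice@example.com", "telephoneNumber": "555-0100"},
           {"employeeID": "10077", "sAMAccountName": "bjones"}],
    "iPlanet": [{"mail": "alice.smith@example.com", "telephoneNumber": "555-0199"},
                {"mail": "nobody@example.com", "telephoneNumber": "555-0000"}],
}
# Import attribute flow precedence: the first listed directory holding the
# attribute wins. HR is assumed authoritative for names and employment status.
PRECEDENCE = {
    "givenName": ["HR"], "sn": ["HR"], "status": ["HR"],
    "mail": ["HR", "AD", "iPlanet"], "telephoneNumber": ["AD", "iPlanet"],
    "sAMAccountName": ["AD"],
}

def resolve(sources, precedence):
    """Apply precedence to the CS entries joined to one MV object."""
    attrs = {}
    for attr, order in precedence.items():
        for directory in order:
            if attr in sources.get(directory, {}):
                attrs[attr] = sources[directory][attr]
                break
    return attrs

def synchronize(spaces, precedence):
    """Join rules: CS employeeID -> MV employeeID; entries without one join
    on CS mail -> MV mail. Returns (metaverse keyed by employeeID,
    disconnectors: CS entries that matched no MV object)."""
    joined, pending = {}, []
    for directory, entries in spaces.items():
        for entry in entries:
            if "employeeID" in entry:
                joined.setdefault(entry["employeeID"], {})[directory] = entry
            else:
                pending.append((directory, entry))
    # Second pass: match on the MV mail value as resolved so far.
    by_mail = {resolve(src, precedence).get("mail"): emp for emp, src in joined.items()}
    disconnectors = []
    for directory, entry in pending:
        emp = by_mail.get(entry.get("mail"))
        if emp is None:
            disconnectors.append((directory, entry))
        else:
            joined[emp][directory] = entry
    metaverse = {emp: dict(resolve(src, precedence), employeeID=emp)
                 for emp, src in joined.items()}
    return metaverse, disconnectors

def deprovision_candidates(metaverse):
    """Export rule: AD accounts whose authoritative HR status is 'terminated'."""
    return sorted(a["sAMAccountName"] for a in metaverse.values()
                  if a.get("status") == "terminated" and "sAMAccountName" in a)
```

The second iPlanet record joins nothing and stays a disconnector, while Bob's terminated HR record flows through to an AD de-provisioning candidate.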
9
Windows Authentication
- Kerberos V5 RFC 1512
- Open standard
- Windows Cross Forest/Realm Authentication
10
Windows Kerberos Logon
Diagram: Client Machine and Windows Domain Controller (Active Directory, KDC).
- Client authenticates to Domain Controller (Authentication)
- Ticket Server grants Ticket(s) to client
11
Kerberos Authentication
Mutual Authentication
Diagram: client holding a TGT, Windows Active Directory Key Distribution Center (KDC) on the Windows domain controller, Application Server (target).
2. Lookup Service, Compose SPN
3. Request service ticket for <spn>
4. Present service ticket at connection setup
5. Mutual auth using unique session key
12
Windows and Application Single Sign On (SSO)
Windows desktop logon
Diagram: Logon to Windows (Active Directory) gives access to Exchange, Web Service, File Share.
Single Sign-on to:
- Windows File servers
- Windows Web applications
- Exchange
- SQL Server
- BizTalk Server
- Other Microsoft applications
- 3rd Party Integrated Apps (ERP/CRM)
13
Windows and Enterprise SSO
Extending the Windows desktop logon
- X-Forest: Forest Trust and Kerberos/NTLM
- X-Realm: Realm Trust & Kerberos
- X-Platform: Host Integration Service, BizTalk SSO
14
Windows X-Realm (X-Forest) SSO
Diagram: a Windows 2003 Forest (Windows Domain Controller, KDC) and a Kerberos Realm (UNIX KDC) linked by a Realm Trust.
15
Windows X-Realm (X-Forest) SSO
Windows Trust & Kerberos
Diagram: Windows 2003 Forest (Windows KDC) and Kerberos Realm (UNIX KDC) linked by a Realm Trust; XP Client (host-realm mapping) and UNIX Server (name-based authorization).
1. TGT (XP client from the Windows KDC)
2. X-realm TGT
3. TICKET (from the UNIX KDC)
4. TICKET (presented to the UNIX Server)
16
Windows X-Platform SSO
Host integration services & BizTalk SSO
Diagram: Logon to Windows (Active Directory) extended to UNIX and Mainframe/AS400.
- UNIX: BizTalk Adapters (Microsoft and Partners). Can also use Services for Unix for NIS and bi-directional sync of passwords etc.
- Mainframe/AS400: Host Integration Server – Windows to RACF accounts, Windows to OS/400 Security System, bi-directional password synchronization
17
Certificate Services/PKI
- Necessary plumbing - PKI should be considered like other infrastructure components (DNS, DHCP etc).
- Technology enabler for many applications including:
  - Network Security (VPN, IPsec, Wireless 802.1x)
  - Smartcard (Logon, Digital Signatures, Authentication)
  - Secure Web
  - Secure File Encryption
- Very low cost – auto-enrollment, no per-certificate costs. Low user involvement/impact.
- It now just works!
Windows Certificate Services/PKI takes away much of the pain that used to be associated with PKI: easy to deploy, secure, reliable, very high functionality, very low cost of ownership. Will commoditise PKI. The bad old days of large, expensive, failed PKI projects are hopefully over.
18
Smartcard Authentication
Applications
- Logon
- VPN Authentication
- Digital Signatures
Advantages
- Two factor security
- Reduces password resets: $25 average per support call; 30% of all support calls are password resets; average 1.75 calls/month/user. For 50,000 users password reset costs approx. >$4 million/year.
19
Windows Smart Cards
Smart Card Logon
Diagram: Reader, smart card (SC), Windows domain controller with Active Directory and Key Distribution Center (KDC).
1. Card insertion displays PIN dialog
2. User inputs PIN
4. Kerberos PKINIT
5. KDC returns Ticket
20
Smart Cards for Admins
- All Administrators can use Smart cards
- Smart card credentials for terminal server sessions
21
Certificate based Network Authentication
- Microsoft IAS (Radius) Server built in to Windows 2000/2003 server
- Provides support for authentication of VPN clients and wireless (802.1x)
- Typically uses certificates to authenticate computers and users
22
Windows and Web SSO
Web SSO on FE with AD authorization on BE
- B2C: Passport Integration
- B2B: Microsoft Web SSO Partners
- N-tier applications: Protocol Transition & Constrained Delegation
23
Web SSO for B2C apps
Passport Integration & AD
Diagram: customer browser, IIS 6 Web Server, Active Directory, Applications.
(1) Customer accesses Web site using standard browser
(2) Passport auth built into IIS 6 returns PUID
(3) PUID mapped to AD account & user context impersonated
(4) User is authorized based on AD account
- Let Passport deal with forgotten user passwords
- Manage customer/employee permissions the same way
24
Federated Identity Management
25
What is Federated Identity?
“Federated Identity allows customers, partners and end-users to use Web services without having to constantly authenticate or identify themselves to the services within their federation. This applies both within the corporation and across the Internet.”
Michael Beach, The Boeing Company, Catalyst 2003
26
Windows 2003 has Federated Identity Management Today
SSO & authorized access for external users
- External domain trust
- UNIX Kerberos realm trust (requires mapped account)
- Forest trust
- Passport integration
27
TrustBridge Federated Web Services
28
What is TrustBridge?
Goals
- Extend secure web applications
- Enable interoperable, secure web services
- WS-Security compliant web service
Components
- Federation Server
- Security Runtime
- Logon Server (browser proxy to secure web services)
Allowing customers to securely authenticate and share user identities across business and security boundaries
29
Federation Information Model
Diagram: Organization A (private namespace) and Organization B (private namespace) connected by a Business Level Agreement.
Business Level Agreement defines:
- Common namespace
- Contractual terms & conditions
- Auditing requirements
- Etc.
30
TrustBridge Federation Server
Security token service, Trust & Policy mgt
Diagram: a Federation Server in Organization A's private namespace and one in Organization B's private namespace.
Federation Servers issue tokens and manage:
- Trust -- keys
- Security -- claims required
- Privacy -- claims allowed
- Audit -- identities, authorities
31
Federated Identity Mgt in Action
Cross-platform, cross-organization SSO
Diagram: the enterprise (Exchange, Web Service, Collaboration, Active Directory, Intranet Applications) with a TrustBridge Federation Server (STS) issuing tokens to WS-Security applications at Supplier A (requires XrML) and Supplier B (requires SAML).
32
Distributed AppSec Standards
Diagram: Trust Policy (Kerberos, X.509v3, SAML) and Authorization Policy (XrML, . . .) reach the Application through WS-Security (WS-*) over XML and SOAP.
- Apps understand specific tokens or claims
- Security Token Services translate tokens from what the principal has to what the app needs
- WS-* provide standard stack & envelope
33
TrustBridge and Windows Authorisation Manager
Windows Authorisation Manager updated to support TrustBridge
- XML
- Add new token support: XrML, SAML
- Integrate with ASP.NET Roles & TrustBridge Security Runtime
- Common Authorization Policy & Engine for Win32 apps, Web apps & Web services
34
Passport and Federation
Evolution from monolithic authentication authority to federated identity mgt service
Passport authority (current)
- Authentication: SSO for B2C web applications
- Identity Management: managed name spaces for enterprises (mycompany.com)
- Authentication for instant messaging
Passport web service (2004)
- Federated Identity Management: support the Windows and TrustBridge WS-* stack
- Interoperate with any WS-* compliant web service, regardless of its underlying platform
- Co-develop [with TrustBridge] robust Web SSO protocol for browser clients
35
Going forward
Don’t build/buy apps that need private user creds
- Consolidate redundant LDAP directories: AD for Infrastructure Directory
- Factor global vs local digital identity data: AD & ADAM store data where/how apps need it
- Ensure consistency & utility of digital identity data: MIIS provisions & synchronizes distributed data
- Start federated identity management project
  - Today: Windows Trust & Kerberos, .NET web services
  - Future: TrustBridge & WS-Security
36
Additional Resources
- Windows Server
- Microsoft Identity Management
- MSDN Web Services
- Oasis http://www.oasis-open.org/
- Web Services Interoperability (WS-I)
- W3C
38
Microsoft Identity Integration Server (MIIS) 2003
MIIS includes support for a wide variety of identity repositories including:
- Active Directory®, Active Directory Application Mode (ADAM), NT 4.0
- Files (LDAP Directory Interchange Format, attribute value pair text files, delimited text files, Directory Services Markup Language, fixed-width text files)
- Exchange Global Address Lists (Exchange 5.5, 2000 and 2003), Notes
- Databases: Microsoft SQL 7 and 2000, Oracle 8i and 9i, DB2, Access, Excel etc.
- Other directories – Novell, Sun iPlanet
Provision User Accounts
Manage Passwords
Visual Studio .NET Integration – languages supported: Visual Basic .NET, Visual C++ .NET, Visual C# .NET, Visual J# .NET, or third party (Perl etc).
39
Windows Smart Cards
Smart Card Logon
Diagram: Reader, smart card (SC), GINA, LSA, client Kerberos, Kerberos KDC.
1. Card insertion causes Winlogon to display GINA
2. User inputs PIN
3. GINA passes PIN to LSA
4. LSA accesses smart card and retrieves cert from card
5. Kerberos sends certificate in a PKINIT login request to the KDC
6. KDC verifies certificate then looks up principal in DS
7. KDC returns TGT, encrypted with a session key which is in turn encrypted using user’s public key
8. Smart card decrypts the TGT using private key allowing LSA to log user on
40
Web SSO for B2B apps
Microsoft Partners & AD
Diagram: Enterprise Extranet with Web App 1 and Web App 2 behind an SSO Agent; EAM Web SSO with Delegated Admin and a Cookie authorization check over an SSL Session from a “Trusted” Business Partner; Active Directory for Corporate Identities and Active Directory for Partner Identities, authenticated via LDAP Bind.
41
Web SSO for N-tier Apps
Protocol Transition/Constrained Delegation & AD
Diagram: User, Front End Application Server, Back End Application Server, Active Directory KDC.
- Front end authentication options: Passport integration or 3rd Party web SSO; Basic, Digest, SSL; Signed Messages (S/MIME/SMTP, XMLDSIG/HTTP); Kerberos; Cert
- Protocol Transition at the front end
- Constrained Delegation to the back end: KDC verifies policy: Allowed-To-Delegate-To
42
What’s Driving Federated Identity
Transition from sealed to porous environment
- Network security derived from isolation: seal the environment, manage the perimeter
- Security not guaranteed if the seal is broken: defense in depth
- Today’s business model “cracks” the seal: Web applications, supply chain & inventory mgt, collaboration, outsourcing …
- Edge defense not sufficient in porous environment
- Apps must service users from other security domains
- Need distributed authentication & authorization
- Big policy, security & management problem!
43
TrustBridge Security Runtime
Diagram: Application Logic sits on the Security Runtime. Inbound: Security Tokens (SOAP), Authenticate (Trust Policy), Policy Lookup, Authorize (Authorization Policy). Outbound: Create Tokens, Security Tokens (SOAP).
44
Web Services Authorization & RBAC
Platform independent Object Model
Diagram: Windows Authorization API used by a Web Services Front End, an E-Commerce Application and LOB applications.
- Policy Object Model: AzAuthorizationManager, AzApplication, AzApplicationGroup (LDAP Query), AzScope, AzRole, AzTask w/ BizRule, AzOperation
- Runtime Object Model: AzClientContext, Init methods, AccessCheck
- Authorization Administration Manager: Active Directory, XML, SQL policy stores; common roles mgt UI; ADD: SAML & XrML export/import
Federation should follow Business level agreements. Authorization should follow Business user roles.
45
TrustBridge Logon Server
SOAP rich client proxy for browsers
Diagram: Active Directory, “TrustBridge” Web-based Logon Server, Web Front End, Web Service; Security Token, Security Message.
1. User authenticates to Logon server (forms based)
2. TrustBridge validates credentials with Active Directory
3. TrustBridge creates the requested security token
4. Logon server returns token to client
5. Client forwards token to web front end
6. Front end sends WS-Security msg with token to web service
46
Windows Kerberos
Diagram: Client Machine, Domain Controller (Active Directory, KDC), Windows Server(s) with Applications, Files and Devices protected by ACLs.
1. Client authenticates to Domain Controller (Authentication)
2. Ticket Server grants Ticket(s) to client
3. Client requests a resource and presents a ticket: Request Ticket (Authorization)
4. Resource Server verifies the ticket, compares it to the Access Control List (ACL) on the resource and grants or denies access
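The logon, ticket grant and ACL check on this slide, together with the Allowed-To-Delegate-To check from the N-tier Web SSO slide, as an added Python model that is not code from the presentation or from Windows. Principal names, keys and the ACL are constructed, and HMAC sealing under the target's long-term key stands in for real Kerberos ticket encryption.

```python
"""Simplified model of the Kerberos flow on these slides (added illustration, not
Windows code): AS exchange (TGT), TGS exchange (service ticket), the resource
server's ticket and ACL check, and the Allowed-To-Delegate-To check before a front
end gets a back-end ticket in the user's name. HMAC sealing under the target's key
stands in for Kerberos encryption; all keys, principal names and ACLs are constructed."""
import hashlib, hmac, json, secrets, time

def seal(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, ticket):
    body, tag = ticket[:-32], ticket[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(body)

def preauth(client_key):  # client proves its long-term key over a timestamp
    ts = str(int(time.time())).encode()
    return ts, hmac.new(client_key, ts, hashlib.sha256).digest()

class KDC:
    def __init__(self, keys, allowed_to_delegate_to):
        self.keys, self.policy = keys, allowed_to_delegate_to

    def _ticket(self, client, service):  # sealed so only `service` can read it
        payload = {"client": client, "service": service, "expires": time.time() + 600}
        return seal(self.keys[service], payload)

    def as_exchange(self, client, ts, mac):
        good = hmac.new(self.keys[client], ts, hashlib.sha256).digest()
        if abs(time.time() - int(ts)) > 300 or not hmac.compare_digest(mac, good):
            raise PermissionError("pre-authentication failed")
        return self._ticket(client, "krbtgt")  # the TGT

    def tgs_exchange(self, tgt, spn):  # only the KDC can unseal a TGT
        return self._ticket(unseal(self.keys["krbtgt"], tgt)["client"], spn)

    def s4u2proxy(self, front_tgt, evidence_ticket, target_spn):
        """Constrained delegation: policy must list target_spn for the front end."""
        front = unseal(self.keys["krbtgt"], front_tgt)["client"]
        if target_spn not in self.policy.get(front, ()):
            raise PermissionError(f"{front} may not delegate to {target_spn}")
        user = unseal(self.keys[front], evidence_ticket)["client"]
        return self._ticket(user, target_spn)

def access_check(service_key, spn, ticket, acl, resource):
    """Resource server: verify the ticket with its own key, then consult the ACL."""
    t = unseal(service_key, ticket)
    if t["service"] != spn or t["expires"] < time.time():
        raise PermissionError("ticket is for another service or has expired")
    return acl.get(resource, {}).get(t["client"], "deny")

def build_realm():
    """Constructed realm; only HTTP/web is allowed to delegate to the database."""
    keys = {n: secrets.token_bytes(32)
            for n in ("krbtgt", "alice", "HTTP/web", "HTTP/other", "MSSQLSvc/db")}
    return keys, KDC(keys, {"HTTP/web": {"MSSQLSvc/db"}}), {"Orders": {"alice": "read"}}

def delegated_access(keys, kdc, acl, front):
    """alice gets a ticket to `front`, which requests a database ticket in her name."""
    user_tgt = kdc.as_exchange("alice", *preauth(keys["alice"]))
    front_tgt = kdc.as_exchange(front, *preauth(keys[front]))
    db_ticket = kdc.s4u2proxy(front_tgt, kdc.tgs_exchange(user_tgt, front), "MSSQLSvc/db")
    return access_check(keys["MSSQLSvc/db"], "MSSQLSvc/db", db_ticket, acl, "Orders")
```

A front end not listed in the policy is refused at the KDC before any back-end ticket exists, and a ticket sealed for one service fails verification at any other.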