CENTRIFY CORP.
Active Directory and DirectControl
APRIL 2005
ABSTRACT
Microsoft’s Active Directory is now the de facto standard in most enterprises for
providing authentication, authorization, account access, computer policy and
infrastructure management for Windows systems and applications. Active
Directory has proven itself to be highly scalable, very secure and resilient under
just about any load. However, in many of these enterprises, there is usually no
single way for providing these same services to UNIX, Linux, Mac and Java-
based environments. Most companies end up managing these systems with a
variety of directory solutions, some of which are centralized and some of which
are managed at each individual machine.
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, e-mail address, logo, person, place or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or for any purpose, without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
WP-004-2005-05-09
Centralized directories for computing platforms have been around for almost as long as
computer networks. The concept behind a directory was to provide a place to put user,
and in some cases, computer account information so that a) information about a user,
such as the user ID or the user’s real name, was stored in one consistent way and
leveraged for each system that the user used, and b) information was stored in a central
location instead of being copied or created on multiple different systems. Historically,
each computer operating system evolved with its own directory system. On UNIX
systems, Sun’s Network Information System (NIS) became popular. On Windows
systems, Novell’s NDS and Microsoft’s NT4 domain system were most commonly used
in the 1990s.
In this decade, both UNIX and Windows directories have gradually evolved to favor
Lightweight Directory Access Protocol (LDAP)-based technology. These solutions
include Sun’s Java System Directory Server (formerly known as iPlanet or SunOne
Directory), eDirectory from Novell, OpenLDAP on Linux and Active Directory from
Microsoft. The good news for customers was that all these directories had a common
underlying structure based on the LDAP protocol, and each system had a similar method
for storing user and computer information. However, as is the case with most “open
systems” technology, there were enough differences between each solution that in fact
these systems did not fully interoperate. As a result, most organizations still end up
maintaining separate directory systems for each operating system platform.
Another critical factor that is driving customers to look for a single directory system is
the need for tighter centralized security controls over the access of sensitive data.
Enterprises want to ensure that users are granted secure access to only the systems, data
and applications essential to their day-to-day jobs. Tracking and auditing system access is
now a required feature as new rules for customer data protection are imposed on
organizations. As the number of directories within an organization increases, the task of
managing user access becomes more complex. The ideal solution would be to have one
central, secure directory for all computers, and control user identity, access and policy
from that one system.
Centralized directory services offer numerous benefits to the administrator and the
computer user, including:
Centralized password management and consistent user names. Users can have
one user ID and one password that work on multiple machines as opposed to having
to remember different logins and passwords for each system.
Once the decision has been made to consolidate directory services into fewer directory
systems, the question arises: Which directory can best serve your organization?
While many organizations that use Windows-based systems have moved to Microsoft’s
Active Directory system, most only use it for managing Windows accounts. This is
because Microsoft provides little support for non-Windows systems within Active
Directory (although a NIS translator for Active Directory is available with the Microsoft
Services for UNIX product). Other directories, such as Sun’s Java System Directory
Server or Novell’s eDirectory, may seem like more logical choices since they provide
better cross-platform support. However, many customers are reluctant to use these
products to serve Windows clients because of concerns over compatibility with directory-
based Windows applications, such as Microsoft Exchange, SQL Server and Internet
Information Services (IIS). Active Directory was designed to work with these
applications. Other directory solutions may require substantial customization to work
with these applications or, in some cases, may not work at all. In addition, Sun’s
directory was not designed as a Network Operating System directory for Windows
workstations.
Active Directory begins with a foundation of capabilities that are common to any
enterprise directory. Active Directory provides:
Most customers, however, now demand something more than just an enterprise user
directory. Complex infrastructure environments, requirements for strong, verifiable
security, and regulatory compliance have changed the way people think about identity
management so much that the term “enterprise authentication infrastructure” probably
better describes what most customers need. Meeting these additional challenges is where
Active Directory really shines.
combined the strengths of these two technologies to best leverage the open
extensibility of LDAP and the highly secure, ticket-based authentication of Kerberos.
For example, a key advantage of Active Directory’s ticket-based authentication
system is that, once the user has successfully logged into a system, his or her
credentials can be used to automatically access other systems and applications based
on established security access rights.
Microsoft’s Group Policy capability extends Active Directory beyond identity and
access management to policy and configuration management, which is crucial for
meeting regulatory requirements. Administrators have full multi-level control over
applying policies to accounts and systems through the Group Policy system.
Active Directory further extends its management capabilities by integrating into the
directory such key infrastructure services as DNS, VPN, certificate services, remote
access services, printer management, Smartcard / biometric security and Radius. This
means that different infrastructure services can be enabled for targeted machines and
users, and these services can be associated with other services and system policies in
a totally integrated way. Other infrastructure solutions such as Microsoft’s ISA
Server and Identity Integration Server also work within the Active Directory
architecture. Additionally, applications can easily leverage the directory’s account,
computer and management interfaces to provide a seamlessly integrated, secure
experience. Microsoft Exchange, IIS and SQL Server are just a few examples of
Active Directory-integrated applications. End-users also have easy access to
infrastructure information in Active Directory, using features such as looking up
other users in the Global Catalog, location-based printer discovery and server
browsing – all without having to know directory and infrastructure concepts.
Active Directory is now a mature, well established technology that has proven to be
highly scalable and secure. Active Directory’s distributed model automatically
replicates information to other sites, even over slow links, thereby ensuring both
fault tolerance with automated failover and increased performance through
automated discovery of the closest Active Directory server. In addition, Active
Directory is one of the easiest-to-use directory / infrastructure solutions in the market
– based on the familiar Windows look-and-feel and established interfaces such as
Windows “Wizards” and the Microsoft Management Console (MMC).
The business case for leveraging Active Directory as a true enterprise-wide directory /
infrastructure solution is also strong:
With Active Directory built and supported by Microsoft – the largest software
company in the world – there is little risk in deploying an Active Directory solution.
Microsoft is firmly committed to Active Directory and continues to invest in
enhancing and expanding its capabilities.
The Centrify DirectControl suite is the only seamlessly integrated solution that
comprehensively extends Microsoft Active Directory's identity management, access
control and Group Policy services to your UNIX, Linux, Java and web platforms.
Centrify DirectControl is quick and easy to deploy, does not require costly or intrusive
changes to existing systems, and uniquely integrates your multiple UNIX/Linux identities
into Active Directory. By using DirectControl, administrators no longer need to manage
accounts on each individual UNIX, Linux or Mac system, but instead can use Active
Directory for identity and policy management.
On the Windows side, DirectControl consists of a console for Windows systems that is
very similar to the Active Directory Users and Computers Microsoft Management
Console. DirectControl enables the storage and management of UNIX user and computer
attributes in Active Directory and joins these new attributes to existing user and group
accounts.
On the UNIX or Linux system, DirectControl consists of a service that controls login
authentication and directory lookup services, and vectors those calls back to the Windows
Active Directory system. Additionally, utilities are included to join the UNIX system to
the Active Directory domain and perform diagnostic tasks. The DirectControl suite is
supported on most of the popular UNIX, Linux and Mac platforms in use today.
With both Active Directory and DirectControl installed, an organization can easily
deploy a single directory capable of serving a vast majority of the users and computing
platforms in the organization. In addition to the benefits of Active Directory highlighted
earlier, the customer can now realize substantial new benefits with the combination of
the two technologies. The following sections describe these new benefits, which now
span Windows, UNIX, Linux, Mac and Java platforms.
One directory is now used for managing access to Windows and UNIX-based
systems, including logon times and permitted users and groups. The administrator
can use a central console to temporarily disable access to systems or user accounts to
allow for maintenance or security tasks.
One single account record is used for each user’s identity, password and credential
information. The system also manages password policies such as length, complexity,
resets, login failure lockouts and aging. Administrators can provision or
decommission users for all systems with one account record update.
DirectControl allows you to map special UNIX accounts such as root to trusted
Active Directory users. No longer do administrators have to manage special UNIX
accounts machine by machine.
Groups can be managed centrally, including the ability to map UNIX groups to
Active Directory groups. Using DirectControl Zones, IT managers have the ability to
also manage access to systems based on pre-established roles. Access rights for each
user, group and computer can easily be mapped and tracked using the tools in
DirectControl and Active Directory. In addition, the logging of user logins and
system access attempts, for all systems in the domain, is stored in one central
location. These reporting tools help demonstrate compliance with data access regulations.
Both the Active Directory solution set and the DirectControl suite leverage the same,
easy-to-use, Windows-based interface through Wizards and Microsoft Management
Consoles.
Users now have a single username and password that can be used to access all
authorized systems. Users are no longer required to memorize and manage
passwords as they move from one platform to the next.
Through DirectControl’s credential caching feature, UNIX users are now able to log
into their systems even if they are disconnected from the central network. This is
consistent with the standard Windows client user experience, which supports offline
domain user logins.
Companies will see lower management and training costs due to the use of a single
consolidated interface for identity, policy and infrastructure management.
IT departments no longer need to purchase and maintain directory and user licenses
and support contracts for multiple directory systems.
The Group Policy engine can now be leveraged to manage system policies across all
platforms.
Centrify’s DirectControl is the only solution to offer you the flexibility to maintain
multiple UNIX IDs linked to a single Active Directory account using DirectControl
Zones. This feature is indispensable for IT managers who are migrating multiple
legacy identity systems to Active Directory.
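To make the Zone concept described above concrete, here is an added Python model (not Centrify's code or schema; the account names, zone names and profile layout are constructed) showing how one Active Directory account resolves to a different UNIX identity per zone, how a host denies a login when the account is not enabled in its zone, and an audit that flags the two mistakes a migration from several legacy identity systems should catch: duplicate UIDs inside one zone, and UID 0 mapped to an account outside a trusted set.

```python
# Hypothetical model of zone-scoped UNIX identities attached to AD accounts.
# Constructed for illustration; not Centrify's data schema or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class UnixProfile:
    uid: int
    gid: int
    home: str
    shell: str

# Constructed directory: sAMAccountName -> zone -> UnixProfile.
# "alice" keeps two different legacy uids, one per zone.
DIRECTORY = {
    "alice": {"finance": UnixProfile(1001, 100, "/home/alice", "/bin/bash"),
              "engineering": UnixProfile(5123, 500, "/export/home/alice", "/bin/ksh")},
    "bob": {"finance": UnixProfile(1002, 100, "/home/bob", "/bin/bash")},
    "opsadmin": {"engineering": UnixProfile(0, 0, "/root", "/bin/bash")},
    "carol": {"engineering": UnixProfile(5123, 500, "/export/home/carol", "/bin/bash")},
    "dave": {"engineering": UnixProfile(0, 0, "/root", "/bin/sh")},
}
TRUSTED_ROOT_ACCOUNTS = {"opsadmin"}  # AD accounts allowed to map to root

def resolve(user, zone):
    """Return the passwd(5) line a host in `zone` would see for `user`,
    or None when the account is not enabled in that zone (login denied)."""
    profile = DIRECTORY.get(user, {}).get(zone)
    if profile is None:
        return None
    return f"{user}:x:{profile.uid}:{profile.gid}:{user}:{profile.home}:{profile.shell}"

def audit_zone(zone):
    """Flag uid collisions and root mappings to untrusted accounts within one zone."""
    findings, seen = [], {}  # seen: uid -> first account that claimed it
    for user, zones in DIRECTORY.items():
        profile = zones.get(zone)
        if profile is None:
            continue  # account not provisioned in this zone
        if profile.uid in seen:
            findings.append(f"uid {profile.uid} shared by {seen[profile.uid]} and {user}")
        seen.setdefault(profile.uid, user)
        if profile.uid == 0 and user not in TRUSTED_ROOT_ACCOUNTS:
            findings.append(f"uid 0 mapped to untrusted account {user}")
    return findings
```

Running the audit per zone before joining hosts to it catches identity conflicts while they are still a directory problem rather than a file-ownership problem on the UNIX systems.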
The possibility of managing user identity information, security credentials, system policy
and infrastructure services across multiple systems from a single enterprise directory has
been a goal of IT managers for years.
With Centrify’s DirectControl and Microsoft’s Active Directory, you can now extend the
directory you already own to UNIX, Linux, Mac and Java environments and realize
substantial benefits for your organization through lower costs, better security, simplified
management and increased productivity.
Single identity and policy directory using DirectControl and Active Directory
Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041