Dealing With Multiple Identity Stores

By Tony Bailey, Senior Product Manager, Security and Compliance Solutions


As soon as a network environment has more than one location to store digital identities, the problem of how to manage multiple identities emerges.

Identity management includes the process and technologies for provisioning, deprovisioning, managing, and synchronizing digital identities while complying with governing policies. Identity integration deals with linking identity information in multiple directories, databases, and other identity stores. Integration provides a unified view of users, and can implement identity provisioning and deprovisioning across multiple stores.

Microsoft offers two related applications for identity integration:

  • Microsoft Identity Integration Server 2003, Enterprise Edition (MIIS 2003)

  • Identity Integration Feature Pack for Microsoft Windows Server 2003 Active Directory

The central problem of managing digital identity is ensuring that you can add and remove security principals in the centralized identity store that the Active Directory service maintains, as well as in other identity stores for applications that are not fully integrated with Active Directory.

Provisioning often needs to tie in with the organization's operational procedures. For example, when hiring a new employee, the employee's manager might need to approve the provisioning process. There are three primary ways of adding workflow to the provisioning mechanism:

  • MIIS 2003 rules extensions. You can implement simple workflow-driven provisioning by using MIIS 2003 rules extensions. A change of state in a connected database, such as in a human resources (HR) application, would then begin an automated provisioning sequence. The rules extensions in MIIS 2003 govern the creation of digital identities in the appropriate identity stores. However, this mechanism would not allow for any manual approval processes.

  • Simple workflow. You can also implement a simple workflow application, probably with a Web-based interface, that allows manual workflow steps within the automatic provisioning process. This option covers the scenario where a new employee requires manager approval, with the restriction that managers can approve only their own new employees. When the HR department creates a new employee account, they enter the manager’s name into the workflow application so that a notification e-mail is sent to the manager who must approve the new employee. When a manager logs on to the Web site, a list of the manager’s new employees is presented for approval. After approval is given, the simple application then creates the new user accounts in all the relevant identity stores.

  • Microsoft BizTalk Server 2004 orchestration. BizTalk Server 2004 orchestration provides advanced workflow capabilities for complex heterogeneous environments.
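The HR-driven provisioning sequence and the manager-approval step described in the list above, as an added Python example that is not part of the original column and not MIIS 2003 code; the HR records, store contents and employee IDs are constructed, and the join key (employee ID) and the action names are assumptions:

```python
# Added example (not from the original column): HR-driven provisioning and
# deprovisioning across connected identity stores, with a manager approval gate.

# Authoritative HR records, keyed by employee ID (constructed sample data).
HR = {
    "1001": {"name": "Ana Ruiz", "status": "active", "manager": "2001"},
    "1002": {"name": "Bo Lee", "status": "terminated", "manager": "2001"},
    "1003": {"name": "Cy Park", "status": "active", "manager": "2002"},  # new hire
}

# Connected stores (Active Directory, a UNIX store, an application database),
# each keyed by the same employee ID so records can be joined (constructed).
STORES = {
    "ad":   {"1001": {"enabled": True}, "1002": {"enabled": True}},
    "unix": {"1001": {"enabled": True}, "9999": {"enabled": True}},  # 9999: no HR record
    "app":  {"1001": {"enabled": False}, "1002": {"enabled": True}},
}

def approve(hr, emp_id, approver_id, approved):
    """Manual approval step: only the employee's own manager may approve."""
    if hr.get(emp_id, {}).get("manager") != approver_id:
        return False
    approved.add(emp_id)
    return True

def plan_provisioning(hr, stores, approved):
    """Return sorted (store, action, employee_id) tuples that bring every store
    in line with HR. A hire with no account anywhere is 'new' and is created only
    once approved; terminated staff are disabled wherever they are still enabled;
    accounts with no HR record are flagged for review rather than touched."""
    actions = []
    for emp_id, rec in hr.items():
        is_new = not any(emp_id in accts for accts in stores.values())
        for store, accts in stores.items():
            acct = accts.get(emp_id)
            if rec["status"] != "active":
                if acct and acct["enabled"]:
                    actions.append((store, "disable", emp_id))
            elif is_new:
                action = "create" if emp_id in approved else "await-approval"
                actions.append((store, action, emp_id))
            elif acct is None:
                actions.append((store, "create", emp_id))
            elif not acct["enabled"]:
                actions.append((store, "enable", emp_id))
    for store, accts in stores.items():
        for emp_id in accts:
            if emp_id not in hr:
                actions.append((store, "orphan-review", emp_id))
    return sorted(actions)
```

Running `plan_provisioning(HR, STORES, set())` leaves the new hire waiting for approval; after `approve(HR, "1003", "2002", approved)` the same call plans a create in every store.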

Another identity management option is to delegate the management of certain aspects of the digital identity to Active Directory. You can delegate administration by using the built-in access control mechanisms that Active Directory provides in a choice of interfaces. If an Active Directory schema object has a properly configured authorization policy for its access control lists (ACLs), the Microsoft Management Console (MMC) provides a way to delegate management of any Active Directory object, including the user accounts that represent digital identities.

Another popular interface choice for managing identities is to create an Active Directory–integrated Web application that provides account and attribute management. Microsoft partners that specialize in access management typically include this functionality in their products.

For more information about the delegation of administration capabilities in Active Directory, see "Design Considerations for Delegation of Administration in Active Directory" on Microsoft TechNet.

Many environments include systems and applications that cannot be readily integrated with the security features in the Microsoft Windows Server 2003 operating system and in Active Directory. Such systems typically rely on different authentication protocols, or they use a separate identity store for authentication. However, many of these systems use passwords for authentication. You can give users a better experience (although this method might also increase the attack surface) by provisioning and synchronizing accounts, and by keeping the credentials (passwords) used to log on to Active Directory in step with the accounts and passwords used in the other systems.

Microsoft products that perform password management include:

  • MIIS 2003. Provides for password propagation between connected directories by using a Windows Management Instrumentation (WMI) interface. MIIS 2003 provides pre-built Web pages for password changes and resets.

  • Microsoft Windows Services for UNIX. Performs password propagation between Active Directory and the UNIX platform.

  • Microsoft Windows Services for NetWare. Performs password propagation between Active Directory and NetWare.

  • Microsoft Host Integration Server (HIS). Performs password synchronization between Active Directory and various host-based systems.

  • Active Directory Custom Password Notification Filters. The Windows Software Development Kit (SDK) and the "Password Management" paper in this series include information on developing a custom password notification filter to implement enhanced password management services.

You can manage accounts and passwords with other systems, especially other directory systems and identity store databases, by using MIIS 2003. This product includes connectors that integrate with the most common directories and databases, making it simple to deploy a password management mechanism. MIIS 2003 supports password management in the following ways:

  • Help desk reset. Help desk personnel can reset user passwords by using the Web interface that is provided with MIIS 2003. You can configure the password change to flow to Active Directory and other directories supported by MIIS 2003 for password management.

  • Web-initiated changes. Users change passwords through a common Web-based password change application. The password is then distributed to all MIIS 2003–supported directories and systems, including Active Directory.

  • Windows-initiated changes. Users change passwords through the Change Password dialog box on Windows-based client computers. The Active Directory password notification filter obtains the changed password and then distributes it to other systems through MIIS 2003. This functionality is not currently built into MIIS 2003, but you can implement it by using the Microsoft Visual Studio .NET development system with custom coding, as shown in the sample included with the "Password Management" paper in this series.

  • Other system-initiated changes. Users change passwords through non-Windows-based operating systems. The password is obtained through mechanisms supported on the operating system and then distributed through MIIS 2003. This capability is only supported for non-Microsoft applications that integrate with Active Directory or MIIS 2003.

For detailed guidance, take a look at the Microsoft Identity and Access Management Series.