What's New for Identity Management in Windows Server 2008
Updated: May 1, 2008
Applies To: Windows Server 2008
Establishing that a user is a valid user of information or resources in your environment requires that the user be able to provide two pieces of information to your network: authentication and proof of identity. The following Windows authentication technologies have changed for the Windows Server 2008 and Windows Vista operating systems.
To simplify development of smart card software tools (which is typically performed by the smart card provider), a common cryptographic service provider (CSP) implements all the standard operating system cryptographic functions that hardware and software developers need. In addition, integrated non-Microsoft card modules make it easier to rapidly deploy a smart card solution and enable protected, predictable communications between the CSP and other components of the smart card infrastructure. With Windows Server 2008 and Windows Vista, improvements to the Kerberos authentication protocol mean that users are prompted for their PIN less often.
In addition, the restrictive requirements in Windows Server 2003 for specific certificate types have been loosened, and functional changes have been made to smart card logon.
Windows Server 2008 has new features to support 802.1X authenticated wired connections, 802.3 Ethernet connections, and 802.11 wireless connections for client computers running Windows Server 2008 and Windows Vista. These features enable you to use Group Policy to configure settings on multiple domain members running Windows Server 2008 and Windows Vista so that they can connect to an 802.1X Ethernet network. As an alternative to Group Policy–based client configuration for 802.1X wired and wireless network access, you can now use wired Netsh commands (Netsh lan) and wireless Netsh commands (Netsh wlan) in logon scripts. Additionally, Windows Server 2008 provides more configuration options. Administrators can now configure multiple profiles to connect to one wireless network, using a common service set identifier (SSID), but with each profile specifying unique security properties.
The Windows Server 2008 and Windows Vista operating systems include a Backup and Restore Wizard that allows users to back up the user names and passwords they have asked Windows to remember for them into a file encrypted by using the Advanced Encryption Standard (AES). This new functionality allows users to restore the user names and passwords on any computer running Windows Vista. Restoring a backup file on a different computer allows a user to effectively roam or move their saved user names and passwords.
Authentication protocols are implemented in Windows by security service providers (SSPs). Windows Server 2008 and Windows Vista introduce a new authentication package called the Credential Security Service Provider (CredSSP) that provides a single sign-on (SSO) user experience when starting new Terminal Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side SSP) to the target server (through the server-side SSP) based on client policies. CredSSP policies are configured via Group Policy, and delegation of credentials is turned off by default.
Windows Server 2008 and Windows Vista can also display information about previous logons, which enables users to determine whether their accounts were used (or were attempted to be used) without their knowledge. When this feature is enabled and the computer running Windows Vista is joined to a domain at the Windows Server 2008 functional level, the following information is displayed after a successful interactive logon:
Date and time of the last successful logon by that user
Date and time of the last unsuccessful logon attempt with the same user name
The number of failed logon attempts since the last successful logon with the same user name
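As an added example that is not part of the original article, the following PowerShell reads, for one account, the Active Directory attributes in which a Windows Server 2008 domain stores the three values listed above, so an administrator can review them without waiting for the user's next logon. It assumes the ActiveDirectory module (RSAT) is installed, and the account name 'jdoe' is a placeholder.

```powershell
# Added example (not from the original article). Reads the directory
# attributes behind the last-interactive-logon display. Assumes the
# ActiveDirectory module; 'jdoe' is a placeholder account name.
# The attributes are populated only when the previous-logon display
# policy is enabled and the domain is at the Windows Server 2008
# functional level; otherwise they are empty and the result shows nulls.
Import-Module ActiveDirectory

function Get-LastInteractiveLogonInfo {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $props = 'msDS-LastSuccessfulInteractiveLogonTime',
             'msDS-LastFailedInteractiveLogonTime',
             'msDS-FailedInteractiveLogonCount',
             'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    # Timestamps are stored as FILETIME (100-ns ticks since 1601-01-01).
    $toDate = {
        param($ft)
        if ($ft) { [DateTime]::FromFileTime([long]$ft) } else { $null }
    }

    # Third line of the logon display: the running failure counter minus
    # its snapshot taken at the last successful logon. [int] turns an
    # unpopulated (null) attribute into 0 instead of failing.
    $failedSinceSuccess = [int]$u.'msDS-FailedInteractiveLogonCount' -
        [int]$u.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    [pscustomobject]@{
        User                   = $u.SamAccountName
        LastSuccessfulLogon    = & $toDate $u.'msDS-LastSuccessfulInteractiveLogonTime'
        LastFailedLogonAttempt = & $toDate $u.'msDS-LastFailedInteractiveLogonTime'
        FailedSinceLastSuccess = $failedSinceSuccess
    }
}

Get-LastInteractiveLogonInfo -SamAccountName 'jdoe' | Format-List
```

A non-zero FailedSinceLastSuccess for an account whose owner reports no failed attempts is the same signal the logon screen gives the user, but reviewed centrally.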