Identity & Access Management
MIIS Gets your Directories in Sync
At a Glance:
- Managing diverse credential information
- Using management agents
- Becoming familiar with the MIIS metaverse
Trying to maintain security and identity information in a large,
heterogeneous network can be difficult and complicated. And this can put your network at risk. Fortunately, Microsoft Identity
Integration Server (MIIS) 2003 allows you to synchronize identity information from many different directories and services into a single, organization-wide solution. This can help protect your network's security and simplify management.
Some of the major capabilities of MIIS 2003 include:
- Directory synchronization
- Account provisioning
- Certificate publishing
- Group management
- Management of Global Address Lists (GALs) for diverse e-mail systems
- Management and synchronization of passwords
There are four major components of MIIS 2003. They are the connected data sources, management agents, connector spaces, and the metaverse. I'll explain each concept briefly and describe how they all fit together.
Connected Data Sources
A connected data source is a system that provides information to or receives information from MIIS 2003. Many systems can act as a connected data source including directory services (such as Active Directory®), databases, and even individual files. The connected data sources currently supported by MIIS 2003 Service Pack 1 (SP1) are shown in Figure 1.
Every connected data source has a corresponding management agent. Each management agent acts to control the flow of information between its connected data source and MIIS. If you modify synchronized data in either the connected data source or within MIIS (via defined rules), the management agent will keep MIIS 2003 and the connected data sources consistent. Since there is a management agent for each supported connected data source type, the types of management agents are the same as the types of connected data sources supported by MIIS 2003. If you need to connect a data source not listed in Figure 1, MIIS also provides a generic management agent that can be configured to connect to any system that provides programmatic access to its data, called the extensible connectivity management agent. In Figure 2 an Active Directory management agent (called NewAgent) has been created.
Figure 1 Supported Sources
|Active Directory Application Mode (ADAM)
|Active Directory Global Address List (GAL)
|Attribute-Value Pair text file
|Delimited text file
|Directory Services Mark-up Language (DSML) 2.0
|Exchange Server 5.5
|Exchange Server 5.5 (bridgehead server)
|Fixed-Width text file
|IBM DB2 Universal Databases
|IBM Resource Access Control Facility (RACF)
|IBM Tivoli Directory Server
|LDAP Data Interchange Format (LDIF)
|Lotus Notes 4.6, 5.0, and 6.x
|Microsoft Exchange Server 2000 (use the management agent for Active Directory)
|Microsoft SQL Server 7.0
|or SQL Server 2000
|Netscape Directory Servers
|Novell eDirectory 8.6.2, 8.7, and 8.7.x
|Oracle Database 8i or 9i
|Sun ONE Directory Server: 4.x and 5.x
|Windows NT 4.0
Figure 2 Creating a Management Agent
Management agents are all very similar in their construction, with only slight variations depending on their type. All management agents perform some common tasks regardless of their type. These tasks include schema discovery, configuring the connector filter, configuring join and projection rules, configuring attribute flow, configuring deprovisioning, and configuring rules extensions.
Management agents also support password management, which will be important to know later in the article. The management agents that natively support password management in MIIS 2003 SP1 are: Active Directory, Active Directory Application Mode (ADAM), Lotus Notes, Sun and Netscape Directory Servers, Novell eDirectory, and Windows NT® 4.0. Any of the management agents can be programmatically extended to support password management.
The connector space is a staging area for information coming into or going out from a given management agent. The information that is staged in a management agent's connector space is used to synchronize with the metaverse or is exported out to its connected data source. Each connected data source has its own reserved logical area within the connector space that is used by its corresponding management agent. The connector space does not actually contain the connected data source as an object itself, but rather contains a subset of the connected data sources' attributes, as defined on the management agent. MIIS uses the connector space object instead of making direct queries to the connected data source when processing business rules. This improves synchronization speed between the metaverse and the connected data sources.
The metaverse is a collection of tables that contains information about connected identities from the connected data sources. These tables are stored in a SQL Server database and contain all the aggregated information about a specific entity as it exists in all of the connected data sources. Attributes and objects flow into and out of the metaverse. Updates flowing in are used to update the metaverse; updates going out are used to update the connected data sources through their respective connector space. The metaverse contains its own schema, which defines which object types and attributes the metaverse can contain. All objects in the metaverse must be of one of the types defined in the metaverse schema. The metaverse schema contains the following default objects, but can be easily extended:
- organizational unit
Now that you have some background on the structure and components of MIIS 2003 SP1 and how they interact, let's discuss the password management functionality in more detail.
Password Management in MIIS
Passwords are one of the weakest security points in a network, but the use of secure passwords can become a source of contention between administrators and users. Users would rather have nice, easy-to-remember passwords (or truthfully, none at all), whereas administrators want to implement more restrictive password requirements. This is of even more concern on networks with disparate directories where users may have several accounts with varying levels of password requirements to access each of these directories or services. MIIS 2003 SP1 has a number of new password management and synchronization features that can help. Let's see how the use of the password management and synchronization capabilities help you control passwords and reduce administrative efforts.
- Auditing features let you track changes to or setting of passwords through the use of entries written to the Event Log.
- Developers have the ability to perform password management functions through an API.
- An administrator or a user can reset passwords through a central point or through a Web services application.
- Integrated third-party solutions can be used to extend the capabilities of MIIS 2003.
- Password policies as defined in Active Directory, for example, can be enforced across other systems.
A number of security groups are created by default when you install MIIS 2003. Two of these groups are used specifically in support of password management, MIISBrowse and MIISPasswordSet, while the others, MIISAdmins, MIISOperators, and MIISJoiners are used in support of MIIS 2003. A listing of these groups and a description of their functions is shown in Figure 3.
Figure 3 Security Groups
|MIISBROWSE Security Group
||Members of this group have permission to gather information about a user’s accounts when doing search operations with WMI queries
|MIISPasswordSet Security Group
||Members can perform account search, password set, and password change operations using the password management interfaces with WMI.
|MIISAdmins Security Group
||Members of this group have full access to everything in Identity Manager.
|MIISOperators Security Group
||Members have access to Operations in the Identity Manager only. MIISOperators can run management agents, view synchronization stats, and save the run histories. Members must also be members of the MIISBrowse group to open links in synchronization statistics.
|MIISJoiners Security Group
||Members have access to Joiner and Metaverse Search in Identity Manager. MIISJoiners can join or project disconnectors by using Joiner and they can use Metaverse Search to view object properties and disconnect objects from the metaverse.
Password Change Notification Service
The management of passwords is a costly and time-consuming process for many administrators. Fortunately, this process has been greatly enhanced with a new feature in MIIS 2003 SP1—the Password Change Notification Service (PCNS). This new service allows for the secure updating of password resets to be sent to an MIIS 2003 server. When a password reset is initiated on a domain controller, either by a user who presses Ctrl+Alt+Del, or by an administrator, the request is intercepted. The intercepted request is encrypted and then forwarded on to the MIIS 2003 server and from there to all connected data sources (that are configured for password management) through synchronization. To see how to install the PCNS and configure a management agent, see the sidebars by the same names.
Randy Muller, MCT, MCSE, MCSA, MCDST, teaches a variety of networking, security, and other computer classes. He is a former Army Signal Corp Officer and has been teaching since 2000. You can contact Randy at firstname.lastname@example.org.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited
In this article, I have discussed the major components of MIIS 2003 and how they work together. I've also given you a brief overview of the password management and synchronization features available through the PCNS. All this should put you on the road to successful identity synchronization and password management across your organization. Now that you've been introduced to all the great features available in MIIS 2003 SP1, you'll almost certainly want to take a look at more info, which you can find at microsoft.com/windowsserversystem/miis2003/default.mspx