Active Directory and DirectControl




WHITE PAPER, CENTRIFY CORP., APRIL 2005

Active Directory and DirectControl
The Right Choice for Enterprise Identity Management and Infrastructure Consolidation

ABSTRACT

Microsoft's Active Directory is now the de facto standard in most enterprises for providing authentication, authorization, account access, computer policy and infrastructure management for Windows systems and applications. Active Directory has proven itself to be highly scalable, very secure and resilient under just about any load. However, in many of these enterprises there is usually no single way of providing these same services to UNIX, Linux, Mac and Java-based environments. Most companies end up managing these systems with a variety of directory solutions, some of which are centralized and some of which are managed at each individual machine.

Huge benefits can be gained by consolidating identity, policy and infrastructure management into a single centralized solution, thereby saving time and money in administrative overhead, lowering training requirements and increasing productivity. With the popularity of Active Directory, many companies would like to leverage their Active Directory investment and offer these services beyond their Windows platforms. UNIX, Linux and Mac platforms are the second largest base of systems in many large companies, so integrating these systems into Active Directory would be highly beneficial. Fortunately, there is a solution to meet this need: Centrify's DirectControl suite. This paper discusses the drivers for consolidating identity, policy and infrastructure management with Active Directory and accomplishing the integration of UNIX, Linux, Mac and Java with DirectControl.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Centrify Corporation. All rights reserved. Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

WP-004-2005-05-09. CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.

Contents

1 Why centralized directories make sense ... 1
1.1 What is a centralized directory? ... 1
1.2 Benefits of centralized directories ... 2
2 Enterprise capabilities of Active Directory ... 3
2.1 Active Directory's unique features and benefits ... 3
2.2 The business case for Active Directory ... 4
3 Extending Active Directory with Centrify DirectControl ... 5
3.1 What is Centrify DirectControl? ... 5
3.2 The combined benefits of DirectControl and Active Directory ... 6
3.2.1 Centralized management and security ... 6
3.2.2 Ease of use and increased productivity ... 6
3.2.3 Lower cost ... 7
3.2.4 Extensible identity and policy management ... 7
4 Active Directory and DirectControl: the right choice ... 7
5 How to contact Centrify ... 8

1 Why centralized directories make sense

1.1 What is a centralized directory?

Centralized directories for computing platforms have been around for almost as long as computer networks. The concept behind a directory was to provide a place to put user, and in some cases computer, account information so that a) information about a user, such as the user ID or the user's real name, was stored in one consistent way and leveraged for each system that the user used, and b) information was stored in a central location instead of being copied or created on multiple different systems.

Historically, each computer operating system evolved with its own directory system. On UNIX systems, Sun's Network Information System (NIS) became popular. On Windows systems, Novell's NDS and Microsoft's NT4 domain system were most commonly used in the 1990s.

[Figure: Typical directory situation with multiple identities across different systems]

In this decade, both UNIX and Windows directories have gradually evolved to favor Lightweight Directory Access Protocol (LDAP)-based technology. These solutions include Sun's Java System Directory Server (formerly known as iPlanet or Sun ONE Directory), eDirectory from Novell, OpenLDAP on Linux and Active Directory from Microsoft. The good news for customers was that all these directories had a common underlying structure based on the LDAP protocol, and each system had a similar method for storing user and computer information. However, as is the case with most open systems technology, there were enough differences between each solution that in fact these systems did not fully interoperate. As a result, most organizations still end up maintaining separate directory systems for each operating system platform.

Another critical factor that is driving customers to look for a single directory system is the need for tighter centralized security controls over access to sensitive data. Enterprises want to ensure that users are granted secure access to only the systems, data and applications essential to their day-to-day jobs. Tracking and auditing system access is now a required feature as new rules for customer data protection are imposed on organizations. As the number of directories within an organization increased, the task of managing user access became more complex. The ideal solution would be to have one central, secure directory for all computers, and to control user identity, access and policy from that one system.

1.2 Benefits of centralized directories

Centralized directory services offer numerous benefits to the administrator and the computer user, including:

- User accounts can be stored in a single secure database as opposed to being stored and managed at each machine. The result is lower management costs, because less time is required to provision or decommission a user's account, even for use on multiple machines.
- Access permissions and policies can be centrally managed, resulting in better security for all systems. Administrators have immediate control over access to machines and no longer need to manage access rights machine by machine. Additionally, policies such as password length or access times can be easily applied to all systems.
- Centralized password management and consistent user names. Users can have one user ID and one password that work on multiple machines, as opposed to having to remember different logins and passwords for each system.

Once the decision has been made to consolidate directory services into fewer directory systems, the question arises: which directory can best serve your organization?

2 Enterprise capabilities of Active Directory

While many organizations that use Windows-based systems have moved to Microsoft's Active Directory, most only use it for managing Windows accounts. This is because Microsoft provides little support for non-Windows systems within Active Directory (although a NIS translator for Active Directory is available with the Microsoft Services for UNIX product). Other directories, such as Sun's Java System Directory Server or Novell's eDirectory, may seem like more logical choices since they provide better cross-platform support. However, many customers are reluctant to use these products to serve Windows clients because of concerns over compatibility with directory-based Windows applications, such as Microsoft Exchange, SQL Server and Internet Information Services (IIS). Active Directory was designed to work with these applications. Other directory solutions may require substantial customization to work with these applications or, in some cases, may not work at all. In addition, Sun's directory was not designed as a Network Operating System directory for Windows workstations.

Active Directory begins with a foundation of capabilities that are common to any enterprise directory. Active Directory provides:

- Centralized user and group account management, including the ability to maintain manager / worker relationships.
- Full control over password management, including password aging, password complexity and forced password resetting, as well as the ability to temporarily disable an account. Active Directory can also easily manage hours of use for each user and computer.
- A distributed model for high availability, increased performance and organizational compartmentalization, including the ability to manage cross-domain relationships and trusts. This means that users in each part of the organization can always access their systems, even in the event of a server failure.

Most customers, however, now demand something more than just an enterprise user directory. Complex infrastructure environments, requirements for strong, verifiable security, and regulatory compliance have changed the way people think about identity management so much that the term "enterprise authentication infrastructure" probably better describes what most customers need. Meeting these additional challenges is where Active Directory really shines.

2.1 Active Directory's unique features and benefits

Some of the unique technical features and benefits include:

- Active Directory is based on proven enterprise-ready technologies: LDAP for directory services and Kerberos for secure authentication. Microsoft has uniquely combined the strengths of these two technologies to best leverage the open extensibility of LDAP and the highly secure, ticket-based authentication of Kerberos. For example, a key advantage of Active Directory's ticket-based authentication system is that, once the user has successfully logged into a system, his or her credentials can be used to automatically access other systems and applications based on established security access rights.
- Microsoft's Group Policy capability extends Active Directory beyond identity and access management to policy and configuration management, which is crucial for meeting regulatory requirements. Administrators have full multi-level control over applying policies to accounts and systems through the Group Policy system.
- Active Directory further extends its management capabilities by integrating into the directory such key infrastructure services as DNS, VPN, certificate services, remote access services, printer management, smartcard / biometric security and RADIUS. This means that different infrastructure services can be enabled for targeted machines and users, and these services can be associated with other services and system policies in a totally integrated way. Other infrastructure solutions such as Microsoft's ISA Server and Identity Integration Server also work within the Active Directory architecture.
- Additionally, applications can easily leverage the directory's account, computer and management interfaces to provide a seamlessly integrated, secure experience. Microsoft Exchange, IIS and SQL Server are just a few examples of Active Directory-integrated applications.
- End users also have easy access to infrastructure information in Active Directory, using features such as looking up other users in the Global Catalog, location-based printer discovery and server browsing, all without having to know directory and infrastructure concepts.
- Active Directory is now a mature, well established technology that has proven to be highly scalable and secure. Active Directory's distributed model automatically replicates information to other sites, even over slow links, thereby ensuring both fault tolerance with automated failover and increased performance through automated discovery of the closest Active Directory server.
- In addition, Active Directory is one of the easiest-to-use directory / infrastructure solutions in the market, based on the familiar Windows look-and-feel and established interfaces such as Windows Wizards and the Microsoft Management Console (MMC).

2.2 The business case for Active Directory

The business case for leveraging Active Directory as a true enterprise-wide directory / infrastructure solution is also strong:

- Since Active Directory is an integral part of Windows infrastructure and networking, it has already become a ubiquitous and irreplaceable component within your IT environment.

- Many organizations have already made investments to migrate to Active Directory and deploy it company-wide. It makes good business sense to fully leverage those investments by extending Active Directory to other platforms, versus the cost of trying to maintain different solutions for different platforms.
- Typically, most of your organization's internal identity information is already stored in Active Directory. Why spend extra time, money and resources to move it or replicate it to another system?
- With Active Directory built and supported by Microsoft, the largest software company in the world, there is little risk in deploying an Active Directory solution. Microsoft is firmly committed to Active Directory and continues to invest in enhancing and expanding its capabilities.

Given these capabilities, Active Directory would be an excellent choice to provide centralized, cross-enterprise directory and infrastructure services, except that it is missing one essential feature: it does not include capabilities to easily support non-Windows client systems. However, the solution landscape has recently changed, and there is now a way to extend the features and benefits of Active Directory to non-Windows systems and applications. Centrify's DirectControl suite includes all of the necessary software to allow UNIX, Linux, Mac and Java environments to use Active Directory as a central user identity, infrastructure and policy engine.

3 Extending Active Directory with Centrify DirectControl

3.1 What is Centrify DirectControl?

The Centrify DirectControl suite is the only seamlessly integrated solution that comprehensively extends Microsoft Active Directory's identity management, access control and Group Policy services to your UNIX, Linux, Java and web platforms. Centrify DirectControl is quick and easy to deploy, does not require costly or intrusive changes to existing systems, and uniquely integrates your multiple UNIX/Linux identities into Active Directory.

By using DirectControl, administrators no longer need to manage accounts on each individual UNIX, Linux or Mac system, but instead can use Active Directory for identity and policy management. On the Windows side, DirectControl consists of a console for Windows systems that is very similar to the Active Directory Users and Computers Microsoft Management Console. DirectControl enables the storage and management of UNIX user and computer attributes in Active Directory and joins these new attributes to existing user and group accounts. On the UNIX or Linux system, DirectControl consists of a service that controls login authentication and directory lookup services, and vectors those calls back to the Windows Active Directory system. Additionally, utilities are included to join the UNIX system to the Active Directory domain and perform diagnostic tasks. The DirectControl suite is supported on most of the popular UNIX, Linux and Mac platforms in use today.

3.2 The combined benefits of DirectControl and Active Directory

With both Active Directory and DirectControl installed, an organization can easily deploy a single directory capable of serving the vast majority of the users and computing platforms in the organization. In addition to the benefits of Active Directory highlighted earlier, the customer can now realize substantial new benefits from the combination of the two technologies. The following sections describe these new benefits, which now span Windows, UNIX, Linux, Mac and Java platforms.

3.2.1 Centralized management and security

- One directory is now used for managing access to Windows and UNIX-based systems, including logon times and permitted users and groups. The administrator can use a central console to temporarily disable access to systems or user accounts to allow for maintenance or security tasks.
- One single account record is used for each user's identity, password and credential information. The system also manages password policies such as length, complexity, resets, login failure lockouts and aging. Administrators can provision or decommission users for all systems with one account record update.
- Active Directory's highly secure, ticket-based authentication, using industry standard Kerberos, can be used across Windows, UNIX, Linux, Mac and Java platforms. This results in a single sign-on experience that spans all Windows, UNIX and Linux systems.
- DirectControl allows you to map special UNIX accounts such as root to trusted Active Directory users. No longer do administrators have to manage special UNIX accounts machine by machine.
- Groups can be managed centrally, including the ability to map UNIX groups to Active Directory groups.
- Using DirectControl Zones, IT managers also have the ability to manage access to systems based on pre-established roles. Access rights for each user, group and computer can easily be mapped and tracked using the tools in DirectControl and Active Directory.
- In addition, the logging of user logins and system access attempts, for all systems in the domain, is stored in one central location. These reporting tools help with conformance to data access regulations.

3.2.2 Ease of use and increased productivity

- Both the Active Directory solution set and the DirectControl suite leverage the same easy-to-use, Windows-based interface through Wizards and Microsoft Management Consoles.

- Users now have a single username and password that can be used to access all authorized systems. Users are no longer required to memorize and manage passwords as they move from one platform to the next.
- Through DirectControl's credential caching feature, UNIX users are now able to log into their systems even if they are disconnected from the central network. This is consistent with the standard Windows client user experience, which supports offline domain user logins.

3.2.3 Lower cost

- Companies will see lower management and training costs due to the use of a single consolidated interface for identity, policy and infrastructure management.
- IT departments no longer need to purchase and maintain directory and user licenses and support contracts for multiple directory systems.
- The combination of DirectControl and Active Directory leverages your existing investment in Microsoft licenses, support, applications and knowledge.

3.2.4 Extensible identity and policy management

- The Group Policy engine can now be leveraged to manage system policies across all platforms.
- Developers have the ability to extend Active Directory-enabled applications beyond Windows to UNIX and Java-based applications.
- Centrify's DirectControl is the only solution to offer you the flexibility to maintain multiple UNIX IDs linked to a single Active Directory account, using DirectControl Zones. This feature is indispensable for IT managers who are migrating multiple legacy identity systems to Active Directory.

4 Active Directory and DirectControl: the right choice

The possibility of managing user identity information, security credentials, system policy and infrastructure services across multiple systems from a single enterprise directory has been a goal of IT managers for years.

- Active Directory is a proven, secure, scalable, highly available distributed infrastructure and identity management solution.
- Active Directory is backed by the world's largest software vendor, Microsoft, and is therefore a low risk, well supported, long-term solution.
- DirectControl is built by a leading identity management firm, and Centrify has established strong partnering relationships with Microsoft and other major enterprise vendors.

With Centrify's DirectControl and Microsoft's Active Directory, you can now extend the directory you already own to UNIX, Linux, Mac and Java environments and realize substantial benefits for your organization through lower costs, better security, simplified management and increased productivity.

[Figure: Single identity and policy directory using DirectControl and Active Directory]

5 How to contact Centrify

Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041
U.S. Sales Office: +1 (650) 961-1100
Enquiries: info@centrify.com
Web site: www.centrify.com
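The identity model described in sections 3.1 and 3.2.4 (a host-side service that vectors login and lookup calls to the directory, and Zones that let one Active Directory account carry several UNIX IDs) as a small added model in Python. This is illustration code written for this page, not Centrify's implementation; the schema, zone names, account names and uid values are assumptions constructed for the example.

```python
"""Zone-scoped UNIX identity resolution over one directory account.

Added illustration, not Centrify code. Assumed schema: an Active Directory
account carries at most one UNIX profile (uid, gid, home, shell) per zone,
and a UNIX host is joined to exactly one zone. The host-side resolver serves
getpwnam-style lookups only from its own zone, so the zone is an access
boundary, and disabling the AD account takes effect in every zone at once.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class UnixProfile:
    uid: int
    gid: int
    home: str
    shell: str


@dataclass
class ADAccount:
    sam: str                   # Active Directory logon name
    enabled: bool = True
    # zone name -> UNIX profile; each legacy NIS domain becomes one zone
    profiles: Dict[str, UnixProfile] = field(default_factory=dict)


class Directory:
    """Stand-in for the AD side: one record per user, profiles keyed by zone."""
    def __init__(self) -> None:
        self._accounts: Dict[str, ADAccount] = {}

    def add(self, account: ADAccount) -> None:
        self._accounts[account.sam.lower()] = account

    def lookup(self, sam: str) -> Optional[ADAccount]:
        return self._accounts.get(sam.lower())  # AD logon names are case-insensitive

    def accounts(self) -> Iterable[ADAccount]:
        return self._accounts.values()


class HostResolver:
    """Host-side service: vectors name/uid lookups to the directory, restricted
    to the zone this host was joined to."""
    def __init__(self, directory: Directory, zone: str) -> None:
        self.directory = directory
        self.zone = zone

    def getpwnam(self, name: str) -> Optional[UnixProfile]:
        acct = self.directory.lookup(name)
        if acct is None or not acct.enabled:
            return None                       # unknown or centrally disabled
        return acct.profiles.get(self.zone)   # None: not provisioned in zone

    def getpwuid(self, uid: int) -> Optional[str]:
        # Reverse lookup is zone-scoped too: another zone may reuse the uid.
        for acct in self.directory.accounts():
            prof = acct.profiles.get(self.zone)
            if prof is not None and prof.uid == uid and acct.enabled:
                return acct.sam
        return None

    def may_login(self, name: str) -> bool:
        return self.getpwnam(name) is not None


def build_demo() -> Directory:
    """Constructed sample: two legacy UNIX domains migrated as two zones."""
    d = Directory()
    alice = ADAccount("alice")
    # alice had different uids in the two legacy systems; both stay linked
    # to her single AD account instead of being renumbered.
    alice.profiles["finance"] = UnixProfile(1001, 1001, "/home/alice", "/bin/bash")
    alice.profiles["research"] = UnixProfile(5020, 5000, "/export/home/alice", "/bin/ksh")
    d.add(alice)
    bob = ADAccount("bob")
    bob.profiles["research"] = UnixProfile(5021, 5000, "/export/home/bob", "/bin/bash")
    d.add(bob)
    carol = ADAccount("carol", enabled=False)   # decommissioned centrally
    carol.profiles["finance"] = UnixProfile(1002, 1001, "/home/carol", "/bin/bash")
    d.add(carol)
    return d
```

A host joined to the "finance" zone resolves alice to uid 1001 and refuses bob entirely, while a "research" host resolves the same account to uid 5020; disabling the one AD record removes her from both.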