

APRIL 2005

Active Directory and DirectControl

The Right Choice for Enterprise Identity Management and Infrastructure Consolidation

ABSTRACT

Microsoft’s Active Directory is now the de facto standard in most enterprises for providing authentication, authorization, account access, computer policy and infrastructure management for Windows systems and applications. Active Directory has proven itself to be highly scalable, very secure and resilient under just about any load. However, in many of these enterprises there is usually no single way of providing these same services to UNIX, Linux, Mac and Java-based environments. Most companies end up managing these systems with a variety of directory solutions, some of which are centralized and some of which are managed at each individual machine. Huge benefits can be gained by consolidating identity, policy and infrastructure management into a single centralized solution, thereby saving time and money in administrative overhead, lowering training requirements and increasing productivity. With the popularity of Active Directory, many companies would like to leverage their Active Directory investment and offer these services beyond their Windows platforms. UNIX, Linux and Mac platforms are the second largest base of systems in many large companies, so integrating these systems into Active Directory would be highly beneficial. Fortunately, there is a solution to meet this need – Centrify’s DirectControl suite. This paper discusses the drivers for consolidating identity, policy and infrastructure management with Active Directory and accomplishing the integration of UNIX, Linux, Mac and Java with DirectControl.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Centrify Corporation. All rights reserved.

Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

WP-004-2005-05-09

© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.

Contents

1 Why centralized directories make sense
  1.1 What is a centralized directory?
  1.2 Benefits of centralized directories
2 Enterprise capabilities of Active Directory
  2.1 Active Directory's unique features and benefits
  2.2 The business case for Active Directory
3 Extending Active Directory with Centrify DirectControl
  3.1 What is Centrify DirectControl?
  3.2 The combined benefits of DirectControl and Active Directory
    3.2.1 Centralized management and security
    3.2.2 Ease of use and increased productivity
    3.2.3 Lower cost
    3.2.4 Extensible identity and policy management
4 Active Directory and DirectControl – the right choice
5 How to contact Centrify

CENTRIFY WHITE PAPER: CENTRALIZED IDENTITY AND POLICY MANAGEMENT FOR WINDOWS, UNIX, LINUX, AND JAVA

1 Why centralized directories make sense

1.1 What is a centralized directory?

Centralized directories for computing platforms have been around for almost as long as computer networks. The concept behind a directory was to provide a place to put user, and in some cases computer, account information so that a) information about a user, such as the user ID or the user’s real name, was stored in one consistent way and leveraged for each system that the user used, and b) information was stored in a central location instead of being copied or created on multiple different systems.

Historically, each computer operating system evolved with its own directory system. On UNIX systems, Sun’s Network Information System (NIS) became popular. On Windows systems, Novell’s NDS and Microsoft’s NT4 domain system were most commonly used in the 1990s.

Figure: Typical directory situation with multiple identities across different systems

In this decade, both UNIX and Windows directories have gradually evolved to favor Lightweight Directory Access Protocol (LDAP)-based technology. These solutions include Sun’s Java System Directory Server (formerly known as iPlanet or SunOne Directory), eDirectory from Novell, OpenLDAP on Linux and Active Directory from Microsoft. The good news for customers was that all these directories had a common underlying structure based on the LDAP protocol, and each system had a similar method for storing user and computer information. However, as is the case with most “open systems” technology, there were enough differences between each solution that in fact these systems did not fully interoperate.

As a result, most organizations still end up maintaining separate directory systems for each operating system platform. As the number of directories increased within an organization, the task of managing user access became more complex. The ideal solution would be to have one central, secure directory for all computers, and control user identity, access and policy from that one system.

Another critical factor that is driving customers to look for a single directory system is the need for tighter centralized security controls over the access of sensitive data. Enterprises want to ensure that users are granted secure access to only the systems, data and applications essential to their day-to-day jobs. Additionally, tracking and auditing system access is now a required feature as new rules for customer data protection are imposed on organizations.

1.2 Benefits of centralized directories

Centralized directory services offer numerous benefits to the administrator and the computer user, including:

- User accounts can be stored in a single secure database as opposed to being stored and managed at each machine. The result is lower management costs because less time is required to provision or decommission a user’s account – even for use on multiple machines.
- Users can have one user ID and one password that work on multiple machines as opposed to having to remember different logins and passwords for each system.
- Access permissions and policies can be centrally managed. Administrators have immediate control over access to machines and no longer need to manage access rights machine by machine.
- Centralized password management and consistent user names. Policies such as password length or access times can be easily applied to all systems, resulting in better security for all systems.

Once the decision has been made to consolidate directory services into fewer directory systems, the question arises: Which directory can best serve your organization?

2 Enterprise capabilities of Active Directory

While many organizations that use Windows-based systems have moved to Microsoft’s Active Directory system, most only use it for managing Windows accounts. This is because Microsoft provides little support for non-Windows systems within Active Directory (although a NIS translator for Active Directory is available with the Microsoft Services for UNIX product). Other directories, such as Sun’s Java System Directory Server or Novell’s eDirectory, may seem like more logical choices since they provide better cross-platform support. However, many customers are reluctant to use these products to serve Windows clients because of concerns over compatibility with directory-based Windows applications, such as Microsoft Exchange, SQL Server and Internet Information Services (IIS). Active Directory was designed to work with these applications. Other directory solutions may require substantial customization to work with these applications or, in some cases, may not work at all. In addition, Sun’s directory was not designed as a Network Operating System directory for Windows workstations.

Most customers, however, now demand something more than just an enterprise user directory. Complex infrastructure environments, requirements for strong, verifiable security, and regulatory compliance have changed the way people think about identity management so much that the term “enterprise authentication infrastructure” probably better describes what most customers need. Meeting these additional challenges is where Active Directory really shines.

Active Directory begins with a foundation of capabilities that are common to any enterprise directory. Active Directory provides:

- Centralized user and group account management, including the ability to maintain manager / worker relationships, as well as the ability to temporarily disable an account. Active Directory can also easily manage hours of use for each user and computer.
- Full control over password management, including password aging, password complexity, and forced password resetting.
- A distributed model for high availability, increased performance and organizational compartmentalization, including the ability to manage cross-domain relationships and trusts. This means that users in each part of the organization can always access their systems, even in the event of a server failure.

2.1 Active Directory's unique features and benefits

Some of the unique technical features and benefits include:

- Active Directory is based on proven enterprise-ready technologies – LDAP for directory services and Kerberos for secure authentication. Microsoft has uniquely combined the strengths of these two technologies to best leverage the open extensibility of LDAP and the highly secure, ticket-based authentication of Kerberos. In addition, a key advantage of Active Directory’s ticket-based authentication system is that, once the user has successfully logged into a system, his or her credentials can be used to automatically access other systems and applications based on established security access rights.
- Active Directory’s distributed model automatically replicates information to other sites, even over slow links, thereby ensuring both fault tolerance with automated failover and increased performance through automated discovery of the closest Active Directory server.
- Microsoft’s Group Policy capability extends Active Directory beyond identity and access management to policy and configuration management. Administrators have full multi-level control over applying policies to accounts and systems through the Group Policy system, which is crucial for meeting regulatory requirements.
- Active Directory further extends its management capabilities by integrating into the directory such key infrastructure services as DNS, certificate services, remote access services, VPN, printer management, Smartcard / biometric security and Radius. This means that different infrastructure services can be enabled for targeted machines and users, and these services can be associated with other services and system policies in a totally integrated way. Other infrastructure solutions such as Microsoft’s ISA Server and Identity Integration Server also work within the Active Directory architecture.
- Active Directory is one of the easiest-to-use directory / infrastructure solutions in the market – based on the familiar Windows look-and-feel and established interfaces such as Windows “Wizards” and the Microsoft Management Console (MMC). End-users also have easy access to infrastructure information in Active Directory, using features such as looking up other users in the Global Catalog, location-based printer discovery and server browsing – all without having to know directory and infrastructure concepts.
- Applications can easily leverage the directory’s account, computer and management interfaces to provide a seamlessly integrated, secure experience. Microsoft Exchange, IIS and SQL Server are just a few examples of Active Directory-integrated applications.

2.2 The business case for Active Directory

The business case for leveraging Active Directory as a true enterprise-wide directory / infrastructure solution is also strong:

- Active Directory is now a mature, well established technology that has proven to be highly scalable and secure.
- Since Active Directory is an integral part of Windows infrastructure and networking, it has already become a ubiquitous and irreplaceable component within your IT environment.

- Many organizations have already made investments to migrate to Active Directory and deploy it company-wide. It makes good business sense to fully leverage those investments by extending Active Directory to other platforms versus the cost of trying to maintain different solutions for different platforms.
- Typically, most of your organization’s internal identity information is already stored in Active Directory. Why spend extra time, money and resources to move it or replicate it to another system?
- With Active Directory built and supported by Microsoft – the largest software company in the world – there is little risk in deploying an Active Directory solution. Microsoft is firmly committed to Active Directory and continues to invest in enhancing and expanding its capabilities.

Given these capabilities, Active Directory would be an excellent choice to provide centralized, cross-enterprise directory and infrastructure services except that it is missing one essential feature – it does not include capabilities to easily support non-Windows client systems. However, the solution landscape has recently changed, and there is now a way to extend the features and benefits of Active Directory to non-Windows systems and applications.

3 Extending Active Directory with Centrify DirectControl

3.1 What is Centrify DirectControl?

The Centrify DirectControl suite is the only seamlessly integrated solution that comprehensively extends Microsoft Active Directory's identity management, access control and Group Policy services to your UNIX, Linux, Java and web platforms. Centrify’s DirectControl suite includes all of the necessary software to allow UNIX, Linux, Mac and Java environments to use Active Directory as a central user identity, infrastructure and policy engine. DirectControl enables the storage and management of UNIX user and computer attributes in Active Directory and joins these new attributes to existing user and group accounts. By using DirectControl, administrators no longer need to manage accounts on each individual UNIX, Linux or Mac system, but instead can use Active Directory for identity and policy management.

Centrify DirectControl is quick and easy to deploy, does not require costly or intrusive changes to existing systems, and uniquely integrates your multiple UNIX/Linux identities into Active Directory. The DirectControl suite is supported on most of the popular UNIX, Linux and Mac platforms in use today. On the UNIX or Linux system, DirectControl consists of a service that controls login authentication and directory lookup services, and vectors those calls back to the Windows Active Directory system. Additionally, utilities are included to join the UNIX system to the Active Directory domain and perform diagnostic tasks. On the Windows side, DirectControl consists of a console for Windows systems that is very similar to the Active Directory Users and Computers Microsoft Management Console.
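The identity model just described, as an added example that is not part of the original paper or of Centrify's product: a Python sketch of one directory account carrying zone-scoped UNIX attributes (the paper's "multiple UNIX/Linux identities" linked to a single Active Directory account, which it later calls DirectControl Zones), with the login decision a UNIX host would make and the consistency checks an administrator would run before trusting the mappings. The class and field names, the audit rules and the sample accounts are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class UnixProfile:
    """UNIX attributes stored alongside the directory account, scoped to one zone (hypothetical fields)."""
    uid: int
    gid: int
    home: str
    shell: str = "/bin/bash"


@dataclass
class Zone:
    """A zone carries its own uid/gid per account, so legacy numbering schemes can coexist."""
    name: str
    profiles: Dict[str, UnixProfile] = field(default_factory=dict)   # account name -> profile
    login_allowed: Set[str] = field(default_factory=set)             # accounts permitted to log in here


class Directory:
    def __init__(self) -> None:
        self.accounts: Dict[str, bool] = {}   # one account record per person: name -> enabled flag
        self.zones: Dict[str, Zone] = {}

    def add_account(self, sam: str, enabled: bool = True) -> None:
        self.accounts[sam] = enabled

    def map_user(self, zone: str, sam: str, prof: UnixProfile, login: bool = True) -> None:
        # A UNIX profile may only be attached to an account that exists in the directory.
        if sam not in self.accounts:
            raise KeyError(f"no directory account {sam!r}")
        z = self.zones.setdefault(zone, Zone(zone))
        z.profiles[sam] = prof
        if login:
            z.login_allowed.add(sam)

    def resolve(self, zone: str, sam: str) -> Optional[UnixProfile]:
        """UNIX identity a host in `zone` should grant `sam`, or None to deny.
        A single disable on the account record denies the user in every zone."""
        z = self.zones.get(zone)
        if z is None or not self.accounts.get(sam, False) or sam not in z.login_allowed:
            return None
        return z.profiles.get(sam)

    def audit(self, zone: str) -> List[str]:
        """Conditions an administrator would want flagged before trusting a zone's mappings."""
        z = self.zones[zone]
        findings: List[str] = []
        by_uid: Dict[int, List[str]] = {}
        for sam, prof in z.profiles.items():
            by_uid.setdefault(prof.uid, []).append(sam)
            if prof.uid == 0:
                findings.append(f"{sam}: mapped to uid 0 (root) in {zone}; confirm the account is trusted")
            if not self.accounts[sam]:
                findings.append(f"{sam}: profile in {zone} but the directory account is disabled")
        for uid, sams in by_uid.items():
            if len(sams) > 1:
                findings.append(f"uid {uid}: shared by {sorted(sams)} in {zone}")
        return sorted(findings)


def build_sample() -> Directory:
    """Constructed sample data: one person carries a different legacy uid in each zone."""
    d = Directory()
    for sam, enabled in (("jdoe", True), ("ex-contractor", False), ("ops-admin", True)):
        d.add_account(sam, enabled)
    d.map_user("legacy-nis", "jdoe", UnixProfile(5001, 100, "/home/jdoe"))
    d.map_user("eng", "jdoe", UnixProfile(10001, 2000, "/export/home/jdoe"))
    d.map_user("eng", "ex-contractor", UnixProfile(10001, 2000, "/export/home/ctr"))
    d.map_user("eng", "ops-admin", UnixProfile(0, 0, "/root"), login=False)   # root mapped to a trusted admin
    return d
```

`build_sample()` returns a directory where `jdoe` resolves to uid 5001 in `legacy-nis` and 10001 in `eng`, while `audit("eng")` reports the disabled account, the shared uid and the root mapping.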

3.2 The combined benefits of DirectControl and Active Directory

With both Active Directory and DirectControl installed, an organization can easily deploy a single directory capable of serving a vast majority of the users and computing platforms in the organization. In addition to the benefits of Active Directory highlighted earlier, the customer can now recognize substantial new benefits with the combination of the two technologies. The following sections describe these new benefits.

3.2.1 Centralized management and security

One directory is now used for managing access to Windows and UNIX-based systems. One single account record is used for each user’s identity, password and credential information. Administrators can provision or decommission users for all systems with one account record update. Active Directory’s highly secure, token-based authentication, using industry standard Kerberos, can be used across Windows, UNIX, Linux, Mac and Java platforms. This results in a single sign-on experience that spans all Windows, UNIX, Linux, Mac and Java platforms.

DirectControl allows you to map special UNIX accounts such as root to trusted Active Directory users, including the ability to map UNIX groups to Active Directory groups. No longer do administrators have to manage special UNIX accounts machine by machine. Groups can be managed centrally for all systems in the domain. Using DirectControl Zones, IT managers also have the ability to manage access to systems based on pre-established roles, including logon times and permitted users and groups. The administrator can use a central console to temporarily disable access to systems or user accounts to allow for maintenance or security tasks. The system also manages password policies such as length, complexity, resets, login failure lockouts and aging.

Access rights for each user, group and computer can easily be mapped and tracked using the tools in DirectControl and Active Directory. In addition, the logging of user logins and system access attempts, which now span Windows, UNIX and Linux systems, is stored in one central location. These reporting tools help with conformance of data access regulations.

3.2.2 Ease of use and increased productivity

Both the Active Directory solution set and the DirectControl suite leverage the same, easy-to-use, Windows-based interface through Wizards and Microsoft Management Consoles.

Users now have a single username and password that can be used to access all authorized systems. Users are no longer required to memorize and manage passwords and security credentials as they move from one platform to the next. Through DirectControl’s credential caching feature, which supports offline domain user logins, UNIX users are now able to log into their systems even if they are disconnected from the central network. This is consistent with the standard Windows client user experience.

3.2.3 Lower cost

Companies will see lower management and training costs due to the use of a single consolidated interface for identity, policy and infrastructure management. IT departments no longer need to purchase and maintain directory and user licenses and support contracts for multiple directory systems. The combination of DirectControl and Active Directory leverages your existing investment in Microsoft licenses, support, applications and knowledge.

3.2.4 Extensible identity and policy management

The Group Policy engine can now be leveraged to manage system policies across all platforms. Developers have the ability to extend Active Directory-enabled applications beyond Windows to UNIX and Java-based applications. Centrify’s DirectControl is the only solution to offer you the flexibility to maintain multiple UNIX IDs linked to a single Active Directory account using DirectControl Zones. This feature is indispensable for IT managers who are migrating multiple legacy identity systems to Active Directory.

4 Active Directory and DirectControl – the right choice

The possibility of managing user identity information, system policy and infrastructure services across multiple systems from a single enterprise directory has been a goal of IT managers for years. Active Directory is a proven, well supported, secure, scalable, highly available distributed infrastructure and identity management solution. Active Directory is backed by the world’s largest software vendor – Microsoft – and is therefore a low risk, long-term solution. DirectControl is built by a leading identity management firm, and Centrify has established strong partnering relationships with Microsoft and other major enterprise vendors.

With Centrify’s DirectControl and Microsoft’s Active Directory, you can now extend the directory you already own to UNIX, Linux, Mac and Java environments and realize substantial benefits for your organization through lower costs, better security, simplified management and increased productivity.

Figure: Single identity and policy directory using DirectControl and Active Directory

5 How to contact Centrify

Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041
U.S.A.

Sales Office: +1 (650) 961-1100
Enquiries: info@centrify.com
Web site: www.centrify.com