Tom Kemp's Centrify Blog

Why Leverage Active Directory for Linux Identity Management? Part 2

Monday, January 14, 2008

In my last blog post I described the benefits of reducing identity "silos" and moving toward a single directory for your heterogeneous infrastructure. In this blog post I will describe some of the technical and business reasons why organizations should consider leveraging Active Directory to be "the" central directory for UNIX-based systems and applications, as well as non-Microsoft applications running on Windows.

The Technical Case for Extending Active Directory to non-Microsoft Platforms

Some of the unique technical features and benefits that come to mind include:

  • More than just an LDAP directory service, part 1: integrated Kerberos support. Active Directory is based on proven enterprise-ready technologies - LDAP for directory services and Kerberos for secure authentication. Microsoft has uniquely combined the strengths of these two technologies to best leverage the open extensibility of LDAP and the highly secure, ticket-based authentication of Kerberos. For example, a key advantage of Active Directory's ticket-based authentication system is that, once the user has successfully logged into a system, his or her credentials can be reused to automatically access other systems and applications based on established security access rights. For more on Kerberos and how DirectControl supports it, see my blog entry on Kerberos.
  • More than just an LDAP directory service, part 2: integrated Group Policy support. Microsoft's Group Policy capability extends Active Directory beyond identity and access management to policy and configuration management, which is crucial for meeting regulatory requirements. Administrators have full multi-level control over applying policies to accounts and systems through the Group Policy system. Centrify provides rich and robust Group Policy support for UNIX, Linux and Mac.
  • Rich infrastructure and application integration. Active Directory further extends its management capabilities by integrating into the directory such key infrastructure services as DNS, VPN, certificate services, RADIUS, remote access services, printer management, and smart card- and biometric-based security. This means that different infrastructure services can be enabled for targeted computers and users, and these services can be associated with other services and system policies in a totally integrated way. Other infrastructure solutions such as Microsoft's ISA Server and Identity Lifecycle Manager also work within the Active Directory architecture, and DirectControl extends other infrastructure components to integrate tightly with Active Directory. Additionally, applications can easily leverage the directory's account, computer and management interfaces to provide a seamlessly integrated, secure experience. Microsoft Exchange, IIS and SQL Server are just a few examples of Active Directory-integrated applications. End-users also have easy access to infrastructure information in Active Directory, using features such as looking up other users in the Global Catalog, location-based printer discovery and server browsing — all without having to know directory and infrastructure concepts.
  • Mature solution with enterprise capabilities. Active Directory is now a mature, well established technology that has proven to be highly scalable and secure. Active Directory's distributed model automatically replicates information to other sites, even over slow links, thereby ensuring both fault tolerance with automated failover and increased performance through automated discovery of the closest Active Directory server. In addition, Active Directory is one of the easiest-to-use directory / infrastructure solutions in the market — based on the familiar Windows look-and-feel and established interfaces such as Windows "Wizards" and the Microsoft Management Console (MMC).
  • Can be easily extended to non-Microsoft systems and applications using DirectControl. Active Directory can be easily extended to Linux, UNIX and Mac systems and applications using DirectControl. The same cannot be said about other directories, which don't have a nicely packaged and productized "DirectControl equivalent" to make Windows systems and applications (such as Microsoft Exchange and SQL Server) plug nicely into them.
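As an added illustration of the LDAP-plus-Kerberos integration described in the first bullet above, here is the generic MIT/Heimdal-style Kerberos client configuration a Linux host needs in order to treat an Active Directory domain as its Kerberos realm, so that the ticket a user obtains at logon is honoured by other Kerberos-aware services. This is not Centrify's or DirectControl's configuration file and is not taken from the original post; the realm EXAMPLE.COM, the domain example.com and the domain controller dc1.example.com are constructed placeholders.

```ini
; /etc/krb5.conf (constructed example; replace EXAMPLE.COM / example.com
; and dc1.example.com with your own domain and domain controller)

[libdefaults]
    ; The Kerberos realm is the Active Directory domain name in UPPER CASE.
    default_realm = EXAMPLE.COM
    ; Let the client find domain controllers through the _kerberos._tcp
    ; SRV records that Active Directory publishes in DNS.
    dns_lookup_kdc = true
    ; Map hosts to realms with the [domain_realm] section below instead of DNS.
    dns_lookup_realm = false
    ; Do not canonicalise service names via reverse DNS: AD registers
    ; service principal names (SPNs) against the forward hostname.
    rdns = false
    ; Ticket lifetimes within the bounds a default AD domain policy allows.
    ticket_lifetime = 10h
    renew_lifetime = 7d
    ; Forwardable tickets let a logon ticket be delegated to a second
    ; system (the "reuse credentials to access other systems" case).
    forwardable = true

[realms]
    EXAMPLE.COM = {
        ; Optional static entries; with dns_lookup_kdc = true these are
        ; only a fallback if the SRV lookup fails.
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    ; Every host under example.com belongs to the EXAMPLE.COM realm.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this file in place, `kinit user@EXAMPLE.COM` obtains a ticket-granting ticket from a domain controller and `klist` shows it in the credential cache; after connecting to a Kerberos-enabled service (for example SSH with GSSAPI authentication), `klist` additionally shows a service ticket such as `host/server.example.com@EXAMPLE.COM`, which is the single sign-on the bullet describes. Two settings are worth checking when diagnosing failures against Active Directory: `rdns = false` (a mismatch between forward and reverse DNS otherwise produces "server not found in Kerberos database"), and clock skew, since the KDC rejects requests from hosts more than five minutes out of sync by default.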

The Business Case for Extending Active Directory to Linux, UNIX and Mac Platforms

The business case for leveraging Active Directory as a true enterprisewide directory and infrastructure solution is also strong:

  • You already own it and have the skill set to support it. Because Active Directory is an integral part of Windows infrastructure and networking, it has already become a ubiquitous and irreplaceable component within your IT environment. Many organizations have already made investments to migrate to Active Directory and deploy it companywide. It makes good business sense to fully leverage those investments by extending Active Directory to other platforms, versus the cost of trying to maintain different solutions for different platforms. Here is what the analyst firm Enterprise Strategy Group said in this Identity and Access Management report:

"What's so special about AD? After years of experience, large enterprises have refined [their] Active Directory implementation and strong AD administration skills. Centrify products can act as software glue between this existing stronghold and burgeoning IAM requirements. ESG Research indicates that this is a particularly shrewd move since AD is a staple at most large organizations - a whopping 81% use Active Directory, which is four times the size of the next closest response [see Figure below]. As a result, building on top of a ubiquitous platform like Microsoft Active Directory should certainly appeal to the majority of enterprise organizations."

[Figure: Network directories currently deployed]

  • Your organization's digital identities are already stored in Active Directory. Typically, most of your organization's internal identity information is already stored in Active Directory. Why spend extra time, money and resources to move it or replicate it to another system?
  • Well supported. Because Active Directory is built and supported by Microsoft - the largest software company in the world - there is little risk in deploying an Active Directory solution. Microsoft is firmly committed to Active Directory and continues to invest in enhancing and expanding its capabilities. Centrify is the only solution of its class to be Windows 2003 certified, ensuring tight compatibility, and has a strong, collaborative and supportive partnership with Microsoft.
  • Respected analyst firms are supportive of extending Active Directory to non-Microsoft systems and applications. For example, Gartner Group says this of Active Directory interoperability: "Using Active Directory for Unix administration and authentication reduces user repository complexity and simplifies the user sign-on experience" and "Using Active Directory as an identity and authentication repository for Unix platforms is technically sound and can provide real benefits for end users and administrators." (Source: Gartner Group, July 18, 2007, Research Report #G00149425). Also see the Enterprise Strategy Group report entitled "Centrify Adds Value to Active Directory — and the Business" (June 2007) for another endorsement of the approach that Centrify takes using Active Directory.

The Bottom Line

Hopefully you will agree that these technical and business reasons for using DirectControl to extend Active Directory throughout the enterprise are very compelling. I will close this blog entry with the summary from the aforementioned ESG analyst report:

"Business pressures demand IAM improvements, but this isn't easy. Today's IAM infrastructure is a jigsaw puzzle of identity repositories and silos, so piecing together a cohesive view can be a time consuming, manual process. Management tools can help, but most are either too narrow, exceedingly expensive to purchase or overwhelmingly difficult to deploy.

The Centrify recipe is simple: make the tools you already count on more productive by extending their reach and capabilities. Centrify layers its authentication, access control and auditing sauce on top of ubiquitous Active Directory to make this happen. This makes Centrify one of the rare companies that figured out how to add a whole lot of value without a lot of ripping, replacing, re-architecting or training."

It is always great to get such praise, but it is not going to our heads. In my next blog entry I will give you my thoughts on a new customer case study that we just published that describes how a large pharmaceutical company is delivering UNIX single sign-on within their enterprise using DirectControl and Active Directory.




"Centrify's DirectControl extension of the Group Policy framework to non-Microsoft platforms lets customers further leverage their investment in Active Directory."

Michael Dennis, Lead Program Manager, Windows Group Policy, Microsoft Corp.