Microsoft to extend Active Directory

By John Fontana, Network World
April 03, 2006 12:07 AM ET

LAS VEGAS - Microsoft is racing to fill gaps and integrate technology into its identity management platform before customers shift to tools from other vendors.

Active Directory is being driven beyond its authentication and authorization roots, the company told attendees last week at the NetPro Directory Experts Conference, an independent forum focused on Active Directory and Microsoft Identity Integration Server (MIIS).

The plan, originally outlined in February, is to make Active Directory, and a handful of add-ons for such tasks as rights management, a hub that supports many technologies targeted at identity and access management, including sophisticated provisioning tools now lacking from the Microsoft lineup.

While that is a noble goal, some analysts urge caution. "Active Directory is more stable and scaleable than many predicted it would be," says John Enck, an analyst with Gartner. "But you can't use [Active Directory] for everything."

Enck says Microsoft needs to add or improve workflow, password management, user self-service and delegated administration capabilities to Active Directory and MIIS, the core of its identity platform. Both are foundation elements for Microsoft's strategy.

Ultimately Microsoft would like this core to support strong credentials, access control, single sign-on, federated identity, information rights protection, process automation and auditing. The strategy also calls for integration with Microsoft's Identity Metasystem initiative, user-centric privacy controls called InfoCard, a Longhorn middleware technology called Windows Communication Foundation and a slate of Web services-based protocols.

Users at the conference said they agree with the message and want to build out their Active Directory deployments to deal with the realities of privacy and access controls dictated by regulatory compliance issues.

Microsoft's moves have been fueled by a recent wave of consolidation among identity vendors that has seen IBM, Oracle, Sun, Novell and others moving to create identity management platforms.

While some users are waiting for Active Directory to catch up with their needs, others say they have moved ahead with third-party tools for such things as workflow, single sign-on and Web-based access controls.

"It is a shame Microsoft is late in the game," says Larry Brandolph, infrastructure engineering manager for Cigna in Philadelphia, which has been driven by federal regulations to adopt privacy and other controls supported by its Active Directory rollout. He says Cigna has rolled out third-party products to support identity needs such as role-based access control and Web single sign-on. "We'd have to rip that out to go with Microsoft, but first we'd have to do all the testing to see if it is reliable and scaleable."

While he says that is not happening, the company is rolling out Windows Server 2003 to add new user certificate-based auto-enrollment and other features supported by the operating system.

Brandolph says, however, that identity technologies Microsoft is developing, such as federation and user self-service, could indirectly help Cigna when integrating with partners. "We can tell partners if they have the Microsoft federation services they can send us standardized authorization tokens we can use with our systems."
