
Microsoft touts groundbreaking 'clip-on' for Active Directory

SQL-based add-on offers capabilities never before available in directory

By , Network World
November 18, 2009 10:44 AM ET

Network World - LOS ANGELES -- Microsoft will pass out beta code Wednesday it hopes will define the next evolution of directories. It's a modular add-on that is built on a database and designed to add querying capabilities and performance never before possible in a directory.

The code is so early-stage it does not have an official name, although internally Microsoft calls it Next Generation Active Directory (NGAD). Microsoft introduced NGAD, which it calls a directory federation technology, on the second day of its annual Professional Developers Conference going on this week.


NGAD, however, is not a replacement for Active Directory but a "clip-on" that gives developers a single programming API for building access controls into applications that can run internally, on devices, or on Microsoft's Azure cloud operating system. Users will not have to alter their existing directories but will have the option to replicate data to NGAD instances.

NGAD stores directory data in an SQL-based database and utilizes its table structure and query capabilities to express claims about users such as "I am over 21" or "Henry is my manager." To ensure security, each claim is signed by an issuing source, such as a company, and the signatures stay with the claim no matter where it is stored.

"You can answer questions in your directory that are currently impossible to even ask," says Kim Cameron, identity architect at Microsoft. "You can find out who had access to a file last September." He says NGAD is a reshaping of the programming model for Active Directory.

In addition, the directory design means multitudes of new cloud or other applications won't be hammering the central Active Directory architecture with lookup requests and administrators don't have to perform often tricky updates to directory schema to support those new applications.

"I don't want to do anything to let anybody think that I am going to diddle with Active Directory infrastructure, yet I want to leverage the infrastructure," Cameron says.

The intent is to create a "logical directory" that shares architecture elements such as schema and APIs but is not one monolithic identity store. Instead, users have multiple NGADs deployed to support specific cloud, internal or device-based applications.

"From the point of view of AD these would look like domain controllers, but you could do these magic queries," Cameron says. "I could say who are all the people who report up to Microsoft CEO Steve Ballmer; in AD that query would take hours."

The most distinctive characteristic of NGAD is its SQL database foundation. It includes an SQL-based "Repository", a central management database for application metadata that includes an identity deployment model. NGAD also introduces a schema called System.Identity and a System.Identity API. The API exposes the schema to developers through LINQ.
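As an added illustration (not Microsoft's code, and not NGAD's actual schema or signature scheme, neither of which the article describes), the following models the two ideas above: claims such as "Henry is my manager" stored as signed rows in an SQL table, and a relational query that walks the reporting chain under a given person. The table layout, the issuer key, and the use of HMAC-SHA256 in place of an issuer signature are all assumptions; only rows whose signature verifies feed the query, so a tampered claim drops out rather than changing the answer.

```python
import hashlib
import hmac
import sqlite3

# Assumption: one signing key per issuing source (a real system would use
# the issuer's public key; HMAC stands in so the example runs offline).
ISSUER_KEYS = {"contoso": b"contoso-key-placeholder"}

# Constructed sample claims: (issuer, subject, predicate, object).
SAMPLE_CLAIMS = [
    ("contoso", "alice", "manager", "ceo"),
    ("contoso", "bob", "manager", "alice"),
    ("contoso", "carol", "manager", "bob"),
    ("contoso", "dave", "manager", "ceo"),
    ("contoso", "alice", "over21", "true"),
]

def _message(issuer, subject, predicate, obj):
    return f"{issuer}|{subject}|{predicate}|{obj}".encode()

def sign_claim(issuer, subject, predicate, obj):
    return hmac.new(ISSUER_KEYS[issuer], _message(issuer, subject, predicate, obj),
                    hashlib.sha256).hexdigest()

def verify_claim(row):
    # The signature travels with the row, so it can be checked wherever the
    # claim is stored; an unknown issuer or a modified field fails here.
    issuer, subject, predicate, obj, sig = row
    key = ISSUER_KEYS.get(issuer)
    if key is None:
        return False
    expected = hmac.new(key, _message(issuer, subject, predicate, obj), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def build_store(claims):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE claim (issuer, subject, predicate, object, signature)")
    for issuer, subject, predicate, obj in claims:
        db.execute("INSERT INTO claim VALUES (?, ?, ?, ?, ?)",
                   (issuer, subject, predicate, obj, sign_claim(issuer, subject, predicate, obj)))
    return db

def reports_under(db, top):
    # Copy only verified 'manager' claims into a scratch table, then let a
    # recursive CTE walk the chain; UNION (not UNION ALL) also stops cycles.
    db.execute("CREATE TEMP TABLE IF NOT EXISTS trusted (subject, manager)")
    db.execute("DELETE FROM trusted")
    for row in db.execute("SELECT * FROM claim WHERE predicate = 'manager'").fetchall():
        if verify_claim(row):
            db.execute("INSERT INTO trusted VALUES (?, ?)", (row[1], row[3]))
    cte = """WITH RECURSIVE chain(person) AS (
                 SELECT ? UNION
                 SELECT t.subject FROM trusted t JOIN chain ON t.manager = chain.person)
             SELECT person FROM chain WHERE person != ?"""
    return sorted(p for (p,) in db.execute(cte, (top, top)))
```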

The directory also incorporates the "M" modeling language. The System.Identity schema has been available in Microsoft's Oslo CTP but the API is new.
