Microsoft to extend Active Directory

Apr 03, 2006
Access Control, Enterprise Applications, Microsoft

LAS VEGAS – Microsoft is racing to fill gaps and integrate technology into its identity management platform before customers shift to tools from other vendors.

Active Directory is being driven beyond its authentication and authorization roots, the company told attendees last week at the NetPro Directory Experts Conference, an independent forum focused on Active Directory and Microsoft Identity Integration Server (MIIS).

The plan, originally outlined in February, is to make Active Directory, together with a handful of add-ons for tasks such as rights management, a hub that supports many identity and access management technologies, including the sophisticated provisioning tools that the Microsoft lineup now lacks.

While that is a noble goal, some analysts urge caution. “Active Directory is more stable and scalable than many predicted it would be,” says John Enck, an analyst with Gartner. “But you can’t use [Active Directory] for everything.”

Enck says Microsoft needs to add or improve workflow, password management, user self-service and delegated administration capabilities to Active Directory and MIIS, the core of its identity platform. Both are foundation elements for Microsoft’s strategy.

Ultimately Microsoft would like this core to support strong credentials, access control, single sign-on, federated identity, information rights protection, process automation and auditing. The strategy also calls for integration with Microsoft’s Identity Metasystem initiative, user-centric privacy controls called InfoCard, a Longhorn middleware technology called Windows Communication Foundation and a slate of Web services-based protocols.

Users at the conference said they agree with the message and want to build out their Active Directory deployments to deal with the realities of privacy and access controls dictated by regulatory compliance issues.

Microsoft’s moves have been fueled by a recent wave of consolidation among identity vendors that has seen IBM, Oracle, Sun, Novell and others moving to create identity management platforms.

While some users are waiting for Active Directory to catch up with their needs, others say they have moved ahead with third-party tools for such things as workflow, single sign-on and Web-based access controls.

“It is a shame Microsoft is late in the game,” says Larry Brandolph, infrastructure engineering manager for Cigna in Philadelphia, which has been driven by federal regulations to adopt privacy and other controls supported by its Active Directory rollout. He says Cigna has rolled out third-party products to support identity needs such as role-based access control and Web single sign-on. “We’d have to rip that out to go with Microsoft, but first we’d have to do all the testing to see if it is reliable and scalable.”

While Brandolph says that replacement is not happening, Cigna is rolling out Windows Server 2003 to gain certificate auto-enrollment for users and other features supported by the operating system.

Brandolph says, however, that identity technologies Microsoft is developing, such as federation and user self-service, could indirectly help Cigna when integrating with partners. “We can tell partners if they have the Microsoft federation services they can send us standardized authorization tokens we can use with our systems.”

For others, Microsoft can’t move fast enough. An IT architect with a Fortune 500 company who requested anonymity says he is waiting for the Windows Workflow Foundation (WWF) and hopes it is up to the task of replacing his aging workflow engine. Microsoft plans to ship WWF as part of a feature in Longhorn Server code-named Gemini.

He says he will be evaluating Gemini over the next nine months. “For a utility service like workflow, it has to be in the [operating system] because you know it will be available.” He says a common workflow engine distributed across his global network will make reliability, management and support easier.

Today, MIIS relies on workflow services from BizTalk, but integration among applications and business processes can be complex.

“Now that [Active Directory] is moving beyond domain services we need to take our planning up a notch,” says Peter Houston, senior director of identity and access management for Microsoft. Houston says the goal is to have “out-of-the-box” capabilities for such functions as compliance or auditing. “It is about more scenario-based capabilities rather than [Active Directory] and MIIS as a collection of technologies. We would rather understand the business scenarios and enable those out of the box.”

Observers say Microsoft has other decisions to make, such as whether it will add virtual directory capabilities to its platform; some of its competitors are already embracing the technology.

“For identity, Microsoft needs to look at virtualization,” says Nick Nikols, an analyst with the Burton Group. He says the company needs to examine cross-platform integration, which today is provided by partners Centrify and Quest.

“Is [Microsoft’s] target to be a full-fledged identity player? I’m not sure yet.”