Change in Microsoft Vista security system promises Windows migration headaches

Corporate users with third-party, Windows-based authentication systems such as VPNs could face a difficult transition to Microsoft’s Vista because of an overhaul of the core Windows logon architecture, according to independent software vendors and analysts.

The good news for users is that those same observers say Vista, which is being touted for its security features, will eventually deliver a more secure and flexible authentication architecture than exists today in Windows.

But ISVs say rewriting their code for the new architecture will produce headaches that will extend to their customers that have deployed strong authentication such as biometrics or tokens, enterprise single sign-on and a number of other systems integrated with the Windows authentication architecture.

“Not only the vendors, but the customers that have [authentication systems] already deployed are going to go through a lot of pain,” says one ISV who asked not to be named. “We knew there were going to be changes, but we didn’t know there would be wholesale changes.”

Users will have to go through testing periods after vendors deliver new interfaces for their products. During migrations, users will have key security infrastructures that straddle two different authentication environments, one for Vista and one for earlier versions of Windows, until migrations are complete. They also will have to support different client-side code and separate interfaces that will present retraining issues, experts say.

In addition, users with any homegrown authentication mechanisms linked to Windows will have to rewrite their code from the ground up.

ISVs also have to completely rewrite and certify the custom code they write to interface with Winlogon, the Windows process that manages logon and logoff. That task will be painful in part because ISVs say Vista’s new authentication architecture is incomplete in the beta released in February. The new architecture, called Winlogon Re-Architecture, includes a model for building modules called Credential Provider. The February CTP also was the first time Microsoft included in the release notes the fact that the GINA architecture had been abandoned even though the company had started talking about it at its Professional Developers Conference last September.

The previous model, called Graphical Identification and Authentication (GINA), is used by ISVs such as Check Point, Cisco, Citrix, Nortel, Novell, RSA Security and Symantec to link their authentication technology into the Windows authentication architecture.

“There are things built into GINA that are not in the existing Winlogon module you get with the Vista beta,” says the ISV who requested anonymity. “Other pieces must be coming in later betas. If not, this makes the strategy of waiting for the first Vista service pack even more valid.” Historically, many corporate users have waited for Service Pack 1 of a new operating system before adopting it.

The ISV says customers with multiple products that hook into GINA will have the most difficult support and migration issues.

“There will be a relatively significant migration challenge to go from a GINA-dependent architecture to the new Vista authentication interfaces,” says the ISV, adding that a systems integrator told him he “anticipates a big business in helping customers migrate.”

Another systems integrator says users always have faced this danger with custom code added to Windows.

“No doubt there is going to be an impact on the industry; every time you change Windows code there is an impact on the industry,” says Nelson Ruest, a consultant and systems integrator with Resolutions Enterprises in Victoria, British Columbia.

“We often recommend to our customers to be very careful about custom modifications to the Windows environment. Vendors’ GINA integrations are 100% custom code,” he says.

Ruest says Vista will replace a GINA architecture – which dates back to Windows NT – that has problems of its own.

The issue over the Vista authentication architecture began to emerge last week when RSA CEO Art Coviello lamented in a press interview the fact that Vista is not providing native support initially for RSA’s SecureID for Windows. RSA refused to comment further, but the company will have to rewrite its GINA code using the Credential Provider model.

Microsoft also refused comment on Coviello’s remarks. A company spokesman says the strategic direction now is Smart Cards, which Microsoft is supporting natively in Vista.

The GINA model is a Dynamic Link Library file that displays in Windows the “Press Ctrl+Alt+Del to log on” screen and accepts a username and password.

The Credential Provider model is based on .Net, Component Object Model and Windows Shell Extensions, and supports the creation of modules that plug into Winlogon.

The GINA model is based on Win32, but Windows can run only one copy of it. A complex method called chaining is required to support the use of multiple GINA models. Vendors can modify GINA to include their interface on the logon screen or write their own GINA to replace the logon interface completely. With Credential Provider, vendors will not be able to replace the logon user interface.

“To extend authentication we need to move away from GINA,” says Austin Wilson, director of product management for Windows client at Microsoft. He said GINA replacements are difficult to write and often present problems when service packs and security fixes are applied to the operating system. Those issues are solved in the Credential Provider model, Wilson says.

He said all the tools needed to write Credential Providers are in the Vista beta today, but he did acknowledge that there would not be any backward compatibility for GINA.

“ISVs have to write [Credential Providers], and customers have to move to them, but in the long run it should provide more flexibility, stability and a more consistent experience,” Wilson says.

Some analysts say given the inevitability of change, the next move is up to vendors and users.

“This is a wake-up call for the vendors,” says Phil Schacter, vice president and group services director for the Burton Group. “For users the question is, do I roll out a GINA architecture in parallel at the same time I bet on Vista and its different architecture?”

Complete Vista coverage