Microsoft paves the way for third-party interoperability

Opinion
Aug 15, 20054 mins

* The Active Directory Interoperability Program for ISVs

Any sentence that includes the words “Windows” and “interoperability” usually is not flattering to the Redmond software giant. Frequently we’re tempted to laugh or chuckle at what the company means when it uses the term “interoperability.” CEO Steve Ballmer reflected the company’s take on interoperability when he told the Massachusetts Software Council, at a meeting a year ago, that Microsoft’s platforms offer better interoperability with the company’s other technology, such as .Net, thereby reducing the total cost of ownership of Windows. So it was really refreshing to note that at last month’s Tech Ed Europe conference, one of the highlights was the many new and revised interoperability initiatives that Gates and Co., were launching.

In particular, Kim Saunders Microsoft’s director of Interoperability Programs (who even knew Microsoft had one?) talked about new initiatives for Active Directory interoperability. The new offerings include the Active Directory Interoperability Program, which features the Active Directory Password Change Notification Service for use by independent software vendors (ISV), a third-party-developed OpenLDAP (Lightweight Directory Access Protocol) Management Agent for Microsoft Identity Integration Server 2003, plus new third-party support for Active Directory Federation Services (ADFS), due with Windows Server 2003 R2.

While this initiative doesn’t commit Microsoft to developing interoperability software, it does ease the path for ISVs to create products that interoperate among various operating system platforms – most notably, Windows and Linux.

The Active Directory Interoperability Program for ISVs includes:

* Interoperability Developer Labs – For testing Active Directory interoperability projects in Redmond.

* Active Directory Password Change Notification Service – A technology package that enables ISVs and enterprise customers to deploy solutions that more easily integrate their Active Directory infrastructures with non-Active Directory applications and services.

* IP and Protocol Technology Licensing for Active Directory Interoperability -Provides intellectual property and protocol technology licensing for identity and directory services interoperability.

Some of the IP and protocol technology offered for licensing include:

* Kerberos PAC (Privilege Attribute Certificate) Group Membership, which provides the Kerberos PAC authentication and key distribution protocol used to authenticate two principals to each other and establish a cryptographic key that the two can use to secure any messages. The license may be used in client- and server-side implementations. Scenarios include communicating for Windows 2000-specific group membership authorization data carried in the field of a Kerberos ticket for use by servers in performing access control.

* Authentication/Directory Servers – Provides authentication and authorization service protocols used between Windows clients and Windows domain controllers. The license is for use in server-side implementations (e.g., application and Web servers). Scenarios include communicating with Windows client logon and security subsystems for authentication, authorization and access control, policy enforcement, or usage accounting and audit information data packets.

* Active Directory Client – Provides authentication and authorization service protocols used between Windows clients and Windows domain controllers. The license is for use in client-side implementations (on desktops, workstations or other devices, including servers acting as clients). Scenarios include communicating with Windows domain controllers for local logon and communicating with other Windows servers for network access using Windows domain user credentials.

* Group Policy Client – Provides group policy service protocols used between Windows clients and Windows servers. The license is for use in client-side implementations (on desktops, workstations or other devices, including servers acting as clients). Scenarios include communicating with Windows domain controllers for application of group policy for enabling the management of configuration and other policies for all machines and users in a domain.

* Domain Services Interaction (DSIP) – Provides authentication and authorization service protocols used between Windows member servers and Windows clients, and between Windows member servers and Windows domain controllers. The license is for use in server-side implementations (e.g., application and Web servers). Scenarios include communicating with Windows clients and servers and with Windows domain controllers for pass-through authentication of remote requests from Windows clients and servers to Windows domain controllers. 

Some vendors have already released versions of the above noted scenarios, but they had to reverse-engineer Windows in order to do it and that method is notorious for breaking very easily when a new version of Windows is shipped. This new program should go a long way towards making the care and feeding of heterogeneous networks more efficient and elegant. That, in turn, should lead to a more secure, robust network as well as one that’s more “administrator friendly.” Sounds good to me.

There’s more to the Windows interoperability story, so browse over at your leisure and take a look.