Active Directory as an Interoperability Rendezvous
- By Scott Bekker
- March 14, 2005
As Active Directory rollouts enter the last mile, some industry figures are beginning to see Microsoft's proprietary directory service as a key route to interoperability among systems for user credentials and authentication.
It seems slightly odd at first because Active Directory runs only on Windows and Microsoft itself felt the need to launch a separate metadirectory product, Microsoft Identity Integration Server, to fill the multi-platform need.
There is logic to using Active Directory. That logic centers on the ubiquity of Windows servers; Microsoft's requirement that all servers after Windows NT 4.0 use Active Directory; and the difficulties of maintaining multiple identities for each user.
Windows servers are almost everywhere. According to research from IDC, Windows servers account for more than half of new server unit shipments. Running a modern authentication network based on Windows 2000 Server or Windows Server 2003 domain controllers requires Active Directory. Several recent surveys, including one by ENT last year, indicate that the majority of organizations have Active Directory deployed by now.
Linux, too, is surging everywhere, and while purchases of Unix-based systems are on the decline, clearly the installed systems are working and will not be replaced soon. Even in heavily Windows-oriented shops, it's common to find non-Windows servers that users must log on to for some applications. But there's no single identity management solution for Unix or Linux that is, or will be, anywhere near as widespread as Active Directory on the Windows side. By default, Active Directory is becoming the omnipresent directory technology.
Meanwhile, several usability, security and management problems that have been around for years continue to nag. Users continue to balk at maintaining multiple strong passwords. Password resets top the list of busywork that occupies help desk employees. Security is undermined by password-filled sticky notes at users' desks or by shared username/password combinations used by entire workgroups.
Single sign-on solutions and metadirectories are some of the ways organizations have tried to fix these longstanding problems. However, the synchronization and maintenance efforts can make administration of these solutions seem like more trouble than simply letting the insecure and unmanaged current situation limp along.
Recently, there's been a lot of activity in the interoperability market around Active Directory. In January 2004, Vintela released Vintela Authentication Services, which joins Unix and Linux servers to Active Directory forests so users sign on to non-Microsoft resources through their Active Directory credentials. Last month, another company, Centrify, introduced similar technology called DirectControl.
There are some indications that Microsoft might absorb this emerging market. In November, Microsoft made a minority investment in Vintela. Then, Vintela hired a main product manager for Microsoft Identity Integration Server, Jackson Shaw, as a vice president. In a news release about the hire, Vintela pointed out that Shaw had been part of the management team that groomed metadirectory firm Zoomit for acquisition by Microsoft. Centrify, meanwhile, was founded by Tom Kemp, formerly of NetIQ -- the firm that sold Microsoft Operations Manager to Microsoft.
On the other hand, there are similarities in the interoperability market to the data center market. In that market, Microsoft partnered heavily with major firms with enterprise credibility, such as IBM, HP, Unisys and EMC. Those firms did the front-end selling and took the support calls for some of Microsoft's enterprise-focused products, such as Windows Datacenter Server. Letting partners do the selling in a market where Microsoft had less credibility was a politically astute move. On interoperability, again, customers may have more trust in an independent agent with strong technical ties to Microsoft than in Microsoft itself.
As with many things in IT, a set of problems by itself may not cause people to jump on solutions. A problem coupled with a fairly straightforward fix, however, can prompt a run on a technology. The emergence of widespread Active Directory deployments may mean it's easiest to cobble together a solution for unified authentication through that Microsoft-centric directory technology.