
WHITE PAPER

CENTRIFY CORP.
Active Directory and DirectControl
APRIL 2005

The Right Choice for Enterprise Identity Management and Infrastructure Consolidation

ABSTRACT

Microsoft’s Active Directory is now the de facto standard in most enterprises for
providing authentication, authorization, account access, computer policy and
infrastructure management for Windows systems and applications. Active
Directory has proven itself to be highly scalable, secure and resilient under
heavy load. However, in many of these enterprises there is no single way of
providing these same services to UNIX, Linux, Mac and Java-based environments.
Most companies end up managing these systems with a variety of directory
solutions, some of which are centralized and some of which are managed at each
individual machine.

Huge benefits can be gained by consolidating identity, policy and infrastructure
in administrative overhead, lowering training requirements and increasing
productivity. With the popularity of Active Directory, many companies would
like to leverage their Active Directory investment and offer these services
beyond their Windows platforms. UNIX, Linux and Mac platforms are the second
largest base of systems in many large companies, so integrating these systems
into Active Directory would be highly beneficial.

Fortunately, there is a solution to meet this need – Centrify’s DirectControl
infrastructure management with Active Directory and accomplishing the
integration of UNIX, Linux, Mac and Java with DirectControl.
CENTRIFY WHITE PAPER ACTIVE DIRECTORY AND DIRECTCONTROL

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, e-mail address, logo, person, place or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.

© 2005 Centrify Corporation. All rights reserved.

Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

WP-004-2005-05-09

© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED. PAGE II



Contents

1 Why centralized directories make sense
1.1 What is a centralized directory?
1.2 Benefits of centralized directories
2 Enterprise capabilities of Active Directory
2.1 Active Directory's unique features and benefits
2.2 The business case for Active Directory
3 Extending Active Directory with Centrify DirectControl
3.1 What is Centrify DirectControl?
3.2 The combined benefits of DirectControl and Active Directory
3.2.1 Centralized management and security
3.2.2 Ease of use and increased productivity
3.2.3 Lower cost
3.2.4 Extensible identity and policy management
4 Active Directory and DirectControl – the right choice
5 How to contact Centrify



CENTRIFY WHITE PAPER CENTRALIZED IDENTITY AND POLICY MANAGEMENT FOR WINDOWS, LINUX, UNIX, AND JAVA

1 Why centralized directories make sense

1.1 What is a centralized directory?

Centralized directories for computing platforms have been around for almost as long as
computer networks. The concept behind a directory was to provide a place to put user,
and in some cases, computer account information so that a) information about a user,
such as the user ID or the user’s real name, was stored in one consistent way and
leveraged for each system that the user used, and b) information was stored in a central
location instead of being copied or created on multiple different systems. Historically,
each computer operating system evolved with its own directory system. On UNIX
systems, Sun’s Network Information Service (NIS) became popular. On Windows
systems, Novell’s NDS and Microsoft’s NT4 domain system were most commonly used
in the 1990s.

Typical directory situation with multiple identities across different systems

In this decade, both UNIX and Windows directories have gradually evolved to favor
Lightweight Directory Access Protocol (LDAP)-based technology. These solutions
include Sun’s Java System Directory Server (formerly known as iPlanet or Sun ONE
Directory Server), eDirectory from Novell, OpenLDAP on Linux and Active Directory from
Microsoft. The good news for customers was that all these directories expose their data
through the same LDAP protocol and information model, and each has a similar method
for storing user and computer information. However, as is the case with most “open
systems” technology, there were enough differences between the products (in schema,
authentication mechanisms and client integration) that in fact these systems did not
fully interoperate. As a result, most organizations still end up maintaining separate
directory systems for each operating system platform.

Another critical factor that is driving customers to look for a single directory system is
the need for tighter centralized security controls over the access of sensitive data.
Enterprises want to ensure that users are granted secure access to only the systems, data
and applications essential to their day-to-day jobs. Tracking and auditing system access is
now a required feature as new rules for customer data protection are imposed on
organizations. As the number of directories increased within an organization, the task of
managing user access became more complex. The ideal solution would be to have one
central, secure directory for all computers, and control user identity, access and policy
from that one system.

1.2 Benefits of centralized directories

Centralized directory services offer numerous benefits to the administrator and the
computer user, including:

• User accounts can be stored in a single secure database as opposed to being
stored and managed at each machine. The result is lower management costs
because less time is required to provision or decommission a user’s account – even
for use on multiple machines.

• Access permissions and policies can be centrally managed, resulting in better
security for all systems. Administrators have immediate control over access to
machines and no longer need to manage access rights machine by machine.
Additionally, policies such as password length or access times can be easily applied
to all systems.

• Centralized password management and consistent user names. Users can have
one user ID and one password that work on multiple machines as opposed to having
to remember different logins and passwords for each system.

Once the decision has been made to consolidate directory services into fewer directory
systems, the question arises: Which directory can best serve your organization?




2 Enterprise capabilities of Active Directory

While many organizations that use Windows-based systems have moved to Microsoft’s
Active Directory system, most only use it for managing Windows accounts. This is
because Microsoft provides little support for non-Windows systems within Active
Directory (although a NIS translator for Active Directory is available with the Microsoft
Services for UNIX product). Other directories, such as Sun’s Java System Directory
Server or Novell’s eDirectory, may seem like more logical choices since they provide
better cross-platform support. However, many customers are reluctant to use these
products to serve Windows clients because of concerns over compatibility with directory-
based Windows applications, such as Microsoft Exchange, SQL Server and Internet
Information Services (IIS). Active Directory was designed to work with these
applications. Other directory solutions may require substantial customization to work
with these applications or, in some cases, may not work at all. In addition, Sun’s
directory was not designed as a Network Operating System directory for Windows
workstations.

Active Directory begins with a foundation of capabilities that are common to any
enterprise directory. Active Directory provides:

• Centralized user and group account management, including the ability to
maintain manager / worker relationships.

• Full control over password management including password aging, password
complexity, and forced password resetting, as well as the ability to temporarily
disable an account. Active Directory can also easily manage hours of use for each
user and computer.

• A distributed model for high availability, increased performance and
organizational compartmentalization, including the ability to manage cross-domain
relationships and trusts. This means that users in each part of the
organization can always access their systems, even in the event of a server failure.

Most customers, however, now demand something more than just an enterprise user
directory. Complex infrastructure environments, requirements for strong, verifiable
security, and regulatory compliance have changed the way people think about identity
management so much that the term “enterprise authentication infrastructure” probably
better describes what most customers need. Meeting these additional challenges is where
Active Directory really shines.

2.1 Active Directory's unique features and benefits

Some of the unique technical features and benefits include:

• Active Directory is based on proven enterprise-ready technologies – LDAP for
directory services and Kerberos for secure authentication. Microsoft has
combined the strengths of these two technologies to best leverage the open
extensibility of LDAP and the highly secure, ticket-based authentication of Kerberos.
For example, a key advantage of Kerberos ticket-based authentication is that the
user proves his or her password only once, at logon, to obtain a ticket-granting
ticket; that ticket is then exchanged for service tickets to other systems and
applications without a further prompt, and each system grants access according to
the established security access rights for that user.

• Microsoft’s Group Policy capability extends Active Directory beyond identity and
access management to policy and configuration management, which is crucial for
meeting regulatory requirements. Administrators have full multi-level control over
applying policies to accounts and systems through the Group Policy system.

• Active Directory further extends its management capabilities by integrating into the
directory such key infrastructure services as DNS, VPN, certificate services, remote
access services, printer management, smart card / biometric security and RADIUS. This
means that different infrastructure services can be enabled for targeted machines and
users, and these services can be associated with other services and system policies in
a totally integrated way. Other infrastructure solutions such as Microsoft’s ISA
Server and Identity Integration Server also work within the Active Directory
architecture. Additionally, applications can easily leverage the directory’s account,
computer and management interfaces to provide a seamlessly integrated, secure
experience. Microsoft Exchange, IIS and SQL Server are just a few examples of
Active Directory-integrated applications. End-users also have easy access to
infrastructure information in Active Directory, using features such as looking up
other users in the Global Catalog, location-based printer discovery and server
browsing – all without having to know directory and infrastructure concepts.

• Active Directory is now a mature, well established technology that has proven to be
highly scalable and secure. Active Directory’s distributed model automatically
replicates information to other sites, even over slow links, thereby ensuring both
fault tolerance with automated failover and increased performance through
automated discovery of the closest Active Directory server. In addition, Active
Directory is one of the easiest-to-use directory / infrastructure solutions in the market
– based on the familiar Windows look-and-feel and established interfaces such as
Windows “Wizards” and the Microsoft Management Console (MMC).
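The ticket flow described in the first bullet above, worked through as an added example; this is not code from the paper, from Centrify or from Microsoft. It models the three Kerberos exchanges that let one logon serve several systems: AS (the password is proved once and yields a ticket-granting ticket), TGS (the TGT is traded for a service ticket without any password) and AP (the service validates the ticket with its own key and keeps a replay cache). The cipher is a stand-in (HMAC-SHA256 keystream plus MAC) for Kerberos's real encryption types, the KDC here issues a TGT without pre-authentication (Active Directory requires an encrypted timestamp in the AS-REQ by default), and the principals, passwords, lifetime, clock skew and settable clock are all constructed for the demonstration.

```python
import hashlib, hmac, json, os
LIFETIME = 10 * 3600  # ticket lifetime in seconds (constructed; AD's default is 10 hours)
SKEW = 300            # clock skew tolerated on authenticators (constructed; 5 minutes)

def derive_key(password, principal):  # string-to-key: long-term key from password, salted with the name
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 5000)

def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode, a toy keystream
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):  # encrypt-then-MAC a JSON object: stand-in for a Kerberos EncryptedData blob
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class Clock:  # settable clock so the demo can show expiry without waiting ten hours
    def __init__(self, t=1_700_000_000.0): self.t = t
    def __call__(self): return self.t

def check_authenticator(ticket, authenticator, now):
    """Shared by KDC and services: ticket unexpired, authenticator fresh and from the ticket's client."""
    if now > ticket["exp"]:
        raise PermissionError("ticket expired")
    a = unseal(bytes.fromhex(ticket["sk"]), authenticator)  # only the session-key holder could make it
    if a["client"] != ticket["client"] or abs(now - a["ts"]) > SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return a

class KDC:  # Key Distribution Center: holds every principal's long-term key, as a domain controller does
    def __init__(self, principals, now):
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)
        self.now = now
    def _ticket(self, client, service):
        sk = os.urandom(32).hex()  # fresh session key, carried inside the ticket
        body = {"client": client, "service": service, "sk": sk, "exp": self.now() + LIFETIME}
        return seal(self.keys[service], body), sk
    def as_exchange(self, client):  # AS-REQ/AS-REP: TGT plus session key, the latter readable only with the password
        tgt, sk = self._ticket(client, "krbtgt")
        return tgt, seal(self.keys[client], {"sk": sk})
    def tgs_exchange(self, tgt, authenticator, service):  # TGS-REQ/TGS-REP: TGT -> service ticket, no password
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(t, authenticator, self.now())
        st, sk = self._ticket(t["client"], service)
        return st, seal(bytes.fromhex(t["sk"]), {"sk": sk})

class Service:  # a domain-joined host or application holding its own key (its keytab)
    def __init__(self, name, password, now):
        self.name, self.key, self.now, self.replay = name, derive_key(password, name), now, set()
    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)  # only the service's own key opens tickets issued to it
        a = check_authenticator(t, authenticator, self.now())
        if (a["client"], a["ts"]) in self.replay:  # replay cache, as real Kerberos acceptors keep
            raise PermissionError("replayed authenticator")
        self.replay.add((a["client"], a["ts"]))
        return t["client"]

class Client:
    def __init__(self, name, kdc, now):
        self.name, self.kdc, self.now, self.tgt, self.last_ap = name, kdc, now, None, None
    def _auth(self, sk):
        return seal(bytes.fromhex(sk), {"client": self.name, "ts": self.now()})
    def logon(self, password):  # the one interactive step: prove the password by decrypting the AS-REP
        tgt, enc = self.kdc.as_exchange(self.name)
        self.tgt = (tgt, unseal(derive_key(password, self.name), enc)["sk"])
    def access(self, service):  # single sign-on: cached TGT -> service ticket -> AP-REQ, no prompt
        tgt, tgt_sk = self.tgt
        st, enc = self.kdc.tgs_exchange(tgt, self._auth(tgt_sk), service.name)
        self.last_ap = (st, self._auth(unseal(bytes.fromhex(tgt_sk), enc)["sk"]))
        return service.ap_exchange(*self.last_ap)

def demo():  # one logon, two systems, then the failure modes; names and secrets are constructed
    clock = Clock()
    kdc = KDC({"alice": "correct horse battery", "host/unix01": "k-unix01", "cifs/fs01": "k-fs01"}, clock)
    alice = Client("alice", kdc, clock)
    unix01, fs01 = Service("host/unix01", "k-unix01", clock), Service("cifs/fs01", "k-fs01", clock)
    r = {}
    def attempt(key, fn):
        try: r[key] = fn()
        except PermissionError as e: r[key] = "rejected: " + str(e)
    attempt("wrong_pw", lambda: alice.logon("wrong password"))
    alice.logon("correct horse battery")                 # password entered exactly once...
    attempt("ssh", lambda: alice.access(unix01))         # ...then a UNIX host...
    attempt("share", lambda: alice.access(fs01))         # ...and a Windows file share, no prompt
    attempt("replay", lambda: fs01.ap_exchange(*alice.last_ap))  # captured AP-REQ resent
    clock.t += LIFETIME + 1
    attempt("expired", lambda: alice.access(unix01))     # TGT lifetime over: a fresh logon is needed
    return r
```

Running demo() shows the points a practitioner cares about: a wrong password fails at the AS step and never reaches a service; the second and later accesses need no user interaction because they are driven by the cached TGT; a captured ticket-plus-authenticator pair is refused on replay; and an expired TGT forces a fresh logon. A UNIX host joined to the domain plays the Service role here, which is what lets it accept the ticket a user obtained at a Windows desktop logon.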

2.2 The business case for Active Directory

The business case for leveraging Active Directory as a true enterprisewide directory /
infrastructure solution is also strong:

• Since Active Directory is an integral part of Windows infrastructure and networking,
it has already become a ubiquitous and irreplaceable component within your IT
environment.




• Many organizations have already made investments to migrate to Active Directory
and deploy it companywide. It makes good business sense to fully leverage those
investments by extending Active Directory to other platforms, versus the cost of
trying to maintain different solutions for different platforms.

• Typically, most of your organization’s internal identity information is already stored
in Active Directory. Why spend extra time, money and resources to move it or
replicate it to another system?

• With Active Directory built and supported by Microsoft – the largest software
company in the world – there is little risk in deploying an Active Directory solution.
Microsoft is firmly committed to Active Directory and continues to invest in
enhancing and expanding its capabilities.

Given these capabilities, Active Directory would be an excellent choice to provide
centralized, cross-enterprise directory and infrastructure services except that it is missing
one essential feature – it does not include capabilities to easily support non-Windows
client systems. However, the solution landscape has recently changed, and there is now a
way to extend the features and benefits of Active Directory to non-Windows systems and
applications. Centrify’s DirectControl suite includes all of the necessary software to
allow UNIX, Linux, Mac and Java environments to use Active Directory as a central user
identity, infrastructure and policy engine.

3 Extending Active Directory with Centrify DirectControl

3.1 What is Centrify DirectControl?

The Centrify DirectControl suite is the only seamlessly integrated solution that
comprehensively extends Microsoft Active Directory's identity management, access
control and Group Policy services to your UNIX, Linux, Java and web platforms.
Centrify DirectControl is quick and easy to deploy, does not require costly or intrusive
changes to existing systems, and uniquely integrates your multiple UNIX/Linux identities
into Active Directory. By using DirectControl, administrators no longer need to manage
accounts on each individual UNIX, Linux or Mac system, but instead can use Active
Directory for identity and policy management.

On the Windows side, DirectControl consists of a console for Windows systems that is
very similar to the Active Directory Users and Computers Microsoft Management
Console. DirectControl enables the storage and management of UNIX user and computer
attributes in Active Directory and joins these new attributes to existing user and group
accounts.

On the UNIX or Linux system, DirectControl consists of a service that handles login
authentication and directory lookups and passes those requests through to Active
Directory. Additionally, utilities are included to join the UNIX system to
the Active Directory domain and perform diagnostic tasks. The DirectControl suite is
supported on most of the popular UNIX, Linux and Mac platforms in use today.

3.2 The combined benefits of DirectControl and Active Directory

With both Active Directory and DirectControl installed, an organization can easily
deploy a single directory capable of serving the vast majority of the users and computing
platforms in the organization. In addition to the benefits of Active Directory highlighted
earlier, the customer can now realize substantial new benefits with the combination of
the two technologies. The following sections describe these new benefits, which now
span Windows, UNIX, Linux, Mac and Java platforms.

3.2.1 Centralized management and security

• One directory is now used for managing access to Windows and UNIX-based
systems, including logon times and permitted users and groups. The administrator
can use a central console to temporarily disable access to systems or user accounts to
allow for maintenance or security tasks.

• One single account record is used for each user’s identity, password and credential
information. The system also manages password policies such as length, complexity,
resets, login failure lockouts and aging. Administrators can provision or
decommission users for all systems with one account record update.

• Active Directory’s highly secure, ticket-based authentication, using industry standard
Kerberos, can be used across Windows, UNIX, Linux, Mac and Java platforms. This
results in a single sign-on experience that spans all Windows, UNIX and Linux
systems.

• DirectControl allows you to map special UNIX accounts such as root to trusted
Active Directory users. No longer do administrators have to manage special UNIX
accounts machine by machine.

• Groups can be managed centrally, including the ability to map UNIX groups to
Active Directory groups. Using DirectControl Zones, IT managers have the ability to
also manage access to systems based on pre-established roles. Access rights for each
user, group and computer can easily be mapped and tracked using the tools in
DirectControl and Active Directory. In addition, the logging of user logins and
system access attempts, for all systems in the domain, is stored in one central
location. These reporting tools help demonstrate compliance with data access regulations.

3.2.2 Ease of use and increased productivity

• Both the Active Directory solution set and the DirectControl suite leverage the same,
easy-to-use, Windows-based interface through Wizards and Microsoft Management
Consoles.




• Users now have a single username and password that can be used to access all
authorized systems. Users are no longer required to memorize and manage
passwords as they move from one platform to the next.

• Through DirectControl’s credential caching feature, UNIX users are now able to log
into their systems even if they are disconnected from the central network. This is
consistent with the standard Windows client user experience, which supports offline
domain user logins.

3.2.3 Lower cost

• Companies will see lower management and training costs due to the use of a single
consolidated interface for identity, policy and infrastructure management.

• IT departments no longer need to purchase and maintain directory and user licenses
and support contracts for multiple directory systems.

• The combination of DirectControl and Active Directory leverages your existing
investment in Microsoft licenses, support, applications and knowledge.

3.2.4 Extensible identity and policy management

• The Group Policy engine can now be leveraged to manage system policies across all
platforms.

• Developers have the ability to extend Active Directory-enabled applications beyond
Windows to UNIX and Java-based applications.

• Centrify’s DirectControl is the only solution to offer you the flexibility to maintain
multiple UNIX IDs linked to a single Active Directory account using DirectControl
Zones. This feature is indispensable for IT managers who are migrating multiple
legacy identity systems to Active Directory.
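Two ideas from this paper, the UNIX-side lookup service of section 3.1 and the zone-scoped UNIX identities of the bullet above, modelled together as an added example; this is not DirectControl code. A host is joined to one zone; a passwd lookup consults the local files first and then the directory, where each account carries zero or more UNIX profiles (uid, gid, home, shell), one per zone, so one directory account can be uid 10001 in one zone and uid 4242 in another. The attribute names, zone names, accounts and local passwd content are constructed for illustration and are not Centrify's actual schema; the uid-collision check at the end is the kind of pre-join audit a practitioner would run, not a product feature the paper describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Passwd:  # the fields of struct passwd, i.e. one /etc/passwd line
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

# Constructed sample of the host's own /etc/passwd, the "files" source.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# Constructed sample of the directory: one account per person, carrying zero or more
# UNIX profiles keyed by zone. The attribute names are assumptions for this example.
DIRECTORY = {
    "alice": {"displayName": "Alice Example", "enabled": True, "profiles": {
        "corp-linux":     {"uid": 10001, "gid": 10001, "home": "/home/alice", "shell": "/bin/bash"},
        "legacy-solaris": {"uid": 4242,  "gid": 100,   "home": "/export/home/alice", "shell": "/bin/ksh"},
    }},
    "bob": {"displayName": "Bob Example", "enabled": True, "profiles": {
        "corp-linux":     {"uid": 10002, "gid": 10001, "home": "/home/bob", "shell": "/bin/bash"},
    }},
    "carol": {"displayName": "Carol Example", "enabled": False, "profiles": {  # disabled in the directory
        "corp-linux":     {"uid": 10003, "gid": 10001, "home": "/home/carol", "shell": "/bin/bash"},
    }},
    "dave": {"displayName": "Dave Example", "enabled": True, "profiles": {
        "legacy-solaris": {"uid": 0,     "gid": 0,     "home": "/", "shell": "/bin/sh"},  # migrated uid 0
    }},
}

def parse_passwd(text: str) -> Dict[str, Passwd]:
    """Parse /etc/passwd-format text into Passwd entries keyed by name."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        entries[name] = Passwd(name, int(uid), int(gid), gecos, home, shell)
    return entries

def directory_passwd(zone: str) -> Dict[str, Passwd]:
    """Project the directory onto one zone's UNIX namespace. Disabled accounts and
    accounts without a profile in this zone are simply absent on the zone's hosts."""
    out = {}
    for name, acct in DIRECTORY.items():
        prof = acct["profiles"].get(zone)
        if acct["enabled"] and prof:
            out[name] = Passwd(name, prof["uid"], prof["gid"], acct["displayName"], prof["home"], prof["shell"])
    return out

def sources(zone: str, order: Tuple[str, ...] = ("files", "directory")) -> List[Dict[str, Passwd]]:
    """nsswitch-style source order for a host joined to `zone`: files first, then the directory."""
    table = {"files": lambda: parse_passwd(LOCAL_PASSWD), "directory": lambda: directory_passwd(zone)}
    return [table[s]() for s in order]

def getpwnam(name: str, zone: str) -> Optional[Passwd]:
    for src in sources(zone):
        if name in src:
            return src[name]
    return None

def getpwuid(uid: int, zone: str) -> Optional[Passwd]:
    for src in sources(zone):
        for entry in src.values():
            if entry.uid == uid:
                return entry
    return None

def uid_collisions(zone: str) -> List[Tuple[str, int, str]]:
    """Directory profiles in `zone` whose uid a local account already owns. A uid-0 collision
    means a directory user is root on every host in the zone; audit this before joining."""
    local = {e.uid: e.name for e in parse_passwd(LOCAL_PASSWD).values()}
    return [(n, e.uid, local[e.uid]) for n, e in sorted(directory_passwd(zone).items()) if e.uid in local]

if __name__ == "__main__":
    for zone in ("corp-linux", "legacy-solaris"):
        print(zone, getpwnam("alice", zone), uid_collisions(zone))
```

Points worth noting: bob, who has no legacy-solaris profile, simply does not exist on hosts in that zone; carol, disabled in the directory, disappears from every zone at once (the one-record update of section 3.2.1); and dave's migrated legacy profile resolves to uid 0 on every host in that zone even though getpwuid(0) still returns the local root entry, which is exactly the case uid_collisions() is there to flag before a host is joined.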

4 Active Directory and DirectControl – the right choice

The possibility of managing user identity information, security credentials, system policy
and infrastructure services across multiple systems from a single enterprise directory has
been a goal of IT managers for years.

Active Directory is a proven, secure, scalable, highly available distributed infrastructure
and identity management solution. Active Directory is backed by the world’s largest
software vendor – Microsoft – and is therefore a low risk, well supported, long-term
solution. DirectControl is built by a leading identity management firm, and Centrify has
established strong partnering relationships with Microsoft and other major enterprise
vendors.




With Centrify’s DirectControl and Microsoft’s Active Directory, you can now extend the
directory you already own to UNIX, Linux, Mac and Java environments and realize
substantial benefits for your organization through lower costs, better security, simplified
management and increased productivity.

Single identity and policy directory using DirectControl and Active Directory

5 How to contact Centrify

Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041

U.S. Sales Office: +1 (650) 961-1100

Enquiries: info@centrify.com

Web site: www.centrify.com

