BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for April, 2008

Enterprise Identities – User Centric? Sort of…

Posted by BPuhl on April 28, 2008

During my presentation at the European Identity Conference, I decided to take a slightly different approach to the identity conversation and focus on the needs of the enterprise in an Identity 2.0 world.  For those that know me, this shouldn’t be a huge surprise: I spend about 12+ hours of my day working on MS IT’s Identity and Access Management team, and the rest of the time sleeping or playing with my kids.  So what I realized was that while it is important to deal with problems like phishing and user consent in a consumer world, as an enterprise IT guy I just really didn’t care that much about the consumer problems (but I’m glad there are people working on it).

When it comes to enterprise identities though, one of the things I received some feedback on was a comment I made during my session, which went something like this:

User centric principles are still valid and relevant in an enterprise, but you must remember who the user is.  In an enterprise, it’s not the person sitting behind the keyboard, because they are not the owner of the digital identity.  When a person is hired, the enterprise issues that person a digital identity, which the enterprise owns, and which may be used by the person on behalf of the enterprise.  2 quick examples:


1.  When you leave your company, try to take your enterprise-issued digital identity with you.  If it’s yours, you’ll be able to keep it, and all of the corresponding access that came along with it.  But we all know that your account is terminated – and if not, then please go sit through some sessions on provisioning/deprovisioning.

2.  When is the last time that an enterprise gave a user the option of determining what information they were going to send to a line of business application?  I’m sorry Mr. Application, but my iCard says that you’re going to get my phone number, and I decline to give you this information…so I guess I just won’t do my job now.  NOT!

Recognizing who the user really is immediately makes questions like how CardSpace can be leveraged in an enterprise, and how identity selectors help when transitioning between user accounts, much more interesting.


Posted in Digital Identity

The Right Tools…

Posted by BPuhl on April 28, 2008

Wow!  Just got back from the European Identity Conference, and what an awesome experience.  3 days packed with everything that anyone could ever want about identity management, federation, and governance/compliance.  The event is hosted by Kuppinger Cole + Partner, an analyst firm which focuses on identity issues.

One of the things I found extremely interesting was the large number of conversations which focused around OpenID.  OpenID is a federation-like authentication technology which allows a user from one domain to authenticate to resources in another domain (web domains, not AD domains).  OpenID is understood to have some less than stellar security considerations, but at the same time, it’s incredibly easy to implement.

The conversations were interesting though, because they often came back around to the familiar point: needing the right tool for the job.

OpenID is being “marketed” (term used loosely) as a logon convenience for low impact sites, such as blogs.  This mostly makes sense, because if someone was malicious and hacked into your blog, it wouldn’t be the end of the world, and the trade-off of not needing to maintain a password is worth the risk.  But that’s the key point – THE TRADE-OFF OF CONVENIENCE IS WORTH THE SECURITY RISK.

Many times there were comments or discussions about how to make OpenID “more secure”, or to be able to use it in situations where the impact might be higher and you wanted more security.  Well, if you want more security, then you should look at using one of the “more secure” protocols, like SAML or WS-*.  The trade-off here though, is that these require much more overhead to implement and manage.

When you’re analyzing tools for a project though, remember that the different authentication protocols (aw heck, let’s toss Kerberos and NTLM in just for fun as well) are not all created equal.  All have varying levels of management overhead, security, infrastructure, and ease-of-use which you need to consider.

The good news is that there are a wide variety of technologies available.  It’s up to the technical folks to understand the differences, and make the right decisions, so that the users have the right balance of protection and user experience.

Posted in Digital Identity

Logging in…

Posted by BPuhl on April 20, 2008

Fair warning, I don’t really expect this post to contain much substance (not that many of my posts do…but this time I know it).

Basically, this is just a simple rant about how hard it apparently is for me to deal with a changing pattern.  See, I’ve been logging into Windows workstations for a long time.  You walk up, hit CTRL+ALT+DELETE, type your PASSWORD, pound ENTER and poof, you’re in (note that I’m not making comments on when the desktop loads, or anything like that…just that “you’re in”)

But since I enjoy the taste of dogfood, and we’re running beta versions of Identity Lifecycle Manager “2” internally, I of course had to install the ILM2 client which enables the self service password reset portal.  Very cool feature: basically, when you log in the first time, you’re prompted with a series of questions that can be fed back to you as challenges when you click the “reset password” link that is added under the password dialog on the Vista logon screen.

So here’s my pattern issue though.  Once the client is installed (at least the beta version), first you punch CTRL+ALT+DELETE, and you’re presented with the “select user account” screen, which requires an ENTER, and then the PASSWORD, and then ENTER again.  Do you have any idea how screwed up that extra ENTER is when you’re logging on?

To make matters worse, the LCD display on my desk has a nice long warm-up time from when I first start punching keys to when it decides that it’s going to wake up.  I had adjusted to this though, because I’ve always known that I could walk up, hit the right combo of keys and password, and by the time the screen lit up, my desktop would be showing.  Of course, without the extra ENTER, I’m all screwed up.

It took substantially longer than it probably should have though, for me to get used to the extra ENTER, but hey, I adapted (finally), and life is all good now.  Well, at least I thought it was…except last week, I uninstalled the client component.  And what happened?  That damn 2nd ENTER just disappeared on me, and now I’m back to normal C+A+D+PW+ENTER behavior!

How frustrating do you think this is?  Well it’s been kicking my ass for damn near a week now, so apparently it’s frustrating enough that I decided to write a blog post about it… 

I sincerely hope that in some pre-RTM version of the client, they fix that bug…  I don’t think anyone realized how ridiculously obnoxious changing this simple behavior could be.

Posted in Active Directory, Random Technical Stuff, Rants

Maximum Limits of AD

Posted by BPuhl on April 18, 2008

In case you were curious about the maximum number of objects that AD can hold…or anything else that could be considered “bar trivia” – assuming that you hang out in a bar filled with Active Directory admins…

Then you probably want to take a look at this:  Active Directory Maximum Limits

Posted in Active Directory

Upcoming Conferences

Posted by BPuhl on April 10, 2008

I’m confirmed as a speaker at a couple of upcoming conferences, talking about ADFS and Server 2008 Active Directory.  So, if you have a chance to make it to either of these, then come find me and say hi!

European Identity Conference

If you happen to be in the neighborhood April 22-25 (by neighborhood I mean, Munich, Germany), then I’ll be presenting at the European Identity Conference talking about what it’s been like to use federated identity in an enterprise.  I’ll also be participating in a panel discussion on federation that Wednesday afternoon.


TechEd 2008 – Orlando, FL

I made the cut again this year, to present in the SRV/MSIT track at TechEd, June 10-13.  I’ll be doing a breakout session on Active Directory with Windows Server 2008, and a chalk talk on identity management.  Still trying to squeeze something in, maybe a chalk talk, about ADFS, but we’ll see how that ends up.

Edited to fix the TechEd Year – Thanks Brian D. for pointing that one out….oops 🙂

Posted in Active Directory, ADFS

AuthA, B, C…no, no…AuthN & AuthZ – yeah, that’s it!

Posted by BPuhl on April 4, 2008

So in a previous post, I said:

I want the authentication of YOUR users accessing MY data, to be as credible as the authentication of YOUR users accessing YOUR data.

And this is ABSOLUTELY true.  But I ONLY want the authentication portion…please, authenticate the user against your identity store, but let’s just stop there.  Is there really any need to stuff his token full of claims?  After all, claims are for AUTHORIZATION, and have nothing to do with AUTHENTICATION.  Presence of a valid token indicates authN.

So why do I want to separate authN from authZ?  Because in my opinion:

Authentication needs to be performed by the party who has the most credible source of the user’s digital identity.

Authorization, though, has nothing to do with the user.  Authorization is all about the data which is being protected.  Therefore, the source of the authorization is the owner of the data.

This is where claims based systems get interesting today, because the ideas they are based on were largely formed for the “user-centric” identity metasystem…or, to say it another way…the consumer market.  Putting the authorization data into the authentication token makes sense when it’s the user’s data.  For example, if I’m putting my personal data into a web 2.0 application, then that is still my data.

But what about when the data doesn’t belong to the user (or even the users enterprise) who is accessing it?  For example, Microsoft hosts a DMZ network to provide business partners with access to our data.  Do we want to allow our partners to start deciding which data they get access to?  Probably not.

So as enterprise federation continues to gain traction, it’s time to start exploring what’s required for the authentication to come from the partner, while still allowing the enterprise applications to own the authorization to their own data.
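One way to see that split in code, as an added example that is not from this post and not ADFS’s own implementation: the partner’s identity provider signs a token that proves who the user is, and the relying party that owns the data verifies that signature but then consults only its own access table. The shared HMAC key, the issuer names, the user names and the `inventory-report` resource are all constructed for the example; a real ADFS token is a SAML assertion signed with the partner’s X.509 token-signing certificate, which the HMAC merely stands in for here.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret between the partner IdP ("contoso.example") and
# our relying party. Real ADFS tokens are SAML assertions signed with the
# partner's X.509 token-signing certificate; an HMAC stands in for that
# signature so the example runs offline (assumption, not ADFS behaviour).
PARTNER_KEY = b"constructed-demo-key-for-contoso-idp"
TRUSTED_ISSUERS = {"contoso.example": PARTNER_KEY}

# Authorization belongs to the data owner: this table is ours, keyed by
# (issuer, subject) as asserted by the partner, and never by anything the
# partner puts in the token beyond the subject. Constructed entries.
ACL = {
    "inventory-report": {("contoso.example", "alice"): {"read"}},
}


def issue_token(key, issuer, subject, extra_claims=None):
    """Partner IdP side: after authenticating the user (assumed), sign what it asserts."""
    payload = {"iss": issuer, "sub": subject, **(extra_claims or {})}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authenticate(token, trusted_issuers=TRUSTED_ISSUERS):
    """Relying party, AuthN only: (issuer, subject) for a valid token, else None.

    The only thing taken from the token is *who* the user is. Any other claim
    (role, group, ...) is ignored: it is the partner's opinion about
    authorization, and authorization over our data is ours to decide.
    """
    try:
        body, sig = token.split(".")
        payload = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:          # wrong shape, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    key = trusted_issuers.get(payload.get("iss"))
    if key is None or not isinstance(payload.get("sub"), str):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return payload["iss"], payload["sub"]


def authorize(principal, resource, action, acl=ACL):
    """Data-owner side: is this authenticated principal allowed this action?"""
    return action in acl.get(resource, {}).get(principal, set())


def access(token, resource, action):
    """Full decision: the partner answers 'who', we answer 'what they may do'."""
    principal = authenticate(token)
    if principal is None:
        return "denied: authentication failed"
    if not authorize(principal, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    # The partner asserts alice is an admin; we still grant only what our ACL says.
    alice = issue_token(PARTNER_KEY, "contoso.example", "alice", {"role": "admin"})
    print("alice read :", access(alice, "inventory-report", "read"))   # granted
    print("alice write:", access(alice, "inventory-report", "write"))  # denied: not authorized
    # A valid partner user we never authorized for this data.
    bob = issue_token(PARTNER_KEY, "contoso.example", "bob")
    print("bob read   :", access(bob, "inventory-report", "read"))     # denied: not authorized
    # A token from an issuer we have no trust with.
    other = issue_token(b"some-other-key", "fabrikam.example", "alice")
    print("other read :", access(other, "inventory-report", "read"))   # denied: authentication failed
```

The design choice worth noticing is that `authenticate` returns nothing but the principal: the `role` claim the partner included never reaches `authorize`, so the partner cannot widen its users’ access by changing what it puts in the token, only by changing who it vouches for.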

More to come on this…

Posted in ADFS, Digital Identity, Identity and Access, Random Technical Stuff

In-Credible Identities!

Posted by BPuhl on April 4, 2008

In the AD world, we love our password policies.  We want them to be complex, and change frequently, and long, and never reused.  In fact, for years, one of the biggest complaints has been that we’ve only been allowed to have ONE password policy for the domain (HORROR!).  Fortunately, the uber-geeks in the AD product group have brought us into the light with Fine Grained Password Policy (HURRRAY!) in Windows Server 2008.

So that’s the AD world.

Let’s step just a bit to the left though, away from the directory servers, over into the web farm.  Ok…fine…take three steps left…then two steps forward into the next row of racks…  now walk down the aisle…  there, see that one…the one with the ADFS label on it.  Ok…good.

“Have I got a deal for you!” 
There are two doors, behind each one lies a possible solution to solving your authentication in the DMZ for business partners problem:

Behind door #1 – You can keep your directory, your provisioning system, and your custom password policies.  Issue a shiny-new identity for each of the business partners, and empower those users to change their passwords in your directory to keep their access.


Behind door #2 – Toss out that directory and provisioning system, and build in federation.  The users will use the username/passwords that get them access to their company’s “stuff” (your business partner), and now they can use those same accounts to access your resources.

Of course there’s a catch (there’s always a catch):

If you pick door #2, you don’t get to see what your partner’s password policies are.  For all you know – and you might find out – they could REQUIRE that their users maintain at least 4 character passwords that never expire.  Or maybe not, you just don’t know.


If you pick door #1, then you’ve got “strong access”, but you have no way of knowing when that user was fired or quit their company.  In other words, no “de-provisioning”.  So it may be secure, but they are now “secure and malicious”, which doesn’t help much.

This is the common argument that I seem to have with AD people when talking about ADFS.  They compare something new (ADFS) with something they know (AD), and the result is often a fear of losing control.  So it’s not surprising, but is a bit frustrating, that almost everyone still picks door #1.

If you have this conversation a few dozen times…using this (and other) blog posts as fodder for your thoughts…then you’ll likely come to the conclusion that we have as well – which is that de-provisioning trumps password policy. 

I want the authentication of YOUR users accessing MY data, to be as credible as the authentication of YOUR users accessing YOUR data.
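To make the door #1 versus door #2 trade-off concrete, here is an added example (not from this post, and not a model of any product) that simulates both. The partner’s IdP refuses a terminated user as soon as HR removes them. The locally issued account keeps working until some compensating control notices; the usual one, disabling accounts that have been idle too long, misses exactly the ex-employee who keeps logging in and instead locks out a legitimate but idle partner user. The dates, user names and 30-day idle threshold are constructed.

```python
from datetime import date, timedelta


class PartnerIdP:
    """Door #2 (federation): the partner authenticates its own people, so an
    HR termination on their side is enforced at the very next logon."""

    def __init__(self, active_users):
        self.active = set(active_users)

    def terminate(self, user):
        self.active.discard(user)

    def authenticate(self, user):
        return user in self.active


class LocalPartnerAccounts:
    """Door #1: accounts we issued in our own directory. We control the password
    policy, but no signal reaches us when the partner lets someone go."""

    def __init__(self, users, today):
        self.enabled = {u: True for u in users}
        self.last_logon = {u: today for u in users}

    def authenticate(self, user, today):
        if self.enabled.get(user, False):
            self.last_logon[user] = today
            return True
        return False

    def stale_sweep(self, today, max_idle_days):
        """Compensating control: disable accounts unused for more than
        max_idle_days. Returns the accounts disabled in this run."""
        disabled = []
        for user, enabled in self.enabled.items():
            if enabled and (today - self.last_logon[user]).days > max_idle_days:
                self.enabled[user] = False
                disabled.append(user)
        return disabled


def simulate(days_after_termination=60, max_idle_days=30,
             ex_employee_keeps_logging_in=False):
    """Partner HR terminates 'alice' on day 0; 'bob' stays employed but never
    logs in. Returns whether each door still lets alice in after the given
    number of days, and whether bob (legitimate, idle) can still log in locally."""
    day0 = date(2008, 4, 4)                      # constructed date
    idp = PartnerIdP(["alice", "bob"])
    local = LocalPartnerAccounts(["alice", "bob"], day0)
    idp.terminate("alice")                       # only the partner sees this event

    for d in range(1, days_after_termination + 1):
        today = day0 + timedelta(days=d)
        if ex_employee_keeps_logging_in:
            # Door #1 cannot tell her from a current employee: the account is
            # enabled and the password is hers, so the logon succeeds.
            local.authenticate("alice", today)
        local.stale_sweep(today, max_idle_days)

    today = day0 + timedelta(days=days_after_termination)
    return {
        "alice_via_federation": idp.authenticate("alice"),
        "alice_via_local_account": local.authenticate("alice", today),
        "bob_via_local_account": local.authenticate("bob", today),
    }


if __name__ == "__main__":
    print("ex-employee goes quiet :", simulate())
    print("ex-employee keeps using:", simulate(ex_employee_keeps_logging_in=True))
    print("ten days in            :", simulate(days_after_termination=10))
```

Running it shows the asymmetry the post is getting at: federation (door #2) answers `False` for alice in every scenario, while the local account (door #1) answers `True` for the first month regardless, and keeps answering `True` indefinitely for an ex-employee who stays active, which is the “secure and malicious” case. The idle sweep only ever catches people who stopped using the account, bob included.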

Posted in ADFS

ADFS auth with trusts…

Posted by BPuhl on April 4, 2008

This post falls under my “been asked 3 times in the past few days” rule…so it must qualify as a blog post:


1. If you have multiple AD DOMAINs and they are Forest and Trees (Parent Child sub-domain relationships), how many ADFS server(s) do you need? (one per DOMAIN, or can a single server handle sub-domains?)

2. If you have multiple AD DOMAINs and these DOMAINs have established Trust relationships, but they are not sub-domains (each DOMAIN is separate), how many ADFS server(s) do you need? (one per DOMAIN, or can a single server handle multiple Trusted DOMAINs?) (How does ADFS handle AD Trust relationships?)

3. If you have multiple AD DOMAINs and there are no Trust relationships between the DOMAINs, how many ADFS server(s) do you need? (one per DOMAIN, or can a single server handle multiple DOMAINs?)

Answer:  (check this out, kill 3 birds with one stone)

First, note that the context of these questions is the “FS-A” (the account partner federation service), i.e. the user authentication portion of ADFS.

So the answer is that ADFS works wonderfully across Windows trusts (regardless of type).  The first requirement for ADFS is that the user needs to be able to authenticate to the ADFS server.  Because ADFS is a web service which runs in IIS, this is analogous to saying that if a user could authenticate to ANY web application, then they are good to go.  The next thing that’s required is that the ADFS server has to be able to query the directory of the user account, to get any claims information.  So if you’re passing something like first name, last name, and/or e-mail address, then the server will query the corresponding directory for that info.

With trusts in place, you can satisfy both the “user auth” and the “query AD” functions from any application, so ADFS will work.

Internally at Microsoft, we have a single ADFS instance which is used to authenticate all of our employees out to business partners.  Their user accounts live in 1 of 4 production forests (15 domains total), any of which are (or have been) running Windows 2000, Windows Server 2003, and/or Windows Server 2008 (all mixes of domain and forest functional modes) at any given time. No problems!

(So if you want specific answers:

1) 1 – a single ADFS instance can service all domains in the forest

2) 1 – a single ADFS instance can handle all domains and forests with trusts

3) 1 per forest – all domains in a forest have implicit trust relationships, but if there are no trusts between domains of different forests, then each forest will need its own ADFS instance)

Posted in ADFS, Digital Identity, Identity and Access, Random Technical Stuff


Posted by BPuhl on April 4, 2008

By far, the most important thing to know about Active Directory Federation Services is this:

IT IS NOT ACTIVE DIRECTORY! It’s not even close. 


It’s a web service that gives out authorization tokens, but that’s not AD. 


So when you’re looking to start to deploy ADFS, take away all of the things that you know about AD:  DCLocator, replication, SRV records, multi-master…  get rid of them all.


Ok, now go break out the book on how to build a high-availability IIS web farm, and begin your ADFS deployment.

(important disclaimer:  Don’t take this as a negative, because it’s not meant to be.  It’s simply a reality check, because I suspect…actually, I hope…that many AD admins will sooner or later become ADFS admins)

Posted in Active Directory, ADFS, Nuggets, Random Technical Stuff

Machine Accounts

Posted by BPuhl on April 4, 2008

Don’t forget, computers are people too!

Posted in Active Directory, Nuggets, Random Technical Stuff