SEC402
Developing Identity-aware apps on Microsoft’s Identity Platform (Part 2)
David Mowers
Program Manager
Microsoft Security Solutions
Why attend this session?
Build apps that leverage existing AD infrastructure Identity Store
Build apps that use a local directory
Get introduced to .Net Framework interfaces for directories
Attend SEC320 (Part 1) as well for the complete story
Aimed at Developers & Architects
Agenda
Microsoft Identity Platform (ADM310)
Application Scenarios
Identity Management (AuthN & AuthZ)
Personalization
Application Configuration
Accessing AD using .NET framework
Microsoft Identity Platform
Diagram: App; Infrastructure Directory (AD); Metadirectory (MMS); Application Directory (ADAM)
Microsoft Identity Platform
Active Directory (AD)
Main authentication system
Publishing point for globally-interesting profile data
Active Directory Application Mode (AD/AM)
Lightweight standalone LDAP server
Personalized Identity data store
Microsoft Metadirectory Services (MMS)
Directory synchronization
Identity provisioning
Agenda
Microsoft Identity Platform
Application Scenarios
Identity Management (AuthN & AuthZ)
Personalization
Application Configuration
Accessing AD using .NET framework
Common App Problems
Who are my users?
What role does this user play?
What is my user’s preference?
Where can I store my configuration?
What’s an easy API?
Application Scenarios
Identity Management (AuthN & AuthZ)
Authenticating to the Infrastructure directory (SEC320)
Personalization
Existing App Support (LDAP)
Application Configuration
Customer Application Scenario
Diagram: AuthN tier in the Extranet (DMZ) facing the Internet; AuthZ tier and back-end data store on the Internal Network; external forest and internal forest joined by a forest trust with selective authentication
.NET Passport authentication
Map Passport to AD Account
Authorization Policy
Employee Application Scenario
Diagram: AuthN tier in the Extranet (DMZ) facing the Internet; AuthZ tier and back-end data store on the Internal Network; external forest and internal forest joined by a forest trust with selective authentication
SSL Client Cert authentication
Map Certificate to AD Account
Authorization Policy
Certificate Services
MMS 2003
Partner Application Scenario
Diagram: AuthN tier in the Extranet (DMZ) facing the Internet; AuthZ tier and back-end data store on the Internal Network; external forest and internal forest joined by a forest trust with selective authentication
Username/Pwd
Authenticate Partner
Authorization Policy
Cross-Platform Intranet Access Scenario
Diagram: contoso.com; Unix server w/ Apache; Windows user/IE; MIT realm; IIS; *NX client/Mozilla; Authorization Tier; SQL backend; AzMan Web Service
Benefits:
Centralized ID Mgmt
Kerberos AuthN
SSO
Centralized AuthZ Policy
Authenticating to the Infrastructure Directory
Multi-tier app scenarios
Intranet
Extranet
MSFT Identity platform
Authentication mechanisms
Authorization mechanisms
Trust mechanisms
Enabling the scenarios
Application Scenarios
Identity Management (AuthN & AuthZ)
Authenticating to the Infrastructure directory (SEC320)
Personalization
Existing App Support (LDAP)
Application Configuration
Personalization – Best Practices
Reuse existing centralized identities
Apps should not create a new, isolated identity store
Individually decorate identities or groups of identities
Non-global, application-centric data
Where to store personalization data?
Application Partition
AD/AM
Personalization: App Partition
Diagram: NOS Forest; the App performs AuthN/AuthZ against the forest and keeps volatile profile and/or config data in an App Partition, which replicates to the App at Location 2
Introducing: AD/AM
Programming model and admin tools virtually identical to infrastructure Active Directory
Skill set easily transferable
Download from http://www.microsoft.com/ad
Multi-instance, light-weight, high-performance
Infrastructure Active Directory
Components: LSASS; DSA; LDAP; SAM; MAPI; REPL; KDC; Lanman; DNS and FRS (dependencies)
Active Directory Application Mode
Components: DSAMAIN; DSA; LDAP; REPL
(Infrastructure AD minus legacy)
Personalization using AD/AM
Extend existing identities with application specific data
Diagram: Web portal (client) stores/retrieves data in AD/AM (server); the Infrastructure Directory is synchronized into AD/AM via MMS 2003 (optional)
Personalization: ADAM
Diagram: NOS Forest provides AuthN and global data; the App keeps local data (local schema) in ADAM; the Metadirectory synchronizes ID data into ADAM; ADAM replicates between App instances
Personalization - synch
Use MMS to synchronize identity
Synchronization can be used to provision / de-provision app data
App developer needs to provide a method for de-provisioning personalized app data
Common key is object GUID to tie app data with centralized identity
Personalization - solutions
AD Application Partition
Centralized management
Reuse existing processes (Backup/Restore)
Robust multi-master replication
Locally, regionally, or globally interesting data
Application local ADAM
Non-centralized directory control
More flexible schema
Robust multi-master replication
No reliance on Forest, Domain & DNS
Locally interesting data with reuse
Application Scenarios
Identity Management (AuthN & AuthZ)
Authenticating to the Infrastructure directory (SEC320)
Personalization
Existing App Support (LDAP)
Application Configuration
ADAM Bind Redirect: Bind Proxy to Windows Principals
This scenario benefits from consolidation of identities: only the Windows identity is used; the ADAM DN is just a manifestation of the Windows identity.
Diagram: App (client) talks to AD/AM (server), which holds global user data and redirects authentication to the Infrastructure Directory
1. LDAP Connect
2. LDAP Bind w/ creds
3. Bind call redirected to AD
4. LDAP Bind succeeds
ADAM Bind Redirect: Bind Proxy to Windows Principals
Proxy object in ADAM
Local manifestation of Windows object
Augmented with app-specific local data
Redirect bind calls to Windows
Single password experience by consolidating identity in AD; the password is not stored in ADAM
Decommissioning is automatic
No changes needed to the app
Abstracts the infrastructure environment (domains, forests) from the developer
Works with any trusted domains and forests
Application Scenarios
Identity Management (AuthN & AuthZ)
Authenticating to the Infrastructure directory (SEC320)
Personalization
Existing App Support (LDAP)
Application Configuration
Application Configuration
Application specific configuration in ADAM OR in an App Partition
Diagram: App (client) stores/retrieves configuration in ADAM or in an App Partition of the Infrastructure Active Directory (server)
Agenda
Microsoft Identity Platform
Application Scenarios
Identity Management (AuthN & AuthZ)
Personalization
Application Configuration
Accessing AD using .NET framework
Accessing AD using .NET Framework
System.DirectoryServices
DSML
Other (C/C++, ADSI, ADO, Java/J2EE)
System.DirectoryServices
Part of .NET framework
Assembly: System.DirectoryServices.DLL
Written on top of native ADSI
Two major classes do the majority of work:
DirectoryEntry
DirectorySearcher
Access to any LDAP server
Directory Object
Each object has a name: Relative Distinguished Name
E.g., OU=Sales
Each object has a path: Distinguished Name
Constructed based on its name and its ancestors
E.g., OU=Sales,DC=Fabrikam,DC=Com
Each Active Directory object also has a GUID
Immutable, never changes
Example tree: DC=Fabrikam,DC=COM contains OU=Sales, which contains CN=John Smith and CN=Alice Reed
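The slide describes names (RDNs) and paths (DNs) but not how to take them apart or build them safely. The following C# helper is an added example and not code from the deck; it splits a DN into its RDN components, derives the name and parent the way DirectoryEntry.Name and DirectoryEntry.Parent do, and escapes an attribute value per RFC 4514 so that a value containing a comma (such as "Smith, John") cannot be mistaken for an extra DN component. The DNs used in Main are the slide's Fabrikam examples; the "Smith, John" value is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Added example (not from the slides): helpers for distinguished names as the
// deck describes them. Escaping follows RFC 4514; a DN is split on commas that
// are not preceded by a backslash.
public static class DnHelper
{
    // Split a DN into its RDN components, leaf object first:
    // "CN=John Smith,OU=Sales,DC=Fabrikam,DC=Com" ->
    // ["CN=John Smith", "OU=Sales", "DC=Fabrikam", "DC=Com"]
    public static List<string> SplitRdns(string dn)
    {
        var parts = new List<string>();
        var current = new StringBuilder();
        bool escaped = false;
        foreach (char c in dn)
        {
            if (escaped) { current.Append(c); escaped = false; continue; }
            if (c == '\\') { current.Append(c); escaped = true; continue; }
            if (c == ',') { parts.Add(current.ToString().Trim()); current.Clear(); continue; }
            current.Append(c);
        }
        if (current.Length > 0) parts.Add(current.ToString().Trim());
        return parts;
    }

    // Relative distinguished name: the first component (e.g. "OU=Sales").
    public static string Name(string dn) => SplitRdns(dn)[0];

    // Parent DN: everything after the first component, or "" at the root.
    public static string Parent(string dn) => string.Join(",", SplitRdns(dn).Skip(1));

    // Escape an attribute value for use inside an RDN. Special characters,
    // a leading '#', and leading/trailing spaces get a backslash (RFC 4514).
    public static string EscapeRdnValue(string value)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool special = ",+\"\\<>;".IndexOf(c) >= 0
                || (c == '#' && i == 0)
                || (c == ' ' && (i == 0 || i == value.Length - 1));
            if (special) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Build the DN of a child object from its parent DN and an unescaped CN.
    public static string ChildDn(string parentDn, string cn) =>
        "CN=" + EscapeRdnValue(cn) + "," + parentDn;

    public static void Main()
    {
        // Constructed value: a display name that contains a comma.
        string dn = DnHelper.ChildDn("OU=Sales,DC=Fabrikam,DC=Com", "Smith, John");
        Console.WriteLine(dn);
        Console.WriteLine("Name:   " + DnHelper.Name(dn));
        Console.WriteLine("Parent: " + DnHelper.Parent(dn));
        Console.WriteLine("Depth:  " + DnHelper.SplitRdns(dn).Count);
    }
}
```

Because a DN changes whenever an object is renamed or moved, application data that must follow an identity is better keyed on the object's GUID (the slide's immutable identifier) than on its DN; the DN is what you bind with, the GUID is what you store.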
DirectoryEntry
Each object in the directory is represented as DirectoryEntry
What can you do with an object?
Modify its properties
Rename, Move
Enumerate its children
Create children
Delete its children
Get its identity
Get its parent
DirectoryEntry Example
using System.DirectoryServices;

// Creates a DirectoryEntry object in memory; it does not create an object
// in the directory. The path is a string that includes the distinguished
// name (discussed later).
DirectoryEntry entry = new DirectoryEntry(path);

// Path, Name, Guid and Parent are always available.
Console.WriteLine(entry.Path);
Console.WriteLine(entry.Name);
Console.WriteLine(entry.Guid);
DirectoryEntry parent = entry.Parent;
Binding To An Object
Client can connect to any LDAP server
E.g., "LDAP://srv01", "LDAP://srv02"
If none specified, Active Directory Locator Service helps you locate nearby server
Client can bind to any object in the directory
Specify the object’s distinguished name
Subject to access check
Path format
LDAP://[serverName/][DistinguishedName]
Client may pass alternate credentials, specify authentication method, encryption mechanism, etc.
Binding Examples
// No path: the Active Directory Locator Service finds a nearby server.
new DirectoryEntry();

// Bind to a specific object on a specific server with the caller's identity.
new DirectoryEntry("LDAP://srv01/CN=Alice,OU=HR,DC=Fabrikam,DC=COM");

// Bind with alternate credentials.
new DirectoryEntry("LDAP://srv01/OU=HR,DC=Fabrikam,DC=COM", userName, password);

// Bind with the caller's identity (null credentials) and secure (Kerberos/NTLM) authentication.
new DirectoryEntry("LDAP://DC=Fabrikam,DC=COM", null, null, AuthenticationTypes.Secure);
Navigation
Each DirectoryEntry has a collection object, named Children
To get to a specific child, use .Find()
To get its parent, use .Parent
foreach (DirectoryEntry child in entry.Children)
{
    Console.WriteLine(child.Name);
}

DirectoryEntry parent = entry.Parent;
DirectoryEntry child = entry.Children.Find("OU=Sales");
Directory Services Markup Language (DSML)
A Working Group / Technical Committee (Microsoft, Sun, IBM, Novell, Bowstreet, Oracle, Access 360, Netscape, etc.)
DSMLv1
Representing Directory Objects in XML
DSMLv2
Representing LDAP Operations in XML
Design Goals:
Transport Independence
Full fidelity with LDAP
DSMLv2 is NOT a superset of DSMLv1
Why is DSML important?
Allows Active Directory access via another standard protocol (e.g., SOAP)
Allows greater interop with other directory services (e.g., export/import scenarios)
Vast support of XML tools and APIs
DSML is transport independent; it opens up AD access to many different transports (HTTP, SMTP, SOAP over DIME)
Firewall friendly
Platform independence: easily access AD through DSML Services for Windows from a different client platform such as Unix, Mac, or even small devices (cell phones, PDAs, etc.)
DSMLv2 Over SOAP
<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/">
  <se:Body xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <batchRequest>
      <searchRequest dn="dc=fabrikam,dc=com"
                     scope="wholeSubtree"
                     derefAliases="neverDerefAliases"
                     sizeLimit="1000">
        <filter>
          <substrings name="anr">
            <final>davej</final>
          </substrings>
        </filter>
        <attributes>
          <attribute name="telephoneNumber" />
        </attributes>
      </searchRequest>
    </batchRequest>
  </se:Body>
</se:Envelope>
DSMLv2 SOAP Response
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">
      <searchResponse>
        <searchResultEntry dn="CN=David Johnson,…">
          <attr name="telephoneNumber">
            <value>+1 (243) 8430432</value>
          </attr>
        </searchResultEntry>
        <searchResultDone>
          <resultCode code="0" descr="success"/>
        </searchResultDone>
      </searchResponse>
    </batchResponse>
  </soap:Body>
</soap:Envelope>
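The two slides show a DSMLv2 request and response as static XML. The following C# is an added example, not code from the deck or from DSML Services for Windows: it builds the slide's searchRequest envelope with System.Xml.Linq, so that the base DN, the ANR value and the attribute names are placed into the document by the XML API and escaped automatically rather than pasted into a string, and it parses a batchResponse of the slide's shape back into entries and a result code. The response text in Main is constructed after the slide's sample, with a made-up full DN for David Johnson; sending the request over HTTP is left out, since it depends on the deployment.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example, not from the slides: build a DSMLv2 searchRequest and read a
// batchResponse using the namespaces shown on the slides.
public static class DsmlClient
{
    static readonly XNamespace Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    static readonly XNamespace Dsml = "urn:oasis:names:tc:DSML:2:0:core";

    public sealed class Entry
    {
        public string Dn;
        public Dictionary<string, List<string>> Attributes;
    }

    // One SOAP envelope carrying one searchRequest (ANR substring match on anrValue).
    public static XDocument BuildSearchRequest(string baseDn, string anrValue, params string[] attributes)
    {
        return new XDocument(
            new XElement(Soap + "Envelope",
                new XAttribute(XNamespace.Xmlns + "se", Soap),
                new XElement(Soap + "Body",
                    new XElement(Dsml + "batchRequest",
                        new XElement(Dsml + "searchRequest",
                            new XAttribute("dn", baseDn),
                            new XAttribute("scope", "wholeSubtree"),
                            new XAttribute("derefAliases", "neverDerefAliases"),
                            new XAttribute("sizeLimit", "1000"),
                            new XElement(Dsml + "filter",
                                new XElement(Dsml + "substrings", new XAttribute("name", "anr"),
                                    new XElement(Dsml + "final", anrValue))),
                            new XElement(Dsml + "attributes",
                                attributes.Select(a =>
                                    new XElement(Dsml + "attribute", new XAttribute("name", a)))))))));
    }

    // Parse a batchResponse: every searchResultEntry becomes an Entry; the
    // resultCode of searchResultDone is returned separately (-1 if absent).
    public static List<Entry> ParseSearchResponse(string xml, out int resultCode)
    {
        XDocument doc = XDocument.Parse(xml);
        var entries = doc.Descendants(Dsml + "searchResultEntry").Select(e => new Entry
        {
            Dn = (string)e.Attribute("dn"),
            Attributes = e.Elements(Dsml + "attr").ToDictionary(
                a => (string)a.Attribute("name"),
                a => a.Elements(Dsml + "value").Select(v => v.Value).ToList(),
                StringComparer.OrdinalIgnoreCase)
        }).ToList();
        XElement rc = doc.Descendants(Dsml + "resultCode").FirstOrDefault();
        resultCode = rc == null ? -1 : (int)rc.Attribute("code");
        return entries;
    }

    public static void Main()
    {
        // Request: same base DN, filter value and attribute as the slide.
        XDocument request = BuildSearchRequest("dc=fabrikam,dc=com", "davej", "telephoneNumber");
        Console.WriteLine(request);

        // Constructed response modelled on the slide (the DN is made up).
        string response =
            "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body>" +
            "<batchResponse xmlns=\"urn:oasis:names:tc:DSML:2:0:core\"><searchResponse>" +
            "<searchResultEntry dn=\"CN=David Johnson,OU=Sales,DC=Fabrikam,DC=Com\">" +
            "<attr name=\"telephoneNumber\"><value>+1 (243) 8430432</value></attr>" +
            "</searchResultEntry><searchResultDone><resultCode code=\"0\" descr=\"success\"/>" +
            "</searchResultDone></searchResponse></batchResponse></soap:Body></soap:Envelope>";

        int code;
        foreach (Entry entry in ParseSearchResponse(response, out code))
            Console.WriteLine(entry.Dn + " -> " + string.Join(", ", entry.Attributes["telephoneNumber"]));
        Console.WriteLine("resultCode = " + code);
    }
}
```

A client that posts this envelope should check resultCode before trusting the entries, since a non-zero code (for example a size-limit hit) can still arrive with a partial set of searchResultEntry elements.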
DSML Implementation
DSMLv2
Implemented as a SOAP Listener
Product: DSML Services for Windows
DSDE Command Line
Similar to LDIFDE
It communicates to DSMLv2 Server
Running on Windows 2000 and Windows Server 2003
Summary
New apps should leverage the infrastructure identity store
Increased security and productivity with lower costs
Use App partition or AD/AM for app specific data
Legacy apps can be converted on a case by case basis
Simplified .Net interfaces
Cross-platform access & flexibility
Reference Appendix
AD/AM
http://www.microsoft.com/windows2000/technologies/directory/AD/redir-ws03-adam.asp
System.DirectoryServices
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfSystemDirectoryServices.asp
DSML Website
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/dsml.asp
Windows Server 2003
http://www.microsoft.com/windowsserver2003/default.mspx
ADSI
http://msdn.microsoft.com/library/en-us/netdir/adsi/active_directory_service_interfaces_adsi.asp
C/C++ LDAP API
http://msdn.microsoft.com/library/en-us/netdir/ldap/lightweight_directory_access_protocol_ldap_api.asp
Identity Management Virtual Track
For the IT Pro
SEC400: UNIX & Kerberos Interop to Achieve Identity Mgmt
DEP311: Identity Management with Microsoft Metadirectory Services
WIN310: AD Branch Office with Windows Server 2003
ADM313: Managing Active Directory with MOM
ADM314: Delegating Administrative Tasks in Active Directory
For the Developer
SEC320/402: Developing Identity-aware apps on Microsoft’s Identity Platform (Part 1 & 2)
OFC333: EAI Using SharePoint Portal Server
WEB311: Windows Platform Security Services for Web Services
Community Resources
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.