Microsoft Identity and Access Management Series

Platform and Infrastructure

Chapter 4: Designing the Infrastructure

Published: May 11, 2004 | Updated: June 26, 2006

Contoso evaluated several vendor platforms for identity and access management, including Microsoft. Based on the company's requirements, Contoso has chosen to standardize on the Microsoft Identity and Access Management platform. This chapter discusses the infrastructure design that resulted from this decision.

On This Page
Solution ConceptSolution Concept
Solution ArchitectureSolution Architecture
Enabled Solution ScenariosEnabled Solution Scenarios

Solution Concept

The key capabilities Contoso requires are provided by the following features of the Microsoft Identity and Access Management platform:

The Microsoft® Active Directory® directory service is compliant with the Internet Engineering Task Force (IETF) RFC 3377 — LDAP (version 3.0).

The extranet Active Directory which holds customer and partner account information can reside in the perimeter network and can support employee authentication without a trust relationship with the internal directory.

Active Directory provides several options for strong encryption of user credentials. Because of integration with strong network authentication protocols, such as the Kerberos version 5 authentication protocol, Secure Sockets Layer (SSL), or Transport Layer Security (TLS) client authentication, credentials are never distributed outside of the directory.

Active Directory in Microsoft Windows Server™ 2003 supports password-based credentials through the Kerberos version 5 protocol and Digest authentication protocols. Active Directory also supports public key infrastructure (PKI) credentials for client authentication through the Kerberos version 5, SSL, or TLS protocols.

Active Directory provides seamless authentication by using the Kerberos version 5, SSL, and TLS protocols.

Desktop client operating systems, such as Microsoft Windows® 2000 Professional, Windows® XP Professional, and workstations running either UNIX or Linux, seamlessly interoperate with the server operating system for authentication and authorization through the Kerberos version 5, Lightweight Directory Access Protocol (LDAP), and other standards-based protocols.

Windows Server 2003 and many client operating systems interoperate to authenticate users with a set of default credentials that are calculated or retrieved during the logon process. This authentication is transparent to the user and satisfies the user experience requirement for SSO.

Windows Server 2003 implements access control lists (ACL) and role-based authorization. Active Directory has robust and flexible mechanisms for expressing entitlements through group membership.

Windows Server 2003 Directory and Security Services implements several levels of trust, including cross-forest trust, external trust, PKI trust, and cross-realm trust with UNIX Kerberos realms.

Windows Server 2003 with Active Directory provides detailed auditing capabilities for all authentication, trust, authorization, and configuration operations that are performed on the system.

Solution Architecture

The solution architecture includes the following components:

Directory services

Authentication methods

Authorization methods

Trust mechanisms

Identity life-cycle management

Identity-aware applications

Directory Services

Successful operation of the Contoso identity and access management platform requires the Contoso team to identify the authoritative source for creating identity information, and an authoritative location for storing application and identity information. The team also needs to implement a suitable attribute information flow between directories.

The organization's current directory services configuration for its infrastructure includes the following:

An intranet Active Directory forest.

An extranet Active Directory forest.

A Sun One Directory Server 5.1 (formerly iPlanet Directory Server).

The extranet Active Directory forest cannot be used as the authoritative directory service, because it only contains shadow accounts for employees. The Sun One Directory Server 5.1 is scheduled for decommissioning after the application that depends on it has been rewritten to work with Active Directory.

The intranet Active Directory forest provides the current central repository for user accounts within Contoso. Therefore, the company selected the intranet Active Directory to act as the authoritative source for all directory and application-specific information.

The Contoso team will use an identity integration product to replicate certain directory objects to achieve the following:

Create accounts for all members of the Sales department in the extranet forest.

Use an attribute in Active Directory to identify which employees joined Contoso from the recently acquired company.

Replicate these accounts into Lotus Notes Release 6.5.4 and Sun ONE Directory Server 5.1.

Intranet Active Directory Forest

The intranet forest consists of an empty root domain corp.contoso.com and a single child domain na.corp.contoso.com. The na.corp.contoso.com domain contains the following organizational units (OU):

Employees

Solaris Workstations

Windows Clients

Groups

Disabled

Contacts

The step-by-step process for installing Active Directory on Windows Server 2003 and creating OUs is covered in the product documentation.

Extranet Active Directory Forest

The external forest contains a single domain perimeter.contoso.com. The perimeter.contoso.com domain runs at the Windows Server 2003 functional level and contains the following OUs:

Employees

Trial Users

Groups

There is no trust relationship between the internal and the external forest. The section on Trust later in this chapter discusses the reason for this.

Figure 4.1 shows the Active Directory structures for Contoso.

Figure 4.1. The Active Directory logical structure for Contoso

Figure 4.1. The Active Directory logical structure for Contoso

For more information about Active Directory, see the Windows Server 2003 Active Directory page.

For additional guidance, see the Designing and Deploying Directory and Security Services page.

Authentication Methods

Contoso chose authentication methods based on the characteristics of each method and the environment in which they will operate. The selection process resulted in a single authentication method for the intranet directory, and three methods for the extranet directory as shown in the following two figures.

Figure 4.2. Intranet authentication and authorization mechanisms in the Contoso infrastructure

Figure 4.2. Intranet authentication and authorization mechanisms in the Contoso infrastructure
See full-sized image

Figure 4.3. Extranet authentication and authorization mechanisms in the Contoso infrastructure

Figure 4.3. Extranet authentication and authorization mechanisms in the Contoso infrastructure

Authenticating to the Intranet Directory

The primary authentication mechanism for the internal network is the Kerberos version 5 protocol, which Windows Server 2003 and Windows XP Professional support natively. Many other platforms include Kerberos protocol libraries, especially various distributions of UNIX, including Linux. Contoso will use the Kerberos version 5 protocol wherever possible because it is a standards-based highly secure network protocol. Many platforms implement Kerberos version 5 protocol authentication, and for this reason, this protocol provides a good foundation for interoperability.

All managed client computers on the internal network, including computers running the Windows XP Professional and Sun Solaris operating systems, log on by using the Kerberos version 5 protocol to accounts in the internal forest. When they have logged on, users authenticate to specific resources, again using the Kerberos version 5 protocol.

Authenticating to the Extranet Directory

The external network uses several different types of authentication, because the Kerberos version 5 authentication protocol is not currently supported for web clients on Internet-facing applications in the Contoso environment. The three external, Internet-facing applications hosted in the Contoso perimeter network use the following distinct authentication methods:

Microsoft Passport.

Microsoft Windows Forms-based authentication.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) client certificate authentication.

All three of these authentication mechanisms use the extranet Active Directory forest as the identity store. The extranet domain contains user accounts with mappings for Passport and client certificate authentication, as well as secret password credentials for Windows Forms-based authentication.

Authorization Methods

The main authorization method Contoso will use employs access control lists (ACL) on file and print servers (not shown in Figure 4.3). However, Contoso will also use roles-based access control through Authorization Manager in Windows Server 2003. Authorization Manager interacts with Internet Information Services (IIS) 6.0 to provide both URL – level authorization and detailed, application-level entitlements for access to Web applications.

Contoso will use security groups to organize users, for example by department or role. These security groups will simplify the granting of entitlements to users, and reduce the administrative operations involved when users change jobs within the organization.

Trust

The Contoso team had the following set of choices to consider when implementing federation between the external directory and the internal infrastructure directory:

Cross-forest trusts

PKI–qualified subordination

Shadow accounts

Cross-Forest Trusts

Windows Server 2003 enables the use of trusts between forests. In the Contoso environment, this option was considered so that employees who use the external applications could authenticate to the internal directory through the trust relationship.

The company's long-term vision is to create and deploy applications that take advantage of end-to-end authentication. A necessary task before reaching that milestone is to undertake a thorough analysis of the internal network security, and then follow up with corrective action as needed to fix any problems identified.

In the end, the Contoso team decided not to establish such a trust in the organization's environment. A combination of security concerns specific to the Contoso scenario, and the fact that the company's application scenarios do not currently require the trust relationship informed this decision. In the Contoso case, the main concern is the security of the internal network rather than additional application functionality resulting from a trust relationship between the external and internal forest.

On the other hand, your organization could have scenarios in which you need to implement cross-forest trusts. For example, external users might need to authenticate against an external server and access information inside your organization's intranet. In this case, you could require that the user identity carries across with the application request from the Web server to the application data source. Such a scenario is possible by using the new Kerberos version 5 protocol delegation features, and cross-forest trust mechanisms included with Windows Server 2003.

PKI-qualified Subordination

Public Key Infrastructure (PKI) provides an organization with the ability to exchange data securely over a public network by using public-key cryptography. A PKI consists of certification authorities (CA) that issue digital certificates, directories that store the certificates (including Active Directory in Windows 2000 Server and Windows Server 2003), and X.509 certificates that are issued to security entities on the network. The PKI provides validation of certificate-based credentials and ensures that the credentials are not revoked, corrupted, or modified.

Qualified subordination is the process of cross-certifying CA hierarchies by using basic, policy, naming, and application constraints to limit which certificates are accepted from partner CA hierarchies, or a secondary hierarchy within the same organization. You can use qualified subordination to define which certificates issued by a partner's PKI are trusted by your organization. Qualified subordination also provides methods for compartmentalizing and controlling certificate issuance within an organization according to policy guidelines.

Contoso implemented a three-tier PKI infrastructure consisting of an issuing CA, an offline intermediate authority, and an offline root CA in accordance with Microsoft best practices. Contoso IIS administrators then requested server certificates from the issuing certificate authority to enable SSL encryption on the Internet Web applications on IIS. Contoso also enabled user certificate auto-enrolment policy in Active Directory for employees, and enabled Active Directory Mapper and client certificate mapping in IIS.

For more information about cross-forest trusts and PKI-qualified subordination, see the following pages on Microsoft.com:

Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003

Public Key Policies Concepts

Public Key Policies How To...

For more information about deploying Microsoft Certificate Services, download and review Ch. 16, "Designing a Public Key Infrastructure".

Shadow Accounts

The federation design that Contoso selected to implement authenticates internal users (employees) in the perimeter network applications by creating shadow accounts in the external Active Directory. These shadow accounts are only for certificate-based authentication. The shadow accounts contain a limited amount of authorization information relevant to the extranet application, such as name and group membership, but not the user's account password.

The Sales department employees use these shadow accounts to access an application hosted in the perimeter network. Because the shadow accounts are sufficient to access the external application, no trust is required between the external and internal forest.

Identity Life-Cycle Management

To manage the life cycle of digital identities, Contoso selected Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1). This product provides the necessary identity integration support for efficient synchronization, provisioning, and deprovisioning of digital identities. It also provides management agents that enable connections to the various identity stores within the Contoso environment.

The Contoso implementation will use Microsoft certificate services and policy configuration to enable user certificate auto-enrollment. The auto-enrollment capability makes user certificate management possible and cost-effective. In the Microsoft Identity and Access Management Framework, user authentication with client certificates is most appropriate for scenarios in which it adds an identifiable security benefit.

For example, client certificate authentication avoids the security risk associated with using passwords to authenticate to servers hosting the Sales and Contacts application in the perimeter network. Contoso only deploys certificate services and configures auto-enrollment on its internal network, as no application scenario requires certificate-based authentication for external customers and partners.

Identity-Aware Applications

To provide support for developing identity aware applications, Contoso implemented a policy of using the Kerberos version 5 authentication protocol with Active Directory domain controllers wherever possible. Applications that cannot use the Kerberos protocol for authentication (such as extranet applications) will instead use Windows Forms-based authentication for business-to-business (B2B) cases, Microsoft Passport for business-to-consumer (B2C) cases, and certificates or smart cards (in the future) for business-to-employee (B2E) cases.

Authorization will be provided by access control lists (ACL) for persistent objects, such as files and items in the directory. Web-based applications will use role-based access that uses Authorization Manager.

The Contoso Network

Figure 4.4 illustrates the full implementation of the Contoso identity and access management architecture.

Figure 4.4. The network layout of the Contoso identity and access management infrastructure

Figure 4.4. The network layout of the Contoso identity and access management infrastructure
See full-sized image

The implementation for the Contoso identity and access management technology architecture includes the following:

A firewall that isolates the external Active Directory from the internal network.

No direct connection from the Internet to the internal network.

No direct connection from the Internet to the external Active Directory.

A separate forest for the extranet.

Two Web servers running IIS 6.0 in the extranet that host the company's applications for sales employees and customers.

A perimeter network Web server that also hosts the certificate revocation list (CRL) distribution point to check certificates employees use when they authenticate to the external applications.

A Lotus Notes Release 6.5.4 application and a Sun ONE Directory Server 5.1 that provide services as part of the internal network.

Certificate services that are on the internal network.

The Contoso identity and access management platform is based on the Windows Server System Reference Architecture (WSSRA) developed by Microsoft and a number of leading hardware and software vendors. WSSRA (formerly Microsoft Systems Architecture 2.0 or MSA) provides tested step-by-step instructions for implementing large-scale IT infrastructures based on Microsoft technologies.

For more information about WSSRA, see the Windows Server System Reference Architecture page.

Appendix A to this document provides the settings to configure the Contoso environment in a Virtual PC (VPC) 2004 test environment.

Enabled Solution Scenarios

A Microsoft platform infrastructure enables the following solutions:

Identity aggregation and synchronization across multiple directories.

Password management, including password propagation to multiple directories.

Intranet access management, including UNIX and SAP integration with Active Directory.

Extranet access management, including support for B2B, B2C, and B2E environments.

Developing identity-aware ASP.NET applications, including support for intranet and extranet application development.

The underlying strategy for the company is to replace manual and inefficient administrative processes for managing digital identities with automated and efficient ones. Later papers in this series provide much more detail on each of these targeted areas that are outlined in the following sections.

Identity Aggregation and Synchronization

To provide identity aggregation and synchronization within the organization, Contoso chose to use MIIS 2003 with SP1 as the identity integration product that will integrate with all of the company's directory services and other identity stores, including:

The intranet Active Directory forest.

The extranet Active Directory forest (containing customers, partners, and employee shadow accounts).

The SunOne Directory Server 5.1 (formerly iPlanet Directory Server).

Lotus Notes Release 6.5.4.

For more information about this topic, see the "Identity Aggregation and Synchronization" paper in this series.

Password Management

To implement effective password management, Contoso chose the following components:

Group Policy in Active Directory to enforce password strength, complexity, and expiration.

A custom password filter and notification dynamic link library (DLL) that enables users to change their passwords in Active Directory and then propagates their changed passwords to other directories and identity stores.

MIIS 2003 with management agents (MA) that manage password changes with all connected directories.

A custom Windows Service using Windows Management Instrumentation (WMI) to provide a bridge between the Active Directory domain controllers and the MIIS 2003 MAs. This combination will propagate password changes to Lotus Notes Release 6.5.4 and Sun One Directory Server 5.1.

A customized Web application provided with MIIS 2003 to enable Helpdesk operators to reset user passwords in one location. MIIS 2003 will then propagate the password changes to the connected directories.

For more information, see the "Password Management" paper in this series.

Intranet Access Management

For intranet access management, Contoso standardized on the following configurations:

Employing the Kerberos version 5 authentication protocol for both authentication and data protection.

Using Active Directory domain controllers as Key Distribution Centers (KDC) for authentication that uses the Kerberos version 5 protocol.

Enabling application support within SAP R/3 and the UNIX workstations for authentication that uses the Kerberos version 5 protocol.

For more information, see the "Intranet Access Management" paper in this series.

Extranet Access Management

For extranet access management, Contoso chose the following architecture to grant access to Web applications for partners, customers, and employees:

An external Active Directory forest to manage accounts for all external users.

Self registration for establishing customer accounts in Active Directory.

Microsoft Passport Services for customer authentication and SSO.

Forms-based authentication with SSL encryption to protect the partner authentication sequence.

MIIS 2003 to provision employee shadow accounts into the external Active Directory forest.

Microsoft Windows Authorization Manager for roles-based authorization.

Microsoft Certificate Services for PKI.

IIS 6.0 to host the Web applications.

Microsoft Internet Security and Acceleration Server (ISA) to provide a perimeter network and access control between the internal and external networks.

For more information, see the "Extranet Access Management" paper in this series.

Developing Identity-Aware ASP.NET Applications

To ensure consistency when developing identity-aware applications, Contoso standardized on the following approaches:

Use the Kerberos version 5 protocol for intranet applications.

Use Kerberos authentication between application Web servers and back-end resources.

Perform authentication and authorization integration with Active Directory, which will provide the sole directory service for applications.

Use role-based access control within Web applications and ACLs on back-end server resources.

For more information, see the "Developing Identity-Aware ASP.NET Applications" paper in this series.


**
**

Download

Get the Microsoft Identity and Access Management Series

Solution Accelerator Notifications

Sign up to stay informed

Feedback

Send us your comments or suggestions