Intranet Access Management

Chapter 1: Introduction to the Intranet Access Management Paper

Published: May 11, 2004 | Updated: June 26, 2006

Executive Summary

A common intranet access management infrastructure that integrates applications and platforms can produce significant benefits for organizations trying to improve the use and management of digital identities. For example, the use of a standard set of security protocols and the elimination of redundant identity stores can simplify infrastructure, reduce management efforts, enable single sign on (SSO), and make security auditing easier.

These benefits are primarily financial, including lower administration expenses, licensing fees, and application development costs. Additional benefits include greater security (because the attack surface is reduced) and better options for protecting access to sensitive organizational data.

Improving intranet access management through tight integration with common directory and security services is often very challenging in its technical aspects. A large portion of the challenge stems from the fact that there is currently little straightforward guidance on how to configure platforms and applications for interoperability. This paper was written to address this problem, and discusses the business challenges, security issues, tools, and protocols involved.

This paper is part of the Microsoft Identity and Access Management Series.

The Business Challenge

Organizations have made significant investments in technology infrastructure over the last decade, but in many cases the infrastructure is not being used to its fullest capabilities. Almost every organization has inadvertently deployed competing and overlapping technology solutions to solve common intranet access management problems.

Most organizations have the following common business challenges related to intranet access management:

No SSO capability exists between applications, which results in user confusion, reduced productivity, and increased Helpdesk and administration costs.

The existence of multiple identity stores results in a high number of password reset requests.

Multiple, inconsistent approaches to security services (such as authentication and authorization) make it difficult to comprehensively protect valuable business data.

Employees at many organizations spend over a quarter of an hour per day signing in to different operating systems, directory services, and applications. This means that multiple authentication mechanisms in an organization with 10,000 computer users consume up to 2,666 hours every day. (Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002.)

Multiple applications with different identity stores typically require different user names and passwords, which leads directly to increased Helpdesk costs to satisfy password reset requests.

Data protection is a central concern of today's organizations. Data about products, customers, and financials represents a significant amount of capital for many companies, and it is essential that this data is protected as it is accessed and acted on by knowledge workers. In addition to competitive threats that are caused by compromised data, many business sectors have also seen a significant increase in regulatory requirements for data protection. Failure to meet such requirements can cause organizations to incur financial penalties, a loss in customer confidence, or both.

The Business Benefits

The implementation of effective intranet access management within an organization can result in a number of business benefits, including:

Improved user productivity. If the amount of time that computer users spend on authentication could be reduced from 16 minutes to 2 minutes per day, an organization of 10,000 users could reclaim more than 2,300 hours each day, which is roughly the number of hours worked by one full-time employee in a year. SSO can facilitate this, as it improves knowledge worker productivity by 15 percent and logon efficiency by 18 percent.

Reduced Helpdesk costs. Fewer logon credentials for users to remember increases their ability to follow security policy and reduces Helpdesk calls from users for password resets.

Improved network security. Fewer logon credentials also help improve the security of the network, because they reduce the likelihood that users will resort to unsuitable techniques to manage multiple passwords—such as writing them down.

Increased data protection. The security capabilities of the best infrastructure products can increase data protection and allow organizations to meet regulatory requirements.

Infrastructure consolidation. The creation of an environment for platform and application integration allows organizations to consolidate identity stores, which reduces both administrative and licensing costs.

Reduced administration. Cross-platform access management for a majority of an organization's applications helps it to realize an even greater return on the investment made to consolidate the identity stores, because the consolidated stores further reduce administrative overhead.

Who Should Read This Paper

The intended audience for this paper includes architects, IT professionals and managers, technical decision makers, and consultants involved in identity and access management efforts.

Reader Prerequisites

This paper assumes the reader has a moderate knowledge of identity and access management concepts and technologies, which are described in the "Fundamental Concepts" paper in this series.

To implement the two solutions outlined in this paper, readers should have an understanding of the infrastructure described in the "Platform and Infrastructure" paper in this series and how to implement such an infrastructure. The different solution scenarios have the following additional requirements:

The first solution scenario requires a familiarity with UNIX administration and configuration.

The second solution scenario requires a familiarity with SAP administration and configuration.

Feedback

Please direct questions and comments about this guide to secwish@microsoft.com.

Paper Overview

This paper discusses the business challenges, security issues, tools, and protocols for improving intranet access management through integration with Windows Server 2003 directory and security services.

The paper consists of the following seven chapters:

Chapter 1: Introduction

This chapter introduces the paper and describes the two main scenarios that the material in the paper covers.

Chapter 2: Approaches to Intranet Access Management

This chapter discusses different methods for improving intranet access management that include:

Direct integration with Microsoft Windows®-based server and client operating systems.

Custom integration with Windows-based directory and security services.

Integration through the Lightweight Directory Access Protocol (LDAP).

Credential mapping techniques that use enterprise single sign on (ESSO) products.

Synchronized user accounts and passwords across multiple systems.

The chapter lists the advantages and disadvantages of each method, and highlights situations in which each is most appropriate.

Chapter 3: Issues and Requirements

This chapter considers the Contoso Pharmaceuticals scenario, and highlights the technical issues and requirements for improving intranet access management in the Contoso environment.

Chapter 4: Designing the Solution

This chapter explains the design of two Contoso solution scenarios. It uses the information in the previous chapter to describe the intranet access management components for each scenario and how they interoperate.

Chapter 5: Implementing the Solution

This chapter provides step-by-step prescriptive guidance on how to implement each of the designs from the previous chapter. The chapter uses the Contoso identity and access management infrastructure as its foundation, and demonstrates how you can set up each intranet access management scenario in a secure and functional fashion.

Chapter 6: Testing the Solution

This chapter provides guidance on how to troubleshoot and validate the Contoso solution scenarios implemented in the previous chapter.

Chapter 7: Operational Considerations

The final chapter of the paper provides an overview of some core operational procedures required for day-to-day management of the two intranet access management solutions.

Solution Scenarios

Chapters 3 to 7 provide design and implementation details for the following two solution scenarios:

Integrating UNIX workstations with Active Directory.

Integrating SAP R/3 Application Server authentication by using Kerberos.

These scenarios were compiled to embody the typical challenges faced by organizations that wish to provide intranet access management services. Detailed prescriptive guidance is provided on how Microsoft technologies can address such challenges.

The fictitious company Contoso Pharmaceuticals (discussed previously in more detail in the "Platform and Infrastructure" paper in this series) serves as the organization for the prescriptive guidance examples.

Integrating UNIX Workstations with Active Directory

Integration of UNIX workstations with Active Directory can provide organizations with the following important benefits:

Users can log on to Active Directory from any workstation, regardless of whether it is running a Windows or UNIX operating system, with a single set of credentials.

Accounts used for UNIX workstations can benefit from the same user account security policy that is applied to Windows-based workstation users.

The Active Directory-integrated Kerberos version 5 protocol Key Distribution Center (KDC) can issue Kerberos credentials to UNIX workstation users, giving them seamless and secure access to network resources.

IT administrators can focus their efforts on managing a single set of workstation users in Active Directory.

This solution scenario demonstrates how to configure UNIX workstations that run the Sun Solaris version 9 operating system as part of a Microsoft Windows Server™ 2003 domain, and then authenticate users to Active Directory by using the Kerberos version 5 protocol.
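As an added illustration (not taken from the paper, whose Chapter 5 carries the actual procedure), the core of the Kerberos client configuration that a Solaris 9 workstation needs before it can use the Active Directory KDC described above; the realm CONTOSO.COM and the domain controller name dc01.contoso.com are assumed placeholders.

```ini
# /etc/krb5/krb5.conf on the Solaris 9 workstation (added example;
# realm and host names are assumed placeholders, not values from the paper)
[libdefaults]
        # The Active Directory domain name, written in upper case, is the
        # Kerberos realm that the Windows Server 2003 KDC serves.
        default_realm = CONTOSO.COM

[realms]
        # Every Active Directory domain controller is a KDC for its domain,
        # so the workstation is pointed at a domain controller on port 88.
        CONTOSO.COM = {
                kdc = dc01.contoso.com
                admin_server = dc01.contoso.com
        }

[domain_realm]
        # Map the DNS domain of the workstation and its servers to the
        # realm so that service tickets are requested from the right KDC.
        .contoso.com = CONTOSO.COM
        contoso.com = CONTOSO.COM
```

With this in place the workstation obtains its tickets from Active Directory, so a user account that is disabled or locked out in Active Directory also stops being able to log on to the UNIX workstation, which is the single point of control the benefits above describe. The encryption types offered by the workstation must be ones the domain's KDC supports; that detail is covered in the implementation chapter rather than here.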

For more information about guidance and scenarios on how to integrate UNIX servers and UNIX server-based applications with Active Directory, see the Microsoft Solution Guide for Windows Directory and Security Services for UNIX.

Integrating SAP R/3 Application Server Authentication By Using the Kerberos Protocol

Mission-critical applications, including Enterprise Resource Planning (ERP) applications such as SAP, are typically deployed in enterprise environments with their own identity store and authentication mechanisms. The implementation of an application-specific identity store presents management, usability, and often security issues that your organization should address.

One way to address these problems is to integrate the application with a standards-based identity store such as Active Directory. SAP R/3 Application Server is an example of a third-party, platform-neutral product that integrates with Active Directory by means of the Kerberos version 5 protocol.

Using the Kerberos version 5 protocol to integrate applications with Active Directory provides the following benefits:

Users gain the benefit of SSO from using their desktop logon credentials to access applications.

You can use the Kerberos version 5 protocol to provide a secure client/server application data channel.

Requirements to manage application-specific identity stores can be reduced and sometimes eliminated.

In this scenario, the SAP R/3 Application Server maps Active Directory principals to an account in the SAP identity store. Although this does not completely eliminate the need to provision and manage the entitlements of users within SAP (they are still required for SAP authorization purposes), the administrative burden is reduced because a different user password is no longer needed. Also, removing user access to multiple resources, including SAP, is easier because disabling user accounts in Active Directory also prevents users from authenticating to SAP.

For other alternatives that provide integration between SAP R/3 Application Server and Active Directory, download the "SAP and Active Directory Identity Management" white paper.

For more general information about SAP integration with Active Directory, SAP customers can log on to the Microsoft section of the SAP Service Marketplace by using their SAP extranet credentials.
