Friday, September 28, 2007

MIT Kerberos Consortium - cutting through the smoke and smashing the mirrors

Apparently, a bunch of companies have formed a consortium to "further the technology".

Already in use by an estimated 100 million people through its longtime inclusion in other technologies, including popular products made by Apple, Microsoft, Red Hat, and Sun, backers of the new MIT Kerberos Consortium said that the group should help the platform -- invented at MIT 20 years ago -- remain relevant and accommodate new trends around shared infrastructure and mobile computing.

Let me start this by saying that anything that is done to help further Kerberos is a great thing. However, as I read this article there was a second when I saw through the smoke and mirrors and caught a glimpse of what was behind the curtain, so here I go off on a rant...

  • "MIT Kerberos Consortium said that the group should help the platform" - Funny how it is called the "MIT Kerberos Consortium" and not the "Kerberos Consortium". Does everyone know that there are other Kerberos implementations out there? Like Heimdal, for example? Should the statement really be something like: "said that the group should help the MIT platform"? Big difference - help MIT versus help the industry as a whole. Oh, and why suddenly is the IETF being marginalized? I'm pretty much used to seeing the IETF drive standards - just what we need, another cook in that kitchen.

  • "Anyone using Microsoft's Active Directory or Apple Mac Server has used [Kerberos] without even knowing it, and that's the level of success we're striving for," he said. "Our job now is to expand the envelope to bring Kerberos to new developers and uses." Oh, how true!! Anyone using AD is using Kerberos! Microsoft's Kerberos - not MIT's Kerberos! I wonder why Microsoft is not a founding member of the "MIT Kerberos Consortium"??

  • "Kerberos has grown incrementally until today". Are you kidding me?? If it wasn't for Microsoft - let me repeat that so it sinks in: If it wasn't for Microsoft you guys would have a pretty small club. Kerberos' claim to fame prior to the launch of Microsoft Windows 2000 was "DCE". Everyone remember DCE? Exactly, that's my point. Microsoft put Kerberos on the map my friends. Period, end-of-story. Kerberos would have died without Microsoft, and without a sound.

  • "Without Kerberos as part of the fabric of our existing infrastructure for ID management and a number of other uses, there's no way we could manage authentication across thousands of systems today". Very true indeed but which/what "thousands of systems" are we talking about? Oh, of course, the "thousands" of Microsoft servers, clients and web servers (based on IIS!) that are out there. Of course there are other servers that use Kerberos but please point me to the numbers that would show how they exceed what Microsoft has shipped.

  • Contrary to some rumors, consortium representatives reported that the Kerberos community has not had a falling-out with Microsoft and said that the platform's presence in Active Directory remains crucial based on the product's popularity among businesses. I'm sure (I know) Microsoft loves Kerberos. I love Kerberos. We all love Kerberos (and Barney). So why isn't Microsoft a member of the consortium then? Well, if I was Microsoft and most of my world was based on Kerberos would I want a bunch of jumped-up eggheads and vendor-neutral-my-eye folks telling me what to do?? Not a chance. After all, "I am Kerberos" (at least that's what I would say if I was at Microsoft.)

So, my prediction is that a lot of the folks who are contributing huge pots of money to the consortium have pretty much poured it down the drain. Nothing will come out of this unless or until the industry as a whole - including Microsoft - adopts whatever the consortium comes out with.

Build it and they will come? I doubt it. Microsoft is doing more for Kerberos than the "MIT Kerberos Consortium" will ever do...

Thursday, September 27, 2007

Microsoft's Enterprise Engineering Center

Where do you go when you want to do scalability testing for a product that is used by hundreds of customers to recover Active Directory domain controllers and whole forests? You head over to building 25 on Microsoft's main campus to the Enterprise Engineering Center (EEC)!

We just finished up three full weeks of testing Quest's Recovery Manager Forest Edition in the EEC. We had 4 fully loaded, extremely high-end Dell servers with a back end multi-terabyte SAN to support nearly 450 domain controllers split up across 8 virtual servers.

We managed the whole thing with Microsoft's new System Center Virtual Machine Manager and monitored everything with Spotlight on Active Directory. The Microsoft AD team was so impressed with the setup that they are taking over the EEC to do Windows Server 2008 testing based on our environment. Nice!

We might be back to the EEC pretty soon to do scalability testing of Active Directory to 75 million users - yup, 75 million users - for a government customer that wants to see it with their own eyes. More on this later if it happens...

p.s. Thanks to Microsoft and the folks in the EEC who all pitched in to help us - you guys rock!


Wednesday, September 26, 2007

We need your vote!

Lots of nominations for Quest products in the "2008 InfoSecurity Reader's Choice Global Product Excellence Awards"...

  • Quest ActiveRoles Server 6.0 - Access Solution
  • Quest ActiveRoles Server 6.0 -Compliance Solution
  • Quest ActiveRoles Server 6.0 - Identity Management
  • Quest InTrust Plug-in for Exchange - Best Software Product
  • Quest InTrust – Version 9.5 Auditing
  • Quest Group Policy Extensions for Desktops 3.0 - Endpoint Security
  • Quest Vintela Authentication Services 3.2 - Authentication

So get out there and vote for us!


Tuesday, September 25, 2007

Welcome Symark to the ever expanding integration club...

Symark just announced that they are now going to integrate Unix/Linux machines with Active Directory - welcome! That's four companies in the club now:

1. Vintela - now Quest (we shipped in 2002)
2. Centrify
3. Centeris
4. Symark

In that order, too. Sorry TK, you tell people you were first but you weren't.

Normally, I don't blog about competitors' announcements but I had to laugh at this quote:
Jeff Nielsen, a product manager at Symark, cited several differentiating factors that he believes set Symark apart. "We took a Unix and Linux approach [to PowerADvantage]," Nielsen said. "All administration of the product can be done from the Linux and Unix command line; we wanted to make sure [IT managers] could work in the environment they like."

That's your differentiator? We've been doing that since inception:

Vintela Authentication Services also provides powerful command line tools that have been designed for use (and scripting) by Unix administrators for managing Active Directory user and group information. These command line tools can be used from scripting environments or from Web backends. With Active Directory's advanced access control mechanisms, it is easy to allow Unix administrators to continue to manage just the Unix account information for users and groups. In addition, the functionality available from the command line is also available through an MMC-based graphical user interface.

Jeff, feel free to download an evaluation of VAS - see for yourself. Oh, and good luck!


Saturday, September 22, 2007

FiOS finally!

I finally got Verizon's FiOS service installed on September 19th! I blogged about ordering the service back on August 28th. I ordered the 15Mb down/2Mb up service for $50/month and so far it is living up to expectations. Every time I run the speed test from SpeakEasy the results are pretty close to what I'm paying for. So, for the moment it's bye-bye to Comcast's high-speed internet.

In 2008, Verizon is supposed to get their TV license here so I may be able to kiss Comcast totally goodbye!

p.s. The last word from the wife: "Explain to me why we had to get this again??"

Friday, September 21, 2007

Quest's global ISV of the year award from Microsoft

I went over to Microsoft Studios today with Steve Dickson for the video taping of our award. It was really awesome as not only did they videotape Steve but also a number of Microsoft employees in different groups (AD, SQL, etc.) who all talked about the value of the partnership between Quest and Microsoft and how innovative we are (of course!).

It should be published in a month or so. I'll post a link when it's finally available.

Thursday, September 20, 2007

Good policy makes good security

There's a story in NetworkWorld on how good policy makes for good security. In this case it is a story about Inergy Automotive Systems and how they have used identity management to make security a business enabler.

Inergy is using Quest's ActiveRoles product for part of their overall solution - with other products from vendors like IBM.

We now use Windows Active Directory along with Quest [Software’s] ActiveRoles Server. That helps us use Active Directory as a centralized store of data for phone book, employee contacts and organization charts and things like that, with really granular security delegation.

Customers are beginning to view - and use - Active Directory as a strategic piece within their IT environments even when other vendors' IDM suites or products are also in use.

Monday, September 17, 2007

Virtualization driving down power costs

From the VMWorld keynote this interesting tidbit...

AMD's Austin data center had a 79% reduction in power consumption after 117 servers consolidated down to 9 ESX Servers. For every $1 spent on HW, we spend 50 cents on energy.

That's a pretty incredible savings and cost. I wonder how hard would it be for me to virtualize my refrigerator, dryer and oven?


Friday, September 14, 2007

Is there an identity management detective in the house?

I had a meeting here in Dresden with a CIO from a 500,000 employee German company. The basis for the meeting was to listen to the CIO's biggest pain points and determine how our company could help them.

The discussion was very interesting overall but especially interesting for me when he started describing the problems he was having with Active Directory identity management. When I started to drill into the problem he was completely unable to tell me who or what was changing Active Directory. In their environment it was simply impossible to know who (or what) was making changes.

The company is so political that he can't even get departments or divisions to answer the simple question of: "If you have a program or process that is creating, updating or deleting attributes or objects from Active Directory please describe."

Traditionally, our role as an ISV is to sell a product and start rationalizing the identity "crisis" for that customer. But what happens when you can't even identify who or what is making changes to an identity repository? Do you simply respond with a train load of consultants to start doing interviews and mapping processes? I guess that's an answer but how long will that take and will it be accurate and complete? (Even if it is accurate and complete I can assure you it will probably be out of date the next day/week/month)

So what do you do to help in this situation? Is there a role for an identity management "detective"?
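Before sending in the consultants, a first pass at the "what is changing?" half of the question can be scripted against the directory itself. The following is an added example (not from the original post, and not a Quest tool): it lists every object modified in the last 24 hours and, using the constructed attribute msDS-ReplAttributeMetaData, reports which attributes changed and on which domain controller the change originated. The domain name and the time window are assumptions. Note the limit of this technique: replication metadata tells you when and where a change originated, not which account made it. For the "who", Directory Service Access auditing has to be enabled on the domain controllers and the resulting events collected (event ID 566 on Windows Server 2003; event ID 5136 with the Directory Service Changes subcategory on Windows Server 2008).

```powershell
# Added example, not code from the original post. Names are hypothetical.
# Requires a Windows Server 2003 (or later) domain controller, which is what
# exposes the constructed attribute msDS-ReplAttributeMetaData over LDAP.

$hours = 24                                                   # assumed window
$cutoffUtc = (Get-Date).ToUniversalTime().AddHours(-$hours)
$ldapTime  = $cutoffUtc.ToString('yyyyMMddHHmmss.0Z')         # LDAP generalized time

$root = [ADSI]'LDAP://DC=example,DC=com'                       # hypothetical domain
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(&(objectClass=*)(whenChanged>=$ldapTime))"
$searcher.PageSize = 1000                                      # paged results for big domains
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('whenChanged')
[void]$searcher.PropertiesToLoad.Add('msDS-ReplAttributeMetaData')  # constructed: must be asked for by name

"{0,-20} {1,-28} {2,-45} {3}" -f 'changed (UTC)', 'attribute', 'originating DC', 'object'

foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties['distinguishedname'][0]

    # One XML fragment per attribute that has ever been set on the object.
    foreach ($fragment in $result.Properties['msds-replattributemetadata']) {
        # Some ADSI providers return the string with a trailing NUL; strip it before parsing.
        $meta = ([xml]([string]$fragment).Trim([char]0)).DS_REPL_ATTR_META_DATA
        $when = ([datetime]$meta.ftimeLastOriginatingChange).ToUniversalTime()

        if ($when -ge $cutoffUtc) {
            "{0,-20:u} {1,-28} {2,-45} {3}" -f $when,
                $meta.pszAttributeName,
                $meta.pszLastOriginatingDsaDN,   # DN of the NTDS Settings object of the DC that took the write
                $dn
        }
    }
}
```

Run it as an ordinary domain user from a machine in the domain; reading replication metadata needs no special rights. Changes that cluster on one domain controller at the same time of day are the signature of a scheduled process (an HR feed, a provisioning job, a hand-rolled script) rather than a human, which is exactly the starting point the CIO above did not have. Pair the output with the audit events to attach an account name to each originating DC.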



I have taken a lot of pictures since I arrived here in Dresden.

Dresden, Germany

I was shocked when I found out we were having a user conference in Dresden. Mainly because I realized that Dresden was in the former "East Germany" and that it was also the scene of what a friend from the UK described as a "war crime committed by Britain and the US". Here's an interesting quote from Wikipedia:

The bombing of Dresden by the Royal Air Force and by the United States Army Air Force between February 13 and February 15, 1945, remains one of the more controversial Allied actions of that war. The inner city of Dresden was heavily destroyed during what proved to be the final weeks of war in Europe.

So, I expected to arrive in a Soviet-era type city that wasn't - how shall I say it? - in very good shape. Boy, was I surprised.

Dresden is one of the most beautiful cities I have ever visited. Germany has done an amazing job re-constructing the city - something that continues even today. In fact, I was told by a German that a significant portion of their tax is allocated to rebuilding the former East Germany. What a great job they have done.

If you ever get the opportunity to visit Dresden do so. You won't be sorry.


Wednesday, September 12, 2007

Identity management audit is not identity audit

Here's a great post on identity audit not being equivalent to identity management audit: Matt Flynn's Identity Management Blog: Identity Audit != Identity Management Audit. Here's the nut of Matt's argument...

Identity management systems along with other information security mechanisms are controls put in place to enforce organizational policies. Identity Audit provides an independent and wide-angled view of identity controls, identity behavior and identity power to ensure that policies are being enforced. IdA solutions are complementary to IdM systems and continue to provide value in environments where IdM systems aren't available (or required).

Quite right, Matt!


You are a directory entry

If you're interested in identity and you haven't seen this YouTube presentation by Dick Hardt of Sxip then you need to check it out!!


Tuesday, September 11, 2007

Reality tour lands in Amsterdam; next stop Dresden

This week I am in Amsterdam and Dresden talking about identity management, Windows Server 2008 and Backup and Recovery in Windows Server 2008.

I met with a good group of customers today from all over Europe and had the opportunity to sit through an excellent case study presented by HP that focused on how Vintela Authentication Services is helping one of their major customers in Sweden reduce costs, and improve security and compliance.

I'll post more as I get the presentations together and download the pictures off my camera.


Friday, September 07, 2007

Does your application support ADAM, Jabba?

OK, I recently posted asking the question "Does your application support AD?" and James McGovern was kind enough to comment on that post over at his blog by asking a follow-on question regarding support for ADAM...

Jackson Shaw asks the most wonderful question of software vendors. The funny thing is that he should have also asked this about ADAM. Do you know how many identity managements support Active Directory but not specifically ADAM? Likewise, many of the ECM vendors will say that they support Active Directory but for authentication. They will of course require you to copy the user store locally which is fugly. The real question is why aren't software vendors writing better directory-enabled code? Us customers desire it and many of us demand it yet it still doesn't happen...

James is quite right. I didn't ask about ADAM and I should have. ADAM was designed to be a viral product. I mean viral in a good way, not in the bad way. In other words, a product that could be easily installed by anyone and didn't require a committee to say "Sure, go ahead and try out that new directory service" and from that perspective it has been wildly successful.

Every customer meeting I go to always starts with a standard series of questions that I have just to help me maintain some statistics like...

  • What OS do you run your domain controllers on?

  • 32-bit? 64-bit?

  • When do you think you'll go to Windows Server 2008?

  • etc, and I *always* have this one:

  • Looking at, using, testing ADAM and if so, what are the specifics?

Not surprisingly, most customers are doing something with it. In fact, some customers are running >10 million users in ADAM for customer web-access and it frightens me that they don't have comprehensive recovery, audit and monitoring plans. Yes, this too is fugly.

So vendors, what are your plans? Within Quest I have dictated - kind of like Jabba the Hutt - that all of our products treat AD and ADAM the same - if we support AD then we must support ADAM. I still have a bit of work to do there but we've got that support in a number of products already and more are coming.

Note to ADAM users: Ah, if it is a directory it is probably doing something critical. You might want to consider investing in backup, monitoring and audit tools. LDP.EXE is not the only tool you need...

Thursday, September 06, 2007

IdM vendors not supporting Exchange 2007?!

There are some storm clouds on the horizon that I don't think most people have seen yet and it will be interesting to see how the identity management vendors weather it...

Most identity management implementations include provisioning/de-provisioning of mailboxes and updating mailbox related information like distribution lists. In today's world, most mailboxes are probably Microsoft Exchange-based. If that's you, read on. If not, the bad weather is going to miss you entirely.

In Exchange 2000 and Exchange 2003 vendors wrote mailbox-related attributes straight into Active Directory over LDAP and relied on the "Recipient Update Service" - RUS - to finish the job (stamping proxy addresses, address list membership and the rest). This made it easy to create, read, update and delete identity information for Exchange via Active Directory and LDAP.

In Exchange 2007, RUS is no more. RUS has been replaced by Exchange Management Shell cmdlets. The key word in that last sentence is "cmdlets". What the heck is a cmdlet?

A cmdlet is a command implemented by deriving a class from one of two specialized Windows PowerShell base classes --Microsoft.

What Microsoft has done in Exchange 2007 is move certain functionality to the Exchange Management Shell. Some of the functionality that has been moved to the Exchange Management Shell includes:

  • Mailbox creation (create mailbox, mail enable an Active Directory user)

  • Mailbox management (enable/disable mailbox, set mailbox attribute)

  • Distribution group management (set, enable, disable, add/delete members)

And "moved" means that in an Exchange 2007 environment Microsoft no longer supports driving this functionality by writing attributes to Active Directory over LDAP; the supported path is the cmdlets. What does that mean?

If your identity management provider does not update their product(s) to use PowerShell then they will cease to be able to create, delete or modify Exchange users or distribution lists. How serious of an issue will this be for you?
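To make the "cmdlets" concrete, here is what the provisioning and de-provisioning steps listed above look like when driven from the Exchange Management Shell. This is an added example, not code from the original post or from ActiveRoles; the server, database, OU, user and group names are hypothetical. Every cmdlet used is a standard Exchange 2007 cmdlet.

```powershell
# Added example, not code from the original post. Names are hypothetical.
# Run on a server with the Exchange 2007 management tools installed, as an
# account holding the Exchange Recipient Administrator role (least privilege
# for mailbox and distribution group work; Exchange Organization Administrator
# is not needed for any of this).

# Load the Exchange 2007 snap-in when starting from a plain PowerShell console.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue

$db = 'EX01\First Storage Group\Mailbox Database'   # hypothetical mailbox database
$ou = 'example.com/Users/Contractors'               # hypothetical OU

# 1. Mailbox creation
#    a) mailbox-enable an existing Active Directory user (the classic IdM case)
Enable-Mailbox -Identity 'jdoe@example.com' -Database $db

#    b) create the AD account and the mailbox in one step
$initialPassword = ConvertTo-SecureString 'Change-Me-On-First-Logon!' -AsPlainText -Force
New-Mailbox -Name 'Jane Roe' -UserPrincipalName 'jroe@example.com' -Alias 'jroe' `
    -OrganizationalUnit $ou -Database $db `
    -Password $initialPassword -ResetPasswordOnNextLogon $true

# 2. Mailbox management: set attributes, then de-provision.
Set-Mailbox -Identity 'jdoe' -IssueWarningQuota 450MB -ProhibitSendQuota 500MB
# Disable-Mailbox detaches the mailbox but leaves the AD account; the mailbox is
# retained until the database's deleted-mailbox retention period expires.
Disable-Mailbox -Identity 'jroe' -Confirm:$false

# 3. Distribution group management
New-DistributionGroup -Name 'Contractors' -SamAccountName 'Contractors' `
    -Type Distribution -OrganizationalUnit $ou
Add-DistributionGroupMember    -Identity 'Contractors' -Member 'jdoe'
Remove-DistributionGroupMember -Identity 'Contractors' -Member 'jdoe' -Confirm:$false

# Verify what the directory now holds (what an auditor would ask to see).
Get-Mailbox -Identity 'jdoe' | Format-List Name, Database, PrimarySmtpAddress
Get-DistributionGroupMember -Identity 'Contractors'
```

Two things follow from this for an identity management product. First, the product has to host a PowerShell runspace with the Exchange snap-in loaded on a box that has the management tools installed (Exchange 2007 has no remote shell; that arrived later), so the connector architecture changes, not just the attribute mapping. Second, the service account the connector runs under needs an Exchange role assignment in addition to its Active Directory rights, which is a new entry on the access-review list.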

I've been trolling around looking to see which identity vendors have specifically announced support for Exchange 2007 and I can't find anyone. Through Quest's ActiveRoles product we support all of these capabilities because we've built in support for PowerShell. When I checked some of the IDM vendors' sites here's what I found:

  • IBM Tivoli Identity Manager 4.6: "Use the Active Directory connector" - When I checked their documentation they mention how the AD connector is used to set various Exchange attributes and for provisioning/deprovisioning mailboxes but there is no specific mention of Exchange 2007 support. My guess: IBM's TIM does not support Exchange 2007. My August posting to the Tivoli User Forum resulted in no responses - go figure.

  • Sun Java System Identity Manager 7.0: "Microsoft Exchange 2000 and 2003 are managed through the Microsoft Windows Active Directory 2000 and 2003 resources" - My guess: Sun's product does not support Exchange 2007. In fact, if you check out this post on their developer forum you'll see how one customer had to debug PowerShell scripts themselves.

  • Microsoft's Identity Lifecycle Manager 2007 (aka MIIS): This is the one solution that you'd expect to support provisioning Exchange 2007 mailboxes but it doesn't! The ILM 2007 FAQ does not list support for Exchange 2007.

Now this isn't the end of the world yet - as I said, the storm clouds are on the horizon - because this issue will only be manifested in a pure Exchange 2007 environment. Most of us are probably going to run a mixed environment for a period of time. However, better to be forewarned than have your hair on fire, your auditor's hair on fire and your boss' hair on fire, because provisioning/de-provisioning no longer works!

Start asking your IdM vendor about their plans to support Exchange 2007 now.

Tuesday, September 04, 2007

Connecting ILM 2007 with SharePoint Services

Alex Tcherniakhovski over at Microsoft has blogged on how to connect ILM 2007 with SharePoint Services. Alex is a great resource around ILM (and even Quest's ActiveRoles Server). Here's his post...

In this blog I explore the possibilities of using information stored in SharePoint Services V3.0 lists to drive provisioning processes (specifically integration with Active Directory). The idea behind this approach is to merge provisioning and synchronization capabilities of ILM with collaboration and workflow components of SharePoint Services 3.0.

Please, follow this link for a complete walkthrough.

This is my second posting on this subject. In my first post “Adding workflow components into your MIIS solutions” I examined the scenario of integration of ILM with SharePoint InfoPath Libraries. Both solutions have similar goals: to utilize workflow capabilities of WSS 3.0 and to propagate information stored in SharePoint throughout the enterprise. At the same time the underlying extensible management agents utilize different technologies to accomplish the integration with WSS 3.0. The connector for InfoPath libraries utilizes Microsoft.SharePoint.dll and the connector for SharePoint Lists leverages SharePoint Web Services. Since Microsoft.SharePoint.dll can only be utilized on the same server where WSS is running, the first solution is ideal for scenarios where Workflow needs to be added to ILM provisioning processes (in other words MIIS and WSS need to be running on the same box), also InfoPath forms provide richer capabilities to workflow (ex. Digital signatures, Role based views, data validation, etc). The List Connector, on the other hand, uses SharePoint Web Services; therefore MIIS and WSS could be running on different servers, this connector is ideal for scenarios where extracting employee information from WSS is required. I am hoping one day to combine those two connectors into one, so that we don’t have be concerned whether the data resides in a list or a InfoPath library. For now depending on what you are trying to accomplish you will have to choose the appropriate solution.

Additional Links:

Walkthrough: How to build an extensible management agent for MIIS
Adding workflow components into your MIIS solutions


Monday, September 03, 2007

Happy Birthday Kim!

Kim's Birthday Party

August 31st was Kim Cameron's birthday. Yours truly got to cook the "meat blob" that was served along with a wonderful platter of Mediterranean halibut. Ian, Kim's brother and his wife came down from Vancouver to partake in the festivities. I hadn't seen Ian in years so it was great to catch up with him.

Below is a picture of Jennifer Wu, Kim and myself enjoying some of Jennifer's Chinese dumplings. The three of us worked together at ZOOMIT. Jennifer was responsible for the directory synchronization and metadirectory engine and moved to Washington with the rest of us after the acquisition of ZOOMIT by Microsoft. She's moved over to work on the "Indigo" team now.

As usual the food was awesome, the wine was great and the company was exceptional.
