Wednesday, March 31, 2010

Customers are incompetent!

When I stumbled across this article in Computerworld - “Help Desks Under Pressure” – I was hoping it would talk about the help desk costs in this economy. It didn’t really talk about that too much but one of the tables (“Mounting Work”) caught my attention: “The number of incidents help desks are dealing with rose 8% from 2008 to 2009…Here are some of the reasons for the increase:”
- Infrastructure or product changes (upgrades, conversions, installations): 42%
- Expanded server offerings by the support center: 25%
- More customers: 19%
- Increased awareness of support center: 7%
- Lack of customer competency: 5%
- Poor product quality: 3%
The second last figure caught my eye: Lack of customer competency! So clearly the help desk customers, in some cases, are incompetent. It reminded me of the time I ran a help desk many years ago and my boss and I went to our chairwoman’s home to fix her printer. Yes, you know the answer. It was unplugged. However, in many cases – especially in this economic climate – training is sacrificed. Lack of training generally is the cause of “incompetence”. Except in the case of the printer power problem that two of us solved.

Oh, and let’s not even get started on “poor product quality”. At least that was bottom of the list at 3%.

Tuesday, March 30, 2010

Quest’s Use of Windows Azure


Joey Snow from Microsoft interviews Dmitry Sotnikov on Quest’s use of Windows Azure. Joey takes a behind the scenes look at IT software as a service and Dmitry sketches out the architecture, including Windows Azure and Windows Live ID as part of this webcast. There’s also a demo of the Quest products that are using Azure. Check it out and if you’re pressed for time here’s the timeline of the webcast:

[0:01] Cloud solutions for Active Directory recovery, event log management, and SharePoint reporting

[2:19] IT staff’s concerns:  Security, Security, Security

[5:05] IT staff’s efforts and addressing compliance

[9:00] Application architecture on the white board

[14:35] Demo of working components, including federation


Thursday, March 25, 2010

There are significant IT problems hindering completion

That’s one of the comments from the article I referenced in yesterday’s blog post about HSPD-12. I decided to track down the referenced “report” and found it here:

I figured it would be interesting to read what the “significant IT problems” were. Many of the problems highlighted in the report had to do with funding, lack of manpower, higher priority projects and the like. We’ve all seen those in our jobs. What was most interesting to me was some of the more real, day-to-day problems that have cropped up as part of the project. Here’s a selection from the report – I’ve edited my excerpts but I've tried to preserve context and content as much as possible:
  • There are many unused and unaccounted for test accounts and cards currently active
  • There may be an excessive number of individuals with account access. Our analysis identified 11 “su,” or “super user,” accounts, which grant full access which allow the user to view and monitor system logs. The principle of least privilege must be implemented under DHS policy, and access to system logs should be restricted.
  • We identified three web application accounts that were not assigned to specific individuals. Two were system accounts, used to initially set up the system and create administrative accounts; both of these accounts can no longer be used to access any information or establish new accounts. The third was a temporary test account that was never deleted. Accounts that are not in use or have never been used should be deleted.
  • All IDMS EIWS users share one local administrator account.
  • Forty of the 1,539 deactivated (smart) cards, or 2.6%, were deactivated but incorrectly left active in (the physical access system). When physical access rights are still activated on a card, an individual may gain unauthorized access to DHS Headquarters facilities and areas.
What’s the moral of the story? Provisioning and de-provisioning aren’t working correctly, privileged accounts are not being audited or monitored appropriately and the principle of “least privilege” is not being followed consistently.

Are these problems ones that would only occur in this project? Only in the US government? Only with respect to smart cards or PKI? No. Absolutely not. They occur everywhere. However, it goes to show that *any* IT project really needs to be based on solid identity and access management procedures and products. That’s the only way that one can achieve compliance. That’s the only way that problems like the ones identified in the report can be avoided from the outset.

Wednesday, March 24, 2010

Smart card projects take time

I read this article over at Dark Reading about DHS being 3 years behind on their smart card roll-out. I thought HSPD-12 (more below on what it is) was a very ambitious project when it was kicked off. It’s run into a few bumps along the way unfortunately. I realize that you can’t characterize everyone’s experience with smart cards based simply on this one article but it does highlight that smart cards and PKI are not “easy”. My next post will dive into this in a bit more detail.
The Department of Homeland Security is three years behind schedule on a project to develop a standard smart-card identification method for federal employees and contractors, according to a DHS report.

The project -- officially called Homeland Security Presidential Directive 12 (HSPD-12): Policy for a Common Identification Standard for Federal Employees and Contractors -- requires that DHS develop a government-wide way to identify employees by issuing smart cards. The cards contain information about which IT applications and networks and facilities each employee is permitted access to.

The original completion for the issuance and use of identity cards was Oct. 27, 2008, according to the report, issued by inspector general Richard L. Skinner. However, as of Sept. 22, 2009, only 15,567 of the approximately 250,000 department employees and contractors have been issued identity credentials.

The program's target date for completion has now been pushed to Sept. 30, 2011, the end of the 2011 fiscal year.

Specifically, DHS plans to issue smart cards to 135,000 federal employees and contractors by the end of fiscal year 2010, and to the remaining 105,000 employees and contractors by the end of fiscal year 2011.

The report blames poor program management, including insufficient funding and resources, as well as a change in implementation strategy for issuing cards in June 2009, for falling behind schedule.

There are significant IT problems hindering completion of the directive, too, according to the report.

One of its biggest challenges is allowing what the report calls "logical access" to IT systems. The government does not have proper system security and account management controls in place to protect people's personal identity information from unauthorized access, it concluded.

In particular, DHS has been slow to implement government-wide identity-management and smart-card identification systems to handle the project. Coordinating efforts between various departments and their respective IT systems has been a significant challenge, according to the report.

The report offers a set of recommendations to get the program back on track so it can meet its new target completion date.

One basic recommendation is to make sure the project management office that is overseeing the project has the staffing and funding necessary to do its job properly.

Coming up with a reasonable estimate for how much completing the project will cost is also on the list. Problems with planning for the cost of the project within the federal budget have been one of the reasons the project has been insufficiently funded, according to the report.

On the IT side, DHS also appears to have a lot of work to do to implement the system in time.

The agency still needs to develop formal procedures for defining employee, or user, accounts and roles, as well as defining the privileges associated with those user accounts and roles.

It also must reconcile data and collaboration between a series of user configuration, card management, and account management systems, as well as find and correct any inconsistencies between an identity-management system and government physical-access control systems.

Further, there are still no policies in place for how to control employee access in cases in which cards must be revoked, suspended, or destroyed, nor are there procedures for evaluating the physical security of enrollment centers where government employees are issued their cards, according to the report.

Tuesday, March 23, 2010

Guide to Claims-Based Identity and Access Control

The folks in the Microsoft Patterns and Practices group have just released their “Guide to Claims-Based Identity and Access Control.” You can download the guide here. You absolutely must read this. One of the few people outside of Microsoft that I have SERIOUS respect for told me this is the best thing he has ever read on this topic. 
The guide works progressively, with the simplest and most common scenarios explained first. It also contains a clear overview of the main concepts. Working source code for all of the examples can be found online (
This guide is well written with liberal doses of persona-based commentary, great examples and code samples. It’s worth reading this guide to understand the Microsoft lingo and slant on claims and authentication in Microsoft’s web services world.

<!-- RANT ON -->

I am, however, going to single out a particular persona comment that gives me concern:
When you decide what kinds of claims to issue, ask yourself how hard is it to convince the IT department to extend the Active Directory schema. They have good reasons for staying with what they already have. If they’re reluctant now, claims aren’t going to change that. Keep this in mind when you choose which attributes to use as claims.
Is the Active Directory schema still the tail that’s wagging the dog after 10 years?! Honestly, how can we progress if this will be the attitude of our IT departments? Maybe “Next Generation Active Directory” (NGAD) will solve the schema problem. Clearly, if I am developing a claims-aware application I need to be able to leverage Active Directory easily otherwise I’ll be looking for another directory to use – or a new IT department.

<!-- RANT OFF -->

This guide is an excellent read.

Monday, March 22, 2010

Microsoft Forefront Identity Manager Case Study

We now return to regularly scheduled programming. Now that I'm back from vacation that is!

Microsoft Forefront Identity Manager User Cuts Costs, Improves Compliance, Lays Convergence Foundation

I came across this case study on LinkedIn and stopped to read it. The "cuts cost" words in the title caught my attention. I'm always interested in any case study that highlights how a company cuts costs. The folks at First American Title give a good overview of what they've accomplished with FIM 2010 but unfortunately the case study lacks background on the "cuts cost" aspects that were mentioned in the title. The closest I could get to finding out how they cut costs was the following statement:
We think we are probably going to be able to redeploy at least one FTE from what we do now to other things because we are automating this.
If you ever sat in front of a CFO - or probably a CxO - and said you'd save costs by "redeploying" staff you'd be asked if that redeployment was "out the door" because redeploying staff is not a way to cut costs unless they happen to be taking a salary reduction.

Either way, this is a good case study but I'd have preferred to understand how First American Title cut costs and what their ROI was. Perhaps Microsoft is in the process of publishing a more detailed case study.

Friday, March 19, 2010

True story: The Great Turbot War

This is another true story from my Zoomit days:

Place: Toronto, Zoomit headquarters
Date: 1995

Picture the phone ringing:

Z: Hello? Zoomit Corporation.

Telefónica: (imagine a fairly thick Spanish accent) This is “Jorge” calling from Telefónica in Spain. We have a problem with your software and need some help.

Z: (It happens that the famous and soon to be Dr. Cameron was at his desk and when he heard it was Spain calling he wanted to speak to “Jorge”). It appears that your software maintenance has lapsed and according to our policy we can’t provide any support.

Jorge: We can get you a purchase order right away. Where should I have it faxed?

Kim: Even if you could fax it we still can’t support you.

Jorge: I don’t understand. Can you explain? My English isn’t so good.

Kim: Don’t you know we are at war? Canada and Spain are at war! Your navy is here. Our navy is protecting our little turbot from your Spanish trawlers. We’re taking your ships prisoner. We’re at war.

Jorge: Ah, sorry. What? Turbot? My English isn’t so good.

Kim: Yes, yes, the baby turbots. You’re netting them in your nets. The holes in the nets are too small. You’re killing our baby turbots and we’re at war with you.

Of course, Kim was just poking fun at Jorge but, as you know, Kim spent a lot of time in Halifax, Nova Scotia so he was aware of the plight of the baby turbots and quite sympathetic. My mother’s family were all fishermen in Newfoundland so I had sympathy for the poor little turbots, too. Poor “Jorge” couldn’t see (or hear) us laughing our guts out and rolling around the floor of the office. It was truly hilarious. Kim finally told “Jorge” we were just kidding – but still at war – and we’d help them as long as they promised not to eat turbot that were too small.

Of course, Canada won The Great Turbot War. Spanish paella hasn’t been the same since 1995.

Wednesday, March 17, 2010

Happy St. Patrick's Day!

I hope you all had an awesome St. Patrick's day! Here's the rainbow we had tonight after dinner! Very fitting finish to our St. Patrick's day dinner.

Tuesday, March 16, 2010

True story: Universal Widgets is not our reseller – they are our competitor!

This is a true story from my Zoomit days:

Place: Toronto, Zoomit headquarters
Date: 1996 or 1997

Picture the phone ringing:

Z: Hello? Zoomit Corporation.
Customer: This is Lt. McHale from the US Navy calling. I’d like to talk to someone in support regarding your product that we purchased.
Z: Hmmm, we have the US Navy listed as testing our product. You say you purchased it? Who did you purchase it from?
Customer: Yes, we purchased your product from Universal Widgets.
Z: OK, we’ll get someone to call you back right away.

We knew that the US Navy was not our customer. We were small enough at the time that we knew all of our customers – almost personally. We also knew that Universal Widgets was not our reseller – they were our competitor. It appeared that the US Navy called up Universal Widgets and asked them if they could purchase our product from them and they said “Yes!”. Universal Widgets actually billed the US Navy for our software, collected the money and never paid us – ever.

We supported the US Navy for many years after this incident. I don’t believe we ever told them about this. I hated “Universal Widgets” for doing this to us.  Most of the executives for Universal Widgets went on to other software companies and they repeated their bad behavior again and again. They are one of the few companies that I would tell people if I was in a meeting room with them and the lights went out my first reaction would be to reach for my wallet.

Universal Widgets were hosers. We hated them. And they did this to us again a few years later with a different customer! Hosers.


Monday, March 15, 2010

Kim Cameron to receive Honorary Doctor of Civil Law from the University of King's College, Halifax

I happened across this announcement today. I know Kim is very proud of his alma mater and his time at King’s College. Congratulations, Kim!!!
The University of King's College is pleased to announce that Kim Cameron will be distinguished with an Honorary Doctor of Civil Law at its Encaenia Ceremonies on Thursday, May 20, 2010 at the Cathedral Church of All Saints in Halifax.

Kim Cameron is Chief Architect of Identity in the Identity and Security division at Microsoft and is widely considered a leader on identity issues. He has won numerous awards for his work including Digital Identity World's Innovation Award and was named as one of Network World's 50 Most Powerful People in Networking, both in 2005. Cameron graduated from King's with a bachelor's degree in physics and math at age 19. He developed his hacking skills while working on a master's degree of physics at King's and Dalhousie and moved on to study philosophy in Paris. In 1970 he started a doctorate thesis in computing and social phenomena at the Université de Montréal but was lured away by an equally fervent passion for music. By the mid-70s, he had joined the band Limbo Springs as lead guitarist, and the band eventually became the house act at Toronto's legendary Cheetah Club. While in Toronto, Cameron developed an interest in the microcomputer and was soon running the academic computing centre at George Brown. Along with a colleague he pioneered a meta-directory called Zoomit that they sold to Microsoft in 1999. In 2003 he went public with a technology he developed called InfoCard, which lets users control their identity information and is now a cornerstone of Microsoft's identity strategy. Cameron will be receiving an Honorary Doctor of Civil Law.

Friday, March 12, 2010

True story: Ah, we don’t have 6,000 contractors working here.

I had a great response to my earlier true story so I thought I’d relate another one. Plus, I’m on vacation and it’s easier to recount stories than deep-think authorization, why Novell - or Banyan for that matter – were unsuccessful despite having awesome products, etc. So here goes…

I think this took place in the winter of 1998 or 1999. I was a young VP of Sales at Zoomit Corporation tagging along on a final proof of concept for one of the largest heavy equipment manufacturers in the United States. We were asked to integrate the company’s telephone system, Windows NT directory (this was before Active Directory!), their mainframe system and employee database into our meta-directory product. If you’ve ever done something like this you know that you set up your connectors to each of these systems and then spend the bulk of your time mapping individual identities across the various namespaces.

In this particular case we successfully mapped (“joined”) around 60,000 employees but we found that there were approximately 6,000 names that we couldn’t find telephone numbers for. Many of these names were listed in the mainframe and being an old “mainframer” I was suspicious that they had so many mainframe accounts with no associated telephone number. Our conclusion was that the employee database didn’t include their contractors.

When we met for the final review we presented our results and told them we found 6,000 names that were not associated with a telephone number and were not in the employee database. “Did you forget to give us access to the contractor database or was this a test of our engineers?” The company’s representatives looked at each other and finally their director said “We don’t have a contractor database. And, ah, we don’t have 6,000 contractors working here.”

It turns out that their mainframe staff never deleted or disabled any employees who left the company. Apparently, this had been going on for years. Now the obvious security problem had manifested itself when someone was re-hired and a few years later they were still able to log-on to the mainframe with their old credentials – exactly what happened in the previous true story. However, there was a very interesting side effect of the company finally deleting all those old accounts: Once the accounts were deleted from RACF - the mainframe security database – many batch jobs failed to run and the company got back some of their mainframe computing power. So here they were running gosh knows how many jobs that no one was ever bothering to look at. Amazing.
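The join described in this story, and the de-provisioning gaps from the DHS report in the March 25 post above, both come down to reconciling a target system against an authoritative source. The sketch below is an added example, not code from Zoomit's product or from the report; all records are constructed and every field name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample data; every field name here is hypothetical.
HR = [  # authoritative source: one row per person
    {"emp_id": "E1001", "name": "Ana Ruiz", "status": "active"},
    {"emp_id": "E1002", "name": "Ben Cole", "status": "terminated"},
    {"emp_id": "E1003", "name": "Cy Dunn", "status": "active"},
    {"emp_id": "E1004", "name": "Cy Dunn", "status": "active"},  # same name, other person
]
MAINFRAME = [  # target system: accounts exported from the mainframe security database
    {"userid": "ARUIZ", "emp_id": "E1001", "name": "RUIZ, ANA", "enabled": True},
    {"userid": "BCOLE", "emp_id": None, "name": "Cole, Ben", "enabled": True},
    {"userid": "CDUNN", "emp_id": None, "name": "Dunn, Cy", "enabled": True},
    {"userid": "JOLD", "emp_id": None, "name": "Old, Joe", "enabled": True},
    {"userid": "TEST01", "emp_id": None, "name": "", "enabled": True},
    {"userid": "DLEE", "emp_id": "E0900", "name": "Lee, Di", "enabled": False},
]
BATCH_JOBS = [  # scheduled jobs and the account each one runs under
    {"job": "NIGHTLY1", "owner": "ARUIZ"},
    {"job": "RPT0042", "owner": "JOLD"},
    {"job": "RPT0043", "owner": "BCOLE"},
]
CARDS = [  # card state in the identity system vs. the physical access system
    {"card": "C-01", "idms_state": "active", "pacs_active": True},
    {"card": "C-02", "idms_state": "deactivated", "pacs_active": True},
    {"card": "C-03", "idms_state": "deactivated", "pacs_active": False},
]


def normalize(name):
    """Reduce 'LAST, FIRST' or 'First Last' to a lowercase 'first last' join key."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def join_account(acct, by_id, by_name):
    """Join one account to HR: by employee id first, then by unique name."""
    if acct["emp_id"] in by_id:
        return "joined", by_id[acct["emp_id"]]
    key = normalize(acct["name"])
    candidates = by_name.get(key, []) if key else []
    if len(candidates) == 1:
        return "joined", candidates[0]
    if len(candidates) > 1:
        return "ambiguous", None  # never auto-join when two people share a name
    return ("orphaned" if key else "unassigned"), None


def reconcile(accounts, hr):
    """Return {userid: finding} for every enabled account that needs review."""
    by_id = {p["emp_id"]: p for p in hr}
    by_name = defaultdict(list)
    for p in hr:
        by_name[normalize(p["name"])].append(p)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to de-provision
        verdict, person = join_account(acct, by_id, by_name)
        if verdict == "joined" and person["status"] != "active":
            verdict = "leaver"  # person left, account still works
        if verdict != "joined":
            findings[acct["userid"]] = verdict
    return findings


def jobs_owned_by_flagged(jobs, findings):
    """Batch jobs that still run under an account flagged by reconcile()."""
    return sorted(j["job"] for j in jobs if j["owner"] in findings)


def cards_out_of_sync(cards):
    """Cards deactivated in the identity system but still active for physical access."""
    return sorted(c["card"] for c in cards
                  if c["idms_state"] == "deactivated" and c["pacs_active"])


if __name__ == "__main__":
    flagged = reconcile(MAINFRAME, HR)
    for userid, verdict in sorted(flagged.items()):
        print(f"{userid:8} {verdict}")
    print("jobs to review:", jobs_owned_by_flagged(BATCH_JOBS, flagged))
    print("cards to revoke in PACS:", cards_out_of_sync(CARDS))
```

Listing the batch jobs owned by flagged accounts before disabling them shows in advance which jobs will stop running.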

I’m on vacation next week too so I’ll see if I can troll around the memory banks for a few more oldies but goodies. In the meantime, here’s a picture of a new friend of mine down here in Manasota Key, Florida

Thursday, March 11, 2010

Elliott Associates and the takeover of Novell

Very interesting blog post by Andy Updegrove on this topic that you may want to read. I’ve included a few paragraphs below:
…Elliott is in a far better position than Novell's board and management, or of a technology company that may make a bid, so long as Elliott retains self-discipline and walks when the bidding exceeds the internal calculation that it has already certainly made that reflects a prudent purchase.

But these other chess players do have their own advantages.  First up, no one at Novell is going to want to be acquired by Elliott.  Why?  Because Elliott will almost certainly want to break Novell up and sell the pieces.  Indeed, while it has offered $2 billion for Novell, it has already acquired over 8% of Novell at a significant discount off that per-share bid number.  And Novell has almost $1 billion in cash.  So the rewards of a quick hit, followed by a quick breakup, make far more sense than trying to turn around the business of a company that has been struggling to reinvent itself for over 15 years.

What that means is that one would imagine that Novell's talent will be heading for the exits in droves if the Elliott bid looks like it might succeed.  Even if Elliott convinces the target that it plans to run the Company in the long term, the prospect of being managed by a fund with a reputation as a "Vulture Capitalist" better known for buying distressed third world debt is hardly likely to inspire loyalty.
Check out the rest of Andy’s post. It is well worth the read.

Wednesday, March 10, 2010

True story: After being away 2 years I wish I was de-provisioned!

This is a true story. Names have been changed to protect the innocent.

I had lunch with my friend “Jason” from Universal Widgets last week. We hadn’t talked for more than two years and Jason’s first comment was “Did you know I left Universal to go work for Galactic Widgets but I’ve gone back to Universal Widgets?” I was surprised because I had missed out on what my friend was up to for more than two years. But, here we were back at the beginning again. Anyway, we had a good discussion about what each of us were up to but the most interesting part of Jason’s story was his answer to this question: “How was your return to Universal?”

Jason answered that they hadn’t allocated his desk to anyone else so it looked as if a “Jason shrine” had developed while he was gone. “But the worst part of my return was that I was able to logon with my old userid and password!” Where had I heard this before? However, rather than agreeing with me Jason’s comment was: “The worst part was when I started Outlook and I had 25,000 unread messages!”

I guess there can be some things even worse than a security compromise with not being de-provisioned and that’s coming back to two years’ worth of unread e-mails! I think Jason is still too busy deleting messages to answer his phone…

Tuesday, March 09, 2010

SAML vs. XACML for Authorization: VHS versus Betamax?

I’ve had my first customer discussion around implementation of a SAML-based authorization system. Yes, I said SAML – not XACML. There are lots of companies out there building XACML management products. Axiomatics and BitKoo come to mind but while customers have been discussing the potential use of XACML I have yet to run into a customer who is actually writing applications that use XACML. But I have run into my first customer who is already using SAML for the authentication side of an application and now wants to enable attribute-based authorization via SAML. Why SAML? Because they are already using it for authentication.

Is SAML the right “thing” for authorization? Hmmm, I guess if I were a purist I’d say “No” but since I’m a pragmatist I’d say “If it works for your application then use it”. In either case, this brings me to wonder about SAML and XACML from an authorization perspective. Will there be a Betamax versus VHS war in the authorization space? Hard to say. I know Microsoft will be supporting SAML tokens with the release of ADFS V2 later this quarter. They won’t be supporting XACML.

Who will win the war? I don’t know but there’s something to be said about the fact that progress is being made faster with SAML than XACML. Draw your own conclusions…As they say, time will tell.

Monday, March 08, 2010

Windows Licensing in a Unix, Linux, Apple Mac, Java and Web World

Caution: I only play a Microsoft licensing expert on TV. However, I do have 6 years of experience in this area both working on Windows licensing and answering licensing questions while I worked at Microsoft.

Last week, during the RSA Conference, I had the opportunity to meet many customers and partners – always one of the most favorite parts of my job. One pleasant dinner at the Town Hall restaurant in San Francisco was memorable for what our customer had been told his Microsoft licensing requirements would be if he integrated his Unix and Linux systems with Windows and Active Directory. So, rather than pull all the relevant information together in an email I figured I’d write a blog post explaining the licensing, with references, and send him a link to this blog article. Perhaps someone else will benefit from this, too. Now, on to the questions:
Q: Do you need to purchase Windows client access licenses (CALs) for the Unix, Linux or Mac systems you are integrating with Windows and Active Directory?

A: Generally, no. I say generally because when you set up your Windows servers during installation you get asked if you want to set up your server for device-based CALs or user-based CALs. Nearly every customer I have worked with sets up their servers for user-based CALs. If you use user-based CALs then you do not need to purchase any additional CALs for the Unix, Linux or Mac systems that you integrate with Active Directory. The text directly below is cut-and-paste from this page on Windows Server 2008 R2 Client Licensing. Clearly, “Windows CAL for every named user accessing your servers from any device” is the way to go. (Licensing for previous versions of Windows Server is identical.)
Device-based or User-based Windows Client Access Licenses
There are two types of Windows Client Access Licenses from which to choose: device-based or user-based, also known as Windows Device CALs or Windows User CALs. This means you can choose to acquire a Windows CAL for every device (used by any user) accessing your servers, or you can choose to acquire a Windows CAL for every named user accessing your servers (from any device).

The option to choose between the two types of Windows CALs offers you the flexibility to use the licensing that best suits the needs of your organization. For example:
  • Windows Device CALs might make most economic and administrative sense for an organization with multiple users for one device, such as shift workers.
  • Whereas, Windows User CALs might make most sense for an organization with many employees who need access to the corporate network from unknown devices (for example, when traveling) and/or an organization with employees who access the network from multiple devices.
Q: My customers and suppliers are authenticating to Active Directory via a web service (Java, .Net, SAML, ADFS, etc.). I have insertyournumberhere of customers and suppliers who will be using this web service. Do I need a Windows CAL for each person who uses this web service or web application?

A: No. You must have a Windows CAL for anyone who could be reasonably classified as an employee, temporary worker or a contractor. However, for customers, suppliers or others who are “at arms-length” you do not need a Windows CAL. Again, the text below is pulled from the same page on Windows Server 2008 R2 Client Licensing. The relevant text is contained in the 3rd bullet below which discusses “external users” and the Windows Server 2008 External Connector license. The External Connector license costs $1,999 per server but this is far cheaper than purchasing Windows CALs for a large number of external users.
Client Access Licensing Requirements
Every user or device that accesses or uses the Windows Server 2008 or Windows Server 2008 R2 server software requires the purchase of a Windows Server 2008 Client Access License (Windows Server CAL) except under the following circumstances:
  • If access to the instances of server software is only through the Internet without being authenticated or otherwise individually identified by the server software or through any other means
  • If access is to Windows Web Server 2008 or Windows Web Server 2008 R2
  • If external users are accessing the instances of server software and you have acquired a Windows Server 2008 External Connector license for each server being accessed
  • For up to two devices or users to access your instances of the server software only to administer those instances
  • If you are using Windows Server 2008 R2 solely as a virtualization host (you will still require CALs for your appropriate WS edition running in the virtual machine(s) )
It pays to be educated about these lesser known Windows licensing details – you could save yourself a ton of money and aggravation.

Friday, March 05, 2010

Gartner Fellows interview with Kim Cameron

You might be interested in this interview that Neil MacDonald of Gartner had with Kim Cameron back in 2007. While it is an older interview it is very relevant for an understanding of what Kim is trying to achieve at Microsoft. Kim talks about the “Seven Laws of Identity" and his views on the future shape and role of identity in consumer and enterprise applications.

If you haven’t read anything about the identity metasystem or Kim’s work I’d suggest that this is a good starting point for you.
We sat down with Kim Cameron, chief identity architect for Microsoft and creator of the "Seven Laws of Identity" to get his views on the future shape and role of identity in consumer and enterprise applications.

Thursday, March 04, 2010

On the Internet, everybody knows your dog's name

Thank you to my friends at Vodafone in Germany for sending me a pointer to this article in Fortune Magazine. We have been having a lively email exchange regarding our Quest Password Manager product and how it uses questions and answers for password reset. Here’s the piece in the article which sparked the debate:
…the weak link isn't the passwords themselves but those security questions you have to answer in case you forget the passwords. You know the drill. You set up an online checking account and answer questions about your high school mascot, the street you grew up on, and the name of your dog, which supposedly only you can answer. It's all safe as long as crooks don't have the answers, which now - thanks to blogs, Facebook, Twitter, and every other public forum people use to put every last detail of their lives online - they do.
As a test I did a few Google searches on some of the questions that I know are part of my Q&A reset and I did find enough information "out there" that could lead to an easier compromise of my account.

At the RSA Conference there is a company that’s developed a different technique to help thwart this. RavenWhite was named one of the 10 finalists for the coveted "Most Innovative Company at RSA® Conference 2010” and I can understand why. Check out their stuff here:

What do you think?

Tuesday, March 02, 2010

Forefront Identity Manager 2010 finally ships!


The Microsoft team is very proud that they’ve finally shipped their baby. Congratulations guys! Evaluation bits of FIM 2010 are available here:

When I stopped by the Microsoft booth here at RSA I was told the product will be generally available in April (yes, this year).

Monday, March 01, 2010

See you at the RSA Conference!

I'm flying down to San Francisco for RSA Conference 2010. Will I see you there?

Quest Software will have a booth so please drop by and visit us. Expect some real-time blog posting from the show floor during the week.


ADAM or ADLDS now available for Windows 7

Active Directory Lightweight Directory Services (AD LDS) for Windows 7 is now available - again. It was released a while ago and then pulled from the download site. Obviously something slipped by the testers but you can get it now, here.
AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS). AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. In environments where AD DS exists, AD LDS can use AD DS for the authentication of Windows security principals. You can run multiple instances of AD LDS concurrently on a single computer, and have an independently managed schema for each AD LDS instance.
Now I don't recommend running a production directory service based on Windows 7 but certainly for development and testing this gives you an easy way to achieve either without a server infrastructure.

I do wish that Microsoft would invest further in the management tools and GUI around ADAM. Right now, it's the red-headed step-child to Active Directory.