Update your Active Directory services to prepare for the cloud

Even if you don't have a cloud service yet, you should update your Active Directory services to centralize governance and prepare for cloud.

Cloud is coming, and it could take different forms. It could mean integrating a hybrid infrastructure for virtual machines, extending certain software into the cloud, or using cloud platforms to host new applications and services.

But there is one constant: Cloud will require proper identity management and authentication mechanisms for anything IT must support. Even if you haven't turned on a single cloud service, you'll want to update Active Directory services so you can keep governance centralized for when cloud arrives in your organization.

Time to deploy Federated Services

Federation for Active Directory (AD) extends your authentication system to external applications and resources. Many administrators get justifiable heartburn thinking about allowing their domain system outside the perimeter firewall, but it doesn't put your domain on the Internet. A claims-based token is different from the normal Windows token that end users receive from a domain controller (DC) when, for example, they access a file share. In that instance, a token generates for the file server and includes all information, including all group memberships.

Claims-based security tokens craft a specific response with information about the user that applies only to that single application and has the necessary details to complete authentication. The token is trusted because the issuer signs it. The issuer will work with your DCs to obtain the token information, but the token isn't a DC -- it is an Identity Provider running Security Token Service, or IP-STS. Your STS and a partner's STS establish a trust and a successful token validation.

Windows Azure Active Directory fills in the gaps

Windows Azure Active Directory (WAAD) is the latest story from Redmond. This is not your typical off-site AD replication; instead, it's a set of features that are still part of AD services. These are not the same features offered by an on-premises DC. An enterprise AD domain is as much about control through Group Policy as it is about logons. The WAAD implementation is specifically designed for identity management for a new class of applications to exist in a multi-tenant cloud and in-service Internet-centric applications.

This doesn't mean WAAD is isolated from traditional Active Directory services; you have the option to integrate so you can centrally manage needs in a hybrid fashion. DirSync does this in concert with Active Directory Federation Services (ADFS) to allow seamless single sign-on between on-premises applications and Internet-based cloud applications. There is also a management portal in Azure, which is better than supporting many interfaces for your on-premises ADFS. Instead, you can manage with the application programming interfaces (APIs) built for this use case in the Azure cloud.

Support third-party integration

What about all of those applications from the Office 365 online suite, or what about applications that exist on different platforms, like Google or Amazon? WAAD provides an integration point with several APIs that allow third-party apps to use your standard credentials.

You may be eyeing this feature with a healthy dose of skepticism, and you'd be right to do so if you envision usernames and passwords bouncing around Internet sites. But in reality, an Internet service using the WAAD APIs will never see a password; these APIs include WS-Federation, SAML, Oauth and the Graph API.

Admins designate Service Principle in WAAD to include the details of a consuming application; two important details are the App Principle ID and the Secret. With this information configured on the application side, the application will map itself to WAAD authentication services and pass the user to the WAAD authentication page during logon. A token is then passed back to the application with such details as a name identifier, but with no usernames or passwords exchanging hands. The application can't peruse the AD structure, either. It can only access data in the context of the user when lookup is necessary. This is how you can integrate everything from Box cloud storage to an application hosted in the Azure cloud.

New Active Directory services for new apps

Most companies using Windows authentication change only when they're forced to do so, which has a lot to do with the critical nature of Active Directory services. Hybrid and cloud services are a great reason to upgrade to a new version of AD and stand up Federated Services. Microsoft currently offers WAAD for free, so you have no reason to miss hooking into WAAD and testing the waters with familiar apps like Office 365 or Windows InTune.

About the author:
Eric Beehler has been working in the IT industry since the mid-1990s and has been playing with computer technology since well before that. His experience includes more than nine years' experience with Hewlett-Packard's Managed Services division; working with Fortune 500 companies to deliver network and server solutions; and most recently, IT experience in the insurance industry, working on highly available solutions and disaster recovery. He currently provides consulting and training through his co-ownership of Consortio Services LLC.

Dig Deeper on Windows systems and network management