
Once heralded as the ultimate repository of information about users and applications, directories promised to let enterprises store all data in a central location and a standardized format. However, conflicting use of attributes, proprietary schema extensions, and the need for scalability, replication, and security often caused problems. Rather than building one central directory, organizations built and deployed a separate directory for each application or set of users. Inevitably, users and applications were represented in multiple directories, and applications needed to access data spread across multiple directories.

In an effort to resolve the problems associated with implementing multiple directories, companies have deployed metadirectory products, such as Microsoft Metadirectory Services (MMS), to present a unified view of directories to users and applications. However, not all applications can use metadirectories, and many enterprises have difficulty building metadirectories because of conflicts between attributes and schemas across individual directories.

The release of Microsoft Identity Integration Server 2003 (MIIS) has given organizations a powerful tool for deploying directory-enabled applications while ensuring that data across individual directories remains synchronized. Consider an organization that runs Web servers to host a Web-based application and deploys an Active Directory Application Mode (ADAM) directory hosted in a demilitarized zone (DMZ) to store user credentials and configuration information. The organization has two options. It can support access through the firewall to one directory hosted on the intranet, with all the security concerns that this option entails, or it can deploy two directories, in which case user accounts that exist in both directories can become unsynchronized.

By adding MIIS to this scenario, as Figure 1 shows, you can export objects that represent application users from Active Directory (AD) and import them into ADAM, where you can store them alongside objects that represent external users. (I discuss ADAM in "Getting to Know ADAM," June 2004, InstantDoc ID 42450.) MIIS doesn't need to export and import entire directories—you can configure it to replicate only pertinent attributes and only for selected objects. Through MIIS, AD and ADAM can synchronize the objects for users who access the Web-based application—a specific value or attribute can drive the decision about which objects to synchronize. Best of all, the Identity Integration Feature Pack (IIFP) for Microsoft Windows Server Active Directory, a version of MIIS that supports a subset of directories, is available free to Microsoft customers who have Windows Server 2003, Enterprise Edition licenses.

Installing and Configuring MIIS
MIIS is the successor to MMS but differs from it in many respects. MIIS lets you import objects from one or more directories, reconcile conflicting attributes, and export the objects to other directories. You can create rules to determine which objects and attributes are imported from each directory, how conflicts are resolved, which objects and attributes are exported, and where they're exported to. And you can extend MIIS's functionality by writing processing logic in Visual C# .NET or Visual Basic .NET.

Neither MIIS nor IIFP is a metadirectory in the truest sense of the term, but you can use either in conjunction with ADAM to build a metadirectory. The full version of MIIS supports several different directories, email systems, applications, databases, and file-based repositories. (For a complete list, see http://www.microsoft.com/windowsserversystem/miis2003/evaluation/overview/default.mspx.) However, IIFP supports only ADAM, AD, and Microsoft Exchange Server 2003 and Exchange 2000 Server Global Address Lists (GALs). GALs list email-enabled users and groups and are created and used by Exchange and Messaging API (MAPI) applications, such as Microsoft Outlook and other Microsoft Office applications. In this article, I concentrate on IIFP, but everything I discuss also applies to the full version of MIIS.

Unlike ADAM, which runs on both Windows 2003 and Windows XP Service Pack 1 (SP1), IIFP runs only on Windows 2003, Enterprise Edition and requires Microsoft SQL Server 2000 Standard Edition or Enterprise Edition. (You can use the latest version of Microsoft SQL Server Desktop Engine—MSDE—for testing purposes, but IIFP isn't licensed for use with MSDE in production environments.) IIFP, which you can download at http://www.microsoft.com/windowsserver2003/technologies/directory/miis/default.mspx, is slightly less than 8MB in size and provides a wizard to help with installation and configuration.

To install IIFP, you need to be logged on to your server as an administrator and use an account that has administrative privileges on the database server and for the database that MIIS will use. After presenting the Welcome screen and the End User License Agreement (EULA), the wizard asks whether you want to install a complete or custom version of IIFP. If you elect a custom installation, you can choose which components to install from among the MIIS server; the UI; and the AD, ADAM, and AD GAL management agents. The wizard then asks for information about the SQL Server database instance that MIIS will use and prompts you to enter credentials for the service account that MIIS will use when it runs. You need to create this account before installing MIIS, and you need to grant the account the privilege to log on as a service.

Next, the wizard asks for names for four groups it will create. These groups (and their default names) are MIIS Administrators (MIISAdmins), Operators (MIISOperators), Joiners (MIISJoiners), and Container Browsers (MIISBrowse). Then, the wizard installs MIIS. The installation program checks your MIIS server configuration for potential security problems and prompts you to follow the best security practices documented in the online Help to remedy any problems it finds.

After installing MIIS, the wizard prompts you for a location at which to store a backup of the encryption key MIIS uses to protect credentials that it stores for accessing other directories. The encryption key is generated during installation. After installation, you manage encryption keys through the Key Management Utility. Finally, the wizard prompts you to log off, then log on again to ensure that you have access to MIIS.
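The wizard steps above assume two things are already in place before setup runs (the service account exists and holds the "Log on as a service" right) and leave four groups behind afterwards. The following script is an added example, not part of the article or of the IIFP package, for checking those pre- and post-install conditions on the MIIS server. It assumes a Windows host with the LocalAccounts PowerShell module (Windows Server 2016 or later; the article's own era would have used net user and the resource kit tools instead), that the groups are local to the MIIS server, and that MIISService is a placeholder account name. Only the four default group names come from the article.

```powershell
# Added example (not from the article): verify IIFP/MIIS setup prerequisites.
# Assumes a local service account and local groups; MIISService is a placeholder name.
#Requires -RunAsAdministrator

$serviceAccount = 'MIISService'   # placeholder; use your own service account name
$defaultGroups  = 'MIISAdmins', 'MIISOperators', 'MIISJoiners', 'MIISBrowse'

# --- Before setup: the service account must exist before the wizard asks for it ---
if (-not (Get-LocalUser -Name $serviceAccount -ErrorAction SilentlyContinue)) {
    # Prompt for the password rather than embedding it in the script.
    $password = Read-Host -AsSecureString "Password for $serviceAccount"
    New-LocalUser -Name $serviceAccount -Password $password -PasswordNeverExpires `
        -Description 'MIIS service account' | Out-Null
    Write-Host "Created local account $serviceAccount."
}

# The account also needs the "Log on as a service" right (SeServiceLogonRight).
# There is no built-in cmdlet for user rights, so export the local policy with
# secedit and look for the account's SID in that right's assignment line.
$sid = (Get-LocalUser -Name $serviceAccount).SID.Value
$cfg = Join-Path $env:TEMP 'miis-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($rightLine -and $rightLine.Line.Contains("*$sid")) {
    Write-Host "$serviceAccount holds 'Log on as a service'."
} else {
    Write-Warning "$serviceAccount lacks 'Log on as a service'; assign it in secpol.msc before running setup."
}

# --- After setup: the wizard should have created the four groups ---
foreach ($group in $defaultGroups) {
    $g = Get-LocalGroup -Name $group -ErrorAction SilentlyContinue
    if ($g) {
        $members = (Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name) -join ', '
        Write-Host ("{0}: present (members: {1})" -f $group, $(if ($members) { $members } else { 'none' }))
    } else {
        Write-Warning "$group not found; setup may not have completed or a different group name was chosen."
    }
}
```

Run the first half before starting setup and the whole script again afterwards; the group membership listing is worth keeping, since the MIISAdmins group controls who can change synchronization rules and should stay as small as possible.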



