Course code SVR-312: Building an Enterprise Identity Authentication Infrastructure on Active Directory

Presentation transcript:


Course overview: Active Directory is a core component of the Windows platform; the Active Directory service provides a way to manage the identities and relationships of the various objects that make up a network environment. Microsoft identity and access management solutions enable enterprises to interact better with customers, partners and employees through superior identity and access management. This session mainly introduces how to build an enterprise identity authentication infrastructure on Active Directory, gives an overview of the new ADFS capabilities of Active Directory in Windows Server 2003 R2, and finally presents the vision for Active Directory in the next-generation Longhorn Server.

Course agenda
Overview
Active Directory and Group Policy: application access control
Active Directory and Group Policy: demo
Active Directory Federation Services: inter-organization identity authentication
Active Directory Federation Services: demo
The vision for Active Directory
Other important Active Directory topics: 1) Active Directory and developing identity-aware applications; 2) integrating Active Directory with data sources (MIIS)
Q&A

Active Directory architecture overview
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Unified architecture, policy, and management: unified identity authentication and access control. Diagram components: Certificate Services, ADFS, IIFP, RMS, Authorization Manager, Domain/Directory Services.
Today, Microsoft offers a range of identity and access products, many of which grew organically: Active Directory provides domain and directory services; Windows Certificate Services provides strong credentials; Active Directory Federation Services provides federated identity; Identity Integration Feature Pack (a version of MIIS) provides metadirectory and provisioning services; Authorization Manager provides role-based access control; Rights Management Services provides information rights protection. Since these products grew organically, they do not share a consistent deployment model, architecture, or administrative console. As such, the effort required to deploy, integrate, and manage these products is significant. We believe customers need a single unified identity and access infrastructure – a single installation for a broad set of capabilities, a unified policy model that spans across applications, and one place to administer it all. As we bring all of these technologies together, which starts in Windows Server “Longhorn,” we’ll make it much easier for customers to use these services and generate a great deal of synergy. For example, establishing trust in a federated identity relationship requires the use of certificates. By having both a certificate authority and federation services in the same unified platform, we can make it vastly simpler for customers to manage federated relationships. The certificate issuance, renewal, and revocation process can be completely seamless and automated by the platform. Another example is the benefit of having information rights protection and federation in the same platform. Protecting documents and files that travel across organizational boundaries today requires the installation of software at all endpoints to enforce the information rights policy. With an ability to share and exchange identity information across organizational boundaries, through the use of federated identity, protecting documents or information that is shared with affiliates, customers, or partners is vastly simplified and achievable. In addition to these synergies, there’s also the benefit of skill re-use. Today, there’s a fair amount of expertise required to deploy each of these capabilities, and that expertise is typically locked up in a small group of individuals. By rationalizing and streamlining these services, you create re-usable skills across your IT organization that can more efficiently deploy and manage the infrastructure. Our customers stand to derive great business value as we unify these capabilities in Active Directory.

Logical elements of Active Directory

Physical elements of Active Directory

Active Directory and Group Policy: application access control

Enterprise IT infrastructure (architecture and description):
Network architecture: designs and provides the network services infrastructure that supports communication and exchange within the enterprise.
Security architecture: the security policy, including security zones, policies and secure management processes.
Management architecture: based on ITIL; guides the management and operation of the infrastructure.
Storage architecture: builds secure, centralized storage within the enterprise.
Application infrastructure architecture: designs an enhanced infrastructure that supports application deployment.

Introduction to Group Policy. What Group Policy does: sets centralized or decentralized policies; ensures users have the environment they need; lowers TCO by controlling the user and computer environments; enforces policy across the organization. Diagram: the administrator sets Group Policy once at the Site, Domain or OU, and Windows Server applies it continually to users and computers.

Group Policy for computers and users.
Computer-based Group Policy: specifies operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings; applies when the operating system initializes and during the periodic refresh cycle.
User-account-based Group Policy: specifies operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts; applies when users log on to the computer and during the periodic refresh cycle.

Group Policy objects and Group Policy containers. Diagram: a Site GPO, a Domain GPO and OU GPOs linked to the Site, domain and OUs. GPO settings apply to the users and computers in the Site, domain or OU the GPO is linked to. One GPO can be linked to multiple Sites, domains and OUs. Multiple GPOs can be linked to one Site, domain or OU.
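As an added example (not from the original presentation), the following Python resolves the resultant set of policy for the linking model this slide describes: GPOs linked at the site, domain and OU levels are applied in that order, so on a conflicting setting the GPO applied last wins, and a GPO linked to several containers is simply applied at each of them. All site, domain, OU and GPO names and settings are constructed samples.

```python
# Added example: resultant-set-of-policy calculation for GPOs linked to a site,
# a domain and a chain of OUs.  Not a Microsoft tool; all names and settings are
# constructed samples.  The local GPO (processed before the site) is omitted.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # applied when the OS initialises
    user: dict = field(default_factory=dict)       # applied at user logon


# Links per container, in link order: the first entry has the highest
# precedence inside that container and is therefore applied last.
LINKS = {
    "site:Beijing": ["Site Baseline"],
    "domain:corp.example": ["Domain Security", "Site Baseline"],   # one GPO, two links
    "ou:Workstations": ["Desktop Standard"],
    "ou:Workstations/Finance": ["Finance Lockdown", "Desktop Standard"],
}

GPOS = {
    "Site Baseline": GPO("Site Baseline", computer={"wsus_server": "wsus.beijing.example"}),
    "Domain Security": GPO("Domain Security",
                           computer={"audit_logon_events": "Success,Failure"},
                           user={"disable_registry_tools": False}),
    "Desktop Standard": GPO("Desktop Standard",
                            computer={"wsus_server": "wsus.corp.example"},
                            user={"screen_saver_timeout": 900}),
    "Finance Lockdown": GPO("Finance Lockdown",
                            user={"disable_registry_tools": True, "screen_saver_timeout": 300}),
}


def processing_order(site, domain, ou_path):
    """Site, domain, then OUs from the domain root down to the object's own OU."""
    containers = [f"site:{site}", f"domain:{domain}"]
    parts = ou_path.split("/") if ou_path else []
    for depth in range(1, len(parts) + 1):
        containers.append("ou:" + "/".join(parts[:depth]))
    return containers


def resultant(scope, site, domain, ou_path, links=LINKS, gpos=GPOS):
    """Merge `scope` ('computer' or 'user') settings; return (settings, GPOs in applied order)."""
    settings, applied = {}, []
    for container in processing_order(site, domain, ou_path):
        for name in reversed(links.get(container, [])):   # link order 1 is applied last
            settings.update(getattr(gpos[name], scope))
            applied.append((container, name))
    return settings, applied
```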

Active Directory and Group Policy

Demo scenario: the company network contains a single AD domain, and all domain controllers run Microsoft Windows Server 2003. Client computers run Windows XP Professional or Windows 2000 Professional. The requirement is to use software restriction policies to prevent specific programs from running on the clients. Demo script download: http://www.qu114.com/bbs/ShowPost.aspx?PostID=1035

Active Directory Federation Services: inter-organization identity authentication

Organizations need to extend access. Diagram: suppliers, customers, the corporate intranet and employees, partners, remote and temporary workers, mergers and acquisitions, a mobile/global workforce, a flexible/temporary workforce; business drivers: customer satisfaction/loyalty, cost savings, collaboration, outsourcing, faster business cycles and processes, automation, the value chain. Key Idea: Inside the firewall doesn’t work anymore, because there are too many outside-the-firewall constituencies that need access to your resources. This includes not just customers, but your own employees when not in the office, and notably/increasingly customers and partners who typically have their own IT systems to manage and IT staff that are dealing with these same issues.

Extending access management brings many challenges.
IT and support department efficiency: account service requests, password reset requests, service levels, centralized policy management.
IT and development architects: redundancy, application updates, integration and heterogeneity, scalability.
End-user productivity: forgotten passwords, logon frequency, request latency, mobile access.
Security: stale or erroneous accounts, password leakage, hackers, firewalls, least-privilege access.
Regulatory compliance: privacy protection, HIPAA (Health Insurance Portability and Accountability Act), auditing and reporting, non-repudiation.
Key Idea: It’s easy to see why extending access to external constituents might be desirable. But it’s not easy to do. In fact, all sorts of folks in a typical org will experience challenges with this sort of expanded access: IT folks will have lots more people to manage, and lots more passwords to reset. Architects and developers will end up with outdated authorization models and a redundancy of technology in isolated perimeter networks. End users will have a bunch more passwords to manage and write down. Security folks will have lots more to be afraid of, including access by external users that have already been fired/reassigned by their company, and making sure information is shared only with those who should see it. Those caring about regulatory compliance will want good auditing/logging (and not just the resource owners – companies whose users access 3rd-party systems increasingly need audit data for their users for repudiation purposes), and concerns for privacy will require stringent data-sharing policies.

ADFS authentication flow. Diagram: A. Datum Account Forest and Trey Research Resource Forest.

Authentication message flow. Participants: Browser Client, Web Server, Resource STS, Account STS. Messages, in order: GET (to Web Server); 302 Redirect (to Resource STS); detect user’s home realm; 302 Redirect (to Account STS); authenticate user; POST “Redirect” security token (to Resource STS); POST “Redirect” security token (to Web Server); 200 OK Response (from Web Server).

Extended identity and access management: ADFS. ADFS allows partners and customers to securely access the company's internal Web applications; it submits identity verification requests to the partner organization through Web Services, implements identity federation and Web single sign-on, interoperates with third-party security solutions and multiple application platforms, breaks down identity information silos and eliminates “shadow accounts”, and improves IT efficiency while securing applications. Diagram: IIS, AD, enterprise application, partner.
Key Message – ADFS helps customers do more with less by providing seamless access across organization and security boundaries. Our solution to this problem in R2 is Active Directory Federation Services. (Note that this name is subject to change.) Customers have been enjoying the benefits of intranet single sign-on using Active Directory, and ADFS will allow customers to extend this capability across security and organizational boundaries to partners and suppliers – a combined Web SSO and Federation solution that makes it easier to do business with each other. Customers will be able to reduce costs and effort when implementing Web SSO for internal systems or across security boundaries with multiple partners. With ADFS, user IDs and passwords will be managed by the organizations that own them and not the hosting company. This reduces the cost of IT management by reducing the number of directories required and help desk calls for password resets, and also improves security, as organizations can internally enforce strong authentication as well as automatically restrict access to partner sites upon disabling a user’s local AD account. Since ADFS is integrated with other Microsoft identity management technologies, it rounds out a complete set of tools for internal and external authentication and authorization management. In particular, ADFS is built to integrate with new technologies like ADAM (use Windows Server for extranet web apps without literally adding the users to the external domain), Authorization Manager (role-based access control to operation-level app capabilities, with role membership managed by the account partner) and Windows SharePoint Services (bring strong auth, SSO and federation to internet-facing SharePoint sites). Since this technology is based on industry standards, organizations will not have to dictate specific products to partners/suppliers in order to interoperate. This results in a faster time to market and greatly reduced deployment and development costs. IBM, Netegrity, Oblix, OpenNetwork, RSA, and Ping Identity have all shown interop with this product. ADFS promotes IT efficiency, end-user productivity, and better security. IT efficiency: centralized user administration, “native” delegated administration, lower password reset costs. End-user productivity: SSO to internal and partner web applications, fewer passwords for users to forget. Security: automated de-provisioning, strong authentication, auditing/logging of access to partner applications.

Standard: WS-Federation. Diagram: a Security Token Service with an HTTP receiver for HTTP messages and a SOAP receiver for SOAP messages. The Web Services Federation Language defines security mechanisms for exchanging user identity information and builds on WS-Security and WS-Trust. It has broad industry support: initiated by BEA, IBM, Microsoft, RSA and VeriSign; the 3/04 workshop included IBM, OpenNetwork, Oblix, Netegrity, RSA and PingID. It offers two usage modes: passive (web browser) clients over HTTP/S (ADFS v1) and active (smart/rich) clients over SOAP (ADFS v2).
Key Idea: Federation sounds like a great concept, but if it only worked between Microsoft environments, it wouldn’t get very far. For federation to be a successful concept, it needs to be standards-based, and that’s what WS-Federation is for. Part of the WS-* set of web services specifications designed by Microsoft and other technology companies, WS-Federation enables distinct security solutions to share identity information in a common format. This means, for example, that if a company managing users in Active Directory wanted to federate its users with an application provider that enabled access control with Netegrity SiteMinder, that would be possible using WS-Federation. A number of leading identity management companies have either been involved in the writing of the specs or pledged their support for the specification in their products. It is important to note there are two major components to WS-Federation – the Passive Requestor Profile and the Active Requestor Profile. The Passive profile supports federation between browser-based applications using HTTPS, and is supported in ADFS v1 in R2. The Active profile is a more advanced spec that supports rich client applications that speak SOAP instead of proprietary protocols like RPC – which is the future direction of Windows-based application development with technologies like Indigo. Active client support will be available in ADFS v2 in the Longhorn timeframe.

Active Directory Federation Services (ADFS)

Demo scenario: A. Datum is a computer manufacturer and Trey Research is a memory module manufacturer. A. Datum sources its memory modules from Trey Research, and Trey Research has a Web application on the public Internet through which customers place orders. This demo shows how ADFS helps the two companies establish a secure, trusted business connection, so that A. Datum employees can access the memory ordering system without an additional logon. Demo script download: http://www.qu114.com/bbs/ShowPost.aspx?PostID=1035
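As an added example (not ADFS code and not part of the original presentation), the following Python simulates the passive-profile exchange from the authentication message flow slide between the two demo companies, with each party validating the token it receives before acting on it: the resource STS accepts only tokens signed by a trusted account partner and addressed to it, and the web server accepts only tokens from its own resource STS. HMAC-signed JSON stands in for the signed SAML tokens ADFS issues, and every hostname, key, user and claim mapping is a constructed sample.

```python
# Added example: simulation of the WS-Federation passive-profile exchange on the
# message-flow slide.  HMAC-signed JSON stands in for ADFS's signed SAML tokens;
# every hostname, key, user and claim mapping below is a constructed sample.
import base64, binascii, hashlib, hmac, json, time

ACCOUNT_KEY = b"adatum-account-sts-signing-key"    # stand-in for A. Datum's token-signing cert
RESOURCE_KEY = b"trey-resource-sts-signing-key"    # stand-in for Trey Research's
APP = "https://orders.treyresearch.example/"        # the ordering web application
RESOURCE_STS = "https://fs.treyresearch.example/"   # resource partner federation server
ACCOUNT_STS = "https://fs.adatum.example/"          # account partner federation server


def sign_token(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(body).decode() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_token(key, token, audience, now):
    """Return the claims if signature, audience (wtrealm) and expiry all hold, else None."""
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sig):
        return None
    claims = json.loads(body)
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


class AccountSTS:
    """A. Datum's federation server: authenticates its own users and issues tokens."""
    users = {"alice@adatum.example": {"pw": "S3cret!", "groups": ["Purchasing"]}}

    def sign_in(self, upn, password, wtrealm, now):
        user = self.users.get(upn)
        if user is None or user["pw"] != password:
            return None                      # "Authenticate User" failed: no token issued
        return sign_token(ACCOUNT_KEY, {"iss": ACCOUNT_STS, "aud": wtrealm, "upn": upn,
                                        "groups": user["groups"], "exp": now + 600})


class ResourceSTS:
    """Trey Research's federation server: trusts account partners and re-issues tokens."""
    partners = {"adatum.example": (ACCOUNT_STS, ACCOUNT_KEY)}   # the federation trust
    claim_map = {"Purchasing": "Buyer"}                          # incoming group -> app role

    def home_realm(self, upn):
        """'Detect user's home realm': choose the account partner from the UPN suffix."""
        partner = self.partners.get(upn.split("@", 1)[-1])
        return partner[0] if partner else None

    def exchange(self, partner_token, now):
        for realm, key in self.partners.values():
            claims = verify_token(key, partner_token, RESOURCE_STS, now)
            if claims and claims.get("iss") == realm:
                roles = [self.claim_map[g] for g in claims.get("groups", []) if g in self.claim_map]
                return sign_token(RESOURCE_KEY, {"iss": RESOURCE_STS, "aud": APP, "upn": claims.get("upn"),
                                                 "roles": roles, "exp": now + 600})
        return None                          # untrusted signer, wrong audience or expired


class WebServer:
    """The ordering application: accepts only tokens issued by its own resource STS."""
    def request(self, token, now):
        if token is None:
            return 302, RESOURCE_STS         # no token yet: redirect to the resource STS
        claims = verify_token(RESOURCE_KEY, token, APP, now)
        if claims is None:
            return 401, None
        return (200 if "Buyer" in claims["roles"] else 403), claims


def federated_sign_in(upn, password, now=None):
    """Drive the whole passive exchange; return (final HTTP status, message log)."""
    now = time.time() if now is None else now
    web, rsts, asts = WebServer(), ResourceSTS(), AccountSTS()
    log = [("GET", APP)]
    status, target = web.request(None, now)
    log.append((status, target))                        # 302 Redirect (to Resource STS)
    realm = rsts.home_realm(upn)
    if realm is None:
        return 401, log                                 # no account partner for this suffix
    log.append((302, realm))                            # 302 Redirect (to Account STS)
    token = asts.sign_in(upn, password, RESOURCE_STS, now)
    if token is None:
        return 401, log
    log.append(("POST", RESOURCE_STS))                  # POST security token (to Resource STS)
    app_token = rsts.exchange(token, now)
    if app_token is None:
        return 401, log
    log.append(("POST", APP))                           # POST security token (to Web Server)
    status, _ = web.request(app_token, now)
    log.append((status, APP))                           # 200 OK Response (from Web Server)
    return status, log
```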

The vision for Active Directory

The vision for Active Directory. Unified: a consistent policy and access control model; centralized, unified management; eases deployment. Connected: seamless interaction between users and partners; easier and more secure access to the Internet; extends connectivity to applications and information workers. Integrated: a seamless experience across applications; identity authentication across all applications and services; simplified development of identity-related applications.
Microsoft helps organizations unleash The Power of Identity with Active Directory, the premier enterprise infrastructure for managing identity and access across internal and external applications. While many people know AD as a NOS directory today (as evidenced by AD’s leading market share numbers), the roadmap and vision for AD is far broader. Starting with Windows Server “Longhorn,” AD will evolve to include a much richer set of capabilities and will be the single brand for all of Microsoft’s identity and access assets in the platform. The future of Active Directory will be based on three strategies: Unified. Active Directory will align information rights, strong credentials, and metadirectory services with existing domain, directory, and federation services to deliver a broad set of integrated identity and access capabilities. By bringing together the identity and access capabilities in Windows Server and aligning them around Active Directory, we will deliver simplicity for our customers through common deployment models and unified administration. The Unified Active Directory will also provide consistent policy enforcement across documents, files, web sites, and other resources. Connected. Active Directory will make it easy for organizations to plug into the Identity Metasystem, which is a vision and architecture for users to exchange and use their identities safely and privately in an interconnected world. The Connected Active Directory is the enterprise hub that allows organizations to participate in the Identity Metasystem, delivering improved partner collaboration, seamless access to cloud services, and simplified application integration. All of this will be based on industry standards to provide maximum interoperability across business partners, applications, and platforms. Integrated. The identity and access services that Active Directory provides will be available natively in Microsoft’s applications and servers, eliminating the need to deploy or configure additional infrastructure. The Integrated Active Directory delivers a seamless user experience, providing single sign-on and a common identity for users accessing any Windows-based application or service. In addition, developers that want to leverage the identity and access services that Active Directory provides will have easy access through a rich set of programming interfaces, accelerating the development of identity-based applications. Let’s look at each of these strategies in a bit more detail…


Key terminology comparison (current name → new name):
Active Directory Domain Controller → Active Directory Domain Services
Active Directory Application Mode → Active Directory Lightweight Directory Services
Windows Rights Management Services → Active Directory Rights Management Services
Windows Certificate Services → Active Directory Certificate Services
Identity Integration Feature Pack → Active Directory Metadirectory Services

Connected: Active Directory is the hub of connected identity. Diagram: Customers, Partners, Internet Services, Information Workers; the Identity Metasystem on the WS-* Web Services Architecture; Extending the Reach of Applications; Extending the Reach of Information Workers.
Next, let’s look at Connected Identity. As we talked about earlier, the Power of Identity is really about empowering and connecting people with devices, organizations, software, and services. In this interconnected world, people will have multiple digital identities, based on different underlying security technologies. Digital identity will come from a wide range of providers such as governments, banks, employers, and private institutions. Due to these factors, the need for an easier, safer, and interoperable way of using digital identity is growing in importance. Microsoft’s identity architect Kim Cameron has worked with the industry on the “Laws of Identity,” which define a set of principles that any system must adhere to for using digital identities in an interconnected world. The “Laws of Identity” put users in control of who to trust and what information about themselves they are disclosing. They embrace multiple identity providers, allow different security technologies to work together, and protect the privacy of individuals. Based on the “Laws of Identity”, the Identity Metasystem defines a way for users to safely and privately exchange identity information in an interconnected world. The industry is working together on a standard set of protocols, services, and data formats to enable companies to build connected systems based on the Identity Metasystem principles. This is all based on the WS-* architecture. Microsoft is making significant investments to make the Identity Metasystem vision a reality. We’re delivering InfoCards for end users, WinFX for developers, and Active Directory for IT organizations. Active Directory will serve as the enterprise hub for connecting organizations into the Identity Metasystem, making it easy for users to interact with customers and business partners, access Internet services such as hosted collaboration sites, and work in more dynamic ways with others outside their organization. For example, let’s say you’re a medium-sized business and have decided you want Office Live to host a collaboration site for you, perhaps to share a legal document with an attorney. How would a user inside your organization access that site? Would they have another identity with a separate user ID and password? That’s the typical experience today. But we can make that much easier. With the Connected Active Directory, when that user logs into Windows, he/she can seamlessly access that collaboration site, with proper restrictions placed on them based on policies, all based on their identity in AD. Let’s look at another example. If your organization develops an application that must be exposed to a partner, how would you do that in a secure manner today? You would have to create and manage an identity for them, issue a credential (password, certificate, etc.), place them in the proper security groups or access lists, and then manually retire that account when your relationship ends. This adds a great deal of cost, complexity, and risk to your application, not to mention the headache it creates for your business partner. A better approach would be to establish trust between your two organizations and leverage the identity that already exists within their organization. The Connected Active Directory is your gateway to securely exchange that identity information and deliver the seamless experience. All of this will greatly reduce the friction and cost in partnering, making your organization more agile and competitive. Today, customers can take the first steps of participating in the Identity Metasystem by using Active Directory Federation Services, a new feature that just shipped with Windows Server 2003 R2. This first version of ADFS supports browser-based federation of user identities, but future versions will support new scenarios such as the federation of web services based applications, making it even more seamless for organizations to connect to the Identity Metasystem.

Integrated: an integrated identity authentication architecture. Diagram: Windows Live and WinFX on top; Directory, Single Sign-on, Smartcard Logon, Information Rights, Auditing, Access Control and Federation beneath; the same architecture and access experience throughout…
Now, let’s take a look at the last component of our Active Directory strategy – Integrated Identity. Most people don’t realize that today when they log into Windows, connect to the VPN server, access a web application, or access a file share, in many cases they are actually using Active Directory. AD performs many identity and access services natively within Microsoft applications and systems, and it’s completely transparent to the end user. Active Directory will continue to provide this “out-of-the-box” integration such that minimal effort is required to secure users’ access to applications and servers, and protect the sensitive information contained within them. Future versions of Windows, such as Vista and Longhorn Server, and Windows Live services will increasingly leverage Active Directory for directory services, access control, information rights, strong credentials, identity federation, and single sign-on. In addition, Microsoft will expose these same capabilities through rich interfaces for professional developers to leverage Active Directory within their applications.

Other important Active Directory topics

More on Active Directory:
Developing identity-aware applications (ASP.NET): http://www.qu114.com/bbs/1035/ShowPost.aspx
Integrating Active Directory with other directory services, databases and other data sources (MIIS resource collection): http://www.qu114.com/bbs/947/ShowPost.aspx

Microsoft TechEd 2006 - Kelvin's session materials: http://www.qu114.com/bbs/1035/ShowPost.aspx
Microsoft Active Directory and server topic materials: http://www.qu114.com/bbs/124/ShowForum.aspx
Microsoft Learning and Certification Center: http://www.microsoft.com/learning/default.mspx
MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites: http://www.microsoft.com/communities/default.mspx
User Groups: http://www.microsoft.com/communities/usergroups/default.mspx