Course code SVR-312: Building an Enterprise Identity and Authentication Infrastructure on Active Directory
Course overview

Active Directory is a core component of the Windows platform. The directory service provides a way to manage the identities of, and the relationships between, the objects that make up a network environment.

Microsoft identity and access management solutions let an enterprise work more effectively with its customers, partners and employees through better identity and access management. This session covers how to build an enterprise identity and authentication infrastructure on Active Directory, outlines ADFS, the new Active Directory feature in Windows Server 2003 R2, and closes with the vision for Active Directory in the next-generation Longhorn Server.
Agenda

- Overview
- Active Directory and Group Policy: application access control
- Active Directory and Group Policy: demo
- Active Directory Federation Services: inter-enterprise authentication
- Active Directory Federation Services: demo
- The Active Directory vision
- Other important Active Directory topics: 1) Active Directory and developing identity-aware applications; 2) integrating Active Directory with data sources (MIIS)
- Q&A
Active Directory architecture overview

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Unified architecture, policy, and management

Unified identity, authentication and access control. Components: Certificate Services, ADFS, IIFP, RMS, Authorization Manager, Domain/Directory Services.

Today, Microsoft offers a range of identity and access products, many of which grew organically:
- Active Directory provides domain and directory services
- Windows Certificate Services provides strong credentials
- Active Directory Federation Services provides federated identity
- Identity Integration Feature Pack (a version of MIIS) provides metadirectory and provisioning services
- Authorization Manager provides role-based access control
- Rights Management Services provides information rights protection

Since these products grew organically, they do not share a consistent deployment model, architecture, or administrative console. As such, the effort required to deploy, integrate, and manage these products is significant. We believe customers need a single unified identity and access infrastructure – a single installation for a broad set of capabilities, a unified policy model that spans across applications, and one place to administer it all. As we bring all of these technologies together, which starts in Windows Server “Longhorn,” we’ll make it much easier for customers to use these services and generate a great deal of synergy. For example, establishing trust in a federated identity relationship requires the use of certificates. By having both a certificate authority and federation services in the same unified platform, we can make it vastly simpler for customers to manage federated relationships. The certificate issuance, renewal, and revocation process can be completely seamless and automated by the platform. Another example is the benefit of having information rights protection and federation in the same platform. Protecting documents and files that travel across organizational boundaries today requires the installation of software at all endpoints to enforce the information rights policy. With an ability to share and exchange identity information across organizational boundaries, through the use of federated identity, protecting documents or information that is shared with affiliates, customers, or partners is vastly simplified and achievable.

In addition to these synergies, there’s also the benefit of skill re-use. Today, there’s a fair amount of expertise required to deploy each of these capabilities, and that expertise is typically locked up in a small group of individuals. By rationalizing these services and streamlining, you create re-usable skills across your IT organization that can more efficiently deploy and manage the infrastructure. Our customers stand to derive great business value as we unify these capabilities in Active Directory.
Logical elements of Active Directory

Physical elements of Active Directory
Active Directory and Group Policy: application access control
Enterprise IT infrastructure

Architecture and what it covers:
- Network architecture: design and provide the network services infrastructure that supports communication within the enterprise
- Security architecture: security policy, including security zones, policies and secure management processes
- Manageability architecture: guides the management and operation of the infrastructure, based on ITIL
- Storage architecture: build secure, centralized storage within the enterprise
- Application infrastructure architecture: design an enhanced infrastructure that supports application deployment
Introduction to Group Policy

What Group Policy does:
- sets centralized or decentralized policy
- ensures users have the environment they need
- lowers TCO by controlling the user and computer environment
- enforces policy across the whole organization

Diagram: the administrator sets Group Policy once; Windows Server applies it continually to users and computers through Site, Domain and OU links.
Group Policy for computers and users

Computer-based Group Policy: specifies operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings. It applies when the operating system initializes and during the periodic refresh cycle.

User-based Group Policy: specifies operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts. It applies when users log on to the computer and during the periodic refresh cycle.
Group Policy objects and Group Policy containers

Diagram: a Site GPO, a Domain GPO and OU GPOs linked to a Site, a Domain and OUs.

- GPO settings apply to the users and computers in the Site, Domain or OU that the GPO is linked to
- One GPO can be linked to several Sites, Domains and OUs
- One Site, Domain or OU can have several GPOs linked to it
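As an added example (not part of the original presentation, and not Windows code), the following Python model resolves which GPO wins each setting when GPOs are linked at the site, domain and OU levels, including two cases the slide does not spell out: an OU that blocks inheritance and a domain link that is enforced. The container, GPO and setting names are constructed sample data.

```python
"""Resolve the effective Group Policy settings for one user or computer.

Added example, not code from the presentation or from Windows. It models the
documented Group Policy processing order: Site, Domain, then OUs from parent
to child, with later containers overriding earlier ones; within a container,
link order 1 has the highest precedence; an OU with Block Inheritance drops
non-enforced links from above it; Enforced links apply last, highest
container winning. Site, domain, OU, GPO and setting names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> value


@dataclass
class Link:
    gpo: GPO
    order: int                     # 1 = highest precedence in this container
    enforced: bool = False


@dataclass
class Container:
    name: str                      # site, domain or OU distinguished name
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def effective_settings(scope):
    """scope: containers in processing order, e.g. [site, domain, ou, child_ou].

    Returns {setting: (value, name of the GPO that won it)}. Settings are
    applied GPO by GPO, so the GPO applied last for a setting wins.
    """
    result = {}

    def apply(gpo):
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)

    # Block Inheritance on an OU discards non-enforced links of every container
    # above it; the blocking OU's own links still apply.
    blocked_from = max([i for i, c in enumerate(scope) if c.block_inheritance], default=0)

    # Pass 1: non-enforced links, Site -> Domain -> OU, lowest link order last
    for i, container in enumerate(scope):
        if i < blocked_from:
            continue
        for link in sorted(container.links, key=lambda l: -l.order):
            if not link.enforced:
                apply(link.gpo)

    # Pass 2: enforced links override everything, child OU first and the
    # site last, so an enforced domain GPO beats any OU setting.
    for container in reversed(scope):
        for link in sorted(container.links, key=lambda l: -l.order):
            if link.enforced:
                apply(link.gpo)
    return result


def demo_scope():
    """Constructed sample: a workstation OU with a lab child OU that blocks inheritance."""
    site = Container("Default-First-Site-Name", [
        Link(GPO("Site-Proxy", {"ProxyServer": "proxy.corp.example:8080"}), 1)])
    domain = Container("corp.example", [
        Link(GPO("Domain-Password", {"MinPasswordLength": 14}), 1, enforced=True),
        Link(GPO("Domain-Baseline", {"ScreenSaverTimeout": 900,
                                     "ProxyServer": "proxy2.corp.example:8080"}), 2)])
    workstations = Container("OU=Workstations,DC=corp,DC=example", [
        Link(GPO("WS-Lockdown", {"ScreenSaverTimeout": 600, "MinPasswordLength": 8}), 1),
        Link(GPO("WS-Apps", {"ScreenSaverTimeout": 300, "SRP": "default-disallow"}), 2)])
    lab = Container("OU=Lab,OU=Workstations,DC=corp,DC=example", [
        Link(GPO("Lab-Unlock", {"SRP": "unrestricted"}), 1)], block_inheritance=True)
    return [site, domain, workstations, lab]


if __name__ == "__main__":
    scope = demo_scope()
    for depth in (3, 4):
        print(scope[depth - 1].name)
        for setting, (value, gpo) in sorted(effective_settings(scope[:depth]).items()):
            print("  %-20s %-28s from %s" % (setting, value, gpo))
```

Running it prints the effective settings for a workstation in OU=Workstations and for one in the Lab child OU. The Lab OU's Block Inheritance removes the site proxy and screen-saver settings, but the enforced domain password GPO still wins, which is why Block Inheritance is not a way for an OU administrator to escape domain-wide security settings.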
Active Directory and Group Policy: demo
Demo scenario

The company network contains one AD domain, and all domain controllers run Microsoft Windows Server 2003. Client computers run Windows XP Professional or Windows 2000 Professional. The requirement is to use Software Restriction Policies to prevent a specific program from running on the clients.

Related demo script download:
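Added example for the demo above, written in Python rather than as the demo script (which this page does not include): a model of how Software Restriction Policies decide the security level of an executable, using the documented rule precedence (hash, certificate, path, zone, then the default level). The rules, paths, hashes and publisher name are constructed.

```python
"""Evaluate Software Restriction Policy (SRP) rules for one executable.

Added example, not the presentation's demo script and not Windows code. It
models the documented SRP precedence: a matching hash rule beats a
certificate rule, which beats a path rule, which beats an Internet-zone rule,
and the default level applies when nothing matches; among path rules the most
specific match wins. Equally specific conflicting rules resolve to the more
restrictive level (an assumption of this model). Paths, hashes and publisher
names are constructed sample data, with environment variables already expanded.
"""
import fnmatch
from dataclasses import dataclass

LEVELS = ["Disallowed", "Basic User", "Unrestricted"]   # least to most permissive
KINDS = ["hash", "certificate", "path", "zone"]         # highest precedence first


@dataclass
class Rule:
    kind: str          # one of KINDS
    match: str         # sha256 hex, signer subject, path pattern or zone name
    level: str         # one of LEVELS


@dataclass
class Executable:
    path: str
    sha256: str
    publisher: str = ""        # Authenticode signer subject, "" if unsigned
    zone: str = "Local"        # zone the file was downloaded from


def _matches(rule, exe):
    if rule.kind == "hash":
        return rule.match.lower() == exe.sha256.lower()
    if rule.kind == "certificate":
        return exe.publisher != "" and rule.match == exe.publisher
    if rule.kind == "path":
        # Path rules are case-insensitive and a folder rule covers its subtree
        pat = rule.match.lower().rstrip("\\")
        p = exe.path.lower()
        return fnmatch.fnmatchcase(p, pat) or fnmatch.fnmatchcase(p, pat + "\\*")
    if rule.kind == "zone":
        return rule.match == exe.zone
    raise ValueError("unknown rule kind %r" % rule.kind)


def _specificity(rule):
    # More directory levels and more literal characters = more specific path
    if rule.kind != "path":
        return (0, 0)
    literal = rule.match.replace("*", "").replace("?", "")
    return (literal.count("\\"), len(literal))


def evaluate(rules, exe, default_level="Unrestricted"):
    """Return (security level, winning Rule or None if the default applied)."""
    hits = [r for r in rules if _matches(r, exe)]
    if not hits:
        return default_level, None
    top = min(KINDS.index(r.kind) for r in hits)
    hits = [r for r in hits if KINDS.index(r.kind) == top]
    winner = max(hits, key=lambda r: (_specificity(r), -LEVELS.index(r.level)))
    return winner.level, winner


def demo_rules():
    """Constructed policy: allow by default, block downloads and one known binary."""
    return [
        Rule("path", r"C:\Windows\*", "Unrestricted"),
        Rule("path", r"C:\Windows\Temp\*", "Disallowed"),      # more specific, wins
        Rule("path", r"C:\Users\*\Downloads\*", "Disallowed"),
        Rule("certificate", "CN=Contoso Software Signing", "Unrestricted"),
        Rule("hash", "a3f1" * 16, "Disallowed"),               # the program the demo blocks
    ]


if __name__ == "__main__":
    for exe in (Executable(r"C:\Users\alice\Downloads\evil.exe", "a3f1" * 16),
                Executable(r"C:\Users\alice\Documents\evil.exe", "a3f1" * 16),
                Executable(r"C:\Users\alice\Documents\other.exe", "00" * 32)):
        level, rule = evaluate(demo_rules(), exe)
        print("%-45s %-12s %s" % (exe.path, level, rule.kind if rule else "default"))
```

The constructed policy shows the practical reason the demo would pick a hash rule rather than a path rule for the program it blocks: a Disallowed path rule on the Downloads folder is defeated by copying the file to Documents, whereas the hash rule follows the file wherever it goes, at the price of needing a new rule for every new build of the binary.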
Active Directory Federation Services: inter-enterprise authentication
Organizations need to extend access

Who needs access: suppliers, customers, the corporate intranet and employees, partners, remote and temporary staff.

Why: customer satisfaction and loyalty, cost savings, collaboration, outsourcing, faster business cycles and processes, automation, the value chain, mergers and acquisitions, a mobile and global workforce, a flexible and temporary workforce.

Key Idea: Inside the firewall doesn’t work anymore, because there are too many outside-the-firewall constituencies that need access to your resources. This includes not just customers, but your own employees when not in the office, and notably/increasingly customers and partners who typically have their own IT systems to manage and IT staff dealing with these same issues.
Extending access management faces many challenges

- IT and support-desk efficiency: account service requests, password reset requests, service levels
- IT architects and developers: centralized policy management, redundancy, application updates, integration and heterogeneity, scalability
- End-user productivity: forgotten passwords, logon frequency, request latency, mobile access
- Security: stale or erroneous accounts, password leakage, hackers, firewalls, least-privilege access
- Regulatory compliance: privacy protection, HIPAA (Health Insurance Portability and Accountability Act), audit and reporting, non-repudiation

Key Idea: It’s easy to see why extending access to external constituents might be desirable. But it’s not easy to do. In fact, all sorts of folks in a typical org will experience challenges with this sort of expanded access:
- IT folks will have lots more people to manage, and lots more passwords to reset
- Architects and developers will end up with outdated authorization models and a redundancy of technology in isolated perimeter networks
- End users will have a bunch more passwords to manage and write down
- Security folks will have lots more to be afraid of, including access by external users that have already been fired/reassigned by their company, and making sure information is shared only with those who should see it
- Those caring about regulatory compliance will want good auditing/logging (and not just the resource owners – companies whose users access 3rd party systems increasingly need audit data for their users for non-repudiation purposes), and concerns for privacy will require stringent data-sharing policies
ADFS authentication flow

Diagram: the A. Datum account forest and the Trey Research resource forest.
Authentication message flow

Parties: browser client, web server, resource STS, account STS.

1. Browser: GET to the web server (no token yet)
2. Web server: 302 redirect to the resource STS
3. Resource STS: detect the user's home realm, then 302 redirect to the account STS
4. Account STS: authenticate the user, then POST the "redirect" security token (through the browser) to the resource STS
5. Resource STS: POST the "redirect" security token (through the browser) to the web server
6. Web server: 200 OK response
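The message flow above, worked through as an added Python example (not code from the presentation or from ADFS): two organizations, each with its own STS, and a web server that accepts tokens only from its resource STS. Token signing uses an HMAC key shared per trust as a stand-in for the X.509 signatures ADFS uses; realms, users, groups and the claim mapping are constructed.

```python
"""Simulated WS-Federation passive-requestor sign-in between two organizations.

Added example, not code from the presentation or from ADFS. ADFS v1 issues
SAML 1.1 tokens signed with the Federation Service's X.509 certificate; this
stand-alone model instead signs a dict of claims with an HMAC key shared per
trust (an assumption) and logs the browser's hops as strings instead of HTTP.
Realms, users, groups and the claim mapping are constructed sample data.
"""
import hashlib, hmac, json


def sign(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def check_token(key, token, audience, now):
    # Every receiving party checks signature, audience and expiry.
    body = json.dumps(token["claims"], sort_keys=True).encode()
    if key is None or not hmac.compare_digest(
            hmac.new(key, body, hashlib.sha256).hexdigest(), token["sig"]):
        return "untrusted issuer or bad signature"
    if token["claims"]["aud"] != audience:
        return "token issued for a different audience"
    if token["claims"]["exp"] <= now:
        return "token expired"
    return None


class AccountSTS:  # Federation Service of the account partner (owns the users)
    def __init__(self, realm, directory, resource_partners):
        self.realm, self.directory = realm, directory
        self.resource_partners = resource_partners     # resource realm -> trust key

    def issue(self, user, wtrealm, now):
        acct, key = self.directory.get(user), self.resource_partners.get(wtrealm)
        if acct is None or acct["disabled"] or key is None:
            return None     # disabled AD account or unknown partner: no token
        return sign(key, {"iss": self.realm, "aud": wtrealm, "sub": user,
                          "groups": sorted(acct["groups"]), "exp": now + 600})


class ResourceSTS:  # Federation Service of the resource partner (owns the app)
    def __init__(self, realm, account_partners, claim_map, apps):
        self.realm, self.account_partners = realm, account_partners  # account realm -> trust key
        self.claim_map, self.apps = claim_map, apps  # (realm, group) -> role; app realm -> key

    def home_realm(self, user):
        return user.split("@", 1)[1]      # home-realm discovery from the UPN suffix

    def accept(self, token, app_realm, now):
        c = token["claims"]
        err = check_token(self.account_partners.get(c["iss"]), token, self.realm, now)
        if err:
            return None, err
        keys = [(c["iss"], g) for g in c["groups"]]
        roles = sorted({self.claim_map[k] for k in keys if k in self.claim_map})
        return sign(self.apps[app_realm], {"iss": self.realm, "aud": app_realm, "sub": c["sub"],
                                           "roles": roles, "exp": now + 600}), None


class WebServer:  # ADFS web agent on the application: trusts only its resource STS
    def __init__(self, realm, key, required_role):
        self.realm, self.key, self.required_role = realm, key, required_role

    def handle(self, token, now):
        if check_token(self.key, token, self.realm, now):
            return 401
        return 200 if self.required_role in token["claims"]["roles"] else 403


def passive_signin(user, web, resource_sts, account_stss, now):
    """Drive the browser through the redirects; returns (HTTP status, trace)."""
    trace = ["GET %s without token: 302 to resource STS" % web.realm]
    realm = resource_sts.home_realm(user)
    trace.append("resource STS: home realm %s, 302 to its account STS" % realm)
    if realm not in account_stss:
        return 401, trace + ["no trusted account partner for that realm"]
    token = account_stss[realm].issue(user, resource_sts.realm, now)
    if token is None:
        return 401, trace + ["account STS refused to issue a token"]
    trace.append("browser POSTs account token to resource STS")
    app_token, err = resource_sts.accept(token, web.realm, now)
    if err:
        return 401, trace + ["resource STS rejected token: " + err]
    trace.append("browser POSTs resource token to web server")
    return web.handle(app_token, now), trace


def demo_setup():
    # Constructed partners: A. Datum (account) and Trey Research (resource).
    trust_key, app_key = b"adatum<->treyresearch", b"treyresearch<->orders"
    adatum = AccountSTS("adatum.com", {
        "alice@adatum.com": {"disabled": False, "groups": ["Purchasing"]},
        "bob@adatum.com": {"disabled": False, "groups": ["Engineering"]},
        "carol@adatum.com": {"disabled": True, "groups": ["Purchasing"]},
    }, {"treyresearch.net": trust_key})
    trey = ResourceSTS("treyresearch.net", {"adatum.com": trust_key},
                       {("adatum.com", "Purchasing"): "OrderEntry"},
                       {"orders.treyresearch.net": app_key})
    return WebServer("orders.treyresearch.net", app_key, "OrderEntry"), trey, {"adatum.com": adatum}
```

passive_signin returns the final HTTP status and the hops the browser made. The checks in check_token (issuer trust, signature, audience, expiry) are what stop a token issued for one resource partner from being replayed to another or altered in the browser, and the disabled-account case shows why de-provisioning at the account partner cuts off partner access immediately without any change on the resource side.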
Extended identity and access management: ADFS

- ADFS lets partners and customers access internal web applications securely
- Interoperates with third-party security solutions and many application platforms
- Submits the authentication request to the other organization through a web service
- Delivers identity federation
- Delivers web single sign-on
- Breaks down identity silos and eliminates "shadow accounts"
- Improves IT efficiency and keeps applications secure

Diagram: IIS, AD, the enterprise application, and the partner.

Key Message – ADFS helps customers do more with less by providing seamless access across organization and security boundaries. Our solution to this problem in R2 is Active Directory Federation Services. (Note that this name is subject to change.) Customers have been enjoying the benefits of intranet single sign-on using Active Directory, and ADFS will allow customers to extend this capability across security and organizational boundaries to partners and suppliers – a combined Web SSO and Federation solution that makes it easier to do business with each other. Customers will be able to reduce costs and effort when implementing Web SSO for internal systems or across security boundaries with multiple partners. With ADFS, user IDs and passwords will be managed by the organizations that own them and not the hosting company. This reduces the cost of IT management, by reducing the number of directories required and help desk calls for password reset, and also improves security as organizations can internally enforce strong authentication as well as automatically restrict access to partner sites upon disabling a user’s local AD account.

Since ADFS is integrated with other Microsoft identity management technologies, it rounds out a complete set of tools for internal and external authentication and authorization management. In particular, ADFS is built to integrate with new technologies like ADAM (use Windows Server for extranet web apps without literally adding the users to the external domain), Authorization Manager (role-based access control to operation-level app capabilities, with role membership managed by the account partner) and Windows SharePoint Services (bring strong auth, SSO and federation to internet-facing SharePoint sites).

Since this technology is based on industry standards, organizations will not have to dictate specific products to partners/suppliers in order to interoperate. This results in a faster time to market and greatly reduced deployment and development costs. IBM, Netegrity, Oblix, OpenNetwork, RSA, and Ping Identity have all shown interop with this product.

Promotes IT efficiency, end user productivity, and better security:
- IT efficiency: centralized user administration, “native” delegated administration, lower password reset costs
- End-user productivity: SSO to internal and partner web applications, fewer passwords for users to forget
- Security: automated de-provisioning, strong authentication, auditing/logging of access to partner applications
Standard: WS-Federation

Web Services Federation Language:
- defines the security mechanisms for exchanging user identity information
- builds on WS-Security and WS-Trust
- has broad industry support; authors: BEA, IBM, Microsoft, RSA, VeriSign; 3/04 workshop: IBM, OpenNetwork, Oblix, Netegrity, RSA, PingID
- provides two usage modes: passive (web browser) clients over HTTP/S (ADFS v1) and active (smart/rich) clients over SOAP (ADFS v2)

Diagram: a Security Token Service with an HTTP Receiver for HTTP messages and a SOAP Receiver for SOAP messages.

Key Idea: Federation sounds like a great concept, but if it only worked between Microsoft environments, it wouldn’t get very far. For federation to be a successful concept, it needs to be standards-based, and that’s what WS-Federation is for. Part of the WS-* set of web services specifications designed by Microsoft and other technology companies, WS-Federation enables distinct security solutions to share identity information in a common format. This means, for example, that if a company managing users in Active Directory wanted to federate its users with an application provider that enabled access control with Netegrity SiteMinder, that would be possible using WS-Federation. A number of leading identity management companies have either been involved in the writing of the specs or pledged their support for the specification in their products.

Important to note there are two major components to WS-Federation – the Passive Requestor Profile and the Active Requestor Profile. The Passive profile supports federation between browser-based applications using HTTPS, and is supported in ADFS v1 in R2. The Active profile is a more advanced spec that supports rich client applications that speak SOAP instead of proprietary protocols like RPC – which is the future direction of Windows-based application development with technologies like Indigo. Active client support will be available in ADFS v2 in the Longhorn timeframe.
Active Directory Federation Services (ADFS): demo
Demo scenario

A. Datum builds complete computers; Trey Research manufactures memory modules, and A. Datum sources its memory modules from Trey Research. Trey Research has a web application on the public Internet where customers place orders. This demo shows how ADFS helps the two companies set up a secure, trusted business connection so that A. Datum employees can reach Trey Research's memory ordering system without an additional logon.

Related demo script download:
The Active Directory vision
The Active Directory vision

- Unified: a consistent policy and access-control model; centralized, unified management; simplified deployment
- Connected: seamless interaction with users and partners; easier and more secure access to the Internet; connectivity extended to applications and information workers
- Integrated: a seamless experience across applications; identity and authentication across all applications and services; simpler development of identity-aware applications

Microsoft helps organizations unleash The Power of Identity with Active Directory, the premier enterprise infrastructure for managing identity and access across internal and external applications. While many people know AD as a NOS directory today (as evidenced by AD’s leading market share numbers), the roadmap and vision for AD is far broader. Starting with Windows Server “Longhorn,” AD will evolve to include a much richer set of capabilities and will be the single brand for all of Microsoft’s identity and access assets in the platform. The future of Active Directory will be based on three strategies:

Unified. Active Directory will align information rights, strong credentials, and metadirectory services with existing domain, directory, and federation services to deliver a broad set of integrated identity and access capabilities. By bringing together the identity and access capabilities in Windows Server and aligning them around Active Directory, we will deliver simplicity for our customers through common deployment models and unified administration. The Unified Active Directory will also provide consistent policy enforcement across documents, files, web sites, and other resources.

Connected. Active Directory will make it easy for organizations to plug into the Identity Metasystem, which is a vision and architecture for users to exchange and use their identities safely and privately in an interconnected world. The Connected Active Directory is the enterprise hub that allows organizations to participate in the Identity Metasystem, delivering improved partner collaboration, seamless access to cloud services, and simplified application integration. All of this will be based on industry standards to provide maximum interoperability across business partners, applications, and platforms.

Integrated. The identity and access services that Active Directory provides will be available natively in Microsoft’s applications and servers, eliminating the need to deploy or configure additional infrastructure. The Integrated Active Directory delivers a seamless user experience, providing single sign-on and a common identity for users accessing any Windows-based application or service. In addition, developers that want to leverage the identity and access services that Active Directory provides will have easy access through a rich set of programming interfaces, accelerating the development of identity based applications.

Let’s look at each of these strategies in a bit more detail…
Unified architecture, policy, and management (this slide repeats the "Unified architecture, policy, and management" slide from the overview section verbatim)
Key terms compared (current name → name in Windows Server "Longhorn")

- Active Directory Domain Controller → Active Directory Domain Services
- Active Directory Application Mode → Active Directory Lightweight Directory Services
- Windows Rights Management Services → Active Directory Rights Management Services
- Windows Certificate Services → Active Directory Certificate Services
- Identity Integration Feature Pack → Active Directory Metadirectory Services
Connected: Active Directory as the hub of identity

Diagram: Customers, Partners and Internet Services connected through the Identity Metasystem and the WS-* Web Services Architecture; extending the reach of applications and extending the reach of information workers.

Next, let’s look at Connected Identity. As we talked about earlier, the Power of Identity is really about empowering and connecting people with devices, organizations, software, and services. In this interconnected world, people will have multiple digital identities, based on different underlying security technologies. Digital identity will come from a wide range of providers such as governments, banks, employers, and private institutions. Due to these factors, the need for an easier, safer, and interoperable way of using digital identity is growing in importance.

Microsoft’s identity architect Kim Cameron has worked with the industry on the “Laws of Identity,” which define a set of principles that any system must adhere to for using digital identities in an interconnected world. The “Laws of Identity” put users in control of who to trust and what information about themselves they are disclosing. It embraces multiple identity providers, allows different security technologies to work together, and protects the privacy of individuals. Based on the “Laws of Identity”, the Identity Metasystem defines a way for users to safely and privately exchange identity information in an interconnected world. The industry is working together on a standard set of protocols, services, and data formats to enable companies to build connected systems based on the Identity Metasystem principles. This is all based on the WS-* architecture. Microsoft is making significant investments to make the Identity Metasystem vision a reality. We’re delivering InfoCards for end users, WinFX for developers, and Active Directory for IT organizations.

Active Directory will serve as the enterprise hub for connecting organizations into the Identity Metasystem, making it easy for users to interact with customers and business partners, access Internet services such as hosted collaboration sites, and work in more dynamic ways with others outside their organization. For example, let’s say you’re a medium-sized business and have decided you want Office Live to host a collaboration site for you, perhaps to share a legal document with an attorney. How would a user inside your organization access that site? Would they have another identity with a separate userID and password? That’s the typical experience today. But we can make that much easier. With the Connected Active Directory, when that user logs into Windows, he/she can seamlessly access that collaboration site, with proper restrictions placed on them based on policies, all based on their identity in AD.

Let’s look at another example. If your organization develops an application that must be exposed to a partner, how would you do that in a secure manner today? You would have to create and manage an identity for them, issue a credential (password, certificate, etc.), place them in the proper security groups or access lists, and then manually retire that account when your relationship ends. This adds a great deal of cost, complexity, and risk to your application, not to mention the headache it creates for your business partner. A better approach would be to establish trust between your two organizations and leverage the identity that already exists within their organization. The Connected Active Directory is your gateway to securely exchange that identity information and deliver the seamless experience. All of this will greatly reduce the friction and cost in partnering, making your organization more agile and competitive.

Today, customers can take the first steps of participating in the Identity Metasystem by using Active Directory Federation Services, a new feature that just shipped with Windows Server 2003 R2. This first version of ADFS supports browser-based federation of user identities, but future versions will support new scenarios such as the federation of web services based applications, making it even more seamless for organizations to connect to the Identity Metasystem.
Integrated: the integrated identity architecture

Diagram: Windows Live and WinFX on top of Directory, Single Sign-on, Smartcard Logon, Information Rights, Auditing, Access Control and Federation; the same architecture and access experience everywhere.

Now, let’s take a look at the last component of our Active Directory strategy – Integrated Identity. Most people don’t realize that today when they log into Windows, connect to the VPN server, access a web application, or access a file share, in many cases they are actually using Active Directory. AD performs many identity and access services natively within Microsoft applications and systems, and it’s completely transparent to the end user. Active Directory will continue to provide this “out-of-the-box” integration such that minimal effort is required to secure users’ access to applications and servers, and protect the sensitive information contained within them. Future versions of Windows, such as Vista and Longhorn Server, and Windows Live services will increasingly leverage Active Directory for directory services, access control, information rights, strong credentials, identity federation, and single sign-on. In addition, Microsoft will expose these same capabilities through rich interfaces for professional developers to leverage Active Directory within their applications.
Other important Active Directory topics
More on Active Directory

- Developing identity-aware applications (ASP.NET)
- Integrating Active Directory with other directory services, databases and other data sources: MIIS resource roundup
Resources

- Microsoft TechEd 2006: Kelvin's session resource roundup
- Microsoft Active Directory and server resource roundup
- Microsoft Learning and Certification Center
- MSDN & TechNet
- Virtual Labs
- Newsgroups
- Technical community sites
- User groups