Enterprise IT Identity & Access Management

A Buyer's & Integrator's Guide - WebLog Version 1.0

March, 2006

  • Microsoft Customer Solutions

    If no product is available (or none satisfies your needs) in the marketplace, you may have to build something yourself. Currently, I am unable to post my own custom IT IAM solutions (such as group management, remote access management, smart card management...
  • Sample Code (VBScript) - Query CAPICOM

    This script queries the CAPICOM COM object to get a certificate's expiration date. CAPICOM.dll must be installed and registered in order to run this script. If you need additional certificate information, you can just add more CAPICOM Certificate object properties to my sample code. ...
  • Microsoft Identity Integration Server 2003 Enterprise Edition - InfoWorld Test Report

    Of all the contenders here, MIIS (Microsoft Identity Integration Server) 2003 stands out in two ways. First, it's by far the cheapest, at least at first glance (more on that later). Second, it's unique in leveraging several features of Windows, as well...
  • Physical Access Control Technology

    A typical physical access control system is made up of the following components: ID credential, door reader, door lock, control panel, access control server, software, and database. The access control process begins when a user...
  • User Authentication Mechanism (Method)

    A user authentication mechanism can use one of the above factors or combine multiple factors to form strong authentication. The following are the major user authentication mechanisms (methods): · Badge and identity card: Identification badges are usually used...
  • Sample Code (VBScript) - Compare Two AD Groups and Get Membership Difference

    If you want two AD groups to have the same membership but are afraid they have drifted out of sync, I have a sample script to find the delta: On Error Resume Next Dim strGroup1, strGroup2, iArgs, oArgs iArgs = Wscript.arguments.count Set oArgs = Wscript.arguments ...
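The same membership-delta check, written here as an added PowerShell example rather than the VBScript from the original post. It assumes the ActiveDirectory module (RSAT) is installed and that the group names passed in exist; the reconciliation step is gated behind ShouldProcess so it can be dry-run with -WhatIf before any group is touched.

```powershell
# Added example, not the page's script. Compare two AD groups by distinguishedName
# (never by display name) and optionally make the target mirror the reference group.
#Requires -Modules ActiveDirectory

function Get-GroupMembershipDelta {
    param(
        [Parameter(Mandatory)] [string]$ReferenceGroup,  # the group that is the source of truth
        [Parameter(Mandatory)] [string]$TargetGroup,     # the group that is supposed to match it
        [switch]$Effective                               # flatten nested groups and compare effective members
    )
    # @(...) turns an empty pipeline into an empty array; an empty group is a legitimate state.
    $ref = @(Get-ADGroupMember -Identity $ReferenceGroup -Recursive:$Effective | ForEach-Object DistinguishedName)
    $tgt = @(Get-ADGroupMember -Identity $TargetGroup    -Recursive:$Effective | ForEach-Object DistinguishedName)

    $diff = Compare-Object -ReferenceObject $ref -DifferenceObject $tgt
    [pscustomobject]@{
        ReferenceGroup    = $ReferenceGroup
        TargetGroup       = $TargetGroup
        # '<=' = only in the reference group, '=>' = only in the target group
        MissingFromTarget = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        ExtraInTarget     = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    }
}

function Sync-GroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ReferenceGroup,
        [Parameter(Mandatory)] [string]$TargetGroup
    )
    # Mirror direct membership (no -Effective): if the reference group holds nested groups,
    # the nested groups themselves are added, not their flattened members.
    $delta = Get-GroupMembershipDelta -ReferenceGroup $ReferenceGroup -TargetGroup $TargetGroup

    foreach ($dn in $delta.MissingFromTarget) {
        if ($PSCmdlet.ShouldProcess($TargetGroup, "Add member $dn")) {
            Add-ADGroupMember -Identity $TargetGroup -Members $dn
        }
    }
    foreach ($dn in $delta.ExtraInTarget) {
        if ($PSCmdlet.ShouldProcess($TargetGroup, "Remove member $dn")) {
            # Remove-ADGroupMember prompts on its own; the ShouldProcess gate above replaces that prompt.
            Remove-ADGroupMember -Identity $TargetGroup -Members $dn -Confirm:$false
        }
    }
    $delta
}

# Usage (group names are assumed placeholders):
#   Get-GroupMembershipDelta -ReferenceGroup 'VPN-Users' -TargetGroup 'VPN-Users-Mirror' -Effective
#   Sync-GroupMembership     -ReferenceGroup 'VPN-Users' -TargetGroup 'VPN-Users-Mirror' -WhatIf
```

Two caveats a practitioner will hit: Get-ADGroupMember fails outright on groups above the server's MaxGroupOrMemberEntries limit (5000 by default) and on groups containing foreign security principals, so very large or cross-forest groups need a direct LDAP query with range retrieval instead; and compare direct membership when the goal is to mirror a group, but effective membership when the goal is to audit who actually gets the access.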
  • Sample Code (C#) - Provision User Accounts and Groups with MIIS

    Here is my sample code to provision AD user accounts and groups using an MIIS MV extension: // Use Visual Studio to build using System; using Microsoft.MetadirectoryServices; namespace Mms_Metaverse { public class MVExtensionObject : IMVSynchronization...
  • Sample Code (T-SQL) - Protecting Identity Data with SQL 2005 Data Encryption

    There are multiple ways to protect (encrypt) data with SQL 2005: either with a certificate or with a password (passphrase). Here is my code sample that uses a password to encrypt identity data (assuming the identity table is named tblIdentity_SmartCard, the identity...
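The passphrase flavour of SQL 2005 cell-level encryption, driven from PowerShell, as an added example that is not the T-SQL from the original post. The T-SQL is the point; the PowerShell client is there to show the two things that make EncryptByPassPhrase safe to use: the passphrase is bound as a parameter supplied by the caller (never stored in the database or concatenated into the statement), and an authenticator ties each ciphertext to its row. The connection string, the column name CardSerialEnc and the user identifiers are assumed placeholders; the table name follows the post.

```powershell
# Added example, not the page's T-SQL. Assumes a table like
#   CREATE TABLE dbo.tblIdentity_SmartCard (UserId nvarchar(64) PRIMARY KEY, CardSerialEnc varbinary(512));
# (varbinary, not nvarchar: EncryptByPassPhrase returns binary ciphertext).

function Invoke-Scalar {
    # Minimal parameterized SqlClient call; every value travels as a bound parameter.
    param([string]$ConnectionString, [string]$Sql, [hashtable]$Parameters)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($name in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name]) }
    try { $conn.Open(); $cmd.ExecuteScalar() } finally { $conn.Dispose() }
}

function ConvertFrom-SecureStringPlain {
    # The passphrase lives in memory only as long as the call needs it.
    param([securestring]$Secret)
    (New-Object System.Net.NetworkCredential('', $Secret)).Password
}

function Protect-CardSerial {
    param(
        [Parameter(Mandatory)] [string]$ConnectionString,
        [Parameter(Mandatory)] [string]$UserId,
        [Parameter(Mandatory)] [string]$CardSerial,        # the identity data being protected
        [Parameter(Mandatory)] [securestring]$Passphrase
    )
    # Arguments 3 and 4 (add_authenticator = 1, authenticator = @UserId) bind the ciphertext to
    # the row key: a ciphertext copied from one user's row into another's will not decrypt.
    $sql = @"
INSERT INTO dbo.tblIdentity_SmartCard (UserId, CardSerialEnc)
VALUES (@UserId, EncryptByPassPhrase(@Passphrase, @CardSerial, 1, @UserId));
"@
    [void](Invoke-Scalar $ConnectionString $sql @{
        '@UserId' = $UserId; '@CardSerial' = $CardSerial
        '@Passphrase' = (ConvertFrom-SecureStringPlain $Passphrase)
    })
}

function Unprotect-CardSerial {
    param(
        [Parameter(Mandatory)] [string]$ConnectionString,
        [Parameter(Mandatory)] [string]$UserId,
        [Parameter(Mandatory)] [securestring]$Passphrase
    )
    # The CAST must match the type that went in (nvarchar here); casting to varchar
    # silently returns garbage rather than an error.
    $sql = @"
SELECT CAST(DecryptByPassPhrase(@Passphrase, CardSerialEnc, 1, @UserId) AS nvarchar(64))
FROM dbo.tblIdentity_SmartCard WHERE UserId = @UserId;
"@
    $value = Invoke-Scalar $ConnectionString $sql @{
        '@UserId' = $UserId; '@Passphrase' = (ConvertFrom-SecureStringPlain $Passphrase)
    }
    # DecryptByPassPhrase returns NULL (not an error) on a wrong passphrase, a wrong
    # authenticator, or a tampered ciphertext; surface that explicitly.
    if ($null -eq $value -or $value -is [System.DBNull]) {
        throw "Decryption failed for '$UserId': wrong passphrase, wrong authenticator, or modified row."
    }
    [string]$value
}

# Usage (connection string and values are assumed placeholders):
#   $cs = 'Server=sql01;Database=IAM;Integrated Security=SSPI'
#   $pp = Read-Host -AsSecureString 'Passphrase'
#   Protect-CardSerial   -ConnectionString $cs -UserId 'jdoe' -CardSerial '1234567890' -Passphrase $pp
#   Unprotect-CardSerial -ConnectionString $cs -UserId 'jdoe' -Passphrase $pp
```

The trade-off between the two approaches in the post is key custody: with a passphrase, the secret is held by whoever calls the procedure (the application or an operator), so a compromised database alone does not expose the data, but rotation means re-encrypting every row; with a certificate or symmetric key, SQL Server holds the key under the database master key, which makes rotation and auditing easier but means a sufficiently privileged database login can decrypt without any external secret.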
  • Sample Code (C++) - Scan Certificate Expiration Date Remotely

    It is hard to find a tool to check the certificate expiration date on a remote machine without logging on locally. Here is my code to accomplish this job: // to build: cl scancert.cpp -link crypt32.lib //----------------------------------------------------...
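A PowerShell version of the expiration scan, added here as an example that serves both the CAPICOM entry above and this C++ one; it is not code from either original post. It leans on the same Win32 system-store provider the C++ code links against (crypt32): prefixing the store name with the computer name ("\\host\My") makes CertOpenStore open the remote machine's store, and .NET's X509Store passes that name through unchanged. The remote host must have the Remote Registry service running and the caller needs administrative rights there; host names and the threshold are assumed.

```powershell
# Added example, not the page's code. Lists certificates in a remote LocalMachine store
# that are expired or expire within the warning window.
function Get-ExpiringCertificate {
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [int]$WarnWithinDays = 30,
        [string]$StoreName = 'My'          # 'My' = Personal; 'WebHosting', 'Root', ... also valid
    )
    foreach ($computer in $ComputerName) {
        # "\\host\My" is the CertOpenStore remote-store syntax; X509Store forwards it as-is.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
            "\\$computer\$StoreName", [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $now = Get-Date
            foreach ($cert in $store.Certificates) {
                $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
                if ($daysLeft -gt $WarnWithinDays) { continue }
                $status = if ($daysLeft -lt 0) { 'EXPIRED' } else { 'EXPIRING' }
                [pscustomobject]@{
                    Computer   = $computer
                    Status     = $status
                    DaysLeft   = $daysLeft
                    NotAfter   = $cert.NotAfter
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint    # use this, not Subject, when tracking renewals
                    HasKey     = $cert.HasPrivateKey # only shown when the remote key container is readable
                }
            }
        } catch {
            # Typical causes: Remote Registry stopped, firewall, or no admin rights on the target.
            Write-Warning "$computer : $($_.Exception.Message)"
        } finally {
            $store.Close()
        }
    }
}

# Usage (host names are assumed placeholders):
#   Get-ExpiringCertificate -ComputerName 'web01','web02' -WarnWithinDays 45 |
#       Sort-Object DaysLeft | Format-Table -AutoSize
```

NotAfter is only one of the ways a certificate stops working: revocation and chain validity are separate checks (X509Chain on the same object), and a certificate whose private key is gone is as dead as an expired one, so treat this as an inventory pass rather than a health check. CAPICOM itself has since been deprecated by Microsoft, which is another reason to prefer the .NET store API for new scripts.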
  • Review - M-Tech ID-Sync

    M-Tech has a suite of Identity Management products. ID-Sync is a user provisioning tool. Pros: - Built in workflow engine - Integration with Microsoft MIIS - Provided SAP MA - Fast provisioning time - Provision of non-HR identity data...
  • Sample Code (Command) - Windows Vista Domain Join with smart card

    After you require smart card interactive logon in your environment, the traditional domain join will not work because you don't have a password. Windows Vista resolves this problem by allowing domain join with a smart card. However, this new feature will...
  • Ways to Compromise Password

    Passwords are vulnerable by virtue of the following attacks: Password Cracking Tools - A variety of software tools, such as L0phtCrack and NT Crack, automate the guessing of passwords through brute force and with extensive dictionaries of frequently...
  • User Authentication Factors

    There are four authentication factors: Something one knows: The concept here is that if the user knows a pre-determined secret, he or she must be the right person. The common type of secret is a password or a PIN, though other schemes like images...
  • Thor XellerateIM 8.0 - InfoWorld Test Report

    During the months we spent planning for this test, we had two five-minute phone calls with Thor Technologies. The first was to invite them to the test, and the second was to discuss the test scenarios. Their response after reading the test plan was simply...
  • Courion Enterprise Provisioning Suite 7.20 - InfoWorld Test Report

    Courion Enterprise Provisioning Suite 7.20 includes ProfileCourier, a user-profile store; PasswordCourier, a metapassword repository; and ComplianceCourier, a policy-control module aimed at tying the other modules together for managed security. Courion...
  • Novell Identity Manager 2 - InfoWorld Test Report

    Novell's identity management solution relies heavily on the company's directory server, eDirectory, which does a fine job as an identity vault. Building on eDirectory to incorporate directory information from across the enterprise, Identity Manager takes...
  • IBM Tivoli Identity Manager 4.6 - InfoWorld Test Report

    To reach into the various moving parts of our enterprise, ITIM (IBM Tivoli Identity Manager) 4.6 used custom agents that we installed on every managed resource, including our AD domain controllers, database servers, and so forth. The agents hold a reasonably...
  • Sun Java System Identity Manager 5.5 - InfoWorld Test Report

    We didn't see much whizbang innovation in Sun Java System Identity Manager 5.5, but we did find a level of reliability and maturity that's rare for this segment. Sun's entire identity management suite consists of Access Manager, Directory Server Enterprise...
  • Oracle Identity Provisioning - InfoWorld Test Result

    Failed test and no result. However, Oracle bought Thor recently, so please see the Thor test report.
  • Review - Microsoft CLM (Certificate Lifecycle Manager) Beta 1 (renamed from Alacris)

    Don't let the word "Beta" fool you. CLM Beta 1 is actually the latest Alacris RTM version, renamed. Pros: - Turnkey system and no coding is required - Can manage both smart cards (including USB tokens) and certificates - Feature rich...
  • Generic IAM Architecture

    This is a basic end-to-end B2E IAM architecture diagram. Yellow areas form the IAM system and dependencies are in green. Identity & Access Management Architecture - B2E Generic
  • Review - Quest ActiveRoles Server

    Quest ActiveRoles Server enables automatic user/group provisioning and makes entitlement management easier. Pros: - Rule-based automatic provisioning - Role-based administration - Easy to navigate UI - AD focused but also handles Unix/Linux...
  • Review - Axalto .NET Smart Card

    Axalto (Schlumberger) has developed the new .NET Card Technology to seamlessly integrate with current software such as Word, Exchange, Windows XP, Windows CE, and upcoming products based on the .Net technology. The technology contains a multi-application...
  • Systems Management Strategy

    Digital identities include not only people but also devices, such as machine accounts and machine certificates, and applications (or software services). Therefore, there is a small overlap between systems management and IAM. Although systems management...
  • Review - RSA SecurID

    SecurID for Windows fully integrates with Microsoft's Active Directory and enables domain-level access management along with new offline capabilities. On the back end, RSA ACE/Server is required. The client requires the RSA ACE/Agent to be installed. The SecurID...