Brian Puhl's Weblog : Random babblings and such...

Identity and Access Webcast Series

bpuhl — Tue, 31 Oct 2006 08:09:00 GMT

Here's some info on some upcoming webcasts... This first series is for the "Technical Decision Makers", but I'll post the "IT Pro" series when they get announced.

-Brian

--------------

Microsoft offers a broad range of technologies and products to enable a customer’s identity and access infrastructure. This web-cast and virtual lab series is designed to educate Technical Decision Makers (TDMs), and IT Professionals about Microsoft’s IDA solution areas centered around the following products:

Windows Rights Management Services (RMS)
Active Directory Federation Services (ADFS)
Microsoft Identity Integration Server MIIS)
Certificate Lifecycle Manger (CLM)
Active Directory (AD)

These webcasts are structured under different categories. The categories take attendees from Product/Solutions Overview, what the product is and how it can help the customer’s infrastructure, to Deployment, and through the different categories to, “What is New for the Future”.

Our kickoff webcast by Peter Houston, and Product/Solution Overview webcasts are for the Technical Decision Makers, while the following webcasts categories will be for IT Professionals.

Join our webcast series to help plan for the future, deploy new solutions, manage and optimize your existing IT infrastructure

As Technical Decisions Makers you should attend (a) our kickoff webcast IDA Vision and Strategy, and (b) Product Overview webcasts segment, to see how our IDA products can be improve cost, increase protection for your IT infrastructure Then encourage your IT Professionals to attend our following webcasts on deeper IT content.

We will be announcing more upcoming webcasts for IT Professionals very soon.

First IDA Webcasts:

(a) IDA Vision Webcast

Title: Microsoft Identity and Access (IDA) Vision and Strategy

Description: Identity and access in connected systems has gone beyond a technical concern and become a top business issue as organizations look to reduce security risk, decrease operational costs, satisfy regulatory requirements, and deepen their electronic relationships with customers and partners. In this session, learn about Microsoft's vision for identity and access technology, including the evolution of Active Directory (AD), Microsoft Identity Integration Server (MIIS), 'CardSpace', and Certificate Lifecycle Manager (CLM). You will also gain insight into Microsoft's vision for IDA in the future.

Presenter: Peter Houston

Date/Time: 11/10/2006, 10:00Am - 11:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032315361&Culture=en-US

(b) Product Overview Webcasts:

Title: Information Protection with Windows Rights Management Services (RMS)

Description: Protecting confidential information and intellectual property, such as e-mail and documents, is critical to the success of many organizations…

Presenter: Tim Upton

Date/Time: 11/16/2006, 1:00 PM – 2:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313768&Culture=en-US

Title: Introduction to Microsoft Certificate Lifecycle Manager

Description: Join this webcast to learn about the new Microsoft Certificate Lifecycle Manager (CLM)…

Presenter: Amesh Mansukhani

Date/Time: 11/20/2006, 1:00 PM – 2:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313484&Culture=en-US

Title: Web Single Sign-On and Identity Federation with Active Directory Federation Services

Description: As organizations extend their information technology (IT) infrastructures to provide partners with access to Web-based applications, they face difficult administrative and security challenges…

Presenter: Howard Ting

Date/Time: 11/27/2006, 11:00 AM – 12:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313783&Culture=en-US

Title: Identity Life-Cycle Management with Microsoft Identity Integration Server 2003

Description: Join this webcast to see how Microsoft Identity Integration Server (MIIS) 2003 enables the automation of identity life-cycle management in the enterprise…

Presenter: Lori Craw

Date/Time: 11/29/2006, 11:00 AM – 12:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313486&Culture=en-US

Regards,

Who's on... huh?

bpuhl — Sun, 15 Oct 2006 22:45:32 GMT

If Bud Abbott and Lou Costello were alive today, their infamous sketch, "Who's on First?" might have turned out something like this:

COSTELLO CALLS TO BUY A COMPUTER FROM ABBOTT

ABBOTT: Super Duper computer store. Can I help you?
COSTELLO: Thanks. I'm setting up an office in my den, and I'm thinking about buying a computer.
ABBOTT: Mac?
COSTELLO: No, the name's Lou.
ABBOTT: Your computer?
COSTELLO: I don't own a computer. I want to buy one.
ABBOTT: Mac?
COSTELLO: I told you, my name's Lou.
ABBOTT: What about Windows?
COSTELLO: Why? Will it get stuffy in here?
ABBOTT: Do you want a computer with Windows?
COSTELLO: I don't know. What will I see when I look in the windows?
ABBOTT: Wallpaper.
COSTELLO: Never mind the windows. I need a computer and software.
ABBOTT: Software for Windows?
COSTELLO: No. On the computer! I need something I can use to write proposals and track expenses and run my business. What do you have?
ABBOTT: Office.
COSTELLO: Yeah, for my office. Can you recommend anything?
ABBOTT: I just did.
COSTELLO: You just did what?
ABBOTT: Recommend something.
COSTELLO: You recommended something?
ABBOTT: Yes.
COSTELLO: For my office?
ABBOTT: Yes.
COSTELLO: OK, what did you recommend for my office?
ABBOTT: Office.
COSTELLO: Yes, for my office!
ABBOTT: I recommend Office with Windows.
COSTELLO: I already have an office with windows! OK, let's just say I'm sitting at my computer and I want to type a proposal. What do I need?
ABBOTT: Word.
COSTELLO: What word?
ABBOTT: Word in Office.
COSTELLO: The only word in office is office.
ABBOTT: The Word in Office for Windows.
COSTELLO: Which word in office for windows?
ABBOTT: The Word you get when you click the blue "W".
COSTELLO: I'm going to click your blue "w" if you don't start with some straight answers. What about financial bookkeeping? You have anything I can track my money with? ABBOTT: Money.
COSTELLO: That's right. What do you have?
ABBOTT: Money.
COSTELLO: I need money to track my money?
ABBOTT: It comes bundled with your computer.
COSTELLO: What's bundled with my computer?
ABBOTT: Money.
COSTELLO: Money comes with my computer?
ABBOTT: Yes. No extra charge.
COSTELLO: I get a bundle of money with my computer? How much?
ABBOTT: One copy.
COSTELLO: Isn't it illegal to copy money?
ABBOTT: Microsoft gave us a license to copy Money.
COSTELLO: They can give you a license to copy money?
ABBOTT: Why not? THEY OWN IT!

(A few days later)

ABBOTT: Super Duper computer store. Can I help you?
COSTELLO: How do I turn my computer off?
ABBOTT: Click on "START."

First Post with Live Writer

bpuhl — Tue, 10 Oct 2006 02:55:21 GMT

Don't expect a whole lot here - I just installed Live Writer and wanted to see what it was going to be like.

Feels vaguely similar to Onenote, which is good, since I like Onenote - I think I'll keep it... maybe it will help me blog more often.

This post will self destruct in 5

...

pfft

ADFS and Liability Continued...

bpuhl — Tue, 03 Oct 2006 08:41:00 GMT

hmm...let's see...I wrote a blog, Pam left a comment, I replied to her comment with another blog, and so (if you haven't seen it yet) Pam posted her own blog entry here... This is actually kind of fun!

You should read (all of) her posts anyways, but to save some screen flipping here's the meat of it:

...When I read this, I felt like jumping up and down like the goody-two-shoes in the second row, me me me me oh I know the answer pick me!!!

If they were to use an Information Card for the active confirmation prior to a user making changes, users wouldn’t need to remember a password at all. You would get the impediment of requiring credentials, without the support burden attached to maintenance of a rarely-used password. Alternatively, if you felt the need to have a password, you could require a managed information card. In that case, the user would be authenticating to the home IdP instead of to the outside application, taking the password management burden off of your partner and consolidating password use to a single centralized source that would theoretically be much more commonly used, and therefore less likely to require frequent recovery. Not to mention that the Enterprise could audit use of the managed infocard in this context.

This seems to me to be a perfect scenario to envision a hybrid passive/active federation combination instead of passive federation for 85% of user activity, and partner-managed password authentication for the remaining 15%. Yes? If so, it just goes to show that the scenarios are out there, and for more than just the eBusiness world.

Brian, what do you think?

So...let's see...What do I think?

I don't think the problem is in the way that the credentials are stored. Let's suppose it's an InfoCard from some Identity Provider, then the liability would then fall on that Identity Provider if/when a users account gets compromised. Why would someone sign up for that? In the case that we're dealing with internally, Microsoft is the Identity Provider, and our lawyers don't want to sign up for the risk - why would anyone else?

Thinking about this slightly differently – Our lawyers have the problem, because if someone hijacks my corporate user account, and goes into my 401k and wipes out my retirement savings – who is ultimately responsible? If Microsoft did the authentication, Microsoft is, if the partner did it, they are, and if some 3rd party identity provider did the authentication – then THEY are responsible (would we even consider a 3rd party - umm...let's hope not)

So let’s say we use an infocard. And not only that, but we use a Managed infocard. Ok, so now I’ve got a managed card on my machine – So when someone hacks my account, selects the highlighted infocard, and THEN wipes out my 401k… Now who’s responsible?

I can absolutely see where an InfoCard can help the end user - but I'm the IT Geek who's trying to deploy the infrastructure. How do I sell being an Identity Provider to my CIO?

AD Training

bpuhl — Sat, 22 Jul 2006 10:06:00 GMT

hmmm....ok, so here's an interesting problem: I'm a Microsoft employee. My blog is hosted on Technet.com. And I'm pretty sure that there is a policy somewhere, which I'm unaware of, that addresses blog posts about 3rd party companies... But I've never really been one for following too many rules anyways, so here you go:

I wrote a post back in May about changes to our organizational structure for supporting AD internally at Microsoft. While I still think the re-org was a great thing to happen within IT, and we're making big progress on many things that had been stalled in the past (ADFS, smartcards, selective auth forest, etc...) - one thing that I noticed were all of the new faces who were going to be managing the DC's. Now, most people in the org have AD experience, but let's face it, there's a big difference between reviewing schema extensions and doing delegations; versus troubleshooting replication or a server on which lsass.exe is taking 90% of the CPU. Both can be difficult, but they are seperate skills. So, to make a long story short, (too late), I fired off an e-mail to Dean at MSETechnology to see if he could help us out with some training. Many people who have been around AD for a while know Dean (or at least "of" him), whether it's the random references in Joe's blog, his answers on ActiveDir.org, or from NetPro's Directory Experts Conference.

Anyways, after a bit of back-and-forth figuring out the logistical details, Dean came on-site here in Redmond and has spent the last week giving what can only be described as the most entertaining, in-depth training on AD that I've ever seen. Topics ranging from replication and topology, to sid history/filtering, to the most...ummm...."descriptive"...segment on the FILE replication service which I've ever sat through, I would have to say that if you're looking for some 300-400 level AD information (as opposed to someone standing up reading a book to you), then this was the class you want to be in.

There's no comparison to the quality of the content, but two things stood out most...and note, that I didn't even sit through the entire week, but was coming and going at random:

While there was definitely structure and order to the content, there was never hesitation to go off on wild tangents which would ultimately enhance the topic being discussed. Most impressive are the impromptu labs, which went something like: "That's a great question...why don't we log into the VPC and try running xyz command and see what happens...ok, well since that didn't work, let's figure out why and then see what we should do." Having taught classes before, I can say that it takes an ENORMOUS amount of confidence in your knowledge to make up labs on the fly.
Professionalism - Yes, a couple of you just looked and said "what? that's not the Dean I know!" Well, actually it is and you know it, but it's fun to play. Most mornings and some afternoons we sat down to go over the class progress and to make sure we were hitting the right topics. There wasn't ever any hesitation to change things "on the fly" (again, very difficult for 'structured' instructors) and the open dialog was exactly what we needed to make sure that everyone was getting the most out of the class. He truly cared about making sure we got the most of the time spent.

So if you're looking to bring in some custom (in-depth, not MOC based) training, and wondering what other people have done, then MSE Technology is worth a look.

Interesting SSID and Reusing Attributes

bpuhl — Sat, 03 Jun 2006 07:19:00 GMT

I bought a new truck a few months ago, and right on schedule (as the salesman promised), as I was coming due for my first oil change, I got a card for my first one free at the dealership. Never being one to turn down a free deal, I dropped in the other day, handed over my keys, and directed to the lobby where the offered, "Free cofee, pastries, and wireless internet." This is Redmond after all.

So sitting down with my laptop, coffee cup, and a donut, I fired up my laptop to synch my e-mail. Viewing the available wireless networks, I almost laughed out loud when I read the SSID:

LJ Chev Cust Net - Ask Cashier for Key

99% of you probably just looked at that and went, "Umm, yeah...DUH!" But both of the people in the office that I mentioned this to said, "Whoa, neat..." which by my statistical methodology made this blog-worthy.

So what does this have to do with AD? It reminds me of a common question that goes through the AD discussion alias at work. The details change, but the gist of it is always something akin to:

"I've got a customer/application/user that is asking whether there are any applications (MS or 3rd party) that use the drink attribute, they are creating a custom password reset portal, and need someplace to store the answer to the secret-question."

Three people just fell out of their chairs laughing, two of you did one of those "I can't believe it" head smacks, and there's one guy who just made a note to himself that he needs to update his portal application to use a different attribute. THAT'S the guy that I want to talk to.

Reusing attributes is bad, each and every one has an intended purpose...well...ok, there are those pesky extensionAttributes, but let's not get picky... If you're creating an application that needs to store data in AD, then go ahead and get an OID branch, and create one... there's a ton of documentation out there on how to do this.

Someone is going to say something about being so cavalier with the schema. Yes, I understand that it's a one-way operation, and I always advocate doing appropriate testing before mucking with your production schema, but I've always been mildly disappointed at the level of FUD that Microsoft created surrounding schema extensions. Caution and due diligence should be taken with everything you do in Active Directory.

Orgs...and Re-Orgs...

bpuhl — Thu, 25 May 2006 01:36:00 GMT

(Especially) If you work in a large company, then organization changes aren't really anything new. Microsoft certainly isn't an exception, but for the 5 or so years that I've worked here, the primary function of the team I'm on has rarely changed. Our team name changed, managers changed, people come and go, but for the most part the one thing that remained consistent was that our "org chart bubble" was moved as a whole and the teams remained intact.

For a bit of background, AD support in MS IT was divided between 2 teams. I was part of the core infrastructure team which owns AD, DNS, ADFS, DHCP, WINS, IPSec, IPv6, and several other "smaller" services that we would keep track of. Specifically for AD, we owned the domain controller configuration, replication, topology, performance, capacity planning, as well as being responsible for a large amount of the dogfooding work that comes around. Because AD is so widely deployed with high availability and redundancy, we've always tested new OS's, fixes, etc.. on the DC's first. In short, we were the "service owners".

The other half of the AD support was the Identity Management Team. IDMT owned the account provisioning systems, MIIS, Schema, GPO's, Trusts, etc... Basically, they were the "data owners" for the directory. For the past year or more, IDMT has been part of our corporate security organization.

Like Bob Dylan says, "These time they are a-changin'"

This most recent re-org has really shaken things up a bit. Rather than maintaining 2 separate groups for different functions, Microsoft IT now has a single Identity and Access Management team, which owns both IDMT and infrastructure functions for AD, as well as PKI, ADFS, and some other services. Whether DNS gets org'd with AD or remains with the core team is still up in the air.

Personally, I'm pretty excited about this change. For one thing, the director of the group is someone that I've worked for before, and am happy to work for him again. The combination of duties will help us align better with the way the AD product group is organized. But mostly, because I've always worked closely with the IDM Team and have a great working relationship, but when it comes down to it, they had their priorities and we had ours, and sometimes the two didn't quite meet. Hopefully being in the same org, with the opportunity to influence (and be influenced) by each other will be good for everybody.

One thing that did occur to me through all this, is that I have talked to very few customers about the way that "they" are organized for AD support. I'm sure this varies from company to company, and can only imagine the enterprise type customers having an "AD team", but I've started to wonder whether they split these duties or keep them together. If you see me at TechEd, or talk to me on one of our regular conference calls, and I'll probably ask you about what YOUR org chart looks like. I've always felt that even though in several ways we're not, that Microsoft IT should be representative of the customers. So in this case, I suppose it would be good to know what that means.

Gil Kirkpatrick is now blogging...

bpuhl — Thu, 08 Dec 2005 04:16:00 GMT

Got mail from Gil Kirkpatrick that he's started blogging at http://www.gilsblog.com recently which I'm sure will hold A TON of useful Active Directory (and other) related information. For those that don't know him, Gil is the CTO of Netpro, frequent contributor to http://activedir.org (a mailing list which anyone interested in AD should check out) and one of those experts that the experts go to when they are stumped...

Thanks for sending me mail, RSS reader is ready to go...happy blogging!

Too high tech, have to go re-learn...

bpuhl — Fri, 04 Nov 2005 01:43:00 GMT

I was in Office Depot a few weeks ago, and saw that they had fountain pens on display, so I picked up a Waterman Phileas. A few weeks have passed with it sitting on my desk, but this afternoon I decided to open it up and put it together. Thus, pen in hand, surrounded by 3 computers, 2 monitors, and countless other high tech gadgets, I pulled out a peice of paper and started to write a letter to my wife (wouldn't she be surprised)...

...Yeah...can you believe that I can't remember how to write cursive? I don't know how long it's been since I actually HAD to write cursive, at least other than signing my name...and for the life of me I've been trying to do it for the past half hour...

I'm still going to surprise my wife with a nice hand written letter...but it's going to take a day or two.

How Does Microsoft IT Do...

bpuhl — Wed, 02 Nov 2005 07:21:00 GMT

Engineers in Microsoft IT spend an unusually large amount of time talking to customers answering questions which start with:

How Does Microsoft IT Do...<fill in the blank here>?

I'm going to try to start to post some of the more common questions and answers in this blog to "share the wealth", but before I get to the first of these HDMSITD posts, I wanted to put in my "default disclaimer" and a little background information to help ease some confusion...so here it goes:

Default Disclaimer:

Odds are extremely high, that your environment does not look like Microsoft's. In fact, I could guarantee it. We do a lot to our internal deployments that most people would consider reckless, all for the sake of "dogfooding" (testing things on ourselves first). So while I'm babbling on and on about how we do things internally, you should look for the "golden nuggets" that you find interesting. Please don't take what we do wholesale and try it out against your production environment.

Ok, that much being said...I'm going to ramble on a bit about our environment so everyone will have some context of where I'm coming from, again to help find the nuggets that may be useful:

We have multiple production, pre-production, and test forests for various business purposes, most of them are 1 or 2 domain forests but our largest contains an empty root and 8 children geographically dispersed...But wait...doesn't MS say not to use an empty root now? Yes...we do...and given the chance to start all over again, we'd probably have one big happy domain...but I digress...

Our main forest has about 100K user accounts, and 300K machine accounts, which represent MS employees in 400+ sites worldwide...our AD database is ~10GB on Windows Server 2003 (~18GB in Windows 2000) and about half of our ~200 DC's are 64-bit, with plans to be fully 64-bit by next summer.

One of the nicer things about our environment is that we generally don't have problems with bandwidth, and this is one of the places where we diverge from many of our customers.

So now you've got some background on where I'm coming from and what our internal environment looks like, which should help put some of our HDMSITD... questions in context.

When your data is dirty, just start over...

bpuhl — Fri, 21 Oct 2005 09:04:00 GMT

I was in a meeting this afternoon, where someone proposed a security solution which could basically be summed up as: "Let's build a new forest, and move all the users and resources into it." Most everyone around the table started shaking their heads in agreement...after all, the forest is the Active Directory security boundary and if the one you've got isn't working then get a new one right? Well, unfortunately...being the guy who would have to design, implement it, and work with the operations teams to support it...I had to ask the question... Why do we need a new forest?

The answer really surprised me, not because of the bold technical genius behind it, but because of it's stark simplicity. I was told that our existing production forest was "too dirty, and couldn't be cleaned." Heck, who can argue with THAT! If your forest is dirty, then that makes even more sense that you would toss it out, run down to the local "Active Directory SuperStore" and pick up a new one. I was thinking we should get a six-pack, just so we had some spares.

In all seriousness though, I think the dumbfounded look on my face actually offended some people. After all, I knew what he intended. The idea was that it was going to take a lot of work to understand the existing settings and how they would need to be changed to accomodate the new business requirements, workflows, etc... The problem was that they didn't want to see whether the cost required for the new forest solution was more or less than "cleaning" out our existing forest, or for that matter even figuring out what the new configuration should be...therefore..."dirty"

So the moral of this story is, if you want to promote an idea or solution, claiming that the "data is dirty" may just be your ticket to success... At least if you can walk out before someone asks you what that means. :)

First blog...

bpuhl — Sun, 09 Oct 2005 08:19:00 GMT

First post, so here's a brief intro.

My name is Brian Puhl, and I'm a Sr. Systems Engineer in Microsoft IT responsible for our internal deployment of Active Directory. Lately I've also been spending quite a bit of time deploying our instance of ADFS (Active Directory Federation Services) which will be released with Server 2003 R2 in a few months. I've worked in MSIT for 4 years, the entire time on the core infrastructure team focused mainly on supporting our AD, DNS, DHCP, and WINS deployments through the upgrades from Windows 2000 to Server 2003, and am now working on the R2 and Longhorn releases.

In addition to being an engineer responsible for our internal environment, I also spend quite a bit of time talking to customers about "How Microsoft IT does...(fill in the blank)". Some of this is done through presentations at conferences, and other times it's during a monthly customer conference call that I host with some of the other engineers on my team. Because many of the questions are often repeated from multiple customers, I'm hoping to answer some of them in this blog, as well as throw out some hints/tips/tricks that we've learned along the way.

~Brian