April 30, 2001, 1:20 PM — The next version of Microsoft's Active Directory will include new features that begin to position the directory for use on the Web, but observers say the additions are only the first steps on a difficult path.
Microsoft bills the move as a major advancement for Active Directory, which today is geared for use within organizations as an internal network operating system directory. Microsoft wants to extend the directory's role to include managing users who are outside of an organization's firewall, such as, e-commerce customers and other Web site visitors.
First Microsoft must break down barriers that include Active Directory's proprietary interfaces, which hamper effective integration with the open environment of the Internet.
"On the Web, you want an independent directory server that isn't bound to NOS file and print or security. You want it more generic," says Jamie Lewis, president of The Burton Group. "Now Active Directory assumes users are [Windows 2000] NOS users, and in theory you could grant NOS privileges to users who are only Internet users."
Microsoft will head in that direction by adding two Lightweight Directory Access Protocol (LDAP) enhancements in Windows 2002 Server, formerly code-named Whistler. Microsoft has worked with Netegrity, Oblix, OpenNetwork Technologies and Securant Technologies, vendors of Web-based provisioning and access control software, on integrating Active Directory. The Windows 2002 enhancements include a performance boost in handling LDAP authentication requests and support for inetOrgPerson, a standard way to represent a user in the directory.
Microsoft wants to create the option to face the directory outward toward the Internet so it becomes a pivotal point in supporting access from outside the firewall to Web applications such as those for e-commerce and .Net, Microsoft's vision of software on the Internet.
The benefit for IT executives committed to Active Directory is the ability to create a consistent layer of directory-based user management across the internal and external portions of their networks. The directory can also support a virtual single sign-on and centralized management point to Web applications running on any platform.
Competitors have already moved their directories to the Web.
IPlanet's Directory Server, an open, general-purpose LDAP directory, now dominates that market. Novell also has moved its eDirectory onto the Web. The hallmarks of those directories are performance, scalability, standard interfaces and operating system independence.
But Microsoft isn't committing to a stand-alone directory.
"I don't think that a stand-alone directory is a firm customer requirement," says Peter Houston, group program manager for Active Directory. "But that doesn't mean we won't make it increasingly easier to deploy [Active Directory] in this [outward-facing] role."
Microsoft is hungry
Observers say for Active Directory to be in that class it needs more LDAP interfaces so applications are not tied to Microsoft's proprietary Active Directory Service Interfaces (ADSI).
"Microsoft is hungry for this extranet market," says John Enck, an analyst with Gartner Group. "They are not getting the application support iPlanet is getting. These Whistler additions are good, but Microsoft still has some more concessions to make to attract applications to the [Active Directory] environment. They can't go after the Web while still mandating the use of proprietary ADSI."
Microsoft's focus now is to use LDAP to more closely integrate Active Directory with Web-based provisioning and access control software. Those products provide an HTTP interface to Web clients into a security layer for internal Web applications using policies and access controls that are stored in a directory. The products also support iPlanet and Novell directories, and some ship with iPlanet Directory Server.
Microsoft is responding to competition, but also to customers who want to simplify their directory infrastructure.
"For our business-to-business relationships we use iPlanet, but our hope is to move Active Directory out there, get off iPlanet, and get a consistent structure both internal and external," says a systems analyst for a large multinational oil and gas company who asked not to be identified.
"It would be nice to get [Active Directory] mature enough to handle that, but we don't think these new features will be all that we need," he says.
Key enhancements
