Commentary
5/13/2014
12:56 PM
Dan Tesch

Centralized Authentication: A Double-Edged Sword

Active Directory is a great centralized authentication service for security and compliance, but Macs, mobile devices, and remote access cause headaches.

When I arrived at my current employer about seven years ago, I was surprised to find no Active Directory. There was an attempt at an LDAP infrastructure, but the only thing authenticating to it was a single Samba server.

The replication to a secondary LDAP server was broken, email was off on its own, wireless was a collection of consumer-grade access points using static WAP keys, and every application -- whether commercial or internally developed -- had its own authentication scheme. I don't want to say it was a mess, but there was little evidence of a consistent authentication strategy or direction.


One of my first projects was to migrate from a legacy email system to Exchange. Since Exchange requires Active Directory, I saw an opportunity to begin centralizing authentication. Over time, every new Windows server was joined to Active Directory, a new multi-site distributed file server system was installed, and I talked with our developers about pointing applications that require authentication at Active Directory. Next came a new wireless system and updated VPN endpoints; these, too, were tied into Active Directory through Microsoft's RADIUS implementation, Network Policy Server.

My goal wasn't to have absolutely everything authenticate to Active Directory, but in my view, more is better. In theory, it should be easier for end users, because they have to remember only one set of credentials, and changing a password once takes care of many services. From an administrative perspective, Active Directory gives you one place to deactivate an account that covers multiple points of entry; I even configured our entire router, switch, and firewall infrastructure to authenticate administrative access against Active Directory.

As our IT operations evolved and security policies and compliance needs grew, we began to implement password change and account lockout policies. These policies help us protect critical infrastructure and information.

Mac, mobile, remote access headaches
All in all, I consider this implementation a success. However, that doesn't mean there aren't difficulties. First on the list is Macintosh users, who make up about a third of our computing population. Macs can be joined to Active Directory, but they aren't full-fledged members, so you can forget about simple Group Policy settings such as a locking screen saver.

In addition, Macs on their own don't have a mechanism to inform users about expiring passwords, and changing an Active Directory password from within the Mac OS isn't a reliable solution. I haven't been able to get it to work at all, even with add-on products such as Centrify. Also, logins from Macs to wireless networks and file servers are not unified like they are in Windows.
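Because Mac (and mobile) users never see the Windows "your password will expire" prompt, one practical workaround is to warn them by e-mail from the directory side. The script below is an added example, not code from the article or its author: it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which honours fine-grained password policies rather than only the default domain policy, and mails everyone whose password expires within a configurable number of days. The SMTP relay, sender address and warning window are assumptions; it needs the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the article): e-mail users whose AD password
# expires within $WarnDays. Intended to run daily from a scheduled task.
Import-Module ActiveDirectory

$WarnDays   = 7                          # assumption: warning window in days
$SmtpServer = 'smtp.example.com'         # assumption: internal relay that accepts mail from this host
$From       = 'it-helpdesk@example.com'  # assumption: sender address

function Get-ExpiringPasswordUsers {
    param([int]$Days = 7)

    # Only enabled accounts whose password actually expires.
    $users = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
        -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

    $now = Get-Date
    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # 0 / empty = "must change at next logon"; Int64.MaxValue = no maximum age applies.
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

        $expires  = [DateTime]::FromFileTime($raw)   # attribute is a Windows FILETIME
        $daysLeft = [Math]::Ceiling(($expires - $now).TotalDays)
        if ($daysLeft -lt 0 -or $daysLeft -gt $Days) { continue }   # already expired, or not due yet

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $u.mail
            Expires        = $expires
            DaysLeft       = [int]$daysLeft
        }
    }
}

foreach ($entry in Get-ExpiringPasswordUsers -Days $WarnDays) {
    if (-not $entry.Mail) { continue }   # no mail attribute on record; nothing to send to

    $body = @"
Your network password expires in $($entry.DaysLeft) day(s), on $($entry.Expires.ToString('yyyy-MM-dd HH:mm')).
Change it from a domain-joined Windows machine, then update the saved password on
your phone, tablet, and any VPN or Wi-Fi profiles; otherwise those devices will
keep presenting the old password and lock your account.
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $entry.Mail `
        -Subject "Your password expires in $($entry.DaysLeft) day(s)" -Body $body
}
```

Run it under a service account that can read the user attributes; the mail text deliberately tells people to update their devices, since that is the lockout source discussed next.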

Macs are a hassle, but the majority of problems came from mobile devices. As more people configured phones and tablets to access their email and connect to our wireless network, account lockouts increased sharply. Why? When people change their password, they forget about all of the places
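When a lockout policy is in force, the first question the help desk needs answered is which device is still presenting the old password. The script below is an added example, not code from the article or its author. It relies on the fact that account lockouts are always forwarded to the domain's PDC emulator, so its Security log (event ID 4740, "A user account was locked out") sees every lockout in the domain, and the event's "Caller Computer Name" field identifies the machine that submitted the bad credentials. It assumes the RSAT ActiveDirectory module and rights to read the domain controller's Security log remotely.

```powershell
# Added example (not from the article): find which device is locking out an
# account, using event 4740 on the PDC emulator.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [int]$Hours = 24,     # look-back window
        [string]$User         # optional: restrict to one sAMAccountName
    )

    $pdc   = (Get-ADDomain).PDCEmulator
    $since = (Get-Date).AddHours(-$Hours)

    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $pdc `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
        -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name rather than by position.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($User -and $data['TargetUserName'] -ne $User) { continue }

        # In 4740 the TargetDomainName field carries the "Caller Computer Name":
        # the host that sent the failing passwords to a domain controller.
        [pscustomobject]@{
            Time           = $e.TimeCreated
            User           = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# Usage: which (user, device) pairs locked out most often in the last day.
Get-LockoutSource -Hours 24 |
    Group-Object User, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

One caveat a practitioner will hit immediately: for phones and tablets the Caller Computer Name is usually not the device itself but the server that authenticated on its behalf, such as the Exchange server for ActiveSync, the NPS server for wireless, or the VPN concentrator. That host's own logs (the IIS logs on Exchange, which record the ActiveSync device ID in the request URL, or NPS event 6273 "Network Policy Server denied access to a user") are where the individual device is finally identified.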


Dan Tesch is an IT Director at a Chicago-area marketing firm. He's also a member of the Interop Advisory Board. Dan's technology experience began in the late 1980s in the publishing industry, and now includes networking, virtualization, storage and security.
