Centralized Authentication: A Double-Edged Sword - InformationWeek
Dan Tesch

Active Directory is a great centralized authentication service for security and compliance, but Macs, mobile devices, and remote access cause headaches.

When I arrived at my current employer about seven years ago, I was surprised to find no Active Directory. There was an attempt at an LDAP infrastructure, but the only thing authenticating to it was a single Samba server.

The replication to a secondary LDAP server was broken, email was off on its own, wireless was a collection of consumer-grade access points using static WAP keys, and every application -- whether commercial or internally developed -- had its own authentication scheme. I don't want to say it was a mess, but there was little evidence of a consistent authentication strategy or direction.

One of my first projects was to migrate from a legacy email system to Exchange. Since Exchange requires Active Directory, I saw an opportunity to begin to centralize authentication. Over time, new Windows servers were all put into Active Directory, a new multi-site distributed file server system was installed, and I talked with our developers about pointing applications requiring authentication to Active Directory. Next came a new wireless system and updated VPN endpoints; these, too, via Microsoft's version of a RADIUS server, tied into Active Directory.

My goal wasn't to have absolutely everything authenticate to Active Directory, but in my view, more is better. In theory, it should be easier for end users, because they have to remember only one set of credentials, and changing a password once takes care of many services. From an administrative perspective, Active Directory gives you one place to deactivate an account that covers multiple points of entry; I even configured our entire router, switch, and firewall infrastructure to authenticate administrative access against Active Directory.

As our IT operations evolved and security policies and compliance needs grew, we began to implement password change and account lockout policies. These policies help us protect critical infrastructure and information.

Mac, mobile, remote access headaches
All in all, I consider this implementation a success. However, it doesn't mean there aren't difficulties. First on the list is Macintosh users, who make up about a third of our computing population. Macs can be joined to Active Directory, but they aren't fully fledged members, so you can forget about simple group policies such as locking screen savers.

In addition, Macs on their own don't have a mechanism to inform users about expiring passwords, and changing an Active Directory password from within the Mac OS isn't a reliable solution. I haven't been able to get it to work at all, even with add-on products such as Centrify. Also, logins from Macs to wireless networks and file servers are not unified like they are in Windows.

Macs are a hassle, but the majority of problems came from mobile devices. As more people configured phones and tablets to access their email and connect to our wireless network, account lockouts increased exponentially. Why? When people change their password, they forget about all of the places
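The practical follow-up to the lockout problem is finding which device is still presenting the old password. This is an added example, not from the article: it runs on the PDC emulator, which logs every lockout in the domain as Security event 4740, and groups the lockouts by account and calling computer. It assumes account-lockout auditing is enabled and that the script runs with rights to read the Security log.

```powershell
# Added example: which device keeps locking an account after a password change?
# Run on the PDC emulator, where all domain lockouts (Event ID 4740) are recorded.
$since = (Get-Date).AddDays(-1)

$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML. In a 4740 event the
        # "Caller Computer Name" (the device that sent the bad password) is carried
        # in the TargetDomainName field, not in a field of its own.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $data['TargetUserName']
            Caller  = $data['TargetDomainName']
        }
    }

# The "forgotten phone or tablet" pattern: the same caller locks the same account
# repeatedly. Sorting by count puts the noisiest device at the top of the list.
$lockouts |
    Group-Object Account, Caller |
    Where-Object Count -gt 1 |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ Name = 'Account'; Expression = { $_.Group[0].Account } },
                  @{ Name = 'Caller';  Expression = { $_.Group[0].Caller } },
                  @{ Name = 'Last';    Expression = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

A caller name that is a wireless controller, VPN concentrator, or Exchange server rather than a workstation points at a mobile device behind that service, which is exactly the case the article describes.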

Dan Tesch is an IT Director at a Chicago-area marketing firm. He's also a member of the Interop Advisory Board. Dan's technology experience began in the late 1980s in the publishing industry, and now includes networking, virtualization, storage and security. View Full Bio
