Centralized Authentication: A Double-Edged Sword - InformationWeek


12:56 PM
Dan Tesch

Centralized Authentication: A Double-Edged Sword

Active Directory is a great centralized authentication service for security and compliance, but Macs, mobile devices, and remote access cause headaches.

When I arrived at my current employer about seven years ago, I was surprised to find no Active Directory. There was an attempt at an LDAP infrastructure, but the only thing authenticating to it was a single Samba server.

The replication to a secondary LDAP server was broken, email was off on its own, wireless was a collection of consumer-grade access points using static WAP keys, and every application -- whether commercial or internally developed -- had its own authentication scheme. I don't want to say it was a mess, but there was little evidence of a consistent authentication strategy or direction.


One of my first projects was to migrate from a legacy email system to Exchange. Since Exchange requires Active Directory, I saw an opportunity to begin to centralize authentication. Over time, all new Windows servers were put into Active Directory, a new multi-site distributed file server system was installed, and I talked with our developers about pointing applications requiring authentication to Active Directory. Next came a new wireless system and updated VPN endpoints; these, too, were tied into Active Directory via Microsoft's version of a RADIUS server.

My goal wasn't to have absolutely everything authenticate to Active Directory, but in my view, more is better. In theory, it should be easier for end users, because they have to remember only one set of credentials, and changing a password once takes care of many services. From an administrative perspective, Active Directory gives you one place to deactivate an account that covers multiple points of entry; I even configured our entire router, switch, and firewall infrastructure to authenticate administrative access against Active Directory.

As our IT operations evolved and security policies and compliance needs grew, we began to implement password change and account lockout policies. These policies help us protect critical infrastructure and information.

Mac, mobile, remote access headaches
All in all, I consider this implementation a success. However, that doesn't mean there were no difficulties. First on the list is Macintosh users, who make up about a third of our computing population. Macs can be joined to Active Directory, but they aren't fully fledged members, so you can forget about simple group policies such as locking screen savers.

In addition, Macs on their own don't have a mechanism to inform users about expiring passwords, and changing an Active Directory password from within the Mac OS isn't a reliable solution. I haven't been able to get it to work at all, even with add-on products such as Centrify. Also, logins from Macs to wireless networks and file servers are not unified like they are in Windows.

Macs are a hassle, but the majority of problems came from mobile devices. As more people configured phones and tablets to access their email and connect to our wireless network, account lockouts increased exponentially. Why? When people change their password, they forget about all of the places
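The lockout pattern described above (a password changes, and a device still holding the old credential retries until the lockout threshold trips) is easiest to confirm from the domain controller's security log. The following is an added example, not code from the article; it works over constructed sample records shaped like Windows event 4723 (password change) and 4740 (account lockout, which carries a Caller Computer Name field), and the helper names and the 24-hour window are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data), carrying the fields of
# Windows Security events 4723 (user changed password) and 4740 (account
# locked out) that matter for tracing the source of a lockout.
SAMPLE_EVENTS = [
    {"id": 4723, "time": "2021-06-01T08:55:00", "user": "jdoe"},
    {"id": 4740, "time": "2021-06-01T09:02:10", "user": "jdoe", "caller": "JDOE-IPHONE"},
    {"id": 4740, "time": "2021-06-01T09:17:40", "user": "jdoe", "caller": "JDOE-IPHONE"},
    {"id": 4740, "time": "2021-06-01T09:32:05", "user": "jdoe", "caller": "JDOE-IPAD"},
    {"id": 4723, "time": "2021-05-20T10:00:00", "user": "asmith"},
    {"id": 4740, "time": "2021-06-01T11:00:00", "user": "asmith", "caller": "WS-0042"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def lockout_sources(events):
    """Map each locked-out account to a count of lockouts per caller computer."""
    sources = defaultdict(Counter)
    for e in events:
        if e["id"] == 4740:
            sources[e["user"]][e["caller"]] += 1
    return sources


def stale_credential_suspects(events, window=timedelta(hours=24)):
    """Accounts locked out within `window` after one of their password changes.

    Repeated lockouts from the same device shortly after a change are the
    usual signature of a phone or tablet still presenting the old password.
    Returns {user: [(caller_computer, lockout_count), ...]} sorted by count.
    """
    changes = defaultdict(list)
    for e in events:
        if e["id"] == 4723:
            changes[e["user"]].append(parse_time(e["time"]))
    suspects = defaultdict(Counter)
    for e in events:
        if e["id"] != 4740:
            continue
        t = parse_time(e["time"])
        if any(timedelta(0) <= t - c <= window for c in changes[e["user"]]):
            suspects[e["user"]][e["caller"]] += 1
    return {user: counts.most_common() for user, counts in suspects.items()}


if __name__ == "__main__":
    for user, callers in stale_credential_suspects(SAMPLE_EVENTS).items():
        print(user, "locked out after password change from:", callers)
```

In the sample, jdoe's lockouts all follow a change the same morning and point at two personal devices, while asmith's single lockout is unrelated to any recent change and is left out.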

Dan Tesch is an IT Director at a Chicago-area marketing firm. He's also a member of the Interop Advisory Board. Dan's technology experience began in the late 1980s in the publishing industry, and now includes networking, virtualization, storage and security.
