Just as I pointed out that GPOs aren’t AD in this post – http://blog.joeware.net/2007/04/20/852/
This also goes for DFS, NTFRS, DFSR, Terminal Server Licensing, MSMQ Queues, Exchange, SharePoint, MIIS, ADFS, PKI/CA, any of the techs, really, that MSFT marketing decided to slap “Active Directory” into the name of, and many other technologies that *use* AD but aren’t AD.
Of all of those the technology the closest I could see getting integrated directly into AD would be PKI/CA functionality followed by ADFS. How would you feel if every DC that came up could give out PKI certs for domain/forest/federation functions and those functions only. Say like the ability to sign/seal things within the forest was just there and worked, EFS or whatever follows it just worked, LDAPS just worked, wireless or other network filtering stuff based on certs just worked, etc. It all got configured as soon as you typed DCPromo and worked perfectly such that you had to think very little if at all about it. If you needed some special capability out of your PKI environment that wasn’t built in say like for special web certs, etc, you set up an official CA/PKI infrastructure based on any vendor you wanted specifically for that. But in the meanwhile, the majority of folks out there that just do it for some basic OS Level functionality like LDAPS, EFS, wireless, or other Windows system level stuff only don’t have to be bothered. Just think of the cool benefits to the OS guys and things they could move forward with in the realm of security because they know the infrastructure would absolutely exist for it and be set up properly and would work.
Can’t happen? Too difficult? MSFT doesn’t have the horsepower and brain power to pull it off??? Think about kerberos. How many of you were setting up kerberos realms prior to being able to do it as easy as falling off of a log by typing dcpromo? How many Windows admins have the slightest clue what is happening in Kerberos now? Can they tell you about pre-authentication and the TGT and TGS phases? If you know a lot of Admins that can talk to that stuff, you have some bright friends, I don’t know many at all that can speak to it. And the beauty is…. in almost all cases they don’t need to be able to. I’ve seen first hand how difficult kerberos can be on non-Windows platforms, it reminds me in a lot of ways of the complexity and fear around PKI/CAs.
ADFS… yeah I have spoken with several folks who have played with it, haven’t done it myself, as I like to say, until it does something other than the web, it just holds no interest for me. If I can access your SMB shares or query our LDAP server (with LDAP not any DSML crap) with ADFS, then we are talking about something I want to get involved with and understand. I thought about setting it up once… But then I saw the manual and said, “ah yeah, not today. And tomorrow isn’t looking so good either…”.
Let’s face it, if there is a complicated set of instructions for deployment of something, it isn’t going to penetrate very well in the Microsoft world despite any goals or dreams or aspirations of the folks at MSFT. This is a world where “experienced” admins even have trouble with AdPrep… If it doesn’t happen automatically and near magically but especially perfectly, it isn’t likely to spread to many places. For anyone at DEC, you know how strongly MSFT is pushing in the direction of ADFS. To go very far in that direction, what underpin technologies also have to be nailed down? PKI maybe?
In the chalk talk session at DEC, one of the Softies asked the question, “How many people here have deployed PKI/CAs?”. A good portion of the crowd raised their hand. I wanted the follow up question to be “How many people here who have deployed PKI/CAs are 100% sure they did it properly and there are no issues?” I expect the number of hands would have gone down, probably considerably. Another question “How many aren’t fully sure they did the right thing with PKI/CAs with design or implementation?” Wow I am on a role, here is another “How many people have had to redeploy PKI/CAs because it was done improperly?” A good wrap up question “How many have not deployed PKI/CAs due to fear or confusion or lack of understanding of the needs, requirements, concerns or even the understanding of the technology?”.
I’ve set up CAs in labs, I am no where near close to stating that I understand it all 100% though or even enough to properly set up a CA / PKI infrastructure for a company. But then I am an honest bloke, there are a lot of consultants out there that know how to click on install and figure that is more than enough to install Cert Services…. You guys know who you are, you don’t need to lie.
joe
