Secure Directory Access with MIIS

Keep multiple directories synchronized


Once heralded as the ultimate repository of information about users and applications, directories promised to let enterprises store all data in a central location and a standardized format. However, conflicting use of attributes, proprietary schema extensions, and the need for scalability, replication, and security often caused problems. Rather than building one central directory, organizations built and deployed a separate directory for each application or set of users. Inevitably, users and applications were represented in multiple directories, and applications needed to access data spread across multiple directories.

In an effort to resolve the problems associated with implementing multiple directories, companies have deployed metadirectory products, such as Microsoft Metadirectory Services (MMS), to present a unified view of directories to users and applications. However, not all applications can use metadirectories, and many enterprises have difficulty building metadirectories because of conflicts between attributes and schemas across individual directories.

The release of Microsoft Identity Integration Server 2003 (MIIS) has given organizations a powerful tool for deploying directory-enabled applications while ensuring that data across individual directories remains synchronized. Consider an organization that runs Web servers to host a Web-based application and deploys an Active Directory Application Mode (ADAM) directory hosted in a demilitarized zone (DMZ) to store user credentials and configuration information. The organization has two options. It can support access through the firewall to one directory hosted on the intranet, with all the security concerns that this option entails, or it can deploy two directories, in which case user accounts that exist in both directories can become unsynchronized.

By adding MIIS to this scenario, as Figure 1 shows, you can export objects that represent application users from Active Directory (AD) and import them into ADAM, where you can store them alongside objects that represent external users. (I discuss ADAM in "Getting to Know ADAM," June 2004, InstantDoc ID 42450.) MIIS doesn't need to export and import entire directories—you can configure it to replicate only pertinent attributes and only for selected objects. Through MIIS, AD and ADAM can synchronize the objects for users who access the Web-based application—a specific value or attribute can drive the decision about which objects to synchronize. Best of all, the Identity Integration Feature Pack for Microsoft Windows Server Active Directory (IIFP), a version of MIIS that supports a subset of directories, is available free to Microsoft customers who have Windows Server 2003, Enterprise Edition licenses.

Installing and Configuring MIIS
MIIS is the successor to MMS but differs from it in many respects. MIIS lets you import objects from one or more directories, reconcile conflicting attributes, and export the objects to other directories. You can create rules to determine which objects and attributes are imported from each directory, how conflicts are resolved, which objects and attributes are exported, and where they're exported to. And you can extend MIIS's functionality by writing processing logic in Visual C# .NET or Visual Basic .NET.

Neither MIIS nor IIFP is a metadirectory in the truest sense of the term, but you can use either in conjunction with ADAM to build a metadirectory. The full version of MIIS supports several different directories, email systems, applications, databases, and file-based repositories. (For a complete list, see serversystem/miis2003/evaluation/overview/default.mspx.) However, IIFP supports only ADAM, AD, and Microsoft Exchange Server 2003 and Exchange 2000 Server Global Address Lists (GALs). GALs list email-enabled users and groups and are created and used by Exchange and Messaging API (MAPI) applications, such as Microsoft Outlook and other Microsoft Office applications. In this article, I concentrate on IIFP, but everything I discuss also applies to the full version of MIIS.

Unlike ADAM, which runs on both Windows 2003 and Windows XP Service Pack 1 (SP1), IIFP runs only on Windows 2003, Enterprise Edition and requires Microsoft SQL Server 2000 Standard Edition or Enterprise Edition. (You can use the latest version of Microsoft SQL Server Desktop Engine—MSDE—for testing purposes, but IIFP isn't licensed for use with MSDE in production environments.) IIFP, which you can download at, is slightly less than 8MB in size and provides a wizard to help with installation and configuration.

To install IIFP, you need to be logged on to your server as an administrator and use an account that has administrative privileges on the database server and for the database that MIIS will use. After presenting the Welcome screen and the End User License Agreement (EULA), the wizard asks whether you want to install a complete or custom version of IIFP. If you elect a custom installation, you can choose which components to install from among the MIIS server; the UI; and the AD, ADAM, and AD GAL management agents. The wizard then asks for information about the SQL Server database instance that MIIS will use and prompts you to enter credentials for the service account that MIIS will use when it runs. You need to create this account before installing MIIS, and you need to grant the account the privilege to log on as a service.

Next, the wizard asks for names for four groups it will create. These groups (and their default names) are MIIS Administrators (MIISAdmins), Operators (MIISOperators), Joiners (MIISJoiners), and Container Browsers (MIISBrowse). Then, the wizard installs MIIS. The installation program checks your MIIS server configuration for potential security problems and prompts you to follow the best security practices documented in the online Help to remedy any problems it finds.

After installing MIIS, the wizard prompts you for a location at which to store a backup of the encryption key MIIS uses to protect credentials that it stores for accessing other directories. The encryption key is generated during installation. After installation, you manage encryption keys through the Key Management Utility. Finally, the wizard prompts you to log off, then log on again to ensure that you have access to MIIS.

Configuring Data Imports
With MIIS installed and running, you can create and configure management agents, which are responsible for connecting directories to MIIS. Although the power and flexibility of the management agents might make them appear daunting, the underlying theory is fairly simple. MIIS maintains a metaverse—a consolidated, synchronized view of all objects and attributes that management agents have imported. Each agent stores information about a particular connected directory, including its location and the credentials necessary to access it, in tables separate from the metaverse.

You can run management agents manually or invoke them through a script. The agents import data from a connected directory to the agent's connector space, which you can think of as a staging area for import and export operations. MIIS must synchronize objects and attributes in the connector space with objects and attributes in the metaverse. During the synchronization process, MIIS checks join rules to determine whether an object in the connector space can be uniquely linked, or joined, to one object in the metaverse. When the object in the connector space can be joined to an object in the metaverse, MIIS synchronizes it. If MIIS can't join an object because no corresponding object exists in the metaverse, MIIS searches for a projection rule that governs whether the object should be created in the metaverse.

Figure 2 shows join and projection rules for the inetOrgPerson object type in a management agent that imports objects from AD. Metaverse objects aren't necessarily the same as the objects in the connector space or the connected directory. Directories often contain many types of objects that can be used interchangeably. For example, AD can use user, person, and inetOrgPerson object types to store information about an individual, but the metaverse can store information about an individual only in a person object type. If the metaverse has no suitable object type to represent an object type from a directory or you need to customize an existing object type, you can use Metaverse Designer to extend the metaverse schema.

To configure a management agent, you must be logged on to the system as a member of the MIISAdmins group. To add a new agent, click Management Agents on the MIIS main window's toolbar and select Create from the list of actions in the right-hand pane. A wizard guides you through the agent-creation process.

The process can vary slightly depending on the directory you want to import from. When configuring an agent to import data from a connected directory, you can select which object classes (aka object types) to import (e.g., user, inetOrgPerson). For AD and ADAM, three object types are mandatory: container, domainDNS, and organizationalUnit.

After you specify all the object types you want to import, you can select the attributes to import for those objects. MIIS lists the most commonly used objects and attributes for you to select from. If the object or attribute you want doesn't appear in the list, you can select the Show All check box. To control which objects to import from the directory, you can use filters based on the attributes you want to import. Comparison operators for filters depend on the attribute type and include Equals, Does not equal, Starts with, Is present, and Contains.

You need to configure how attributes that belong to objects in the connector space flow to object types and attributes in the metaverse during synchronization. You configure attribute flow in the Create Management Agent window. Web Figure 1 shows attribute flow configured for a management agent that imports inetOrgPerson and user objects from AD to the metaverse.

You also need to configure deprovisioning to control how objects that are no longer joined are processed. Joins are broken when an object is removed from the metaverse—for example, when it's removed from a connector space as the result of its deletion from the connected directory. The final step in configuring a management agent lets you configure rules extensions and password-protection operations on directory partitions.

Running Management Agents
After you configure a management agent, you create run profiles for it. Run profiles control how the agent is run, whether it performs a full or delta import from a directory to the connector space, and whether the connector space is synchronized with the metaverse and, if so, whether a full or delta synchronization takes place. You can also configure exportation of data from the metaverse through the connector space to a connected directory.

You can run a management agent by selecting Run from the list of Actions in the right-hand pane of the Management Agents window, as Figure 3 shows. When you run an agent, MIIS shows a summary of results, including the metaverse objects that were added, modified, or deleted. You can double-click a Synchronization Statistics item, such as Adds or Deletes, to drill down into the results and get detailed information about the objects to which the statistic applies. You can also search the connector space and the metaverse for objects to see the results of import, synchronization, and export operations on those objects in an attempt to identify where problems might exist. Figure 4 shows the results of a metaverse search.

Because requiring administrators to log on to MIIS and manually run management agents isn't feasible in many production environments, MIIS provides a means to script operations using Windows Management Instrumentation (WMI). MIIS will even generate scripts for you. Web Listing 1 shows a sample script for running MIIS management agents on a specific server. You generate a script by choosing Configure Run Profiles from the list of Actions, selecting the name of a run profile to script (e.g., Full Import, Synchronize), and clicking the Script button. MIIS prompts you for a location at which to save the script. You can modify scripts to combine code from other scripting operations and to specify credentials to use when controlling MIIS remotely.
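The generated script runs a single run profile. As an added example (not the article's Web Listing 1 and not code that MIIS generates), the following C# console program drives the same MIIS WMI provider from a scheduled task: it connects to the root\MicrosoftIdentityIntegrationServer namespace with packet-privacy authentication so that remote DCOM traffic is encrypted, runs a sequence of run profiles for one agent, and stops at the first profile whose result isn't "success". The server name, the agent name "DMZ ADAM", and the profile names are assumed placeholders that must match what you configured in Configure Run Profiles.

```csharp
using System;
using System.Management;

// Added example: run several MIIS run profiles in order through the
// MIIS_ManagementAgent WMI class and stop at the first failure.
// Assumed names: agent "DMZ ADAM" and the three profile names below.
class RunAgentProfiles
{
    static int Main(string[] args)
    {
        string server = args.Length > 0 ? args[0] : ".";   // "." = local MIIS server
        string agentName = "DMZ ADAM";                      // assumed agent name
        string[] profiles = { "Full Import", "Full Synchronization", "Export" };

        // Remote WMI runs over DCOM: require packet privacy (encryption) and
        // impersonate the caller rather than delegating its credentials onward.
        ConnectionOptions options = new ConnectionOptions();
        options.Impersonation = ImpersonationLevel.Impersonate;
        options.Authentication = AuthenticationLevel.PacketPrivacy;

        ManagementScope scope = new ManagementScope(
            @"\\" + server + @"\root\MicrosoftIdentityIntegrationServer", options);
        scope.Connect();

        // Double any single quote so an agent name can't break out of the WQL string.
        ObjectQuery query = new ObjectQuery(
            "SELECT * FROM MIIS_ManagementAgent WHERE Name = '" +
            agentName.Replace("'", "''") + "'");

        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
        {
            foreach (ManagementObject agent in searcher.Get())
            {
                foreach (string profile in profiles)
                {
                    // Execute returns a status string; "success" means the run completed cleanly.
                    string result = (string)agent.InvokeMethod("Execute", new object[] { profile });
                    Console.WriteLine("{0} / {1}: {2}", agentName, profile, result);
                    if (result != "success")
                    {
                        // Don't export on top of a failed import or synchronization.
                        return 1;
                    }
                }
                return 0;
            }
        }

        Console.Error.WriteLine("Management agent '{0}' was not found on {1}", agentName, server);
        return 2;
    }
}
```

The account that runs this program needs membership in MIISOperators (or MIISAdmins) on the MIIS server; the non-zero exit codes let a scheduler or monitoring job distinguish a failed run from a missing agent.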

Configuring Data Exports
Using MIIS to build a metaverse isn't very useful in itself. What you really want MIIS to be able to do is to export data through connector spaces to connected directories, where applications can access the data. The process of configuring a management agent to export objects and attributes is almost identical to creating an agent to import data. The main differences are that an export management agent doesn't have join or projection rules for exported attributes, the attribute flow is from metaverse to connector space instead of in the reverse direction, and you need to implement a rules extension.

Working with rules extensions can be the most off-putting part of implementing MIIS. Rules extensions are DLLs written in Visual Basic .NET or Visual C# .NET, compiled, and stored in the Extensions folder under MIIS's installation root folder. A rules extension is required to create an anchor attribute, which uniquely identifies an object in the management agent's connector space. For Lightweight Directory Access Protocol (LDAP)-compliant directories such as AD and ADAM, the anchor attribute is the object's distinguished name (DN) attribute. For a SQL Server or plaintext file, both of which the full version of MIIS supports, the anchor attribute might be an employee ID or any one of several combinations of attributes defined by the MIIS administrator. You don't need to code a rules extension manually. To create a Visual Studio (VS) project that contains a template rules extension source code file in your preferred language, click Tools in the main MIIS window, select Configure Extensions, then click Create Rules Extension Project.

Compiling a rules extension project creates a DLL and a debugging (.pdb) file. You must copy both to the Extensions folder for them to become visible to MIIS. Rules extension DLLs are disabled by default, and only one can be enabled at any time. To enable a rules extension, click Tools, select Configure Extensions, then select the Enable metaverse rules extension check box and the Enable Provisioning Rules Extension check box. Whenever you run an export or import management agent, MIIS loads and processes the DLL. Depending on the implementation, you might find that management agents that aren't designed to use the extension will fail or report errors when run, so you might need to enable and disable the failing agent manually or programmatically.

Listing 1 shows the code for a rules extension that creates a DN attribute for objects that will be written to an ADAM directory. Note that certain values are hard-coded, specifically the name of the management agent (DMZ ADAM, in this case) and a component of the DN that's unique to the ADAM directory, the partition common name (CN=DMZUsers,DC=CONTOSO,DC=COM).
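Listing 1 itself isn't reproduced here. The following C# rules extension is an added example written for this edition, not the article's listing and not code shipped with MIIS, that does the job the preceding paragraphs describe: it implements the IMVSynchronization provisioning interface, and for each metaverse person object that isn't yet joined to the "DMZ ADAM" agent it builds a DN under CN=DMZUsers,DC=CONTOSO,DC=COM and creates a new connector. The agent name and partition are hard-coded exactly as the article describes; using employeeID as the RDN value is an assumption of this example. The DN is built with EscapeDNComponent so that a value containing commas, plus signs, or equals signs can't add extra RDN components to the exported object.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example of an MIIS metaverse (provisioning) rules extension.
// Assumptions: the export agent is named "DMZ ADAM", the ADAM partition is
// CN=DMZUsers,DC=CONTOSO,DC=COM, and metaverse person objects carry employeeID.
public class MVExtensionObject : IMVSynchronization
{
    private const string AdamAgentName = "DMZ ADAM";                      // hard-coded agent name
    private const string AdamPartition = "CN=DMZUsers,DC=CONTOSO,DC=COM"; // hard-coded partition

    public void Initialize() { }
    public void Terminate() { }

    // Called for every metaverse object after synchronization.
    public void Provision(MVEntry mventry)
    {
        // Only person objects are provisioned into ADAM.
        if (mventry.ObjectType != "person")
            return;

        ConnectedMA adamAgent = mventry.ConnectedMAs[AdamAgentName];

        // Already joined to a connector in the DMZ ADAM connector space: nothing to create.
        if (adamAgent.Connectors.Count > 0)
            return;

        // Without the attribute that forms the RDN we can't build a unique DN,
        // so skip the object instead of guessing a name.
        if (!mventry["employeeID"].IsPresent)
            return;

        // Escape the RDN value, then append the fixed partition. EscapeDNComponent
        // escapes DN special characters so the value can't smuggle in extra components.
        ReferenceValue dn = adamAgent
            .EscapeDNComponent("CN=" + mventry["employeeID"].Value)
            .Concat(AdamPartition);

        // Create the connector; the agent's export attribute flow populates
        // the remaining attributes from the metaverse.
        CSEntry csentry = adamAgent.Connectors.StartNewConnector("user");
        csentry.DN = dn;
        csentry.CommitNewConnector();
    }

    // Leave deletion of metaverse objects to the deprovisioning settings
    // configured on each management agent.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

Compile this into a DLL, copy the DLL and its .pdb file to the Extensions folder, and enable it under Tools, Configure Extensions as described above; the first Export run profile for the DMZ ADAM agent then creates the new ADAM user objects.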

After you configure the management agent and put the rules extension in place, you can use an Export step to create a Run Profile for the agent. This step exports the objects in the metaverse to the connected directory. After the agent runs, MIIS displays the results of the operation. Web Figure 2 shows the results of an export operation. After you perform an export operation, it's a good idea to run an import operation to check that the export was successful.

Management agents don't need to be dedicated as import or export agents—they can both import and export attributes. Management agents that both import and export are typical for environments that require multiple directories to synchronize with each other. MIIS ships with a developer's guide and Help file, both of which contain details about how to implement rules extensions.

Now you know how to use IIFP to synchronize AD and an ADAM directory by creating import and export agents. To successfully export to a directory such as ADAM, you need to write a rules extension in Visual Basic .NET or Visual C# .NET. The full version of MIIS supports databases such as SQL Server as well as many third-party LDAP directory products, and rules extensions can easily accommodate these sources of identity. For more information about MIIS and IIFP, visit the Microsoft Web site at default.mspx.
