28th September 2011
MADDOX Project
Nigel Brown / Adrian Parks
OUCS
Breakout Session 1: How do you use AD?
Authentication and authorisation?
Domain-based workstations and services?
Third-party applications?
Network appliances?
Does it use a cross-realm trust?
Does it have schema extensions?
How are accounts provisioned?
Any other usage?
Background
1999:
• Initial AD design work
2000-2007:
• Increased use of AD
• Direct cross-realm trust
2008:
• Initial work on Nexus AD
2011:
• Project MADDOX
Background
In 2008, we considered offering the Nexus AD for wider use
Four scenarios considered
https://talkshop.itss.ox.ac.uk/talkshop/viewtopic.php?t=69
Scenarios 1 & 2: Central AD Forest
Project MADDOX
• To offer an enhanced level of support for integration of Microsoft Active Directory based domains with central identity and access management services
Project MADDOX
- Investigate/examine feasible scenarios
- Test the scenarios
- Pick the most sensible scenario
- Implement it
Project MADDOX Scenarios
• Native AD trust
• Indirect cross-realm trust
• Direct cross-realm trust
Scenario A: Native AD trust
Scenario B: Indirect cross-realm trust
Scenario C: Direct cross-realm trust
What we tested
• Domain authentication (and Group Policy)
• File & Print access
• IIS authentication (from browser)
• SharePoint
• SQL Server
…but only from Windows clients
Results & Conclusions
| | Native AD | Indirect Trust* | Direct Trust |
|---|---|---|---|
| Domain Authentication | | | |
| File and Print Access | | | |
| IIS Authentication | | | |
| SharePoint | | | |
| SQL Server | | | |

* Microsoft support call raised.
NOTE: For all tests the workstation must be a member of the local AD.
Breakout Session 2: How does a central AD help you?
• Processes/Procedures?
• Applications?
• Appliances?
…what else?
Every Service has Benefits and Costs
• How do you place a value on a service?
• Would the service save you time?
• Would the service save you money?
• Could it be chargeable?
• What is its worth?
Breakout Session 3: Costs and Benefits
Value | Cost
Next Steps
• Incorporate Feedback
• Assess the Options
• Consider cost-effectiveness
• Pick a solution
• Implement the selected solution