Friday, May 12, 2006

What Exactly Does "AD Integration" Mean?

A year or so ago, we bought an application for managing help desk requests. One of our requirements was Active Directory integration. The product we selected said they integrated with AD. The project was a bit rushed so we didn't conduct due diligence like we should have and we just bought the application.

For this application, AD integration actually meant that periodically (every 24 hours by default), the application would query AD and get the current user base and then replicate the same information in its own database. This means the application didn't authenticate through AD; it maintained its own permissions database.

Perhaps there are good reasons for designing the application this way but to me, it just seems unnecessary. The whole point to AD is to manage user access to network resources. Why does it make sense to create a redundant permissions database? This creates more overhead for system administrators and it adds a level of complexity to troubleshooting because the application's home-brewed authentication is another layer that needs to be troubleshot. Whenever I see solutions like this, my inital reaction is: These guys don't know how to query AD in code.

Yet, in direct contradiction to my theory is Microsoft's ISA Server 2004. Internet Security & Acceleration Server is used to manage user access to network and internet protocols. ISA uses various kinds of object definitions to accomplish this: protocols, applications, ports, users, domains, URLs, etc. You'd think the User object would be AD objects because it's a Microsoft application.

But no. You can't write access rules directly to AD objects like users or security groups. You have to create an ISA group, populate the group with AD users or security groups and then use the ISA User object to define who is affected by a rule. This is not AD integration.

SQL Server has a similarly schizophrenic authentication model. You can run SQL in mixed mode, which allows you to use Windows authentication or with SQL auithentication. With SQL 2005 and later releases of some of their applications (e.g. CRM 3.0) it seems that Microsoft is moving away from SQL authentication toward Windows credentials. This is as it should be.

My point in this post is to be aware of what various technical terms mean because there are often two definitions to important tech terms: the marketing meaning and the technical meaning. My mantra is to always distrust the brochure and the sales guy. Don't assume that important technical terms mean what you think they ought to mean. Always clarify the definition because sales people tend to be oriented around seelling to marketing definitions not technical ones.