Microsoft Wednesday began a new offensive in its efforts to convince network executives that its Active Directory is ready to break the bounds of the firewall and become a viable platform for supporting security services on corporate extranets.
The effort comes despite the fact that Active Directory is missing features Microsoft previously touted as important to making such a transition. Those features are caught up in the delay of Windows.Net Server, the successor to Windows 2000.
Although critics have repeatedly questioned Active Directory's qualifications as an extranet directory to manage, authenticate and authorize use of network resources by users outside an organization, Microsoft says its directory is now proving those critics wrong.
The company Wednesday announced at NetWorld+Interop 2002 Las Vegas that Blue Cross/Blue Shield of South Carolina and Sallie Mae Corp. are enterprise customers using Active Directory to support up to millions of user authentications in an extranet.
The company also cited recent benchmark tests from test lab Mindcraft that show Web access management software supported by Active Directory can support up to 20 million users on systems using up to 20 processors.
"I think the original criticism that Active Directory was not an extranet directory was unfounded," says Jackson Shaw, product manager for Active Directory. "A lot of people said, 'show us,' and we've done it through the Mindcraft benchmarks and the customer deployments. What you are seeing today is the start of the big push for extranet deployments."
But the customers and benchmarks are overshadowed by the fact that Microsoft does not have any new directory features to offer that specifically support extranet deployments.
For the past year, Microsoft has been trying to persuade corporate customers that its directory can be used on their extranets as a way to manage users and control access to Web-based applications, but the software it has put behind that effort has not shipped.
The extranet capability in Active Directory is expected to help IT executives create a consistent layer of directory-based user management across both the internal and external portions of their networks.
The extranet is becoming a strategic security boundary as companies push more and more e-commerce over their firewalls and out to business partners and customers.
The extranet also takes on an increasing level of importance in Microsoft's .Net initiative and Web service strategy, as the company tries to deliver software as a set of services made available over the Internet.
Microsoft needs to convince companies that Active Directory is equal to Sun's Sun ONE Directory Server and Novell's eDirectory, the leaders in the extranet directory market.
"Microsoft has to show momentum, but really they are frozen in place," says John Enck, research director with Gartner. "The issue is that big Microsoft shops want the extranet solution so Microsoft is trying to show growth in that area."
Enck, however, says decisions on extranet directories boil down to platform choice between Windows and Solaris and are not a choice between Active Directory and other directories. "I have not seen anyone choose Active Directory as a new product to support an extranet," he says.
Microsoft is frozen because Windows.Net Server, which includes two extranet directory features the company played up last year, has been delayed twice and is not expected to be generally available until early next year.
"If you are putting up a 10 million-user extranet I'd say Active Directory would be hard pressed to handle that," Enck says. "But a smaller installation, say of 5,000 users - you can do that and then grow into a larger deployment as Active Directory evolves."
Microsoft, however, says Sallie Mae is using Active Directory to support authentications for 1.5 million extranet users.
Despite that, experts say Microsoft needs to add more Lightweight Directory Access Protocol (LDAP) interfaces to reduce reliance on its proprietary Active Directory Service Interfaces. Microsoft also has to somehow separate Active Directory from the overhead created by the network operating system (NOS) environment, such as the reliance on Microsoft's proprietary Security Accounts Manager and the inclusion of DNS features.
Also, the company needs to add more flexibility for adding, modifying and deleting schema, which defines the structure of the directory.
Sun ONE Directory Server is a general-purpose LDAP-enabled directory that now dominates the extranet market. Novell's eDirectory also is a strong competitor. The hallmarks of those directories are performance, scalability, standard interfaces and operating system independence.
Active Directory is best known as a Windows network operating system directory, or NOS directory. A NOS directory is coupled with an operating system to support management of users and resources inside a corporation.
In April of last year, Microsoft challenged that reputation, saying its Windows.Net Server would support two LDAP extensions that would start to move Active Directory onto the extranet playing field.
Those extensions are inetOrgPerson, a standard way to represent a user in a directory, and Concurrent Bind, a mechanism for boosting LDAP performance. Both are supported by Sun ONE and Novell.
Microsoft's Shaw says those two extensions will be nice additions but are not holding up extranet deployments.
Some observers say Microsoft needs to create two versions of its directory, one that is a pure LDAP-enabled engine for extranet deployments and one with a NOS focus.
A year ago Microsoft said it would not do that, but insiders say that option is now on the table. Microsoft officials did not offer comment.
"We have people deploying in an extranet role right now," Shaw says. "We were not a player here a year ago, but we are becoming one now. We have the scalability and supporting evidence now. The technical aspects are there."