Thursday, April 28, 2005

Install AD\AM !

Install AD\AM, the Secure Windows LDAP Service

Microsoft introduced a portable, scalable, and secure Lightweight Directory Access Protocol (LDAP) directory service derived from its network operating system (NOS) directory, Active Directory (AD). The service is called Active Directory [surprise, surprise] Application Mode, or AD\AM for short. AD\AM is a simple yet capable LDAP service that you can use to handle authentication for your online applications without deploying a full-blown NOS directory.

Why Use AD\AM?
AD\AM is an LDAP directory that is primarily used to store users, groups, and other objects representing organizations or other associations. It lets you implement authentication and access control in your applications without writing large amounts of credential-validation or user-management code.

AD\AM provides the following capabilities, which separate it from AD:

  • Simple backup and recovery – Each AD\AM instance keeps all of its directory data in a single database (.dit) file.
  • Easy installation and clean uninstall – It requires neither working DNS nor additional server components.
  • Extended support for X.500-style directory naming (for example O= and C= naming contexts) rather than just DNS-style (DC=) naming.
  • Effortless schema extensions – AD\AM has its own schema, so extending it has no impact on a production Active Directory environment.
  • Free download from Microsoft – AD\AM itself has no license cost.
  • Multiple instances can run on the same machine, each listening on its own LDAP and SSL ports (similar in concept to multiple instances of SQL Server 2000).

AD\AM has a number of great features that make it perfect for an online authentication system:

  • Password Policies – AD\AM enforces the password policy of the computer it runs on (the local policy on a standalone machine, the domain policy on a domain member), so you can require that a user's password meets length and complexity requirements (number of characters, mixed case, digits, symbols, and so on) without writing that logic yourself. Have you ever tried to write that code? What a pain!
  • Hashed password store – AD\AM stores passwords in the same protected, one-way-hashed form as Active Directory, so a password cannot be read back out of the database; an attacker who obtains the .dit file is left with offline guessing, which is exactly why the password policy above matters. The exception is the "store password using reversible encryption" option, which you should leave off.
  • Ability to use Active Directory authentication for internal users – AD\AM can redirect a bind to Active Directory (bind redirection through userProxy objects), so AD authenticates internal users of the online application while the application's own data stays in AD\AM.

AD\AM scales out in much the same way as Active Directory. Given all the good things about AD\AM, what are its limitations?

  • AD\AM installs only on Windows XP (SP1 or later) and Windows Server 2003 Standard, Enterprise, and Datacenter Editions; it does not install on Windows 2000 (any edition) or Windows Server 2003 Web Edition.
  • On Windows XP, the AD\AM install is a limited release: you are limited to 10,000 objects within the AD\AM instance.
  • AD\AM currently does not integrate completely with Microsoft's Authorization Manager (nicknamed AzMan). This is reportedly cleaned up in SP1 for Windows Server 2003 (no promises though!).
  • AD\AM is not a Kerberos KDC: its own users can only authenticate with LDAP binds. If you need Kerberos, you need Active Directory (and probably not over the Web!).
  • Pass-through (userProxy) authentication requires the AD\AM host to be a member of the domain whose users it redirects binds for.
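The authentication and pass-through bullets above both rest on the LDAP simple bind, and its one security property worth seeing on the wire is that the password travels in the clear: with bind redirection the AD\AM host receives the user's Active Directory password and forwards the check to AD, so an unencrypted bind exposes a domain credential, not just an application one. The Python below is an added example written for this page, not code from the post or from AD\AM itself; it BER-encodes an LDAP BindRequest exactly as RFC 4511 lays it out (message ID, protocol version 3, the bind DN, the simple-credentials choice) and then parses it back the way a sniffer on the network segment would. The DN, password and message ID are constructed.

```python
# BER tags used by an LDAPv3 BindRequest with simple authentication.
SEQUENCE = 0x30            # LDAPMessage and BindRequest bodies
INTEGER = 0x02             # messageID and version
OCTET_STRING = 0x04        # the bind DN
BIND_REQUEST = 0x60        # [APPLICATION 0] constructed
SIMPLE_CREDS = 0x80        # AuthenticationChoice.simple, [0] primitive


def _ber_length(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def _ber_integer(value):
    """Two's-complement INTEGER for non-negative values (adds a leading
    zero byte when the top bit would otherwise read as a sign bit)."""
    return _tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def encode_simple_bind(message_id, bind_dn, password):
    """Build the bytes an LDAP client sends for a simple bind."""
    bind = _tlv(BIND_REQUEST,
                _ber_integer(3)
                + _tlv(OCTET_STRING, bind_dn.encode("utf-8"))
                + _tlv(SIMPLE_CREDS, password.encode("utf-8")))
    return _tlv(SEQUENCE, _ber_integer(message_id) + bind)


def _read_tlv(buf, pos):
    """Return (tag, content, next_position) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(message):
    """What a passive observer recovers from a captured simple bind:
    (message_id, version, bind_dn, password), or None if the message is
    not a simple BindRequest (for example a SASL bind)."""
    tag, body, _ = _read_tlv(message, 0)
    if tag != SEQUENCE:
        return None
    _, message_id, pos = _read_tlv(body, 0)
    tag, bind, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, creds, _ = _read_tlv(bind, pos)
    if tag != SIMPLE_CREDS:
        return None
    return (int.from_bytes(message_id, "big", signed=True),
            int.from_bytes(version, "big", signed=True),
            name.decode("utf-8"),
            creds.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample bind; the DN and password are not real.
    wire = encode_simple_bind(1, "CN=jdoe,CN=Users,CN=App,DC=example,DC=com", "P@ssw0rd")
    print(wire.hex())
    print(parse_simple_bind(wire))
```

The practical consequence is that simple and proxy binds against AD\AM belong on the SSL port (636 by default), with a server certificate installed on the instance; AD\AM's directory service settings include RequireSecureProxyBind, which by default refuses bind redirection over an unencrypted connection, and the companion RequireSecureSimpleBind for ordinary AD\AM users is worth turning on as well.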

AD\AM comes in six different flavors. When you download AD\AM, be sure to select the version that matches your platform and requirements.

File Name | Platform | Download Link | File Size (Bytes)

You can review the information about the individual downloads from the Microsoft AD\AM download site.
