Microsoft touts groundbreaking 'clip-on' for Active Directory

Next Generation Active Directory is designed to add querying capabilities and performance never before possible in a directory

LOS ANGELES -- Microsoft will hand out beta code on Wednesday that it hopes will define the next evolution of directories. It is a modular add-on, built on a database, designed to add querying capabilities and performance never before possible in a directory.

The code is so early-stage it does not have an official name, although internally Microsoft calls it Next Generation Active Directory (NGAD). Microsoft introduced NGAD, which it calls a directory federation technology, on the second day of its annual Professional Developers Conference going on this week.


NGAD, however, is not a replacement for Active Directory but a "clip-on" that gives developers a single programming API for building access controls into applications, whether they run internally, on devices, or on Microsoft's Azure cloud operating system. Users will not have to alter their existing directories, but will have the option to replicate data to NGAD instances.

NGAD stores directory data in a SQL database and uses its table structure and query capabilities to express claims about users, such as "I am over 21" or "Henry is my manager." To protect the integrity of that data, each claim is signed by an issuing source, such as a company, and the signature travels with the claim no matter where it is stored, so a claim replicated into any NGAD instance can be verified against its issuer rather than trusted because of where it sits.

"You can answer questions in your directory that are currently impossible to even ask," says Kim Cameron, identity architect at Microsoft. "You can find out who had access to a file last September." He says NGAD is a reshaping of the programming model for Active Directory.

In addition, because applications query their own NGAD instances, the many new cloud or other applications won't be hammering the central Active Directory infrastructure with lookup requests, and administrators won't have to perform the often tricky updates to the directory schema that supporting those new applications would otherwise require.

"I don't want to do anything to let anybody think that I am going to diddle with Active Directory infrastructure, yet I want to leverage the infrastructure," Cameron says.

The intent is to create a "logical directory" that shares architecture elements such as schema and APIs but is not one monolithic identity store. Instead, users have multiple NGADs deployed to support specific cloud, internal or device-based applications.

"From the point of view of AD these would look like domain controllers, but you could do these magic queries," Cameron says. "I could say who are all the people who report up to Microsoft CEO Steve Ballmer; in AD that query would take hours."

The most distinctive characteristic of NGAD is its SQL database foundation. It includes a SQL-based "Repository," a central management database for application metadata that includes an identity deployment model. NGAD also introduces a schema called System.Identity and a System.Identity API. The API exposes the schema to developers through LINQ.

The directory also incorporates the "M" modeling language. The System.Identity schema has been available in Microsoft's Oslo CTP but the API is new.

As an add-on, NGAD is similar in concept to Active Directory Federation Services, a module for federating authentication across organizations, and Active Directory Application Mode (ADAM, since renamed Active Directory Lightweight Directory Services), which will eventually give way to NGAD.

NGAD lets users create complex relationships among the data it stores, such as friends, colleagues, roles, management chains, service assignments and machine sets. Those relationships can be used to create detailed claims that govern access control.

Currently, AD's only relationship construct is "group."

"In a directory there isn't the ability to do the kinds of relationships that you can do even in the world's worst database," Cameron says.
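Two of the points above, that signed claims carry their issuer's signature wherever they are stored and that relationship claims such as "Henry is my manager" can be walked with a database query that a group-only directory cannot express, can be demonstrated together in a small model. The following is an added example written for this page, not Microsoft's NGAD code or its System.Identity schema: the claims table, the HMAC-per-issuer signing (a real issuer would use an asymmetric key so that stores holding copies cannot mint claims), the `has_manager` predicate and the sample people are all assumptions. It stores signed claims in SQLite, exposes the verifier to SQL, and answers "who reports up to this person" with a recursive query that silently drops any claim whose signature no longer matches, including one altered in the store and one forged under an untrusted issuer.

```python
import hashlib
import hmac
import sqlite3

# Constructed issuer keys (assumption: one HMAC key per issuing source).
ISSUER_KEYS = {"contoso": b"contoso-issuer-signing-key"}


def _canonical(subject, predicate, obj, issuer):
    # The signature must cover every field; otherwise a store could re-point
    # a claim at a different subject or object and keep the old signature.
    return "\x1f".join((subject, predicate, obj, issuer)).encode("utf-8")


def sign_claim(subject, predicate, obj, issuer):
    return hmac.new(ISSUER_KEYS[issuer], _canonical(subject, predicate, obj, issuer),
                    hashlib.sha256).hexdigest()


def claim_ok(subject, predicate, obj, issuer, sig):
    key = ISSUER_KEYS.get(issuer)
    if key is None:  # unknown issuer: the claim is not trusted, wherever it is stored
        return False
    expected = hmac.new(key, _canonical(subject, predicate, obj, issuer),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def build_store(claims):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE claims (subject TEXT, predicate TEXT, object TEXT, "
               "issuer TEXT, sig TEXT)")
    db.executemany("INSERT INTO claims VALUES (?, ?, ?, ?, ?)",
                   [(s, p, o, i, sign_claim(s, p, o, i)) for (s, p, o, i) in claims])
    # Make the verifier callable from SQL so every query filters on signature validity.
    db.create_function("claim_ok", 5, claim_ok)
    return db


# Recursive walk over has_manager claims: everyone whose chain ends at the given manager.
REPORTS_SQL = """
WITH RECURSIVE chain(person, depth) AS (
    SELECT subject, 1 FROM claims
     WHERE predicate = 'has_manager' AND object = ?
       AND claim_ok(subject, predicate, object, issuer, sig)
    UNION
    SELECT c.subject, chain.depth + 1
      FROM claims c JOIN chain ON c.object = chain.person
     WHERE c.predicate = 'has_manager'
       AND claim_ok(c.subject, c.predicate, c.object, c.issuer, c.sig)
)
SELECT person, depth FROM chain ORDER BY depth, person
"""


def reports_up_to(db, manager):
    return db.execute(REPORTS_SQL, (manager,)).fetchall()


# Constructed sample claims: a three-level management chain plus an attribute claim.
SAMPLE_CLAIMS = [
    ("alice", "has_manager", "ceo", "contoso"),
    ("bob", "has_manager", "alice", "contoso"),
    ("henry", "has_manager", "bob", "contoso"),
    ("carol", "has_manager", "ceo", "contoso"),
    ("henry", "over_21", "true", "contoso"),
]


def demo():
    db = build_store(SAMPLE_CLAIMS)
    before = reports_up_to(db, "ceo")
    # Tamper in the store without the issuer's key: re-point Bob's manager.
    db.execute("UPDATE claims SET object = 'carol' WHERE subject = 'bob'")
    # Forge a claim under an issuer this store does not trust.
    db.execute("INSERT INTO claims VALUES ('mallory', 'has_manager', 'ceo', 'unknown', 'deadbeef')")
    after = reports_up_to(db, "ceo")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("reports before tampering:", before)
    print("reports after tampering: ", after)
```

Before tampering the query returns alice and carol at depth 1, bob at depth 2 and henry at depth 3. After the store rewrites Bob's manager, Bob's original signature no longer matches the row, so Bob drops out and Henry's chain is cut with him; Mallory's forged row is rejected because no trusted key exists for its issuer. The design point is that integrity comes from the issuer's signature being checked on every read, not from the database the claim happens to be replicated into.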

Another evolutionary element is support for newer Web technologies such as RSS and REST to connect instances of NGAD with an application or service. For example, an application could subscribe to an NGAD instance via RSS and receive updates to the claims data the instance stores.

"We are taking what we learned with LDAP generation directories and adding a kind of self-knowledge. The system knows how to update the data," Cameron says.

He says NGAD is in the very early stages and "there are still some really hard problems to solve." Microsoft's goal at PDC is to talk directly to developers, get them to look at the API, let them figure out how the new schema works and then listen to their feedback.

"We want to be open with what we are doing and have a relationship with the industry and lay it all out there," says Cameron, who over the past years has championed an industry-wide effort to create a standard framework around identity. He says this new effort won't be Microsoft centric and that his hope is for another standards-based industry push to define the technology.

NGAD is the next step in Microsoft's claims-based Identity MetaSystem strategy, which began in 2005 and defines a distributed identity architecture for multi-vendor platforms.

As Microsoft builds out its story around the cloud-based Azure platform, NGAD is one of the foundational elements developers can take advantage of for access control.

Microsoft did not lay out a timeframe for the NGAD directory add-on, but if it follows previous directory innovations by the company it could be released as a stand-alone product or baked into the next version of Windows.

Follow John Fontana on Twitter.

This story, "Microsoft touts groundbreaking 'clip-on' for Active Directory" was originally published by Network World.

Copyright © 2009 IDG Communications, Inc.