List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only; to contribute you will need to join our list community.
When subscribed to the list, use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: RE: [ActiveDir] [Sauntering Vaguely OT - Passwords in the Cloud, Was: Re: [ActiveDir] Powershell and AD password hashes]

fitzstewart
02/12/2010 5:02 PM  
The BPOS-D offering IS a cloud offering - just not a public cloud. A
private cloud is still a cloud, at least by current definitions. That's
where it's getting confusing, and it's not just Microsoft -
public/private/hybrid is what I've been using. And some people use even
more definitions. Still a cloud though, just a slightly different
implementation.
-fitz
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Arkills
Sent: Thursday, February 11, 2010 5:42 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] [Sauntering Vaguely OT - Passwords in the Cloud,
Was: Re: [ActiveDir] Powershell and AD password hashes]
No, that's entirely different. BPOS-D is not really a cloud-based service;
it's a hosted solution. Yeah, I know the line is pretty grey.
BPOS-D leverages your existing AD infrastructure, introducing a "resource
forest" that MS owns where your *dedicated* Exchange, Sharepoint, OCS, etc.
servers live. Each of your on-premise AD domains is trusted by this
"resource forest" and their special "Mississippi" tool (which is just a
special canned version of ILM) handles the merging, directory sync, etc. So
at the end of the day, your users still log in with their on-premise user
account. And you are still in control of your identity management and
provisioning. Collaboration is limited to those domain and federation trusts
you already have in place on-premise.
This is completely different than the BPOS model, which you might think of
as BPOS "shared". BPOS shared is cloud-based, leveraging the Windows Live ID
system. Your users' mailboxes are strewn across shared servers with others.
That Windows Live ID is linked to yet another Windows domain/forest where
the Exchange servers for BPOS live. You can create and initially provision
some of the attributes on a Windows Live ID for them. You can send password
updates for them. You can send attribute updates on the linked Exchange
account for them. You can *not* send attribute updates on the Windows Live
ID for them. There is a completely different directory sync tool used here
than with BPOS-D. Microsoft has some plans for federation with Windows Live
IDs (and I'm privy to some of the details under NDA so I'm trying not to say
much), which you can discover based on public statements (e.g. look for
references to the MS Federation Gateway), but it is publicly unclear what
functionality is enabled in that scenario. So with this model, your users
log in with a Windows Live ID which you have very little control over, and
they consume commodity Microsoft services. Collaboration here can be with
anyone in the Windows Live space, and potentially with anyone that Microsoft
federates with.
It's really unfortunate that Microsoft has given a hosted offering a similar
name as a cloud offering, because there are many points of confusion that it
creates.
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Jim Katoe
Sent: Thursday, February 11, 2010 2:07 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] [Sauntering Vaguely OT - Passwords in the Cloud,
Was: Re: [ActiveDir] Powershell and AD password hashes]
Copying password hashes into the cloud is not how it is supposed to work
with MS's Exchange Online.

The link below has several whitepapers regarding BPOS-D. Check
out the identity & provisioning paper.

http://www.microsoft.com/downloads/details.aspx?FamilyID=cf7d4db8-4e7c-4077-87ea-b64c57e4c98c&DisplayLang=en
MS wants you to colocate domain controllers on their site, which is a
security concern, but a different kind.
On Thu, Feb 4, 2010 at 4:01 AM, Lee Flight <lef@leicester.ac.uk> wrote:

Exchange 2010 is nodding towards federation in terms of
Calendar/free-busy [1] but then given the positioning of the product
as the first on-premise/cloud I guess it must. I think it will be
interesting to see how experience with this could be mapped to inside
an enterprise so e.g. where one might have used an Exchange resource
forest. Equally when some of the System.Identity stuff is available it
might start to build experience on how to look at this inside an enterprise,
treading where some of the SAML (and web client SSO) efforts have trod
before. I think there is a big hill to climb with existing AD security
mechanisms and natively mapping those to roles in the way that some 3rd
party products do using AD groups etc. and having those roles meaningfully
usable for GRC audit.

On the *Microsoft* client side again maybe lessons from the cloud will lead
to thinner more web-like clients (current OWA, future office).

But the gradient of the learning curve for federation will need lowering
somewhat like out of the box Kerberos that came with Windows 2000 maybe?

Lee Flight

[1] http://technet.microsoft.com/en-us/library/dd335047.aspx

On Wed, 3 Feb 2010, Joe Kaplan wrote:

This is definitely the direction. Unfortunately with the current crop of
dependent products (Exchange/OWA/Outlook), none of them are very
"fed-friendly" yet. Exchange itself is very directory dependent which adds a
ton of additional complexity but at the raw auth level, the clients aren't
there yet in terms of supporting the existing fed protocols MS is advancing.
The Fed story is much better for pure web apps but the fat clients are going
to take a longer time to get there.

Any bets on how long we'll remain in the current muddled state of "dark and
gloomy" cloud computing? :)

Joe K.
----- Original Message ----- From: "Fitz Stewart" <fitz_stewart@hotmail.com>
To: <activedir@mail.activedir.org>
Sent: Wednesday, February 03, 2010 9:57 AM
Subject: RE: [Sauntering Vaguely OT - Passwords in the Cloud, Was: Re:
[ActiveDir] Powershell and AD password hashes]


I think the direction of the industry is more toward federation in the cloud
rather than synchronization - to avoid these kinds of potential issues. We
need more widely adopted standards however (SAML vs WS-Federation) for
interop. The situation kind of reminds me of the early days of
client/server networking when there was your Token-Ring camp and your
Ethernet camp, and your IPX/SPX camp and your TCP/IP camp. Until those
things shook out, things didn't really explode.

-fitz

-----Original Message-----
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Laura E. Hunter
Sent: Wednesday, February 03, 2010 9:50 AM
To: activedir@mail.activedir.org
Subject: [Sauntering Vaguely OT - Passwords in the Cloud, Was: Re:
[ActiveDir] Powershell and AD password hashes]

The notion of syncing corporate AD passwords out to the cloud scares
the right bejesus out of some very smart Identity people.

http://eternallyoptimistic.com/2009/12/14/kick-me-for-cloud/
--
Jim Katoe
m:917 520 0119
Loganville, GA
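The resource-forest arrangement Brian describes above (a hosted forest that trusts each of your on-premise domains) stands or falls on the trust objects you create for it. The following is an added example, not code from the thread or from Microsoft's BPOS-D tooling: it inventories the trusts visible from the domain you run it in and flags the settings a reviewer would want to look at, using only the properties that Get-ADTrust from the ActiveDirectory (RSAT) module returns. The resource forest name is a placeholder; substitute the real one.

```powershell
# Added example (not part of the original post). Requires the ActiveDirectory
# module and an account that can read trustedDomain objects in this domain.
Import-Module ActiveDirectory

# Assumed placeholder for the hosted resource forest's DNS name.
$ResourceForest = 'resource.example.com'

function Get-TrustReview {
    param(
        # DNS name of the partner forest/domain to focus on; empty = all trusts.
        [string]$Partner
    )

    Get-ADTrust -Filter * -Properties * |
        Where-Object { [string]::IsNullOrEmpty($Partner) -or $_.Target -like "*$Partner*" } |
        ForEach-Object {
            $t   = $_
            $dir = "$($t.Direction)"
            $findings = New-Object System.Collections.Generic.List[string]

            # Direction is from this domain's point of view:
            #   Inbound  = the partner trusts us; our accounts can be granted rights there.
            #   Outbound = we trust the partner; its accounts can be granted rights here.
            # A resource forest only needs to trust the account domain, so from the
            # on-premise side an inbound trust is sufficient. Anything wider gives
            # the hosted forest's principals standing in your own domain.
            if (@('Outbound', 'BiDirectional') -contains $dir) {
                $findings.Add('Trust is outbound or two-way: partner principals can be granted rights in this domain')

                # Selective authentication applies to the trusting side: without it,
                # every authenticated user of the partner can authenticate to any
                # resource here that grants "Authenticated Users".
                if (-not $t.SelectiveAuthentication) {
                    $findings.Add('Selective authentication is off on an outbound trust')
                }
            }

            # TGTDelegation allows Kerberos TGTs to be forwarded across the trust
            # (unconstrained delegation). It should not be needed for mailbox hosting.
            if ($t.TGTDelegation) {
                $findings.Add('TGT delegation is enabled across this trust')
            }

            [pscustomobject]@{
                Source                  = $t.Source
                Target                  = $t.Target
                Direction               = $dir
                TrustType               = "$($t.TrustType)"
                ForestTransitive        = $t.ForestTransitive
                SelectiveAuthentication = $t.SelectiveAuthentication
                # SID filtering is reported raw; expect it to be enabled so that
                # SID history carried by partner principals is not honoured here.
                SIDFilteringQuarantined = $t.SIDFilteringQuarantined
                SIDFilteringForestAware = $t.SIDFilteringForestAware
                TGTDelegation           = $t.TGTDelegation
                Findings                = ($findings -join '; ')
            }
        }
}

# Review only the trust(s) involving the hosted forest; drop -Partner to see all.
Get-TrustReview -Partner $ResourceForest | Format-List
```

Run it in each on-premise domain that participates in the arrangement, since each domain's trustedDomain object is what that domain enforces; the hosted side's configuration is not visible from here and has to be checked with the provider.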

