Using HIS
Host Integration Server 2006 (HIS 2006; http://www.microsoft.com/hiserver)
is the most recent version of Microsoft's mainframe gateway server software.
Earlier Microsoft HIS versions were referred to as SNA Server. HIS 2006 helps
enterprises integrate their mission-critical host-based applications, data sources,
messaging, and security systems within a Microsoft .NET-oriented architecture,
enabling the reuse of IBM mainframe and midrange (IBM AS/400) data and applications
across distributed environments.
HIS comes with an optional component called Enterprise Single Sign-On (ENTSSO)
that can provide single sign-on (SSO) services between Windows and mainframe
or midrange system environments. ENTSSO is a good example of a server-side credential
caching-based SSO solution. In addition to server-side credential caching-based
SSO, ENTSSO can also be used for bidirectional password synchronization between
Windows and non-Windows environments. ENTSSO includes password synchronization
interfaces and the PCNS. This is the same PCNS as for ILM and IIFP, which I
explained previously. The PCNS can also send password change notifications to
an HIS ENTSSO server.
Finally, HIS includes an agent that can make ENTSSO password synchronization
bidirectional when synchronizing with AS/400 systems. For mainframes, a third-party
software agent is required to achieve complete bidirectional synchronization
with the security systems of IBM's Resource Access Control Facility (RACF) and
ACF2, and CA's Top Secret. An example of a software vendor that provides an
additional HIS ENTSSO password synchronization agent is Proginet (http://eps.proginet.com).
Using Services for NetWare
Services for NetWare is a software package that Microsoft provides at no additional
cost and that simplifies the integration of AD and Novell Directory Services
(NDS), eDirectory, or bindery-based environments. Services for NetWare can also
provide one-way password synchronization from AD to a bindery, NDS, or eDirectory.
The latest version is Services for NetWare 5.03; for more information, go to
the Microsoft Windows Services for NetWare 5.03 Overview Web site (http://www.microsoft.com/windowsserver2003/techinfo/overview/sfncd.mspx).
Services for NetWare lets you use one of the following methods for password
synchronization:
- After users are copied from a bindery, NDS, or eDirectory to AD, the users
are prompted to change their passwords when first logging on to AD. The
new AD passwords are then synchronized with the corresponding password attributes
in a bindery, NDS, or eDirectory. This method is called initial reverse
synchronization.
- When user accounts are created in NDS or eDirectory, the new user objects
are copied to AD. When the new users successfully log on to AD, they're
prompted to change their passwords. The new passwords are then copied to
NDS or eDirectory.
- When users change their passwords or when an administrator resets user
passwords in AD, the new passwords overwrite the existing bindery, NDS,
or eDirectory passwords.
Or Using Third-Party Solutions?
The password synchronization solutions I discuss in this article each have unique
characteristics and target specific synchronization scenarios. Obviously many
other password synchronization solutions exist. Password synchronization logic
is included in all of today's identity provisioning software (e.g., IBM Tivoli
Identity Manager, HP OpenView Select Identity). In addition, specialized password
synchronization products are available (e.g., M-Tech's P-Synch, Courion's PasswordCourier).
Comparing the non-Microsoft provisioning solutions with ILM is difficult; the
products have equivalent features and their differences are minor. However,
the specialized password synchronization products stand out because they support
a much wider range of connected repositories. These solutions also include a
self-service password reset Web site (where end users can reset their passwords
or unlock their accounts if they get locked out), a Help desk password reset
portal (where Help desk personnel can reset passwords and unlock accounts),
and several other key features such as a phone interface for password resets,
automated password expiration emails, and logon script password expiration notifications.
Of course, these extra features aren't free—so you need to decide whether
your needs justify their cost. Microsoft's password synchronization solutions
might well be your best bet.