Microsoft Active Directory Encryption

It’s rare for any organization to be without at least one Microsoft Active
Directory® (AD) server, and for many it is a fundamental part of their
identity infrastructure. While it has many advantages, Active Directory
also has limitations and complexities that make an infrastructure
difficult to manage and administer.

Encryption is one area that can create problems for Active Directory
administrators. An Active Directory instance may perform well without
encryption, but enabling TLS/SSL on the domain controllers adds a
handshake cost per connection and an encryption cost per packet, and that
cost is carried by the whole infrastructure rather than only by the
clients that need it. TLS/SSL is necessary for authentication across an
insecure channel such as the Internet, so administrators who provision
access for “external” parties are often forced to consider upgrading the
hardware of the Active Directory domain. A second problem is password
management. Although Active Directory speaks LDAP, it does not accept
password changes written to the standard userPassword attribute: the new
password must be written to the unicodePwd attribute as a double-quoted
string encoded in UTF-16LE, and the domain controller only accepts that
write over an encrypted connection. A “standard” LDAP modify of
userPassword therefore fails. This is no problem for Windows-based tools,
but user management applications designed for a normal LDAP environment
may be incapable of sending password requests in the required form and
therefore cannot be integrated into the infrastructure.

Symlabs Virtual Directory Server is a middleware application that can
behave as an LDAP proxy, creating an efficient TLS/SSL termination point
through which Active Directory access can be provisioned securely for
external clients. Front-end and back-end connectivity are configured
independently, so TLS/SSL can be offered to external applications
without enabling it on the domain controllers, avoiding the performance
penalty for query traffic. Note that the hop between the proxy and the
domain controllers then carries the traffic in whatever form the back-end
connection provides, so it belongs on a trusted network segment or should
itself be protected (by LDAPS or by SASL signing and sealing); and because
Active Directory refuses unicodePwd writes over an unencrypted
connection, password changes relayed by the proxy need an encrypted
back-end connection regardless.

Symlabs Virtual Directory Server can also manipulate the LDAP requests
and responses it routes between client applications and back-end
servers, so any request or response can be modified on the fly to
conform to what the other side expects. Simple scriptlets can intercept
password change requests, rewriting a userPassword modify into the
unicodePwd form Active Directory requires, and so establish
compatibility between AD and standard LDAP user management tools. Also
included is an ACL plug-in that can further improve overall security by
adding data access controls specifically for external users without
altering the existing AD access rules.

Active Directory is a registered trademark of Microsoft Corporation. An
LDAP-based directory service developed by Microsoft, Active Directory is
a central component of the Windows platform that provides a means to
manage the identities and relationships that make up network
environments. Active Directory Domain Services is commonly used to manage
a Windows® domain infrastructure.

- Protect LDAP connections with TLS/SSL while improving performance
- Safely offer external queries without affecting existing AD infrastructure
- Create access rules specifically for external users for added security
- Integrate LDAP user management applications with an AD environment