The first thing that struck me was how many good resources are available for learning Microsoft’s PKI. Back in 2000 when I first installed a Microsoft CA (Certificate Authority) there didn’t seem to be enough detailed information and over the past eleven years I have only had infrequent occasions to use the software. At this point I want to recommend Brian Komar’s book Windows Server 2008 PKI and Certificate Security (I got the Kindle version for about $39). I also wanted to mention Vadim Podans’ white paper on PKI and using the Quest AD Commandlets to managed. You can download the white paper here and you can get the latest version of the AD CMDLETS here.

I also wanted to give a special thanks to Chen and John from SafeNet for hooking me up with SafeNet middle-ware tools (above) and smart cards that I used for to prep for the session. The software was both intuitive and easy to deploy.

Just-in-Time manufacturing is a simple concept – rather than keep all the unassembled car parts in expensive warehouses, have them delivered to the factory at the time they are needed to assemble a car.  This idea stuck with me and has been rattling around in the back of my mind for the past twenty years. Dell later used a similar concept steal market share away from IBM and Gateway who were building huge numbers of PCs and storing them until they were sold – while Dell built PCs that were already sold.

A project I have been working on for the past year or so was applying Just-in-Time concept to the process of granting users access to applications or data. The idea is that when a user attempts to access a resource for which they have not been granted access – the access attempt kicks of a self-service process or an automatic grant of access.

While I have seen other applications perform similar activities, many people have seen Microsoft SharePoint’s basic request access feature. The challenge I see with SharePoint is that it only allows generic requests that don’t allow the user to select the level of access they wish nor does it tell the user the state of their access request. Both are needed and both must be components of any more complete solution. A more complete solution must also provide access to more than just SharePoint; files, folders and applications access are also desperately needed.

Today, we posted a technical preview of Just-in-Time Access Provisioning called the ActiveRoles AuthX Provider The provider not only integrates authentication using SAML between AD users and Google Apps, it also can trigger a self-service access request through ActiveRoles if the user does not yet have an account. Once the request is approved a Google account is created. The next time the user points his/her browser to Google Apps URL the Provider seamlessly authenticates the user by doing an account mapping of AD user to the Google account and creates a SAML token that automatically signs the user into their Google Apps account. We created a 2 minute video showing the process so you can see how this works. The video was a little long and choppy at some points so I cut it down to about 2 minutes.

 Video:ActiveRoles Access Provider

• Access Accountability
• Authorizing groups today using roles and attribute access control (ABAC) to resources
• Authorizing groups in the future with emerging technologies
• Moving from Group Management to Access Governance and the keys to success

Presented by:
Robert Bobel, Platform Director of Product Management, Quest Software
Jason Barnett, Partner and Information Security Practice Manager, Ingenuity Associates,

View Archived Webcast

http://www.quest.com/Quest_Site_Assets/SuccessStories/CSW_CMH-ARSPM-US-MJ.pdf

So I finally gave up trying to remember my long lost password and with great shame and discrase I sheepishly clicked the “I forgot my password” link. The next screen told me to check my email for a temporary password then enter that on temporary password line of the web page now presented to me, which I did.

Then all hell broke loose. When I entered a new password using some basic complexity rules this is what I saw:

How the heck would anyone in their right mind be able to construct a password with those rules and then actually remember that password more than a day or two later? After looking at this screen I realized that my bank, credit card company, my on-line action company all have similar horrible password policies that defy anyone to work over the internet un-impeded. This really pointed out to me the need for new technologies like Microsoft’s Geneva claims server or the existing MyOpenID where athentication becomes a service that many different applications can use to simplify the lives of us dumb users.