Microsoft Unveils TrustBridge
Single Sign-On Across the Enterprise
- By Scott Bekker
Microsoft fleshed out its roadmap for federated Web services on Thursday by detailing a new Windows technology for cross-company user authentication that goes by the code-name "TrustBridge."
The new technology reinforces Microsoft's step away from initial .NET-related plans to provide its own megaservices for hosting everything from consumer data to corporate authentication data at Microsoft. While Microsoft is continuing its drive to host consumer data through Passport and other consumer services, with corporate customers Microsoft is moving toward its more familiar role of selling straightforward software infrastructure pieces that allow companies to retain control of their own data.
Steven VanRoekel, director of Microsoft Web services technical marketing, says TrustBridge is designed to allow more accessible, manageable and secure networks between business partners.
"Say I'm a corporation and you're an HR outsourcing company. If we want to entrust each other today, what you would do as an HR outsourcer is create a separate username and password for every single user. Users have to remember both usernames and passwords," VanRoekel says.
Using the newly released WS-Security specification and Kerberos, TrustBridge would be a Windows technology sitting at the edge of a network that would handle authentication of users transparently. In VanRoekel's example, a user would be able to open up My Network Places, go to the HR outsourcer's network and open an address form or W-2 form that she is entitled to edit without having to enter any passwords after authenticating within her internal network.
For the HR company, the approach means simply trusting the client company and granting group rights to certain documents and folders. For the client company, the approach means that a laid-off employee whose internal account is shut down is automatically barred from causing trouble in business partners' networks as well.
Technically, TrustBridge solves the business problem by building on the Cross-forest Trust capabilities being built into the Active Directory in the forthcoming Windows .NET Server operating systems.
Cross-forest Trusts were created to allow companies with mature Active Directory infrastructures to merge, a thorny issue in the original release of Active Directory. Under the Active Directory to ship with Windows .NET Server, such merged companies can simply have each existing Active Directory infrastructure trust all users from the Active Directory infrastructure of the other company.
The approach works within the firewall of a merged company, but is far too loose from a security standpoint for companies entering temporary or limited business arrangements across the Internet.
"To do that, both companies would have to go to their firewall and open up a ton of ports. It's unacceptable to customers because it leaves them susceptible to all kinds of security problems," VanRoekel says.
TrustBridge uses WS-Security, a Web services specification built atop the Simple Object Access Protocol (SOAP) and announced in April by Microsoft, IBM and VeriSign. The WS-Security specification adds new security elements to SOAP messages to support message encryption, digital signatures, security tokens and the like.
The fact that TrustBridge will use WS-Security-enhanced SOAP messages means companies can transfer all necessary authentication data over Port 80, leaving closed the host of other ports normally involved in authentication transactions.
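The two ideas above, a partner network that simply trusts the client company's directory and grants rights by group, and authentication data carried inside the SOAP message itself, can be shown in miniature. The following is an added example written for this article, not Microsoft's TrustBridge code: the client company's directory mints a short-lived token signed with a key shared with the HR outsourcer (an HMAC stands in for the Kerberos ticket the real system would carry), the token travels in a wsse:Security header of a SOAP envelope, and the outsourcer's edge service verifies it and maps groups to document rights. The issuer name, users, groups, document names and the shared key are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
TOKEN_TTL = 300  # seconds a token stays valid

# Constructed shared secret standing in for the cross-organization trust (demo only).
PARTNER_KEY = b"constructed-demo-key-not-for-real-use"


class Directory:
    """The client company's directory: the only party that can mint tokens for its users."""

    def __init__(self, issuer, key):
        self.issuer = issuer
        self.key = key
        self.accounts = {}  # user -> {"enabled": bool, "groups": [...]}

    def add_user(self, user, groups):
        self.accounts[user] = {"enabled": True, "groups": list(groups)}

    def disable_user(self, user):
        # Terminated employee: the account is shut down at home, so no new tokens are issued.
        self.accounts[user]["enabled"] = False

    def issue_token(self, user, now=None):
        acct = self.accounts.get(user)
        if acct is None or not acct["enabled"]:
            return None
        now = time.time() if now is None else now
        claims = {"iss": self.issuer, "sub": user, "groups": acct["groups"], "exp": int(now) + TOKEN_TTL}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


def build_envelope(token, document, action):
    """Carry the token in a wsse:Security header and the request in the SOAP body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    bst = ET.SubElement(sec, f"{{{WSSE_NS}}}BinarySecurityToken")
    bst.text = token
    req = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), "DocumentRequest")
    req.set("document", document)
    req.set("action", action)
    return ET.tostring(env, encoding="unicode")


class PartnerEdge:
    """The HR outsourcer's edge service: trusts the partner's key, grants rights per group."""

    def __init__(self, trusted_keys, acl):
        self.trusted_keys = trusted_keys  # issuer -> shared key
        self.acl = acl  # document -> {action: {group, ...}}

    def verify_token(self, token, now=None):
        try:
            body, sig = token.split(".")
            claims = json.loads(base64.urlsafe_b64decode(body))
            key = self.trusted_keys.get(claims.get("iss"))
        except (ValueError, TypeError, AttributeError):
            return None
        if key is None:
            return None  # issuer we have no trust relationship with
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        now = time.time() if now is None else now
        if claims.get("exp", 0) <= now:
            return None  # short lifetime bounds how long a revoked account's token lingers
        return claims

    def handle(self, envelope, now=None):
        root = ET.fromstring(envelope)
        bst = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}BinarySecurityToken")
        req = root.find(f"{{{SOAP_NS}}}Body/DocumentRequest")
        if bst is None or req is None:
            return "deny"
        claims = self.verify_token(bst.text or "", now)
        if claims is None:
            return "deny"
        allowed = self.acl.get(req.get("document"), {}).get(req.get("action"), set())
        return "allow" if allowed & set(claims.get("groups", [])) else "deny"


def run_demo():
    """Walk through the article's HR-outsourcer scenario and return the outcomes."""
    now = 1_700_000_000  # constructed fixed clock so results are reproducible
    corp = Directory("client-corp", PARTNER_KEY)
    corp.add_user("alice", ["hr-editors"])
    corp.add_user("bob", ["engineering"])
    hr = PartnerEdge({"client-corp": PARTNER_KEY},
                     {"w2-form": {"edit": {"hr-editors"}, "read": {"hr-editors", "engineering"}}})
    results = {}
    alice_tok = corp.issue_token("alice", now)
    results["alice_edit"] = hr.handle(build_envelope(alice_tok, "w2-form", "edit"), now)
    bob_tok = corp.issue_token("bob", now)
    results["bob_edit"] = hr.handle(build_envelope(bob_tok, "w2-form", "edit"), now)
    results["bob_read"] = hr.handle(build_envelope(bob_tok, "w2-form", "read"), now)
    # A token altered by someone who does not hold the partner key fails verification.
    forged = alice_tok[:-1] + ("0" if alice_tok[-1] != "0" else "1")
    results["forged"] = hr.handle(build_envelope(forged, "w2-form", "edit"), now)
    # Laid-off employee: the home account is disabled, no new token, and the old one dies at expiry.
    corp.disable_user("alice")
    results["alice_after_disable"] = corp.issue_token("alice", now + 1)
    results["alice_stale_token"] = hr.handle(build_envelope(alice_tok, "w2-form", "edit"), now + TOKEN_TTL + 1)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to the real thing. The partner never stores per-user passwords; it only decides which issuers it trusts and which groups may do what, which is the "trust the client company and grant group rights" model the article describes. And because the partner never sees the home directory, revocation works only through token lifetime: a disabled account cannot obtain new tokens, but an already-issued one remains valid until it expires, so the TTL is a security parameter. The HMAC here signs only the token; a real WS-Security deployment also signs and optionally encrypts the message parts themselves.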
Microsoft says the initial version of TrustBridge technology will be available in 2003, but the company has not decided how it will be delivered.
Because it depends on the Cross-forest Trust feature of Active Directory, it will work with Windows .NET Server versions but not with Windows 2000 Server.
The Windows .NET Server family is expected to be released to manufacturing late this year with general availability in early 2003.
VanRoekel says the TrustBridge technology definitely won't ship in time for inclusion in Windows .NET Server, and Microsoft has a number of choices about where to place the technology.
"The software will need to sit at the edge of a network. We have a lot of servers at the edge of a network: servers, firewall products, Internet servers," VanRoekel says. The key question for delivery that Microsoft is still wrestling with, VanRoekel says, is which piece of Microsoft's server portfolio should include the TrustBridge technology.
While Microsoft notes that the heterogeneous authentication will be interoperable with any Kerberos version 5-compliant network, including Unix networks, a Windows-based server running the TrustBridge technology would need to sit at the edge of each network involved in the cross-forest authentication.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.