Microsoft beta to shake up directory services

Developers to bake access control into applications

Microsoft will pass out beta code that it hopes will define the next evolution of directories. It's a modular add-on that is built on a database and designed to add querying capabilities and performance never before possible in a directory.

The code is so early stage it does not have an official name, although internally Microsoft calls it Next Generation Active Directory (NGAD). Microsoft introduced NGAD, which it calls a directory federation technology, on the second day of its annual Professional Developers Conference going on this week.

NGAD, however, is not a replacement for Active Directory but a "clip-on" that provides developers a single programming API for building access controls into applications that can run internally, on devices or on Microsoft's Azure cloud operating system. Users will not have to alter their existing directories but will have the option to replicate data to NGAD instances.

NGAD stores directory data in an SQL-based database and utilises its table structure and query capabilities to express claims about users such as "I am over 21" or "Henry is my manager." To ensure security, each claim is signed by an issuing source, such as a company, and the signatures stay with the claim no matter where it is stored.

"You can answer questions in your directory that are currently impossible to even ask," says Kim Cameron, identity architect at Microsoft. "You can find out who had access to a file last September." He says NGAD is a reshaping of the programming model for Active Directory.

In addition, the directory design means multitudes of new cloud or other applications won't be hammering the central Active Directory architecture with lookup requests and administrators don't have to perform often tricky updates to directory schema to support those new applications.

"I don't want to do anything to let anybody think that I am going to diddle with Active Directory infrastructure, yet I want to leverage the infrastructure," Cameron says.

The intent is to create a "logical directory" that shares architecture elements such as schema and APIs but is not one monolithic identity store. Instead, users have multiple NGADs deployed to support specific cloud, internal or device-based applications.

"From the point of view of AD these would look like domain controllers, but you could do these magic queries," Cameron says. "I could say who are all the people who report up to Microsoft CEO Steve Ballmer; in AD that query would take hours."

The most distinctive characteristic of NGAD is its SQL database foundation. It includes an SQL-based "Repository", a central management database for application metadata that includes an identity deployment model. NGAD also introduces a schema called System.Identity and a System.Identity API. The API exposes the schema to developers through LINQ.

NGAD lets users create complex relationships among the data it stores, such as friends, colleagues, roles, management chains, service assignments and machine sets. Those relationships can be used to create detailed claims that govern access control.

Currently, AD's only relationship construct is "group."

"In a directory there isn't the ability to do the kinds of relationships that you can do even in the world's worst database," Cameron says.
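To make the two ideas above concrete, the issuer-signed claims that keep their signature wherever they are replicated, and the relationship queries (such as "who reports up to the CEO") that a table-backed store can answer in one query, here is a small added model in Python on SQLite. It is not Microsoft's code or the System.Identity API; the issuer names, claim rows and the HMAC-based signing are constructed for the demo.

```python
import hashlib, hmac, json, sqlite3

# Constructed demo keys keyed by issuer name (hypothetical; a real issuer would
# sign with an asymmetric key so that verifiers never hold the signing secret).
ISSUER_KEYS = {"contoso-hr": b"constructed-demo-key"}

def _payload(issuer, subject, predicate, value):
    return json.dumps([issuer, subject, predicate, value]).encode()

def sign_claim(issuer, subject, predicate, value):
    """Issue a claim such as ('alice', 'manager', 'bob'): 'Bob is Alice's manager'."""
    sig = hmac.new(ISSUER_KEYS[issuer], _payload(issuer, subject, predicate, value),
                   hashlib.sha256).hexdigest()
    return (issuer, subject, predicate, value, sig)

def verify_claim(row):
    """True only if the signature matches the claim under the named issuer's key."""
    issuer, subject, predicate, value, sig = row
    key = ISSUER_KEYS.get(issuer)
    if key is None:                      # unknown issuer: nothing to trust
        return False
    expected = hmac.new(key, _payload(issuer, subject, predicate, value),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def import_claims(rows):
    """Replicate claims into a SQLite store, keeping the signature with each row
    and refusing rows whose signature does not verify. Returns (db, rejected)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE claims(issuer, subject, predicate, value, sig)")
    good = [r for r in rows if verify_claim(r)]
    db.executemany("INSERT INTO claims VALUES (?,?,?,?,?)", good)
    return db, len(rows) - len(good)

def reports_up_to(db, top):
    """Walk the whole management chain below `top` with one recursive query."""
    rows = db.execute("""
        WITH RECURSIVE chain(person) AS (
            SELECT subject FROM claims WHERE predicate = 'manager' AND value = ?
            UNION
            SELECT c.subject FROM claims c JOIN chain ON c.value = chain.person
             WHERE c.predicate = 'manager')
        SELECT person FROM chain""", (top,)).fetchall()
    return sorted(p for (p,) in rows)

# Constructed sample data: a three-level chain, an attribute claim, and one row
# whose value was rewritten after signing (carol points herself at the CEO).
CLAIMS = [sign_claim("contoso-hr", "bob", "manager", "ceo"),
          sign_claim("contoso-hr", "alice", "manager", "bob"),
          sign_claim("contoso-hr", "carol", "manager", "alice"),
          sign_claim("contoso-hr", "alice", "over_21", "true")]
TAMPERED = CLAIMS[2][:3] + ("ceo",) + CLAIMS[2][4:]
```

Importing `CLAIMS + [TAMPERED]` rejects exactly the tampered row, and `reports_up_to(db, "ceo")` returns alice, bob and carol from a single recursive query over the replica.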

Another evolutionary element is support for the newest Web technologies such as RSS and REST to create a connection between instances of NGAD and an application or service. For example, an application could subscribe to an NGAD instance via RSS and receive updates to the claims data it stores.

"We are taking what we learned with LDAP generation directories and adding a kind of self knowledge. The system knows how to update the data," Cameron says.

NGAD is the next step in Microsoft's claims-based Identity MetaSystem strategy, which began in 2005 and defines a distributed identity architecture for multi-vendor platforms.

Microsoft did not lay out a timeframe for the NGAD directory add-on, but if it follows previous directory innovations by the company it could be released as a stand-alone product or baked into the next version of Windows.
