Active Directory Bridging

Don’t Be Fooled by Bridges to Nowhere

Let’s go back to basics for a moment. What is an Active Directory bridge? An Active Directory bridge is a mechanism by which you can log on to non-Windows systems using your Active Directory credentials (i.e. username and password). Simple enough, but we should also make sure everyone understands what an Active Directory bridge isn’t.

Get the 2016 Gartner Privileged Access Management Market Guide and compare PowerBroker Identity Services "AD Bridge" to other AD Bridge solutions.

An AD Bridge is not User Provisioning and Not a Synchronization Tool

In days gone by, tools that kept your passwords synchronized and created accounts on all your target systems, using a complex array of agents, connectors and policies, gave users the impression that they were logging in with a single account. But that approach was fraught with problems, enough that I could write an entire blog post about them alone.

Some of the obvious problems with a synchronization approach include: network connectivity issues, failed or stalled agents, coping with application, platform and operating system changes, account cleanup (de-provisioning of accounts) and replication delays or problems, such as waiting for a simple password reset to reach a target host.

How an AD Bridge Should Work

An Active Directory bridge should allow you to use your Active Directory credentials to authenticate against Active Directory in much the same way a Windows client (i.e. Windows 8, Windows 10, etc.) behaves. That is, you don’t make a copy of all your Active Directory users on each workstation. Instead, that workstation uses something called Kerberos to validate the user’s credentials against the directory.

Why AD?

Active Directory may not be the only directory service platform out there, but there is no doubt it has dominated the space and exists in almost every business network today. Although it is typically not the authoritative source of record for users (this is normally the HR system), almost every user will end up getting AD credentials. AD is therefore normally treated as the most comprehensive database of account logon information on most networks. Furthermore, with such reliance on Active Directory, this directory will likely be the most robust in terms of availability and the most accurate in terms of account details. This makes it an ideal choice as an authentication service provider for ‘other systems’.

Good Candidates to Bridge to AD

Any system or application that either maintains its own list of usernames and passwords, or that can use other platforms for authentication, is a good candidate to bridge to Active Directory.

Why a true AD Bridge?

Why use an AD bridge? The answer is that an AD bridge provides Directory Consolidation as opposed to Account Propagation and/or Synchronization. This reduces administrative time and cost by reducing administrative effort, reducing the time spent performing and answering audits, and increasing user/admin productivity by removing potential account issues. Some of the key benefits of a true AD bridge include:

  • One place to provision users
  • One place to define a password policy
  • One place to reset users’ passwords
  • One place to assign access rights
  • One place to configure access control lists
  • One place to de-provision users
  • Reduced Sign-on (Kerberized Auth/Automated Authentication)

As you may have guessed by now, this is an area where BeyondTrust can help on some of the most widely used non-Windows platforms in the enterprise today – Unix, Linux and Mac hosts. As opposed to competitive alternatives that aren’t really AD bridges, BeyondTrust provides all of the capabilities necessary to simplify the management of Unix, Linux, Mac and Windows systems.

For more information on our approach to AD bridge, and its importance to your integrated privileged access management strategy, request a free trial today.