Active Directory Bridging (AD Bridging) is a mechanism that allows users to log on to non-Windows systems using Active Directory (AD) login credentials.
Active Directory is a Windows directory service that lets IT administrators easily manage the users, applications, data, and other aspects of their IT network. AD is used to authenticate users and authorize access, allow for the management and storage of information, and allow IT staff to deploy various services. Active Directory is a key enabler of identity management.
AD Bridging simplifies user access management by letting a user authenticate with their AD account. AD Bridging then relies on Kerberos, a ticket-based authentication protocol, to validate that user to other applications and systems.
AD Bridging centralizes verified, secure authentication details from multiple systems (Windows, Linux, Unix, etc.) in AD. Compared with the disjointed practice of managing separate logins and passwords across multiple systems, this improves overall security and gives users a more seamless experience, for several reasons:
- Separately synchronizing accounts across multiple systems runs into problems such as failing APIs and connectors, network delays, and slow updates, all of which frustrate users
- Application, hardware, network, and OS changes can all break password synchronization and complicate the patching of vulnerabilities
- Transmitting login details and passwords across the network puts those credentials at risk
AD Bridging makes identity consolidation and access management much easier.
AD Bridging confers numerous benefits for system administrators, IT security teams, and end users, including:
- Anyone with a Windows logon (which is likely to be every employee in your organization) already has AD credentials. This makes AD the most authoritative source of user accounts
- You can apply the principles of least privilege and role-based access to each centralized user account, and this will be reflected across any linked applications
- AD provides a centralized service that IT administrators can use to create, provision, update, and deactivate accounts. Any changes propagate to all linked applications
- Identity and access management and identity consolidation become much easier and more secure
- You can introduce more robust authentication procedures for the Windows logon (such as multifactor authentication and biometrics), as each user only needs to log on once
- You can define and enforce robust password policies, such as mandating different character types and password rotation, in one central place
- Your service desk can reset a user's password for all linked applications from one centralized system
- AD Bridges are especially useful for Linux, Unix, and other non-Windows system administrators, as bridging technology lets users access applications regardless of the OS on which they run
Once your IT team has set up AD Bridging (typically using a specialized AD Bridging application), it generally works as follows:
1. A user logs on to their standard Windows session as normal, typically at the start of their shift. This initial logon can have robust authentication procedures
2. Any time that user tries to access a linked application (in Windows or another environment), the AD Bridge queries the centralized AD for the user's credentials
3. Provided those credentials are found and the user is authorized, the AD Bridge tells the target application to grant access
4. The user can then access the target application
Steps 2 and 3 above are completely invisible to the end user. This process can vastly reduce the need to remember lots of different passwords, thereby increasing productivity and security.
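As an added illustration of the ticket flow behind steps 1 to 3 (this is not code from the original page or from any AD Bridging product), the toy Kerberos model below uses a constructed realm, user and host names and replaces Kerberos' real encryption types with a simple encrypt-then-MAC seal. It shows the security property the steps rely on: the password is entered once at the desktop, and only tickets, never the password, reach the KDC or the bridged host.

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.LOCAL"  # constructed realm name, not a real domain

def string_to_key(password: str) -> bytes:
    # Stand-in for Kerberos string-to-key: the KDC (AD) stores this key, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 20000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, claims: dict) -> bytes:
    # Toy encrypt-then-MAC so a ticket is opaque to anyone without the right key (not Kerberos' real enctypes).
    nonce, data = os.urandom(16), json.dumps(claims).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("ticket rejected: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class ToyKDC:
    """Plays the role of AD's Kerberos KDC: holds keys for users and for each bridged host/service."""
    def __init__(self):
        self.keys, self.krbtgt = {}, os.urandom(32)
    def register(self, principal: str, password: str):
        self.keys[principal] = string_to_key(password)
    def as_exchange(self, user: str):
        # Step 1 (Windows logon): issue a TGT; only the holder of the user's key can read the session key.
        session = os.urandom(32).hex()
        return seal(self.krbtgt, {"user": user, "sk": session}), seal(self.keys[user], {"sk": session})
    def tgs_exchange(self, tgt: bytes, service: str):
        # Steps 2-3 (the bridge asks AD on the user's behalf): the proof is the TGT, never the password.
        who = unseal(self.krbtgt, tgt)
        sk = os.urandom(32).hex()
        return seal(self.keys[service], {"user": who["user"], "sk": sk}), seal(bytes.fromhex(who["sk"]), {"sk": sk})

def bridged_logon(kdc: ToyKDC, user: str, password: str, service: str) -> str:
    """Full flow: one password entry, then a service ticket the target host validates with its own key."""
    tgt, enc = kdc.as_exchange(user)
    unseal(string_to_key(password), enc)          # a wrong password fails here, at the desktop, and nothing else is sent
    ticket, _ = kdc.tgs_exchange(tgt, service)    # transparent to the user: no second prompt
    host_key = kdc.keys[service]                  # the bridged host keeps its own copy of this key (its keytab)
    return unseal(host_key, ticket)["user"]       # the host decrypts with its own key and reads the verified identity
```

A ticket issued for one host cannot be opened by another, which is what lets an administrator decide per system who may log on.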
It’s vital to have proper security and administration in any AD Bridging process. There are several software applications your business can use to make AD Bridging secure and easy to use, both for administrators and end users. Good AD Bridging software should:
- Allow you to easily link applications to the centralized AD in a secure, encrypted way
- Centrally control access to non-Windows systems by defining which users are permitted to log on to which systems via AD
- Provide robust identity and access management functions
- Integrate with single sign-on (SSO) solutions, multifactor authentication, and other authentication and authorization mechanisms
- Allow employees to use their credentials to access Unix, Linux, and/or Mac systems
- Attain consistent configuration by extending native group policy management tools to include settings for Unix, Linux, and Mac
- Audit multiple Active Directory events in real time, report on exceptions, and provide easy access to the results
- Integrate with other security management processes and applications
- Transition users from desktops to remote machines or between systems without requiring them to re-enter credentials
- Consolidate directories to simplify the management of complex environments
- Provide strong identity and access management and identity consolidation functions