Sunday, June 29, 2008


The Evils of Active Directory

Another blogger gets it twisted and doesn't understand the value proposition of Active Directory. Luckily I exist for the sole purpose of providing alternative perspectives...

Let's analyze his posting in order to understand where he went wrong...

    The problem is that Active Directory basically requires organisations to own all their own infrastructure if they want to achieve single sign-on across all of these products.
I am not sure how this is a fault of Active Directory. For example, if you think that Exchange Server should support single sign-on and have the capability of being a relying party, then bash the Exchange team for not making this happen.

If you are thinking about cost savings, then sticking with one provider tends to be better from a total cost of ownership perspective than interacting with multiple. Costs aren't just the amount you write out in checks; they also need to account for the time employees spend administering user credentials multiple times.

Lock-in occurs at all levels, even in the open source community. For example, think about how difficult it would be to replace Xalan/Xerces support in Java applications that process XML. The key isn't tight coupling as much as it is the potential economics down the road and vendors exploiting it. Honestly, I bet if you were to talk to folks in large enterprises and ask them which IT vendors they feel haven't exploited them from a pricing perspective, Microsoft would almost always come out on top.

There is nothing preventing any software as a service vendor from consuming Information Cards (e.g. CardSpace) or OpenID. The real question is whether this is on their radar and the proverbial "are other customers asking for it". Picture a scenario where keeps all credentials in Active Directory. They could eliminate their proprietary SSO mechanism and embrace standards such as SAML. They could even figure out a way to allow small businesses that run internet-resolvable domains to SSO from their desktops by leveraging ADFS. Of course, the value proposition here says that maybe the right architecture is for you to keep Active Directory in-house, where you are always the identity provider and your SaaS vendors are relying parties.

How are the multi-tenancy characteristics of SaaS vendors solely a problem of Microsoft? Isn't this a problem that the Java community, the Ruby community and the PHP community also have? If you were to talk with a software developer at large, do you think they understand what the best practices of multi-tenant software development are? Do you think the Core J2EE Blueprints or anyone from Sun Microsystems is talking about this problem space? Have Martin Fowler, Kent Beck, Gregor Hohpe, James Robertson or even Robert McIlree ever talked about ways to improve this space? The problem most certainly is not Microsoft but one of their customers not having the right conversations amongst each other...
