Use Active Directory Migration Tool (ADMT) to export/import AD objects in network isolated AD's - active-directory

I am attempting to clone an environment on a separate network, i.e. Lab1 and Lab2. Lab1 and Lab2 have the same CIDR. The idea is to clone VMs and have them use the same AD accounts in Lab2. We have lots of difficult-to-configure software and we want to avoid reconfiguring these VMs for AD and IP.
I am first attempting to Copy AD resources from one AD to another AD in a separate network.
I was directed to: Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains https://www.microsoft.com/en-us/download/details.aspx?id=19188
I downloaded this tool and expected to be able to export the objects to a file. Then I can transfer the file and import the objects. Instead, the UI expects me to specify the target AD domain and IP address. AD1 domain name will be the same as AD2 domain name. AD2 is on a separate network from AD1.
Am I using this tool correctly or am I missing something?

Related

Using Google Pub/Sub Java client library without adding the GOOGLE_APPLICATION_CREDENTIALS environment variable for authentication

Pub/Sub is really easy to use from my local work station. I set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path to my .json authentication object.
But what if you need to interact with multiple different Pub/Sub projects? This seems like an odd way to do authentication. Shouldn't there be a way to pass the .json object in from the Java code?
How can I use the client libraries without setting the system's environment variable?
Thanks
You can grant access for Pub/Sub in a different project using a single Service Account and set it as an env variable. See PubSub Access Control for more details.
A service account JSON key file allows you to identify a service account on GCP. This service account is the equivalent of a user account but for the app (no user, only machine).
Thereby, if your app needs to interact with several topics from different projects, you simply have to grant the service account email the correct role on each topic/project.
Another important thing. The service account key files are useful for apps outside GCP. Otherwise it's bad. Let me explain this. The service account key file is a secret file that you have to keep and store securely. And as a file, it's easy to copy, to send by email and even to commit into a public git repository... In addition, it's recommended to rotate this key at least every 90 days for security reasons.
So, for all these reasons and the security difficulties that service account key files represent, I don't recommend that you use them.
With your local environment, use your user account (simply use the gcloud SDK and perform a gcloud auth application-default auth). You aren't a machine (I hope!!)
With GCP components, use the component's "identity" (load a service account when you deploy a service, create a VM, ..., and grant the correct role to this service account without generating a JSON key).
With external apps (other cloud providers, on premise, Apigee, CI/CD pipelines, ...), generate a JSON file for your service account; you can't avoid them in this case.
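As an added illustration of the three cases above (not code from the answer author or from Google's documentation): the Pub/Sub Java client accepts credentials explicitly, so the environment variable is never required. Assumed here are the hypothetical project/topic names and the optional key-file path, which is only used for the "external app" case; everywhere else Application Default Credentials pick up either the `gcloud` user login or the attached service account of the GCP component.

```java
import com.google.api.gax.core.CredentialsProvider;
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.pubsub.v1.Publisher;
import com.google.pubsub.v1.TopicName;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;

public final class PubSubCredentials {

    // Pub/Sub calls need this OAuth scope; user credentials from gcloud are
    // scope-sensitive, so it is applied uniformly to every credential type.
    private static final String CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

    /**
     * keyFilePath == null -> Application Default Credentials: the gcloud user
     *                        login on a workstation, or the identity attached to
     *                        the VM / service on GCP. No key file anywhere.
     * keyFilePath != null -> explicit service account key, the external-app case
     *                        where the answer above says a key file is unavoidable.
     */
    static CredentialsProvider credentialsFor(String keyFilePath) throws IOException {
        GoogleCredentials creds;
        if (keyFilePath == null) {
            creds = GoogleCredentials.getApplicationDefault();
        } else {
            try (InputStream in = new FileInputStream(keyFilePath)) {
                creds = GoogleCredentials.fromStream(in);
            }
        }
        creds = creds.createScoped(Collections.singletonList(CLOUD_SCOPE));
        return FixedCredentialsProvider.create(creds);
    }

    /** One Publisher per project/topic; the same credential serves all of them
     *  as long as the service account has roles/pubsub.publisher on each topic. */
    static Publisher publisherFor(String projectId, String topicId,
                                  CredentialsProvider cp) throws IOException {
        return Publisher.newBuilder(TopicName.of(projectId, topicId))
                .setCredentialsProvider(cp)
                .build();
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical project and topic ids; no GOOGLE_APPLICATION_CREDENTIALS set.
        CredentialsProvider cp = credentialsFor(args.length > 0 ? args[0] : null);
        Publisher a = publisherFor("project-a-example", "orders", cp);
        Publisher b = publisherFor("project-b-example", "audit", cp);
        a.shutdown();
        b.shutdown();
    }
}
```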

Cloudera Altus Console - Integration with Active Directory

Cloudera Altus provides a web-based console that can be used to manage and monitor jobs. In the Altus documentation, it's mentioned that one needs to have a Cloudera account to access that.
Can user access to that console be integrated with one's own Identity Management System like Active Directory to provide more control w.r.t. user governance?
Yes - configuring the web-based console can have standard LDAP or Active Directory integration, as shown here (currently at 6.2):
https://www.cloudera.com/documentation/director/latest/topics/director_configure_ldap.html
You can also configure clusters built by Director to use your Kerberos / Active Directory infrastructure:
https://www.cloudera.com/documentation/director/latest/topics/director_create_kerberized_cluster.html

Azure Function that allows browser User to Download a network file

We have an Azure function with an HTML UI right inside the function. The Azure function app has VNET access to servers inside our firewall. Is it possible to build an Azure Function that authenticates into the server/file share and allows a browser user to download a secure network file?
If so, is it possible without creating new files?
If your Azure Function is configured to be on a VNET that gets you the network access you need to the servers behind your firewall then it's possible, but the question is what protocol are you expecting to use to access those files? Azure Functions run inside the App Service "Sandbox" which has restricted outbound network port access which would prevent the standard file sharing protocols from working. If you exposed the on-prem files over HTTP in some way, then you'd be in business.
One dirt simple way might be to mount the file share as an IIS virtual directory. You do still have to consider security though. You won't be able to use Windows Authentication, but you could change the IIS virtual directory to use something like Basic Authentication and then your function would be configured with the necessary credentials to access it. Then you get into transport level security and realize you'll want to use HTTPS which implies setting up some certificates as well.
Another solution would actually be to look into using Azure Files to actually synchronize the on-prem files into the cloud as a completely separate integration and then systems like your functions app here actually only worry about accessing the files via Azure Files and don't even have to necessarily be bound to the VNET at all at that point.
I'm not sure what you mean by "possible without creating new files" though. Can you elaborate on your scenario a little more? You would probably need other functions in your app to perform the individual responsibilities of file transfers (e.g. handle POSTs, GETs, etc) if that's what you mean.

Accessing contacts in email and mobile clients: LDAP or CardDAV?

We store user email addresses, phones, physical addresses and other info in our corporate Windows Active Directory. Active Directory users need to access this information from all kinds of e-mail clients, such as Mozilla Thunderbird, Outlook, iOS Contacts, MacOS X, Android addressbook, etc., both from the corporate network and from outside of it, from the Internet. We do not use Microsoft Exchange server.
I have found that this could be done via LDAP and CardDAV (through an in-house app installed).
Which is the better approach for accessing contacts in all kinds of email and mobile clients: LDAP or CardDAV?
Think about it this way - Active Directory is Microsoft's own implementation of LDAP, in addition to being their version of a database-driven directory server. I wouldn't use anything else.
Also, Active Directory primarily supports LDAP based user authorization, so if you're going to be serving applications or individual requests outside of your local network and domain (especially from the various sources you named), this is a feature you'll need to consider for security purposes.
I'm not quite sure what your tech stack looks like, but many languages support LDAP based querying and authorization. I've cut my teeth in C# working with the System.DirectoryServices.Protocols namespace, and I've come to appreciate the adaptability and performance.
And, here is a great link on the Protocols and Interfaces to Active Directory.

How do you use Active Directory in a "hosted solution"?

Yesterday I got a call from a Microsoft representative asking if we supply "hosted solutions", presumably as part of the big Windows Azure push. As soon as I got off that call, our marketing director came into my office and said the majority of our customers are demanding Active Directory integration in the next version. Then it occurred to me: how does one use Active Directory in a "hosted solution" if the application does not live on the customer's network?
As a more general question about Active Directory integration, what kind of functional changes does that usually imply for an app? Does it mean a user is signed into the app just by authenticating to Active Directory or does it mean the app gets its list of users from Active Directory or does the creation of new users or groups in the app create new users or groups in Active Directory?
Am I just caught in the crossfire of a war of buzzwords?
You're not. Active Directory can be run across the public Internet, though this complicates the security and setup of the network rather considerably.
Generally, authenticating an app against Active Directory means that your membership provider (for example) would call into Active Directory to do the authentication and, after that, the user is simply logged in; you don't keep active credentials, etc, in your own database. However I would consider it smart to cache that information as well, and be prepared to authenticate against that cache in addition to the directory, in case the domain controller is unavailable for authentication (an especially large risk if you're running the directory across the Internet).
You can use Active Directory Federated Services to enable authentication using AD over the internet between two organizations. See: http://technet.microsoft.com/en-us/library/cc786469.aspx
I've never used it only read about it. Hope it helps.
The accepted answer explains the role of Active Directory and I agree that caching basic user information may be useful in many instances.
Active Directory can be expanded outside of a corporate network, to the internet and connected web services. As another user mentioned, this is achieved through ADFS (Active Directory Federation Services) which allows "trusted" connections to be set up between separate authentication services. There were a number of scenarios explained as part of the "Office 365 Jump Start" webinars:
http://technet.microsoft.com/en-us/edge/office-365-jump-start-04-microsoft-office-365-identity-and-access-solutions
After viewing these, I immediately thought that a "hosted" AD and ADFS service would be useful, where a customer doesn't want to maintain the AD servers internally (Microsoft don't recommend running less than 5 separate servers if you're doing this!) Recently, Microsoft have also launched their Azure cloud platform. One of the services they provide is labelled "Identity" which you can see here:
http://www.windowsazure.com/en-us/services/identity/
This is Microsoft's own solution to hosted AD services. In fact, they even mention using their "Identity" hosted service as a solution for SSO (Single Sign-On) for Office 365 and even Google web apps.
I am still learning about AD and Microsoft's cloud offerings, but I hope this points you in the right direction.
There's an article here: http://www.developerfusion.com/article/121561/integrating-active-directory-into-azure/ which describes in-depth how to integrate Active Directory with Azure - hope that helps.
Active Directory can be run across the public internet but you will experience lag times which may cause your app to time out or crash depending on your bandwidth. In the past, I have set up accounts with another company called ultradns.com who specializes in these types of scenarios. Hope that helps.
You'd be best off going with a true hosting framework if you would like any support from MS.
I'm sure you'd like some links so:
HMC (Hosted Messaging and Collaboration)
The ONLY true blog I know about on the framework is from Kip Ng
The ASP.NET forums are a good resource for questions on the Framework as well.
An example of the work that goes into configuring AD for Exchange multitenancy is here, though it is based on an older version of the framework a lot of the same principles apply.
Also, try searching on the keyword multitenancy for some articles.