Why Microsoft's Open HailStorm promises flatter to deceive

Embrace and extend Pidgin Squadrons flap home to roost

Today's Hailstorm announcement was cultivated to gain maximum favourable publicity for Microsoft, but Redmond's concessions amount to nothing it hasn't already conceded, in one form or another.

In fact, seasoned watchers including Jeremy Allison - co-lead of the SAMBA project - interpret the "concessions" as extending the requirement for Microsoft's partners to include proprietary technology in their .NET compliant web services.

So what was new, today?

Microsoft promised to include the 'industry standard' Kerberos 5 protocol in Hailstorm, and HailStorm is now officially monikered ".Net My Services", if you please. Microsoft also said it would open authentication to third party brokers.

A pre-briefed David Coursey at ZDNet was beside himself with joy. It was a "stunning" announcement, he opined. The news that "Passport and other 'federated' services would accept Kerberos 'tickets' supplied by the others," he said, was "good news for Microsoft, the industry, and consumers".

Alas, there's a world of difference between authentication and authorization, and that's at the nub of understanding today's announcement.

An authentication server takes a user name and password and raises a simple yes/no flag: the combination either fits or it doesn't. Authorization actually gives the user rights to the services on offer.

Authorization allows you to use printer Y, or access files from X, or not, and if you're beginning to think that web services without authorization rights are essentially meaningless, then collect $50 and pass go, because you're right on the button.

Not only has this distinction - between authentication and authorization - plagued the tech community for years, but it's one that's already been exploited by The Beast, which has leapt into the open wound with its own proprietary implementation of Kerberos, which is the years-old open standard for authentication.

Here's how.

The Kerberos protocol specifies authentication clearly and simply: you go to a Kerberos server, and get a ticket. The ticket is then presented to an authorization server, which returns it with various access rights allowed. But the Kerberos protocol doesn't cover authorization itself.

Authorization isn't an open standard, and in fact no one can agree on a single way to do it, although everyone agrees not to bugger up the Kerberos ticket with machine-specific details. And so authorization evolved as a DCE (Distributed Computing Environment) standard. When we say that no one has buggered up the ticket, there is, as you might guess, one exception...

"There's no common representation of a 'user' across all systems, sure, but the idea was that you don't pollute the Kerberos ticket with that local system's idea of what a user is," explains Allison.

"Microsoft's implementation of Kerberos actually wraps the authorization in the ticket," he says.

"They subverted it and put it inside a standard ticket. The result was that only tickets issued on Windows 2000 machines could be useful on other Windows 2000 machines, without a lot of manual mapping, which is a massive pain and is so tedious that no one is ever going to do it."

Readers with long memories will remember the furore when Microsoft documented its Kerberos implementation, and then sent its legal attack dogs round to our friends at Slashdot who hosted postings containing the details of this 'open' implementation.

In short, it's hard to do authorization between a Windows server and a non-Windows server, and that seems to be the way Redmond likes it. Nothing in today's announcements changes this in any way, in fact it confirms the Redmond-centric way of doing business on .NET.
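To make the authentication/authorization split and the interop problem concrete, here is a constructed Python sketch, added here and not taken from The Register, Samba or any Kerberos implementation. A ticket carries an optional authorization-data list of (ad-type, ad-data) pairs, and 128 is the ad-type RFC 4120 registers for Microsoft's PAC; the PAC payload, the principal and group names, and the per-service mapping table are all constructed stand-ins.

```python
from dataclasses import dataclass, field

# ad-type value RFC 4120 registers for Microsoft's PAC authorization data
AD_WIN2K_PAC = 128

@dataclass
class Ticket:
    """Simplified Kerberos ticket: the client principal, the service it is
    for, and the optional authorization-data list of (ad-type, ad-data)."""
    client: str
    service: str
    authz_data: list = field(default_factory=list)

def issue_ticket(client, service, groups=None):
    """Constructed KDC behaviour. A standards-only KDC leaves the
    authorization-data empty; a Windows-2000-style KDC embeds a PAC.
    The real PAC is an opaque binary structure; this is a stand-in."""
    ticket = Ticket(client, service)
    if groups is not None:
        pac = ",".join(sorted(groups)).encode()
        ticket.authz_data.append((AD_WIN2K_PAC, pac))
    return ticket

# Constructed per-service mapping table: the "manual mapping" a non-Windows
# service has to maintain because the standard ticket carries no rights.
LOCAL_RIGHTS = {"alice@EXAMPLE.COM": {"printer-y", "files-x"}}

def authenticate(ticket, my_service):
    """Authentication is a yes/no answer: is this a ticket for me?"""
    return ticket.service == my_service

def authorize_portable(ticket, resource):
    """Standards-conforming service: ignore foreign ad-types entirely and
    resolve rights from its own mapping of principal -> resources."""
    return resource in LOCAL_RIGHTS.get(ticket.client, set())

def authorize_pac_only(ticket, resource):
    """PAC-dependent service: rights come only from the embedded PAC.
    Returns None when the ticket carries none (cannot decide)."""
    for ad_type, ad_data in ticket.authz_data:
        if ad_type == AD_WIN2K_PAC:
            return resource in ad_data.decode().split(",")
    return None

if __name__ == "__main__":
    std = issue_ticket("alice@EXAMPLE.COM", "files@EXAMPLE.COM")
    win = issue_ticket("alice@EXAMPLE.COM", "files@EXAMPLE.COM", {"files-x"})
    print(authorize_pac_only(std, "files-x"))   # None: no PAC, no decision
    print(authorize_portable(std, "files-x"))   # True via the manual mapping
    print(authorize_pac_only(win, "files-x"))   # True: PAC carried the right
```

The standard ticket authenticates fine at both services, but only the service that keeps its own mapping can authorize it; the PAC-dependent service gets nothing to decide on, which is the interop gap Allison describes.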

Allison summarizes the politics like this:-

"They're very clever. They know the smallest amount of control they need to leverage monopoly. If you have a server that does authentication and authorization, then you have the equivalent of a Windows Primary Domain Controller, and that's their terror," he says.

"Once someone usurps the PDC they can provide the equivalent of an Active Directory service on Linux," he says, at a fraction of the cost.

And so it returns to the commodity protocols argument, as revealed in the Halloween memos and repeated ad infinitum. Mind you, given the positive spin that the wires have already put on this move, it's halfway to success.

We put a call into Sun, and got this response:-

"Sun believes that many companies should be authenticators, therefore providing open competition for businesses and consumers."

"In the coming weeks, Sun, along with partners such as banks and insurance companies, will offer their own authentication services. It is not, however, our policy to disclose these discussions until there are appropriate and mutually agreed upon details to announce. We have no formal statement at this time."

Hmm. That suggests they're still fixed on the authentication distraction, not the authorization end-run. Hopefully someone can lend them a clue.

Microsoft had not returned our calls at press time.

From the we-told-you-so-Dept:-

"Microsoft's holier-than-thou standards pitch for .Net could be undermined by its insistence on using its own, non-standard version of Kerberos"
- The Register, 27 March 2001.

That's not us, by the way - think of us as straw-sucking hayseeds who don't have a clue, and definitely don't get pre-briefed by the corporate PR machinery - but instead cock a hat to the prescient Mat Hanrahan at analysts Bloor Research. We were just dumb enough to be standing around at the time. Honest. ®

Related Stories
MS proprietary tech undermines Hailstorm
Sun, AOL take MS Hailstorm to the Feds
All your data (and biz plans) belong to Microsoft
Pay-to-Play: Microsoft erects .NET tollgate