By Greg Keller Posted September 29, 2015
For IT admins who run Windows® devices without leveraging Microsoft® Active Directory®, there’s an important question that needs answering: how do you control Windows authentication? Of course, IT admins can let devices be managed by their users and not centrally control authentication, but that approach defeats the purpose of a central user management strategy. IT organizations need to, even in some small scale, centrally control who has access to devices. But if there is no Active Directory server in the network, then how can you control authentication of Windows devices?
Why on-premises software isn’t the solution
First of all, connecting Windows devices to LDAP isn’t really an option, because Windows is set up to leverage Kerberos and not LDAP. An IT admin could decide to leverage pGina to connect to an OpenLDAP server, but then you’re still managing OpenLDAP. Another option is to run a Samba server. This also involves having an IT admin manage and run the Samba server. As the world moves to the cloud and companies use as-a-Service solutions, the use of more on-premises software goes against market trends. In other word, on-premise infrastructure is not the answer to enabling Windows authentication without AD.
What cloud-based directories offer
With the advent of Directory-as-a-Service® solutions, Windows devices can be authenticated to a cloud-based directory. Simply put, an IT admin places a lightweight agent on each Windows device. The agent will natively create user accounts on the Windows device. As credentials are entered, the credentials are checked against the local ones created. Since the credentials are created from a cloud-based directory, the directory communicates with the device through the agent to update passwords, terminate accounts, or even add new accounts. The communication between the device and the cloud directory service is secured through a mutual TLS connection.
Choosing a non-Active Directory solution allows Macs® and Linux® devices to be treated similarly to Windows machines. Another benefit: a cloud-based directory service connects more easily to remote employees who use Windows. For the remote employee use case, a Directory-as-a-Service solution eliminates the need for VPNs. Plus, as an organization moves to G Suite™ (a.k.a. Google® Apps) or Office 365™, the company reduces its on-premises infrastructure. As a result, the company is more adequately set up to transition from an on-premises Active Directory solution to a cloud-based directory. SaaS-based directory services solutions are also more cost effective, because organizations only pay for what they use.
If you’re interested in leveraging Windows in your environment but don’t want to be locked using Active Directory, there are a number of solutions to check out, including open source solutions and SaaS-based services like JumpCloud®’s Directory-as-a-Service. Drop us a note if you have any question, or give JumpCloud a try. It’s simple to connect a Windows devices to JumpCloud’s Directory-as-a-Service. Your first 10 users are free forever.