First published on TechNet on Aug 21, 2014
Hi all, Jason here. Long time reader, first time blogger. AzMan is Microsoft's tool to manage authorization to applications based on a user's role. AzMan has been around since 2003 and has had a good run. Now it's time to send it out to pasture. If you haven't seen
article, AzMan has been added to list of technologies that will be eventually removed from the OS. As of Server 2012 and 2012 R2 AzMan has been marked as deprecated, which is a term we use to let our customers know that the specific technology in question will be removed in subsequent release of the OS. It has recently been announced that AzMan will no longer be in future releases of the Windows Server OS (after 2012 R2).
What does this mean to you? If you are on a newer OS and use Azman, not much (right now). If you use AzMan on say for example Server 2003, you need to either get AzMan prepped and ready on a newer OS or find a suitable replacement for role based authorization. Keep in mind each OS has its own life cycle so AzMan isn't immediately going away. We have well into 2023 before we see the last of AzMan. AzMan will continue to work on whichever OS you are currently using it on just be aware of the OS life cycle to make sure that your OS is supported and as such your implementation of AzMan. The obvious question here is, where do we go?
The best answer would be moving your application to be claims aware. Claims allow you to make decisions on authorization based on data sent within the claim token. Want access based on user group in AD? Sounds like you want claims. Want authorization to a specific site based on whom your manager is? Claims can do that. I don't want to make it sound like this is an immediate “click here and it fixes everything for you”, you will have to do recoding on your application to be able to consume claims sent by a claim provider and that isn't going to be flowers and unicorns. There will be some hard work to move it over, however the gains will be huge as there has been a large surge in claims based applications and services in the last few years (O365 included). Windows already has a claims provider you can use to build claims tokens and send to your application (this is ADFS if you haven't heard, I'd be surprised if you haven't) and it's either already in the OS or a download away (depending on which OS you are running). If you're are using AzMan and looking for the push to get you into the claims game, this is the nudge you've been looking for.
A few things to keep in mind if you are intending to use ADFS for your claims provider:
· ADFS is provided in 2003 R2, however this is 1.x and does not have some of the features that 2.x + has. Also, some of the terminology is different and could be confusing to start your claims experience with, not to mention 2003 is close to end of life
· ADFS is a separate download for 2008 and 2008 R2. It is provided in the OS as a role, but this is 1.1. You definitely want the downloaded version. (Make sure to get rollup 3 KB2790338 , update KB2843638 and update KB2896713)
· ADFS is provided in the OS on 2012 (ADFS 2.1) and 2012 R2 (ADFS 3.0)
A few helpful links to get you started with using claims based authentication/authorization:
Building My First Claims-Aware ASP.NET Web Application
Hopefully these can give you enough of a starter to build a proof of concept and get your team ready to dive into the claims game.