ADmitMac 1.1.1, by Thursby Software
Posted: 21-Apr-2004

4 1/2 out of 5 Mice

Vendor: Thursby Software Type: COMMERCIAL

Reviewer: Alex Levinson Class: PRODUCTIVITY

Overview
Apple has traditionally focused on the education, visual design, and production marketplaces. Its attention to the enterprise world that is largely dominated by WINTEL has always been lackluster at best. However, over the past two years, with the release of OS X, and especially the release of the Xserve in 2002, Apple is showing a renewed focus on enterprise computing.

Although the initial release of OS X lacked support for Windows networking, Apple is making slow but steady progress toward interoperability. Starting with OS X v10.1, it included support for SMB (Server Message Block), the protocol Windows uses for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers. Apple's implementation is built on Samba, the open-source implementation of SMB. In theory, connecting to a Windows machine required only typing the Windows server name or IP address into the Connect to Server option of the Finder's Go menu; the Mac would then gain access to the shared Windows resources. In practice, however, it did not really work - not well enough to be usable by the average end-user, anyway. There was no real support for resolving Windows server names to IP addresses, browsing the Windows network beyond the local subnet was not supported, and the whole experience required a level of enterprise system configuration knowledge that is generally not available to non gear-heads.

This gaping hole in Apple's internetworking capability presented an opportunity for third-party network integration vendors such as Thursby Software. Its premier product, DAVE, addressed both file and print capability. While Jaguar (OS X v10.2) and Panther (OS X v10.3) made further progress toward simplified OS X to Windows internetworking, the gap is still not closed. Thursby's latest addition, ADmitMac, allows Macintosh users running Mac OS X (Jaguar and Panther) to participate in Microsoft networks by taking advantage of the directory services provided by both Active Directory and NT Directory Services.

Installation
ADmitMac is a commercial product with a single license priced at $119.00. Multi-pack licenses are available, with a 25-pack priced at $2,299.00 ($92.00 per seat). A special Volume License Agreement (VLA) is also available, allowing one to install the product without having to enter separate keys for each machine. The price per seat comes down to as low as $38.00 for a 2,000-license installation. An annual upgrade agreement is required for volume licenses, though.

ADmitMac requires Mac OS X 10.2 or later to run, and requires domain services provided by at least one of the following:

  • Microsoft Windows Server 2003 with Active Directory
  • Microsoft Windows 2000 Server with Active Directory or operating an NT domain
  • Microsoft Windows NT 4.0 Service Pack 6 or later operating an NT domain

It comes in English localization (no other localizations are mentioned as available at the time of this review). ADmitMac conforms to the following RFCs:

  • 1001, 1002 - Protocol standard for a NetBIOS service on a TCP/UDP transport
  • 1510 - The Kerberos Network Authentication Service (V5)
  • 1777 - Lightweight Directory Access Protocol (LDAP)
  • 2743 - Generic Security Service Application Program Interface Version 2
  • 1964 - The Kerberos Version 5 GSS-API Mechanism
  • 2222 - Simple Authentication and Security Layer
  • 3244 - Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols

It also claims conformance with Microsoft's SMB/CIFS specifications, including direct-hosted SMB over TCP port 445 (that is, without the NetBIOS session layer on port 139).

ADmitMac is at version 1.1.1 at the time of the review.

The evaluation license was downloaded from the vendor's web site and the supplied license keys were applied to unlock the product. The review was performed on a 400 MHz Blue and White G3 (Model 82.2) with 256 MB running OS X 10.2.8 connected to the Lockheed Martin corporate intranet (thank you Craig Wright). Installation was straightforward, and configuration instructions are included. The installer created an ADmitMac folder in the Library/Application Support path containing the following tools: Setup Assistant, Training, and Uninstall.


ADmitMac Utilities

The installer runs the Setup Assistant immediately following installation. It queries the network by searching for WINS servers and asks you to configure either the Active Directory or NT Domain controller information (depending on what the enterprise is controlled by - my company is NT Domain Services based). The only information one needed to provide was the name of the domain (in my case ACCT04) as well as the NT Domain user name and password. The installer also installed an ADmitMac Network Utility in the Applications/Utilities path, and a My Network Account pane in System Preferences.


My Network Account preferences panel

The "My Network Account" preference panel allows one to change the NT Domain password and the local Address Book Card. One does not need to be a network guru to configure the product, although some basic awareness of the enterprise system configuration was required. For instance, I had to know that our enterprise is NT Domain based and my account belongs to the ACCT04 domain (the WINS IP addresses were resolved automatically).

How It Works
ADmitMac allows Macintosh users running Mac OS X v10.2.x Jaguar and up to participate in Microsoft networks by taking advantage of the directory services provided by both Active Directory and NT Directory Services. It allows administrators to manage their domain users in a consistent way without regard to what kind of computer they use (presumably this does not extend to Unix/Linux clients, though). ADmitMac lets users log into a Macintosh with their domain credentials and then have access to the files in their home directory.

To accomplish this, ADmitMac uses industry standard protocols to access Active Directory servers. Kerberos provides mutual authentication of the client and the domain controller, and the directory traffic is signed and sealed over GSS-API, which reduces the risk of disclosure, spoofing and man-in-the-middle attacks. ADmitMac automatically configures the Macintosh to use Kerberos and obtains the necessary tickets and session keys from the domain. ADmitMac works with older NT directory services as well; NT domains have no Kerberos, so there all communication with the NT domain controllers, authentication included, is performed over the SMB/CIFS protocols.

ADmitMac caches successful user login information for later use, so notebook and mobile users can continue to log in with their domain account when the Macintosh is not connected to the domain. Because that cache lives on the client's disk, the same caution applies as to cached domain logons on a Windows laptop: a lost or stolen notebook should be treated as a credential exposure.

Key Features include:

  • Suited to computer labs or corporate networks where security is a major concern
  • Caches user credentials for mobile user access when not connected to the network
  • Administrators can manage Macs in the Microsoft Windows domain - no special training needed
  • Installs on the Mac with no Active Directory schema changes required
  • Preserves user's custom desktop and documents no matter which computer they log into
  • Users can mount any shared folder they are allowed to access via Connect to Server.
  • Allows for user login with home directories located on the Macintosh client's local hard disk
  • Supports browsing for published shares
  • Provides secure access using Kerberos
  • Automatically configures Macintosh for use with Kerberos
  • Fully signed and sealed (encrypted) LDAP connections prevent disclosure of user's personal information and prevent man-in-the-middle attacks
  • Supports both the DES and RC4 Kerberos encryption types (single DES is weak by today's standards; prefer RC4 where the domain allows it)
  • Supports Windows login security restrictions
  • Allows users to easily change passwords
  • Expired and reset passwords are handled correctly when users log in to the Macintosh desktop
  • Support for DFS - home directories can be mounted using DFS
  • Print Client can access shared printers - printers may be configured by browsing the list of printers published in a domain or manually
  • Provides print client for connecting to Windows printers
  • Stores both forks of a Mac file under a single NTFS file name - does not create a second file for each Mac file
  • Works with older NT directory services
  • Offers complete interoperability with Services for Macintosh
  • Home directories may be located at a path where the user does not have access to the parent folders
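The key derivation behind the RC4 item in the list above (and the Kerberos paragraph under How It Works), as an added example in Python; this is not Thursby's code. RFC 4757 defines the rc4-hmac string-to-key function as MD4 over the UTF-16LE encoding of the password, with the salt ignored. That key is byte-for-byte the NT hash NTLM uses, which is the caveat a practitioner should carry away: whoever holds a user's NT hash holds that user's RC4 Kerberos key as well, and two users with the same password share the same key (the DES type, by contrast, salts with the realm and principal name). MD4 is implemented in pure Python because hashlib's md4 is often disabled under OpenSSL 3; the realm and principal names are made up for the example.

```python
import struct


def _md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's 'md4' is frequently unavailable."""
    mask = 0xFFFFFFFF

    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # length in bits, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                           # round 1
            aa = rol((aa + f(bb, cc, dd) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            aa = rol((aa + g(bb, cc, dd) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        for i in range(16):                           # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            aa = rol((aa + h(bb, cc, dd) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NTLM password hash: MD4 over the UTF-16LE password, no salt."""
    return _md4(password.encode("utf-16-le"))


def rc4_hmac_string_to_key(password: str, salt: str = "") -> bytes:
    """RFC 4757 string-to-key for the rc4-hmac Kerberos enctype. The salt parameter
    exists only for API symmetry with the other enctypes: RFC 4757 ignores it."""
    del salt
    return _md4(password.encode("utf-16-le"))


def keys_collide(password: str, principals: list, realm: str = "EXAMPLE.COM") -> bool:
    """True when every principal with this password ends up with the same RC4 key.
    The realm and principal names are constructed for the example."""
    keys = {rc4_hmac_string_to_key(password, realm + p) for p in principals}
    return len(keys) == 1


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("same RC4 key for alice and bob:", keys_collide("password", ["alice", "bob"]))
```

The published test vector for the NT hash of "password" (8846f7eaee8fb117ad06bdd830b7586c) is what the code reproduces, and the rc4-hmac key for the same password is identical whatever realm or principal is passed in.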

ADmitMac is tailored for multi-user, multi-computer scenarios where the administrator defines the network configuration and security.

In Use
ADmitMac works in conjunction with OS X, complementing OS X's built-in networking features. Browsing is done through the Finder's own Network browser rather than a separate ADmitMac application (the ADmitMac Network Utility in the Utilities folder is the only standalone tool).

Logging into the Domain with NT Domain credentials
ADmitMac allows the user to type the Domain user name and password into the OS X login window. ADmitMac authenticates the credentials with the NT Domain controller and the user is logged into the network. Depending on how the user account is set up, it then either mounts the user's home directory (your NT Domain H: drive) from the domain server or logs the user into the local Macintosh with a locally administered home directory. The home directory is accessible via the Finder's Go->Home menu. ADmitMac allows users to change their passwords if the password has expired or the administrator forces a change. The interaction between the client machine and the NT Domain controller is completely transparent to the user. The outward appearance is that of a usual login, and at the conclusion of the login a normal-looking desktop appears on the display.

Once the user is logged into the Domain for the first time, a folder Domain/Users/ is created at the root level of the local drive. It contains an alias to the user's home folder on the server. However, one needs to be aware that since you are logged into the Domain, the local resources of your desktop machine, such as the Desktop, Documents, Movies, Music, and Pictures folders, are not accessible, since they are actually owned by a different user. Depending on how your specific application permissions are set up, you may need to authorize the Domain account to use the local applications. It is also interesting to note that ADmitMac will create the standard OS X directory tree in the server home directory.

Home Directory
Upon user login, ADmitMac will automatically mount your home directory (your H: drive). It allows one to specify that the SMB home directory is also to function as the Mac's home directory, allowing one to log in from any Mac or PC on the network and have complete access to all of your files. This is a subtle but very important distinction between ADmitMac and OS X. Although Apple supports "SMB Home Directories," OS X merely mounts the home directory at login as it would any other network folder on the desktop. The difference between mounting your H: drive on the desktop (which is what Apple does) and treating it as the Mac's home directory is that changes to the desktop settings (views, defaults, etc.) are saved in the home directory. The home directory has a defined folder structure which ADmitMac creates on the first login and makes accessible from the Go -> Home menu; OS X simply treats it as any other server-mounted share.

Browsing
Most fundamentally, ADmitMac enables network browsing outside the local subnet. The Apple browser only works within a subnet and fails to browse larger networks. ADmitMac enhances OS X to allow browsing throughout the corporate network while supporting the latest security implementations. Browsing can be done either by launching the ADmitMac Network Utility (in the Utilities folder) or from the Finder Go->Connect to Server (Cmd-K) pull-down menu.

After hitting Cmd-K, the left-hand panel is rather rapidly filled with a list of available servers. The performance was surprisingly good considering it ran on a rather pokey 400 MHz G3.

ADmitMac works largely behind the scenes, offering a number of significant value-added services. However, in order to take advantage of all these services, the enterprise needs to migrate to Windows Server 2003 Active Directory. Since our corporate network is still based on NT Domain Services, I was not able to verify some of the ADmitMac claims or to test them in action. Nevertheless, the following features are offered:

Distributed File System (DFS)
DFS is a method for presenting shares that physically live on several servers as a single namespace, so that to the user they appear to be on the same server. Combined with replication, it provides redundancy of data and allows for load balancing. ADmitMac supports this Windows Server 2003 feature in a way that is completely transparent to the end user.

File Storage
ADmitMac takes full advantage of Microsoft's NTFS file system and stores both forks of a traditional Mac file under a single file name, using NTFS named (alternate data) streams. This is identical to how Microsoft's Services for Macintosh (SFM) stores these files and ensures compatibility between the two products. OS X, following its Unix roots, does not use this technique on SMB shares and instead writes two files on the Windows machine for each Mac file transferred: the data fork under the file's own name, and the resource fork and Finder information in a second AppleDouble file named ._name alongside it. SFM and Windows do not recognize that second file, so the two layouts are not interchangeable.
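An added example, in Python and not Thursby's or Apple's code, of the two-file layout described above: on a volume without native forks, OS X keeps the data fork in name and writes the resource fork and Finder information into an AppleDouble header file named ._name. The block builds such a file from constructed sample data, parses it back with bounds checks (a malformed ._ file pulled from an untrusted share must not be allowed to index outside the buffer), and shows where SFM keeps the same information on NTFS: named streams of the single file, name:AFP_Resource for the resource fork and name:AFP_AfpInfo for the Finder information. The file name, the type and creator codes and the resource bytes are made up.

```python
import struct

AD_MAGIC = 0x00051607            # AppleDouble header magic
AD_VERSION = 0x00020000          # AppleDouble version 2
ENTRY_RESOURCE_FORK = 2
ENTRY_FINDER_INFO = 9
HEADER_FMT = ">II16sH"           # magic, version, filler, entry count (big-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 26 bytes
ENTRY_FMT = ">III"               # entry id, offset, length
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 12 bytes


def build_appledouble(finder_info: bytes, resource_fork: bytes) -> bytes:
    """Assemble a minimal ._name file carrying Finder info (32 bytes) and a resource fork."""
    if len(finder_info) != 32:
        raise ValueError("Finder info entry must be exactly 32 bytes")
    payloads = [(ENTRY_FINDER_INFO, finder_info), (ENTRY_RESOURCE_FORK, resource_fork)]
    offset = HEADER_LEN + ENTRY_LEN * len(payloads)
    table, body = b"", b""
    for entry_id, payload in payloads:
        table += struct.pack(ENTRY_FMT, entry_id, offset, len(payload))
        body += payload
        offset += len(payload)
    return struct.pack(HEADER_FMT, AD_MAGIC, AD_VERSION, b"\0" * 16, len(payloads)) + table + body


def parse_appledouble(blob: bytes) -> dict:
    """Return {entry_id: payload}, refusing any entry whose offset/length leave the file."""
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated AppleDouble header")
    magic, version, _filler, count = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != AD_MAGIC or version != AD_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    entries = {}
    for i in range(count):
        start = HEADER_LEN + ENTRY_LEN * i
        if start + ENTRY_LEN > len(blob):
            raise ValueError("entry table runs past end of file")
        entry_id, offset, length = struct.unpack(ENTRY_FMT, blob[start:start + ENTRY_LEN])
        # Offsets come from the file, i.e. from whoever wrote the share: bounds-check them.
        if offset < HEADER_LEN or offset + length > len(blob):
            raise ValueError(f"entry {entry_id} points outside the file")
        entries[entry_id] = blob[offset:offset + length]
    return entries


def finder_type_creator(finder_info: bytes) -> tuple:
    """The first 8 bytes of FInfo are the classic four-character type and creator codes."""
    return finder_info[:4], finder_info[4:8]


def sfm_streams(name: str, entries: dict) -> dict:
    """Map the AppleDouble entries onto the NTFS named streams SFM uses for the same data.
    SFM wraps Finder info in its own small AfpInfo structure inside AFP_AfpInfo; the raw
    32 bytes are placed there here only to show the mapping, not the exact on-disk layout."""
    streams = {}
    if ENTRY_RESOURCE_FORK in entries:
        streams[f"{name}:AFP_Resource"] = entries[ENTRY_RESOURCE_FORK]
    if ENTRY_FINDER_INFO in entries:
        streams[f"{name}:AFP_AfpInfo"] = entries[ENTRY_FINDER_INFO]
    return streams


# Constructed sample: a text file with classic type/creator codes and a tiny resource fork.
SAMPLE_NAME = "report.txt"
SAMPLE_FINDER_INFO = b"TEXT" + b"ttxt" + b"\0" * 24
SAMPLE_RESOURCE = b"\x00\x00\x01\x00" + b"constructed resource fork"

if __name__ == "__main__":
    blob = build_appledouble(SAMPLE_FINDER_INFO, SAMPLE_RESOURCE)
    entries = parse_appledouble(blob)
    print("type/creator:", finder_type_creator(entries[ENTRY_FINDER_INFO]))
    print("SFM streams:", sorted(sfm_streams(SAMPLE_NAME, entries)))
```

Running it prints the type and creator codes recovered from the sidecar file and the two stream names (report.txt:AFP_AfpInfo and report.txt:AFP_Resource) under which SFM-compatible storage keeps the same data inside the single NTFS file.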

Security
ADmitMac supports NTLMv2 and SMB signing, which allows it to work with Windows Server 2003 "out of the box": Windows Server 2003 domain controllers require SMB signing by default. Because the OS X client of the time does not implement this higher level of security, a Windows Server 2003 administrator would otherwise have to lower the server's security level (relax the signing requirement and the NTLM policy) to admit Macs, giving up the greater protection Windows Server 2003 offers.

Summary
ADmitMac is a great networking product that allows Macintosh users running Mac OS X 10.2 and later to participate in Microsoft networks seamlessly and transparently. ADmitMac narrows the interoperability gap still present between OS X and Windows-based enterprise systems, it is relatively easy to install and configure, and it works as advertised. However, some of the advanced value-added services offered by ADmitMac are subtle and tend to be germane only in larger networks. These features also work to their full extent only when paired with the advanced features offered by Windows Server 2003 and Active Directory.

The most significant value-added feature of ADmitMac is the ability to log into the Domain with your network credentials, mount a server-located home directory, and browse the network. However, in normal day-to-day operations, the ability to browse the servers in an ad-hoc fashion may not be that important to everyone. Also, since you are logging into the network and not your local user account, access to the client's local resources and applications may need to be modified using Thursby's provided instructions. The bottom line is that ADmitMac delivers on providing much better integration between your Mac and a Windows network, and I strongly recommend it for every Mac user that wants to coexist with their WINTEL-based brethren in harmony.

Pros

  • Ease of configuration
  • Ability to do network login and access user's custom desktop and documents no matter which computer they log into
  • Access to shared printers - printers may be configured by browsing the list of printers published in a domain
  • Network browser
  • Good vendor support

Cons

  • Cost of a single ADmitMac license is high (comparable to the cost of OS X)
  • Some features do not work with NT Domain servers
  • Some features may be more than the average user needs


Overall Rating

4 1/2 out of 5 Mice