Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 46 Next »

Wiki Audience: UW Identity and Access Management (IAM) services customers and development partners.
Wiki Purpose: Collaboration and publishing of IAM information; supplements Identity and Access Management Services customer documentation.
Wiki Status: As of June 2009, limited use; pages and navigation under development.

Identity and Access Management Services

Planning and Background Materials

Miscellaneous Resources to Share

UWWI News - January 2013

Here's an update on recent happenings with the UW Windows Infrastructure.

New Capabilities and Improvements

  • Work to replace aging NETID domain controllers has resulted in 3 new DCs. This work included applying the WS2012 schema and also partially addressed some geo-redundant disaster recovery goals by locating a domain controller out of the Puget Sound region. Work to refresh existing WS2008R2 DCs to WS2012 continues.

  • Windows 8, Windows Server 2012, and Office 2013 license activation capabilities were added by replacing the campus KMS server.
  • The mail attribute value for all UWWI user accounts was changed to <uwnetid> to facilitate Office 365 integration, eliminate user errors, and prevent multiple users from having the same email value.
  • Work to refactor the UWWI Group Sync Agent to provide near real-time sync for all UW group changes has been completed and deployed. Notable improvements include:
    • Group Service latency to UWWI is significantly reduced
    • UWWI groups are reconciled with the Groups Service now, which self-corrects any errors on UWWI groups that might creep in
    • Course group changes are provisioned to UWWI in near-real time


  • A majority of delegated OU customers have misconfigured their computers primary DNS suffix--with greater than 90% of all computers misconfigured. This problem subtly affects functionality, most notably reducing negotiated security levels. A separate announcement will include more details on this issue and plans to address it.
  • A project to decommission the UW Forest by mid-February 2013 continues. All remaining domains are in the process of domain migrations either to a delegated OU or to a new Windows forest, and all are making good progress.
  • Since June, UWWI has added: 10 delegated OUs (62 total), 1 trusts (54 total), ~1100 computers (5600 total), ~17k users (579k total).

  • UWWI support requests remain steady. 119 UWWI support tickets resolved since June (vs. 122 in prior period).
  • UWWI supports all the new types of institutional groups being piloted in the Groups Service: by degree level, class standing, curriculum, etc.
  • You can see metrics about UWWI at

What's Next

Our objectives for the months ahead include:

  • Continued support of the university-wide Business Continuity Initiative by creating geo-redundancy continuity plans for UWWI NETID domain services.
  • Continued support of the Office 365 project and the UW Exchange service as it integrates the UWWI NETID domain services with an Office 365 deployment.
  • Continue to investigate how Active Directory Federation Services (ADFS) integrates into our overall authentication architecture for customers. 
  • Invest in changes needed for Unix integration.
  • Support UW-IT effort to investigate SCCM 2012 delegation features to enable OU customers to deploy SCCM for computer management within the NETID domain. 

Your Feedback 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

The UWWI service has a backlog visible to customers at where you can get more details about possible improvements, current prioritization of that work, and even what we've been doing. You can "vote" for items in the backlog to help us rank priorities, or you can contact us via

Weblogin Changes

This post summarizes several changes concerning the UW weblogin service.

1. Mobile-friendly weblogin release on December 18th

On Tuesday, December 18, we plan to deploy a more mobile-friendly version
of the current user interface for the "weblogin" service. This update
preserves the current look-and-feel of its web design, but makes it more
responsive to the kinds of devices and browsers in use today.

To review the design go to

To provide feedback and/or to test it on one of your registered Pubcookie
service provider websites, email

2. Weblogin now using an InCommon certificate

On Tuesday, November 13, the SSL website certificate for the weblogin
service was changed to one issued by the InCommon CA. Apologies for the
postprandial notification. We had a lot of confidence this wouldn't impact
you as customers, nor impact all of our end users. Yet, the change
surprised some folks and I plan to do better with notifications next time.

3. Pubcookie keyserver now trusts InCommon CA

You can now use a certificate issued by the InCommon CA to authenticate
your keyclient connections to the Pubcookie keyserver. Previously, the
keyserver only trusted the UW Service CA and Thawte CA. Now you can obtain
a certificate from InCommon and use it for website SSL and with the
Pubcookie keyclient.

4. Changes to UW Shibboleth IdP metadata

For folks integrating with the weblogin service using Shibboleth service
provider software, you may have received an email on November 29th
(Subject: Changes to U of Washington Shibboleth IdP) notifying registered
contacts about changes to the X.509 certificates used by the UW Shibboleth
IdP and published in the UW IdP metadata. Per the email, action may be
required by Tuesday, January 22. Please review that email if you received
it, and email questions to with a subject line of "IdP
certificate change".

Just posted this to the group-discuss list:

Subject: GID proposal: random, immutable values, above 65, 535

Over the last year, we've had several spurty discussions about adding GIDs to UW groups to help integrate linux systems via UWWI delegated OUs.

We'd like to add this feature during our next groups 2.1.6 release, and need your feedback on the proposed strategy documented in our wiki:

In summary:

We're recommending a design based on random, immutable integer values greater than 65,535 that are assigned at the time a UW group is created.

For existing UW groups, we'll assign a random value within the allowed range.

We developed this strategy thru discussions with Kris and Matt in Statistics, as well as a few others inside and outside of UW-IT.

By October 15th, we'd apprecicate some additional eyes, scrutiny and comments on the proposal.

  • No labels