Ten most common mistakes with AD FS and Hybrid Identity
Sander Berkouwer, MVP, DirTeam.com
Agenda
- Federation: a small primer on the open protocols used today for federating identity and achieving hybrid identity
- Most common mistakes when planning, deploying and operating AD FS, and how to avoid them to get the most out of hybrid identity
Federation: on claims, identity providers and relying party trusts
Why we need federation
- NTLM and Kerberos
  - Kerberos (1993) was designed for safe networks
  - NTLM and Kerberos have serious problems
- Active Directory
  - Active Directory domain memberships are typically Windows-only
  - Domain trusts leak information and scale badly
- Granular, device-agnostic authentication
  - We need device-agnostic, open protocols, designed for the web
  - We need multi-factor authentication
[Diagram: Under the hood. Components: Colleague, Claims-aware App, Active Directory Federation Services (acting as STS), Active Directory Domain Services; numbered arrows show the claim flow between them.]
[Diagram: Behind the Hybrid Identity mist. On premises: Colleague, Active Directory Domain Services, Active Directory Federation Services, Azure AD Sync. Internet: Azure Active Directory, Azure Active Directory integrated Application. AD FS and Azure Active Directory are linked by an Active Directory Federation Trust (WS-FED); numbered arrows show the sign-in flow.]
Federation benefits
- SAML and OAuth2 are Internet-ready
  - Transport over the Universal Firewall Bypass Protocol (TCP 443)
  - Tickets are compressed, optionally encrypted
- Relying Party trusts are very flexible
  - Ticket content and authentication are defined per RPT
  - Relying party trusts are flexible and scalable
- Multi-factor authentication
  - AD FS in Windows Server 2012 R2 is extensible
  - Extensions are configurable per relying party trust, per network
Common mistakes and how to avoid them
1. Planning for AD FS when you don't need it
- Some organizations need their own AD FS infrastructure
  - Local authentication requirements (legal, multi-factor auth)
  - Local authentication possibilities (claims issuance, transformation)
- Azure Active Directory with Password Sync
  - 2500+ SaaS apps in the Azure Active Directory App Gallery
  - Easily configure Single Sign-On and user account management
- Azure Active Directory
  - Azure Active Directory Free may contain up to 500,000 accounts
  - Federating with up to 5 apps is free
  - Online accounts may suffice
Who uses AD FS, and who doesn't?
2. Building upon an unhealthy Active Directory
- Attribute integrity and lingering objects
  - Objects and attributes present on some Domain Controllers, not on others
  - Resulting in unpredictable AD FS authentication
- Private top-level domains
  - DNS domain names for domains ending with .local, .int
  - User Principal Name (UPN) suffix needs to be added and changed
- UPN syntax mismatches
  - Critical for solutions with Directory Sync Tool / Azure AD Sync
  - Use the IdFix DirSync Error Remediation Tool
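The UPN checks behind this slide, written out as an added example (not the presentation's or IdFix's own code) so they can run before IdFix and Azure AD Sync. It assumes the ActiveDirectory module; $VerifiedSuffixes is a placeholder for the custom domains verified in your Azure AD tenant.

```powershell
# Added example, not from the presentation. Assumes the ActiveDirectory module;
# $VerifiedSuffixes is a placeholder for the domains verified in Azure AD.
Import-Module ActiveDirectory

$VerifiedSuffixes = @('contoso.com', 'contoso.net')   # placeholder values
$PrivateTlds      = '\.(local|int|lan|corp)$'          # .local/.int per the slide, plus two common ones

# Forest-level view: suffixes users can be given that Azure AD will never accept.
$forest = Get-ADForest
$forestSuffixes = @($forest.Domains) + @($forest.UPNSuffixes) |
    ForEach-Object { $_.ToLower() } | Select-Object -Unique
$unverified = $forestSuffixes | Where-Object { $VerifiedSuffixes -notcontains $_ }
if ($unverified) {
    Write-Warning "Forest UPN suffixes not verified in Azure AD: $($unverified -join ', ')"
}

# Per-user view: classify one UPN; $null means it will sync cleanly.
function Get-UpnProblem {
    param([string]$Upn)
    if (-not $Upn)                                   { return 'No UPN set' }
    if ($Upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { return 'Malformed UPN' }
    $suffix = $Upn.Split('@')[-1].ToLower()
    if ($suffix -match $PrivateTlds)                 { return 'Non-routable suffix' }
    if ($VerifiedSuffixes -notcontains $suffix)      { return 'Suffix not verified in Azure AD' }
    return $null
}

# Every enabled user that would reach Azure AD with a wrong or missing UPN.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail |
    ForEach-Object {
        $problem = Get-UpnProblem $_.UserPrincipalName
        if ($problem) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                Mail              = $_.mail
                Problem           = $problem
            }
        }
    }

$report | Sort-Object Problem, SamAccountName | Format-Table -AutoSize
```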
3. Misconfiguring the AD FS service account
- Password changes, security implications
  - AD FS is usually Internet-facing, so it benefits from extra security
  - We want regular password changes, host restrictions, etc.
- Group Managed Service Accounts (gMSAs)
  - gMSAs solve the service account problem for farms; AD FS supports them
  - gMSAs offer automatic SPN and password management
- Windows Server 2008 DFL
  - The 2008 Domain Functional Level offers automatic SPN management
  - Windows 8 and Windows Server 2012 (and up) offer cmdlets
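Putting a new AD FS farm on a gMSA end to end, as an added example (not code from the presentation). It assumes Windows Server 2012 R2 with the ActiveDirectory, KDS and ADFS modules, and placeholder names (the CONTOSO forest, servers ADFS01/ADFS02, service name sts.contoso.com).

```powershell
# Added example, not from the presentation. Placeholder names throughout:
# CONTOSO forest, ADFS01/ADFS02 farm members, sts.contoso.com service name.

# 1. One KDS root key per forest. Backdating by 10 hours skips the replication
#    wait and is a lab shortcut only; in production use the default and wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Only the farm members may retrieve the managed password, so group them.
New-ADGroup -Name 'ADFS-Servers' -GroupScope Global `
    -Path 'OU=Service Groups,DC=contoso,DC=com'            # placeholder OU
Add-ADGroupMember -Identity 'ADFS-Servers' `
    -Members (Get-ADComputer 'ADFS01'), (Get-ADComputer 'ADFS02')

# 3. The account itself. The HOST SPN for the federation service name is what
#    internal clients need for Kerberos sign-on, so no manual setspn afterwards.
New-ADServiceAccount -Name 'gMSA-ADFS' `
    -DNSHostName 'sts.contoso.com' `
    -ServicePrincipalNames 'host/sts.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADFS-Servers'

# 4. On each federation server, after a reboot so the computer's token carries
#    the new group membership: cache the account and prove the password is retrievable.
Install-ADServiceAccount -Identity 'gMSA-ADFS'
if (-not (Test-ADServiceAccount -Identity 'gMSA-ADFS')) {
    throw 'gMSA password not retrievable on this host; check group membership and the KDS key.'
}

# 5. The first node creates the farm with the gMSA; further nodes join with
#    Add-AdfsFarmNode and the same -GroupServiceAccountIdentifier.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object Subject -like '*sts.contoso.com*' |
          Select-Object -First 1).Thumbprint
Install-AdfsFarm -CertificateThumbprint $thumb `
    -FederationServiceName 'sts.contoso.com' `
    -FederationServiceDisplayName 'Contoso STS' `
    -GroupServiceAccountIdentifier 'CONTOSO\gMSA-ADFS$'
```

Because the password is rotated by the domain, there is nothing to put in a password vault and no scheduled password change to forget.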
4. Not designing the right AD FS infrastructure
- AD FS server farms
  - AD FS can easily be deployed highly available, with Windows NLB
  - AD FS Proxies / Web Application Proxies deployed in perimeter networks
- Windows Internal Database or SQL Server
  - A WID farm has a limit of five federation servers, only the master is writable, and it does not support token replay detection or artifact resolution
- SQL Server high availability
  - Take advantage of your existing SQL Server investments
  - Take advantage of database mirroring, failover clustering and monitoring
5. Letting time take its toll on your AD FS
- Time sync within an Active Directory environment
  - W32time follows the Active Directory hierarchy and sites configuration
  - Set the time for an environment through the PDCe
- Time sync within virtual machines
  - Virtual machines always sync time with the host on boot
  - Continuous time sync is configured with VMware Tools, Hyper-V Integration Components, etc.
- Time sync within perimeter networks
  - Could be virtual machine time sync, could be an external source
  - Will be none, if you don't configure it
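The three time-sync zones from this slide configured and then verified, as an added example (not code from the presentation). NTP peer names, the VM name and the skew limit are placeholders; run each section on the machine named in its comment.

```powershell
# Added example, not from the presentation. Peer names, VM name and skew limit
# are placeholders; each section runs on the machine named in its comment.

# --- Forest root PDC emulator: the one box that takes time from outside.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
             /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync

# --- Domain-joined servers, AD FS farm members included: follow the domain
#     hierarchy and drop any manual peer list an image template left behind.
w32tm /config /syncfromflags:domhier /update
Restart-Service w32time

# --- Hyper-V host: a guest that follows the domain hierarchy should not also be
#     nudged by the host every few seconds, so switch that integration service
#     off for it (the one-time sync at boot still happens).
Disable-VMIntegrationService -VMName 'ADFS01' -Name 'Time Synchronization'

# --- Web Application Proxy in the perimeter network, not domain-joined: nothing
#     syncs it unless you say so, so point it at an internal NTP source.
w32tm /config /manualpeerlist:"ntp.contoso.com,0x8" /syncfromflags:manual /update
Restart-Service w32time

# --- Verification (any machine): read the source and offset w32tm reports and
#     fail when the clock is not synchronizing or drifts beyond the limit.
function Test-TimeOffset {
    param([double]$MaxSkewSeconds = 60)
    $status = w32tm /query /status
    $offset = ($status | Where-Object { $_ -match 'Phase Offset' }) -replace '[^0-9\.\-]', ''
    $source = ($status | Where-Object { $_ -match '^Source' }) -replace '^Source:\s*', ''
    if ($source -match 'Local CMOS Clock|Free-running') {
        throw "Not synchronizing at all (source: $source)"
    }
    if ([math]::Abs([double]$offset) -gt $MaxSkewSeconds) {
        throw "Clock is off by $offset s from $source (limit $MaxSkewSeconds s)"
    }
    "OK: $offset s from $source"
}
Test-TimeOffset
```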
6. Certificate distrust and distress
- Three non-CNG certificates in use by AD FS
  - Token-signing and token-decryption certificates (internally)
  - Service communication certificate (externally)
- Certificates with 1024-bit key length
  - Certificates under 1024-bit key length are blocked
  - Request and use certificates with 2048-bit key length in the chain
- Certificates with SHA-1 hash algorithm
  - SHA-1 is deprecated in most browsers and operating systems
  - Request and use certs with SHA-2 hash algorithms throughout the chain
7. Forgetting about Device Registration in certs
- AD FS in Windows Server 2012 R2
  - Many new features! Workplace Join
- Workplace Join
  - Device-agnostic silent Single Sign-On (SSO)
  - Employees verify devices, enroll a certificate, get a cookie
- EnterpriseRegistration
  - Workplace Join AutoDiscover requires a DNS record per UPN suffix
  - Use enterpriseregistration.domain.tld as Subject Alternative Name
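One audit covering both the certificate problems of slide 6 and the Device Registration requirements of slide 7, as an added example (not code from the presentation). It assumes the ADFS, ActiveDirectory and DnsClient modules on a 2012 R2 federation server; the CNG test is a heuristic (a CNG-stored key shows HasPrivateKey without a legacy PrivateKey object), and UPN suffixes are read from the forest rather than hard-coded.

```powershell
# Added example, not from the presentation. CNG detection below is a heuristic.
Import-Module ADFS, ActiveDirectory, DnsClient

# Every UPN suffix a user may sign in with needs enterpriseregistration.<suffix>.
$forest   = Get-ADForest
$suffixes = @($forest.Domains) + @($forest.UPNSuffixes) | Select-Object -Unique
$sanNames = $suffixes | ForEach-Object { "enterpriseregistration.$_" }

$findings = @(foreach ($c in Get-AdfsCertificate) {
    $x   = $c.Certificate
    $tag = "$($c.CertificateType) $($x.Thumbprint)"

    # Key length: under 1024 bits is blocked; 2048 bits is the floor to ask for.
    $keySize = $x.PublicKey.Key.KeySize
    if ($keySize -lt 2048) { "$tag : key length $keySize bits (want 2048+)" }

    # Hash algorithm for the leaf and every intermediate. A self-signed root's
    # own signature is never validated, so the last chain element is skipped.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($x)
    $els = @($chain.ChainElements)
    for ($i = 0; $i -lt $els.Count - 1; $i++) {
        $sig = $els[$i].Certificate.SignatureAlgorithm.FriendlyName
        if ($sig -match 'sha1|md5') { "$tag : chain element $i signed with $sig (want SHA-2)" }
    }

    # AD FS cannot use CNG/KSP private keys; the key must live in a legacy CSP.
    if ($x.HasPrivateKey -and -not $x.PrivateKey) { "$tag : private key looks like CNG/KSP" }

    # Only the externally facing service communication cert must carry the SANs.
    if ($c.CertificateType -eq 'Service-Communications') {
        $sanExt  = $x.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        foreach ($n in $sanNames) {
            if ($sanText -notmatch [regex]::Escape($n)) { "$tag : missing SAN $n" }
        }
    }
})

# Workplace Join AutoDiscover: a DNS record per UPN suffix (CNAME or A) that
# resolves to the federation service.
$findings += @(foreach ($n in $sanNames) {
    if (-not (Resolve-DnsName $n -Type A -ErrorAction SilentlyContinue)) { "DNS : no record for $n" }
})

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'All AD FS certificate and Device Registration checks passed' }
```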
8. Windows updates, anyone?
- AD FS is regularly updated on Patch Tuesdays
  - Security updates, like MS15-062
  - Scalability and stability updates, but also security updates
- AD FS uses Windows Update
  - AD FS updates don't require you to configure Microsoft Update, but AD FS updates only light up after installing the server role
- Wait or test, then deploy updates
  - Wait two weeks before deploying updates, or deploy updates to a test network before production (difficult, I know)
9. Overlooking the Best Practices Analyzers
- Best Practices Analyzers
  - Part of Server Manager in Windows Server 2008 R2 and up
  - Avoid 90% of situations that result in data or functionality loss
- AD FS Best Practices Analyzer
  - Checks the Active Directory Federation Service
  - Will be updated with additional checks in the future
- Other BPAs of use
  - Active Directory Domain Services Best Practices Analyzer
  - Active Directory Certificate Services Best Practices Analyzer
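Running the AD FS, AD DS and AD CS analyzers from the slide unattended, as an added example (not code from the presentation). It assumes the BestPractices module; the model IDs are discovered with Get-BpaModel, so the name fragments matched against them are an assumption about how Microsoft names those models.

```powershell
# Added example, not from the presentation. The name fragments in $ModelPattern
# are assumptions; Get-BpaModel shows the real model IDs installed on a server.
Import-Module BestPractices

function Invoke-RoleBpa {
    param([string]$ModelPattern = 'ADFS|DirectoryServices|CertificateServices')

    $models = Get-BpaModel | Where-Object { $_.Id -match $ModelPattern }
    if (-not $models) { throw "No BPA model matches '$ModelPattern'; is the role installed here?" }

    foreach ($m in $models) {
        Invoke-BpaModel -ModelId $m.Id | Out-Null      # runs the checks and stores results
        Get-BpaResult -ModelId $m.Id |
            Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
            Select-Object @{ n = 'Model'; e = { $m.Id } }, Severity, Category, Title, Problem, Resolution
    }
}

$results = @(Invoke-RoleBpa)
$results | Sort-Object Severity, Model | Format-List Model, Severity, Title, Problem, Resolution
# Non-zero exit makes the script usable as a scheduled task that fails loudly.
if ($results | Where-Object Severity -eq 'Error') { exit 1 }
```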
10. Processes, processes, processes
- Monitoring of the AD FS service
  - Check the availability and/or usage of the AD FS infrastructure
  - Use System Center Operations Manager (with GSM), Operations Management Suite and/or Azure AD Connect Health for Federation
- Auditing of the AD FS service
  - AD FS offers built-in auditing and logging of errors and warnings
  - Auditing of claims issuance
  - Logging of success and failure audits
  - Log suspicious or unintended activity
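Turning on the success and failure audits this slide refers to and summarizing them, as an added example (not code from the presentation). It assumes Windows Server 2012 R2 with the ADFS module; the event IDs in $known, the 'AD FS Auditing' provider name, the 24-hour window and the failure threshold are all assumptions.

```powershell
# Added example, not from the presentation. Event IDs, provider name, window and
# threshold are assumptions; adjust them to what your Security log shows.
Import-Module ADFS

# 1. Windows side: the AD FS service account needs the "Generate security audits"
#    user right (set by GPO), and the Security log must accept this subcategory.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 2. AD FS side: add the audit levels without dropping whatever is already on.
$levels = @((Get-AdfsProperties).LogLevel) + @('SuccessAudits', 'FailureAudits') |
    Select-Object -Unique
Set-AdfsProperties -LogLevel $levels

# 3. Summarize the audits: counts per event ID, plus a simple alert rule.
function Get-AdfsAuditSummary {
    param([int]$Hours = 24, [int]$FailureThreshold = 100)

    $known = @{
        299  = 'Token issued'
        324  = 'Token issuance not authorized'
        411  = 'Token validation failed'
        1200 = 'Valid token issued'
        1203 = 'Credential validation failed'
    }
    $filter = @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $summary = $events | Group-Object Id | ForEach-Object {
        $id = [int]$_.Name
        [pscustomobject]@{
            Id      = $id
            Meaning = if ($known.ContainsKey($id)) { $known[$id] } else { 'other' }
            Count   = $_.Count
        }
    }
    # A spike in failures is the "suspicious or unintended activity" worth a look.
    $failures = @($events | Where-Object { $_.Id -in 324, 411, 1203 }).Count
    if ($failures -gt $FailureThreshold) {
        Write-Warning "$failures failed AD FS sign-in/token attempts in the last $Hours h; review the Security log"
    }
    $summary | Sort-Object Count -Descending
}

Get-AdfsAuditSummary | Format-Table -AutoSize
```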
Concluding
Avoid these mistakes and you'll be fine
1. Don't plan for and build AD FS when you don't need to
2. Don't implement Hybrid Identity upon an unhealthy Active Directory
3. Use gMSAs instead of ordinary service accounts for AD FS
4. Design the right infrastructure; pick the right database and plan for HA
5. Take care of adequate time synchronization
6. Use non-CNG certificates with 2048+ bit key length and a SHA-2 algorithm
7. Don't forget to plan for Device Registration
8. Don't forget to install Windows Updates
9. Don't forget to use the built-in Best Practices Analyzers once in a while
10. Monitor, audit and back up the AD FS infrastructure
Rules of thumb
- AD FS is an extension to Active Directory
  - Make sure Active Directory is healthy; run IdFix
  - Rename, migrate or restructure .local domains
- Plan your AD FS implementation
  - Set requirements, plan accordingly, deploy securely
  - Take care of adequate time synchronization
- Don't forget to manage AD FS
  - Use the built-in Best Practices Analyzers (BPAs)
  - Take care of monitoring, auditing and backup
Thank you!