DATACENTER MANAGEMENT - Goodbye ADFS, Hello Modern Authentication! (Osman Akagunduz)


Osman Akagunduz, Consultant @ InSpark (Microsoft Country Partner of the Year). Twitter: @Osman_Akagunduz

What's in this session
- The role of Azure AD
- Identity basics
- Authentication options
- Decision chart
- Summary

Session objectives & takeaways
Session objectives:
- Overview of authentication methods for Azure AD
- How to apply these solutions effectively
Key takeaways:
- Solid understanding of authentication solutions
- Choose the right authentication method
- How to adopt it in your organization

The old sign-on curve (chart: value against complexity). Points on the curve, from low to high complexity: Cloud-only accounts; AAD Connect + PHS; AAD Connect + AD FS.

Today's sign-on curve (chart: value against complexity). Points on the curve: Cloud-only accounts; AAD Connect + PHS; AAD Connect + PHS and SSO; AAD Connect + PTA and SSO; AAD Connect + AD FS.

But first Why is this so important?

- It is the first important decision
- It is the foundation of your infrastructure
- It used to be hard to change; today it is easy

The role of Azure AD

Today's identity challenges

Azure AD to the rescue! (diagram: Microsoft Azure Active Directory in the middle, connected to commercial IdPs, customers, partners, public cloud/Azure and consumer IdPs; Windows Server Active Directory connected to it through Azure AD Connect)

Identity basics

Must know about identity
- Cloud identity: manage your user accounts in Azure AD only.
- Synchronized identity: synchronize your on-premises directory with Azure AD and manage your users on-premises.
- Federated identity: synchronize on-premises directory objects with Azure AD and manage your users on-premises; authenticate with federation servers on-premises or with a third-party IDaaS.

Azure AD Connect
- AD Connect replaces the earlier tools, and upgrades from them are possible: DirSync, Azure AD Sync, FIM and the Azure AD Connector
- More than just a synchronization engine
- Manages user sign-in options
- Write-back for passwords, devices and groups
- Tools to support AD FS: a simple UI experience to update AD FS SSL certificates, fix the trust, and test logins
- Azure AD Connect Health agent, which reports status to the Azure AD Connect Health Portal

Authentication Options

Authentication options: more options than ever before!

Password Hash Sync
- Pros: cloud-based authentication with the same password as on-premises. Quickest and easiest to deploy. Seamless SSO. Can be used alongside PTA and ADFS.
- Cons: disabling or editing a user on-prem needs a sync cycle to complete.

Pass-through Authentication
- Pros: cloud-based authentication with password validation on-prem. Minimal on-prem footprint. Seamless SSO.
- Cons: legacy Office clients are not supported.

Federated Identity
- Pros: Windows Integrated Desktop SSO, certificate-based authentication, 3rd-party MFA integration.
- Cons: on-premises deployment. DMZ deployment.

3rd-Party Federated
- Pros: 3rd-party tools and services pretested for basic auth scenarios with WS-Fed.
- Cons: only basic scenarios. Second directory store in the cloud. Multiple support channels. Provisioning only via PowerShell and the Graph API.

Identity + Password (Hash) sync (diagram): the on-premises identity and password hash are synchronized to Microsoft Azure Active Directory, and Azure Active Directory authenticates the user.

Identity + Password (Hash) sync: how the hash travels (diagram)
- On-premises AD holds the password as an MD4 hash: MD4(password)
- Azure AD Connect reads that hash over RPC and adds a salt: salt + MD4(password)
- The synced value is derived as SHA256(salt + MD4(password), 1000), i.e. 1000 iterations
- The result is sent over TLS 1.2 to the Azure Active Directory Core Store
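An added illustration of the derivation sketched on this slide; it is not code from the session or from Azure AD Connect. The MD4 step is the NT hash that AD stores; the slide's SHA256(salt + MD4(password), 1000) is modelled as PBKDF2-HMAC-SHA256 with 1000 iterations over a per-user salt, and the hex/UTF-16LE expansion of the 16-byte hash follows Microsoft's public description (both are assumptions, since the exact wire encoding is not on the slide). The point a defender cares about: the value that reaches the cloud is neither the password nor the NT hash.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# MD4 (RFC 1320) in pure Python: hashlib.new("md4") is often unavailable under
# OpenSSL 3 without the legacy provider, and AD's NT hash is MD4.
_SHIFTS = [[3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15]]
_ORDER = [list(range(16)),
          [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
          [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]]
_CONST = [0, 0x5A827999, 0x6ED9EBA1]
_MIX = [lambda x, y, z: (x & y) | (~x & z),
        lambda x, y, z: (x & y) | (x & z) | (y & z),
        lambda x, y, z: x ^ y ^ z]

def _rotl(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    # Pad to 56 mod 64 bytes, then append the bit length as little-endian 64-bit.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for r in range(3):
            for i in range(16):
                a = _rotl(a + _MIX[r](b, c, d) + x[_ORDER[r][i]] + _CONST[r], _SHIFTS[r][i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the old d
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """What on-premises AD stores and what AD Connect reads over RPC: MD4 of UTF-16LE."""
    return md4(password.encode("utf-16le"))

def phs_derive(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Slide: SHA256(salt + MD4(password), 1000). Modelled here (assumption) as
    PBKDF2-HMAC-SHA256, 1000 iterations, over the 16-byte hash expanded to its
    32-char hex string re-encoded as UTF-16LE (64 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", nt.hex().encode("utf-16le"), salt, iterations)

def sync_user(password: str, salt: Optional[bytes] = None) -> dict:
    """What crosses the TLS 1.2 link in the diagram: a per-user 10-byte salt plus the
    derived hash. Neither the password nor the raw NT hash leaves the premises."""
    salt = os.urandom(10) if salt is None else salt
    return {"salt": salt, "cloud_hash": phs_derive(nt_hash(password), salt)}

def verify_cloud(attempt: str, record: dict) -> bool:
    """Cloud-side verification (assumed shape): derive again and compare in constant time."""
    return hmac.compare_digest(phs_derive(nt_hash(attempt), record["salt"]), record["cloud_hash"])

if __name__ == "__main__":
    rec = sync_user("Summer2018!")  # constructed sample password
    print(nt_hash("Summer2018!").hex(), rec["cloud_hash"].hex(), verify_cloud("Summer2018!", rec))
```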

Seamless Single Sign-On (Azure AD with on-premises Active Directory)
- Easy to integrate
- Easy to administer
- Great user experience
- Works with Password Hash Sync and Pass-through Authentication
- Supports Alternate Login ID
- No additional on-premises infrastructure
- Register non-Windows 10 devices without AD FS
- SSO experience from domain-joined devices within your corpnet

Seamless Single Sign-On flow (diagram: app, Azure AD, and on-premises Active Directory with a domain-joined device)
1. The user attempts to sign in to the app from a domain-joined device.
2. The user is redirected to Azure AD for sign-in.
3. Azure AD sends a Kerberos ticket challenge.
4. The browser requests a Kerberos ticket from AD.
5. AD returns the Kerberos ticket.
6. The browser forwards the Kerberos ticket to Azure AD.
7. Azure AD decrypts the Kerberos ticket and completes the sign-in process.
8. If sign-in is successful, the user accesses the app.

Implement PHS + SSO

Client configuration
- Intranet zone: https://autologon.microsoftazuread-sso.com
- Intranet zone: https://aadg.windows.net.nsatc.net

Network requirements
- URL filtering isn't configured for [pass-through]: *.msappproxy.net (HTTPS on port 443)
- SSL inspection: Disabled

Supported clients (OS \ browser: Internet Explorer, Chrome, Firefox, Edge, Safari; cells that were check marks on the slide did not survive the transcription, so only the text cells are listed)
- Windows 10: Edge not supported; Safari N/A
- Windows 8.1: Edge N/A; Safari N/A
- Windows 8: Edge N/A; Safari N/A
- Windows 7: Edge N/A; Safari N/A
- Mac: Internet Explorer N/A; Edge N/A; Safari not supported
- Firefox requires separate configuration: https://liquidstate.net/enabling-ntlm-authentication-single-sign-on-in-firefox/

Demo: Password Sync + Seamless Sign-On

Pass-through authentication (Azure AD; on-premises AuthN agents in front of Active Directory)
Great user experience
- Same passwords for cloud-based and on-premises apps
- Integrated with Self-Service Password Reset
Secure and compliant
- Passwords remain on-premises
- No DMZ and no inbound firewall requirements
- Integrated with Smart Lockout, Identity Protection and Conditional Access
Easy to deploy & administer
- Agent-based deployment
- High availability out-of-the-box
- No complex on-premises deployments or network config
- Zero management overhead

Pass-through Authentication flow (diagram: app, Azure AD, and on-premises AuthN Agent with Active Directory; identities are synchronized beforehand using Azure AD Connect)
1. The user attempts to sign in to the app.
2. The user is sent to Azure AD for sign-in.
3. The user provides credentials.
4. Azure AD encrypts the credentials with the agent's public key and queues the request.
5. The AuthN Agent picks up the queued request.
6. The agent decrypts the credentials with its private key.
7. The agent validates the credentials with AD.
8. AD responds to the agent.
9. The agent responds to Azure AD.
10. Azure AD completes the sign-in.
11. If sign-in is successful, the user accesses the app.

Implement PTA + SSO

Network requirements
- URL filtering isn't configured for [pass-through]: *.msappproxy.net (HTTPS on port 443), *.servicebus.windows.net
- SSL inspection: Disabled

Outbound ports
- 80: Enables outbound HTTP traffic for security validation such as SSL certificate revocation lists.
- 443: Enables user authentication against Azure AD.
- 8080/443: Enables the Connector bootstrap sequence and Connector automatic update.
- 9090: Enables Connector registration (required only for the Connector registration process).
- 9091: Enables Connector trust certificate automatic renewal.
- 9352, 5671: Enables communication between the Connector and the Azure AD service for incoming requests.
- 9350: [Optional] Enables better performance for incoming requests.
- 10100-10120: Enables responses from the Connector back to Azure AD.

Demo: Pass-through Authentication + Seamless Sign-On

Why ADFS?
- SSO with Edge
- Certificate/smartcard-based authentication
- Login with sAMAccountName
- Authentication requirements not natively supported by Azure AD
- On-prem MFA Server
- 3rd-party MFA provider

Demo: Convert from Federated to PHS/PTA + SSO

Decision Chart (Microsoft)

Known issues: Seamless Sign-On
- In a few cases, enabling Seamless SSO can take up to 30 minutes.
- If you disable and re-enable Seamless SSO on your tenant, users will not get the single sign-on experience until their cached Kerberos tickets, typically valid for 10 hours, have expired.
- Edge browser support is not available.
- If Seamless SSO succeeds, the user does not get the opportunity to select "Keep me signed in". Because of this, SharePoint and OneDrive mapping scenarios don't work.
- Office clients below version 16.0.8730.xxxx don't support non-interactive sign-in with Seamless SSO. On those clients, users must enter their usernames, but not their passwords, to sign in.
- Seamless SSO doesn't work in private browsing mode in Firefox.
- Seamless SSO doesn't work in Internet Explorer when Enhanced Protected Mode is turned on.
- Seamless SSO doesn't work in mobile browsers on iOS and Android.
- If a user is a member of too many groups in Active Directory, the user's Kerberos ticket will likely be too large to process, and Seamless SSO fails. Azure AD HTTPS requests can carry headers of at most 16 KB; Kerberos tickets need to be much smaller than that to leave room for other Azure AD artifacts such as cookies. The recommendation is to reduce the user's group memberships and try again.
- If you're synchronizing 30 or more Active Directory forests, you can't enable Seamless SSO through Azure AD Connect. As a workaround, you can manually enable the feature on your tenant.
- Adding the Azure AD service URL (https://autologon.microsoftazuread-sso.com) to the Trusted sites zone instead of the Local intranet zone blocks users from signing in.

Summary

Summary: feature comparison of PHS + SSSO, PTA + SSSO and ADFS (cells that were check marks on the slide did not survive the transcription, so only the text cells are listed)
- Authentication against credentials held on-premises: PHS No
- Single Sign-On
- Passwords remain on-premises: PHS Salted hash synced
- On-premises MFA solution: PHS No; PTA No
- Azure AD MFA
- On-premises password policies: PHS Partial
- On-premises account enable/disable: PHS Delayed (30 mins)
- On-premises password lockout: PHS No
- Conditional access: PHS ++; PTA ++
- Credentials captured from the user via the Azure AD UI: ADFS No
- Protection against on-premises account lockout: PHS N/A; PTA Smart Lockout; ADFS Extranet Lockout
- Cost of implementation: PHS Low; PTA Medium; ADFS High
- Scalability/fault tolerance: PHS Cloud scalability; PTA Cloud scalability; ADFS Complex, requires an HA solution
- AuthN fails for remote workers if the on-premises Internet connection is down: PHS No
- On-going maintenance for authentication: PHS None; PTA Limited
- Azure AD Connect Health monitoring
- Azure AD Identity Protection (requires P2 license)
- SSL certificate management: PHS No; the remaining text cells on the slide read "Automated" and "Not integrated"

Recommendations
New customers
- Use cloud authentication (PTA or PHS)
- Leverage conditional access and Azure AD MFA
Existing customers with AD FS
- Re-evaluate the need for ADFS
- Keep AD FS for authentication if it meets all your requirements
- If you use AD FS for authentication to apps, switch to Azure AD Application Proxy
Existing customers with PTA or PHS
- Enable Seamless SSO: it is simple to deploy and immediately enhances the sign-in experience for your users
- Implement domain_hint for custom apps

Resources
- Choosing the right authentication method (article): http://aka.ms/auth-options
- Migration guides: http://aka.ms/aadauthmigrate
- Hybrid Identity Digital Transformation Framework: http://aka.ms/aadframework
- Deployment wizard: https://aka.ms/aadconnectwiz

Decision Table (Appendix), part 1. Columns: Password hash synchronization + Seamless SSO | Pass-through Authentication + Seamless SSO | Federation with AD FS

Where does authentication happen?
- PHS + Seamless SSO: In the cloud
- PTA + Seamless SSO: In the cloud, after a secure password verification exchange with the on-premises authentication agent
- Federation with AD FS: On-premises

What are the on-premises server requirements beyond the provisioning system (Azure AD Connect)?
- PHS + Seamless SSO: None
- PTA + Seamless SSO: One server for each additional authentication agent
- Federation with AD FS: Two or more AD FS servers; two or more WAP servers in the perimeter/DMZ network

What are the requirements for on-premises Internet and networking beyond the provisioning system?
- PHS + Seamless SSO: None
- PTA + Seamless SSO: Outbound Internet access from the servers running authentication agents
- Federation with AD FS: Inbound Internet access to the WAP servers in the perimeter; inbound network access to the AD FS servers from the WAP servers in the perimeter; network load balancing

Is there an SSL certificate requirement?
- PHS + Seamless SSO: No
- PTA + Seamless SSO: No
- Federation with AD FS: Yes

Is there a health monitoring solution?
- PHS + Seamless SSO: Not required
- PTA + Seamless SSO: Agent status provided by the Azure Active Directory admin center
- Federation with AD FS: Azure AD Connect Health

Do users get single sign-on to cloud resources from domain-joined devices within the company network?
- PHS + Seamless SSO: Yes, with Seamless SSO
- PTA + Seamless SSO: Yes, with Seamless SSO
- Federation with AD FS: Yes

Is Windows Hello for Business supported?
- PHS + Seamless SSO: Key trust model; certificate trust model with Intune
- PTA + Seamless SSO: Key trust model; certificate trust model with Intune
- Federation with AD FS: Key trust model; certificate trust model

Decision Table (Appendix), part 2. Columns: Password hash synchronization + Seamless SSO | Pass-through Authentication + Seamless SSO | Federation with AD FS

What sign-in types are supported?
- PHS + Seamless SSO: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
- PTA + Seamless SSO: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
- Federation with AD FS: UserPrincipalName + password; sAMAccountName + password; Windows Integrated Authentication; certificate and smart card authentication; Alternate login ID

What are the multifactor authentication options?
- PHS + Seamless SSO: Azure MFA
- PTA + Seamless SSO: Azure MFA
- Federation with AD FS: Azure MFA; Azure MFA Server; third-party MFA

What user account states are supported?
- PHS + Seamless SSO: Disabled accounts (up to 30-minute delay)
- PTA + Seamless SSO: Disabled accounts; account locked out; password expired; sign-in hours
- Federation with AD FS: Disabled accounts; account locked out; password expired; sign-in hours

What are the conditional access options?
- PHS + Seamless SSO: Azure AD conditional access
- PTA + Seamless SSO: Azure AD conditional access
- Federation with AD FS: Azure AD conditional access; AD FS claim rules

Is blocking legacy protocols supported?
- Check marks only on the slide (not preserved in the transcription)

Can you customize the logo, image and description on the sign-in pages?
- PHS + Seamless SSO: With Azure AD Premium
- PTA + Seamless SSO: With Azure AD Premium
- Federation with AD FS: Check mark only on the slide

What advanced scenarios are supported?
- PHS + Seamless SSO: Smart password lockout; leaked credentials reports
- PTA + Seamless SSO: Smart password lockout
- Federation with AD FS: Multisite low-latency authentication system; AD FS extranet lockout; integration with third-party identity systems

Computer Account (Appendix): do not remove this account, otherwise Seamless Sign-On will not work.

FUTURE READY DATACENTER SKILLS. Do you want to gain more knowledge about Microsoft technology? The Future Ready Skills program offers online courseware, online labs, live Q&As and expert sessions, so you can acquire your official Microsoft certificate in the most efficient way. For more information: aka.ms/frsblog

10:15-11:15: My Name is Server, Windows Server (Thomas Maurer)