Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz
Osman Akagunduz Consultant @ InSpark Microsoft Country Partner Of The Year Twitter: @Osman_Akagunduz
What's in this session
- The role of Azure AD
- Identity basics
- Authentication options
- Decision chart
- Summary
Session objectives & takeaways
Session objectives:
- Overview of authentication methods for Azure AD
- How to apply these solutions effectively
Key takeaways:
- Solid understanding of authentication solutions
- Choose the right authentication method
- How to adopt it in your organization
Figure: the old sign-on curve (value plotted against complexity). Options shown: Cloud only accounts, AAD Connect + PHS, AAD Connect + AD FS.
Figure: today's sign-on curve (value plotted against complexity). Options shown: Cloud only accounts, AAD Connect + PHS, AAD Connect + PHS and SSO, AAD Connect + PTA and SSO, AAD Connect + AD FS.
But first: why is this so important?
- It is the first important decision
- It is the foundation of your infrastructure
- It is hard / easy to change
The role of Azure AD
Today's identity challenges
Azure AD to the rescue!
Figure: Microsoft Azure Active Directory, linked to Windows Server Active Directory through Azure AD Connect, sits between the organization and commercial IdPs, consumer IdPs, customers, partners and the public cloud (Azure).
Identity basics
Must know about identity
- Cloud identity. Manage your user accounts in Azure AD only.
- Synchronized identity. Synchronize the on-premises directory with Azure AD and manage your users on-premises.
- Federated identity. Synchronize on-premises directory objects with Azure AD and manage your users on-premises. Authenticate with federation servers on-premises or a third-party IDaaS.
Azure AD Connect
- AD Connect replaces earlier tools; upgrades are possible from DirSync, Azure AD Sync, and FIM with the Azure AD Connector
- More than just a synchronization engine: manages user sign-in options; write-back for passwords, devices and groups
- Tools to support AD FS: simple UI experience to update AD FS SSL certificates, fix the trust, and test login
- Azure AD Connect Health agent, which reports status to the Azure AD Connect Health portal
Authentication Options
More options than ever before!
Password Hash Sync
- Pros: Cloud-based authentication with the same password as on-premises. Quickest and easiest to deploy. Seamless SSO. Can be used with PTA and AD FS.
- Cons: Disabling or editing a user on-premises needs a sync cycle to complete.
Pass-through Authentication
- Pros: Cloud-based authentication with password validation on-premises. Minimal on-premises footprint. Seamless SSO.
- Cons: Legacy Office clients not supported.
Federated Identity
- Pros: Windows Integrated desktop SSO, certificate-based authentication, 3rd-party MFA integration.
- Cons: On-premises deployment. DMZ deployment.
3rd Party Federated
- Pros: 3rd-party tools and services pretested for basic authentication scenarios with WS-Fed.
- Cons: Only basic scenarios. Second directory store in the cloud. Multiple support channels. Provisioning only using PowerShell and the Graph API.
Identity + Password (Hash) sync
Figure: identity and password hash synchronization from on-premises to Microsoft Azure Active Directory; Azure Active Directory authenticates the user.
Identity + Password (Hash) sync
Figure: the MD4 hash of the password is retrieved from on-premises Active Directory over RPC; a salt is added and SHA256 is applied 1000 times to salt + MD4(password); the result is sent over TLS 1.2 to the Azure Active Directory core store.
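The hashing chain behind this slide, as an added worked example (not the presenter's code): the NT hash stored in on-premises AD is MD4 over the UTF-16LE password, and what password hash sync uploads is that hash salted with a per-user 10-byte salt and run through 1000 iterations of PBKDF2-HMAC-SHA256. The MD4 routine, the salt value and the exact byte layout of the expansion and salt step are assumptions for illustration, modelled on Microsoft's published description rather than copied from the sync agent.

```python
import hashlib
import os
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; implemented here because OpenSSL 3 builds of hashlib often lack it."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (  # (step function, message-word order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Pad: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian uint64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + x[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: the next step updates the old d
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The hash stored in on-premises AD: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16le"))


def phs_sync_value(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Salted, iterated value that password hash sync uploads (byte layout assumed).

    Mirrors the slide's SHA256(salt + MD4(password), 1000): the 16-byte NT hash is
    expanded to 64 bytes (hex string re-encoded as UTF-16LE), the per-user salt is
    added, and PBKDF2-HMAC-SHA256 runs for 1000 iterations. Assumption: the
    expansion and salt placement follow Microsoft's description, not the agent's code.
    """
    expanded = nt_hash(password).hex().encode("utf-16le")  # 32 hex chars -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations)


if __name__ == "__main__":
    salt = os.urandom(10)  # constructed per-user salt, 10 bytes as documented
    print("NT hash     :", nt_hash("password").hex())
    print("synced value:", phs_sync_value("password", salt).hex())
```

The point for defenders: the value held in Azure AD is neither the NT hash nor reversible to it, so a copy of the synced value cannot be replayed against on-premises AD, and the 1000-iteration PBKDF2 step makes offline guessing far more expensive than attacking raw MD4.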
Seamless Single Sign-on
Figure: Azure AD and on-premises Active Directory.
- Easy to integrate
- Easy to administer
- Great user experience
- Works with Password Hash Sync and Pass-through Authentication
- Supports Alternate Login ID
- No additional on-premises infrastructure
- Register non-Windows 10 devices without AD FS
- SSO experience from domain-joined devices within your corpnet
Seamless Single Sign-on: sign-in flow (domain-joined device, on-premises Active Directory, Azure AD, app)
1. Attempt to sign in to the app
2. User redirected to Azure AD for sign-in
3. Kerberos ticket challenge sent
4. Browser requests a Kerberos ticket from AD
5. AD returns the Kerberos ticket
6. Browser forwards the Kerberos ticket to Azure AD
7. Azure AD decrypts the Kerberos ticket
8. Azure AD completes the sign-in process
9. If sign-in is successful, the user accesses the app
Implement PHS + SSO
CLIENT CONFIGURATION
| Setting | Description |
| --- | --- |
| Intranet Zone | https://autologon.microsoftazuread-sso.com |
| Intranet Zone | https://aadg.windows.net.nsatc.net |
NETWORK REQUIREMENTS
| Setting | Description |
| --- | --- |
| URL filtering isn't configured for [pass-through] | *.msappproxy.net (HTTPS on port 443) |
| SSL inspection | Disabled |
SUPPORTED CLIENTS
| OS \ Browser | Internet Explorer | Chrome | Firefox | Edge | Safari |
| --- | --- | --- | --- | --- | --- |
| Windows 10 | Supported | Supported | Supported | Not supported | N/A |
| Windows 8.1 | Supported | Supported | Supported | N/A | N/A |
| Windows 8 | Supported | Supported | Supported | N/A | N/A |
| Windows 7 | Supported | Supported | Supported | N/A | N/A |
| Mac | N/A | Supported | Supported | N/A | Not supported |
Firefox requires separate configuration: https://liquidstate.net/enabling-ntlm-authentication-single-sign-on-in-firefox/
Demo: Password Sync + Seamless Sign-on
Pass-through authentication
Figure: Azure AD, on-premises AuthN agents and Active Directory.
Great user experience
- Same passwords for cloud-based and on-premises apps
- Integrated with Self-Service Password Reset
Secure and compliant
- Passwords remain on-premises
- No DMZ and no inbound firewall requirements
- Integrated with Smart Lockout, Identity Protection and Conditional Access
Easy to deploy & administer
- Agent-based deployment
- High availability out-of-the-box
- No complex on-premises deployments or network configuration
- Zero management overhead
Pass-through Authentication: sign-in flow (app, Azure AD, on-premises AuthN agent, Active Directory; identity synchronization using Azure AD Connect runs alongside)
1. Attempt to sign in to the app
2. User sent to Azure AD for sign-in
3. User provides credentials
4. Credentials encrypted (with the public key) & queued
5. AuthN agent picks up the queued request
6. Agent decrypts the credentials with its private key
7. Agent validates the credentials with AD
8. AD responds to the agent
9. Agent responds to Azure AD
10. Azure AD completes the sign-in
11. If sign-in is successful, the user accesses the app
Implement PTA + SSO
NETWORK REQUIREMENTS
| Setting | Description |
| --- | --- |
| URL filtering isn't configured for [pass-through] | *.msappproxy.net (HTTPS on port 443), *.servicebus.windows.net |
| SSL inspection | Disabled |
| Port [outbound] | Description |
| --- | --- |
| 80 | Enables outbound HTTP traffic for security validation such as SSL certificate revocation lists. |
| 443 | Enables user authentication against Azure AD. |
| 8080/443 | Enables the Connector bootstrap sequence and Connector automatic update. |
| 9090 | Enables Connector registration (required only for the Connector registration process). |
| 9091 | Enables Connector trust certificate automatic renewal. |
| 9352, 5671 | Enables communication between the Connector and the Azure AD service for incoming requests. |
| 9350 | [Optional] Enables better performance for incoming requests. |
| 10100-10120 | Enables responses from the Connector back to Azure AD. |
Demo: Pass-through Authentication + Seamless Sign-on
WHY AD FS?
- SSO with Edge
- Certificate/smartcard-based authentication
- Login with sAMAccountName
- Authentication requirements not natively supported by Azure AD
- On-premises MFA server
- 3rd-party MFA provider
Demo: Convert from Federated to PHS/PTA + SSO
Decision Chart
Figure: Microsoft's decision chart for choosing an authentication method.
Known issues: Seamless Sign-on
- In a few cases, enabling Seamless SSO can take up to 30 minutes.
- If you disable and re-enable Seamless SSO on your tenant, users will not get the single sign-on experience until their cached Kerberos tickets, typically valid for 10 hours, have expired.
- Edge browser support is not available.
- If Seamless SSO succeeds, the user does not get the opportunity to select "Keep me signed in". Because of this behavior, SharePoint and OneDrive mapping scenarios don't work.
- Office clients below version 16.0.8730.xxxx don't support non-interactive sign-in with Seamless SSO. On those clients, users must enter their usernames, but not passwords, to sign in.
- Seamless SSO doesn't work in private browsing mode in Firefox.
- Seamless SSO doesn't work in Internet Explorer when Enhanced Protected Mode is turned on.
- Seamless SSO doesn't work in mobile browsers on iOS and Android.
- If a user is a member of too many groups in Active Directory, the user's Kerberos ticket will likely be too large to process, and Seamless SSO will fail. Azure AD HTTPS requests can have headers of at most 16 KB; Kerberos tickets need to be much smaller than that to leave room for other Azure AD artifacts such as cookies. The recommendation is to reduce the user's group memberships and try again.
- If you're synchronizing 30 or more Active Directory forests, you can't enable Seamless SSO through Azure AD Connect. As a workaround, you can manually enable the feature on your tenant.
- Adding the Azure AD service URL (https://autologon.microsoftazuread-sso.com) to the Trusted sites zone instead of the Local intranet zone blocks users from signing in.
Summary
Feature summary
| Feature | PHS + SSO | PTA + SSO | AD FS |
| --- | --- | --- | --- |
| Authentication against credentials held on-premises | No | Yes | Yes |
| Single sign-on | Yes | Yes | Yes |
| Passwords remain on-premises | Salted hash synced | Yes | Yes |
| On-premises MFA solution | No | No | Yes |
| Azure AD MFA | Yes | Yes | Yes |
| On-premises password policies | Partial | Yes | Yes |
| On-premises account enable/disable | Delayed (30 mins) | Yes | Yes |
| On-premises password lockout | No | Yes | Yes |
| Conditional access | ++ | ++ | Yes |
| Credentials captured from the user via the Azure AD UI | Yes | Yes | No |
| Protection against on-premises account lockout | N/A | Smart Lockout | Extranet Lockout |
| Cost of implementation | Low | Medium | High |
| Scalability/fault tolerance | Cloud scalability | Cloud scalability | Complex: AuthN fails for remote workers if the on-premises Internet connection is down. Requires an HA solution. |
| On-going maintenance for authentication | None | Limited | Azure AD Connect Health monitoring |
| Azure AD Identity Protection (requires P2 license) | Automated | Automated | Not integrated |
| SSL certificate management | No | No | Yes |
Recommendations
New customers:
- Use cloud authentication (PTA or PHS)
- Leverage conditional access and Azure AD MFA
Existing customers with AD FS:
- Re-evaluate the need for AD FS
- Keep AD FS for authentication if it meets all your requirements
- If using AD FS for authentication to apps, switch to Azure AD Application Proxy
Existing customers with PTA or PHS:
- Enable Seamless SSO: simple to deploy and immediately enhances the sign-in experience for your users
- Implement domain_hint for custom apps
Resources
- Choosing the right authentication method article: http://aka.ms/auth-options
- Migration guides: http://aka.ms/aadauthmigrate
- Hybrid Identity Digital Transformation Framework: http://aka.ms/aadframework
- Deployment wizard: https://aka.ms/aadconnectwiz
Decision Table (Appendix)
| Consideration | Password hash synchronization + Seamless SSO | Pass-through Authentication + Seamless SSO | Federation with AD FS |
| --- | --- | --- | --- |
| Where does authentication happen? | In the cloud | In the cloud, after a secure password verification exchange with the on-premises authentication agent | On-premises |
| What are the on-premises server requirements beyond the provisioning system (Azure AD Connect)? | None | One server for each additional authentication agent | Two or more AD FS servers; two or more WAP servers in the perimeter/DMZ network |
| What are the requirements for on-premises Internet and networking beyond the provisioning system? | None | Outbound Internet access from the servers running authentication agents | Inbound Internet access to WAP servers in the perimeter; inbound network access to AD FS servers from WAP servers in the perimeter; network load balancing |
| Is there an SSL certificate requirement? | No | No | Yes |
| Is there a health monitoring solution? | Not required | Agent status provided by the Azure Active Directory admin center | Azure AD Connect Health |
| Do users get single sign-on to cloud resources from domain-joined devices within the company network? | Yes, with Seamless SSO | Yes, with Seamless SSO | Yes |
| Is Windows Hello for Business supported? | Key trust model; certificate trust model with Intune | Key trust model; certificate trust model with Intune | Key trust model; certificate trust model |
Decision Table (Appendix)
| Consideration | Password hash synchronization + Seamless SSO | Pass-through Authentication + Seamless SSO | Federation with AD FS |
| --- | --- | --- | --- |
| What sign-in types are supported? | UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID | UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID | UserPrincipalName + password; sAMAccountName + password; Windows Integrated Authentication; certificate and smart card authentication; Alternate login ID |
| What are the multifactor authentication options? | Azure MFA | Azure MFA | Azure MFA; Azure MFA Server; third-party MFA |
| What user account states are supported? | Disabled accounts (up to 30-minute delay) | Disabled accounts; account locked out; password expired; sign-in hours | Disabled accounts; account locked out; password expired; sign-in hours |
| What are the conditional access options? | Azure AD conditional access | Azure AD conditional access | Azure AD conditional access; AD FS claim rules |
| Is blocking legacy protocols supported? | Yes | Yes | Yes |
| Can you customize the logo, image, and description on the sign-in pages? | Yes, with Azure AD Premium | Yes, with Azure AD Premium | Yes |
| What advanced scenarios are supported? | Smart password lockout; leaked credentials reports | Smart password lockout | Multisite low-latency authentication system; AD FS extranet lockout; integration with third-party identity systems |
Computer Account (Appendix)
Do not remove this account; otherwise Seamless Sign-on will not work.
FUTURE READY DATACENTER SKILLS
Do you want to gain more knowledge about Microsoft technology? The Future Ready Skills program offers online courseware, online labs, live Q&As and expert sessions, so you can acquire your official Microsoft certificate in the most efficient way. For more information: aka.ms/frsblog
10:15-11:15: My Name is Server, Windows Server (Thomas Maurer)