DATACENTER MANAGEMENT

Page 1

Goodbye ADFS, Hello Modern Authentication!
Osman Akagunduz

Page 2

Osman Akagunduz
Consultant @ InSpark
Microsoft Country Partner Of The Year
Twitter: @Osman_Akagunduz

Page 3

What’s in this session
• The role of Azure AD
• Identity basics
• Authentication options
• Decision chart
• Summary

Page 4

Session objectives & takeaways

Session objectives:
• Overview of authentication methods for Azure AD
• How to apply these solutions effectively

Key takeaways:
• Solid understanding of authentication solutions
• Choose the right authentication method
• How to adopt in your organization

Page 5

The “old” sign-on curve

[Chart: Value plotted against Complexity. Options on the curve: Cloud only accounts; AAD Connect + AD FS; AAD Connect + PHS]

Page 6

Today’s sign-on curve

[Chart: Value plotted against Complexity. Options on the curve: Cloud only accounts; AAD Connect + AD FS; AAD Connect + PTA and SSO; AAD Connect + PHS and SSO; AAD Connect + PHS]

Page 7

But first… Why is this so important?

Page 8

• It is the first important decision
• It is the foundation of your infrastructure
• It is hard easy to change

Page 9

The role of Azure AD

Page 10

Today’s identity challenges

Page 11

Azure AD to the rescue!

[Diagram: Microsoft Azure Active Directory in the centre, with Windows Server Active Directory (connected through Azure AD Connect), commercial IdPs, consumer IdPs, Azure and public cloud, partners, and customers around it]

Page 12

Identity basics

Page 13

Must know about Identity

• Cloud identity: manage your user accounts in Azure AD only.
• Synchronized identity: synchronize your on-premises directory with Azure AD and manage your users on-premises.
• Federated identity: synchronize on-premises directory objects with Azure AD and manage your users on-premises; authenticate with federation servers on-premises or a third-party IDaaS.

Page 14

Azure AD Connect

AD Connect replaces earlier tools; upgrades are possible:
■ DirSync
■ Azure AD Sync
■ FIM and the Azure AD Connector

More than just a synchronization engine:
■ Manages user sign-in options
■ Write-back for password, devices and groups
■ Tools to support AD FS:
  ■ Simple UI experience to update AD FS SSL certificates
  ■ Fix trust
  ■ Login testing
■ Azure AD Connect Health agent, reports status to the Azure AD Connect Health Portal

Page 15

Authentication Options

Page 16

More options than ever before!

Password Hash Sync
Pros: Cloud-based authentication with the same password as on-premises. Quickest and easiest to deploy. Seamless SSO. Can be used with PTA and ADFS.
Cons: Disabling or editing a user on-prem needs a sync cycle to complete.

Federated Identity
Pros: Windows Integrated desktop SSO, certificate-based auth, 3rd-party MFA integration.
Cons: On-premises deployment. DMZ deployment.

3rd Party Federated
Pros: 3rd-party tools and services pre-tested for basic auth scenarios with WS-Fed.
Cons: Only basic scenarios. Second directory store in the cloud. Multiple support channels. Provisioning only using PowerShell and Graph API.

Pass-through Authentication
Pros: Cloud-based authentication with password validation on-prem. Minimal on-prem footprint. Seamless SSO.
Cons: Legacy Office clients not supported.

Page 17

Identity + Password (Hash) sync

[Diagram: identity + password hash synchronization from on-premises to Microsoft Azure Active Directory; Azure Active Directory authenticates the user]

Page 18

Identity + Password (Hash) sync

SHA256(salt + MD4(password), 1000)

[Diagram: the MD4 hash of the password, which Active Directory already stores, is read from AD over RPC; Azure AD Connect adds a salt (salt + MD4(password)), protects the result with 1000 iterations of SHA256 as in the formula above, and sends it over TLS 1.2 to the Azure Active Directory Core Store]
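The formula on the slide is shorthand for what the sync agent does to a password hash before anything leaves the network. The following is an added example written for this page, not Azure AD Connect's code: it implements that scheme as a pure-Python MD4 (the NT hash AD stores) followed by PBKDF2-HMAC-SHA256 with 1000 iterations over a per-user salt. The 64-byte expansion step and the 10-byte salt follow Microsoft's published description of Password Hash Sync, but the exact encoding used here (upper-case hex re-encoded as UTF-16LE) is an assumption, so the output is illustrative rather than byte-compatible with a real agent. What it shows is why a leaked synced value is not the on-premises credential: two users with the same password sync different values, neither equals the NT hash, and each guess against it costs 1000 iterations.

```python
"""
Illustration of the Password Hash Sync protection the slide labels
SHA256(salt + MD4(password), 1000).

Pipeline, following Microsoft's description of PHS:
  1. Active Directory stores the NT hash = MD4(UTF-16LE(password)); the
     plaintext password is never read.
  2. Azure AD Connect expands the 16-byte hash to 64 bytes (hex string,
     re-encoded as UTF-16LE) and draws a random 10-byte per-user salt.
  3. PBKDF2-HMAC-SHA256 is run for 1000 iterations over that input.
  4. Only the salt and the 32-byte output are synced to Azure AD.

Added example for this page, not Azure AD Connect's code: the expansion
encoding (upper-case hex) is an assumption, so the output is not meant to be
byte-compatible with a real sync agent.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

MASK32 = 0xFFFFFFFF
PHS_ITERATIONS = 1000
PHS_SALT_LEN = 10  # per Microsoft's PHS description


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the next word
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """What AD stores for the user and what Azure AD Connect reads over RPC."""
    return md4(password.encode("utf-16-le"))


def phs_protect(nt: bytes, salt: bytes, iterations: int = PHS_ITERATIONS) -> bytes:
    """The protected value that leaves the network: PBKDF2-HMAC-SHA256 over the expanded hash and salt."""
    if len(nt) != 16:
        raise ValueError("an NT hash is exactly 16 bytes")
    expanded = nt.hex().upper().encode("utf-16-le")  # 32 hex chars -> 64 bytes (encoding is an assumption)
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def sync_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Simulate what Azure AD Connect would send for one user: salt + protected hash, not the NT hash."""
    salt = os.urandom(PHS_SALT_LEN) if salt is None else salt
    return {"salt": salt, "protected": phs_protect(nt_hash(password), salt)}


if __name__ == "__main__":
    nt = nt_hash("password")  # constructed sample password
    a, b = sync_record("password"), sync_record("password")
    print("NT hash kept on-premises :", nt.hex())
    print("synced value, user A     :", a["protected"].hex())
    print("synced value, user B     :", b["protected"].hex())
    # Same password, different per-user salt: the synced values differ, and neither is the NT hash,
    # so a leaked synced value cannot be replayed against on-premises AD and each guess against it
    # costs 1000 PBKDF2 iterations.
```

The MD4 implementation is included only because the NT hash is MD4 and `hashlib.new("md4")` is disabled in many OpenSSL 3 builds; in a real deployment the hash is read from AD, never recomputed from a password.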

Page 19

Seamless Single Sign-on

[Diagram: on-premises Active Directory and Azure AD]

Easy to administer
• No additional on-premises infrastructure
• Register non-Windows 10 devices without AD FS

Great user experience
• SSO experience from domain-joined devices within your corpnet

Easy to integrate
• Works with Password Hash Sync and Pass-through Authentication
• Supports Alternate Login ID

Page 20

Seamless Single Sign-on

Sign-in flow (actors: domain-joined device, on-premises Active Directory, Azure AD, the app):
1. User attempts to sign in to the app.
2. User is redirected to Azure AD for sign-in.
3. Azure AD sends a Kerberos ticket challenge.
4. The browser requests a Kerberos ticket from AD.
5. AD returns the Kerberos ticket.
6. The browser forwards the Kerberos ticket to Azure AD.
7. Azure AD decrypts the Kerberos ticket.
8. Azure AD completes the sign-in process.
9. If sign-in is successful, the user accesses the app.

Page 21

Implement PHS + SSO

SUPPORTED CLIENTS

OS \ Browser | Internet Explorer | Chrome | Firefox | Edge | Safari
Windows 10 | Yes | Yes | Yes | Not Supported | N/A
Windows 8.1 | Yes | Yes | Yes | N/A | N/A
Windows 8 | Yes | Yes | Yes | N/A | N/A
Windows 7 | Yes | Yes | Yes | N/A | N/A
Mac | N/A | Yes | Yes | N/A | Not Supported

Firefox requires separate configuration: https://liquidstate.net/enabling-ntlm-authentication-single-sign-on-in-firefox/

CLIENT CONFIGURATION

Setting | Description
Intranet Zone | https://autologon.microsoftazuread-sso.com
Intranet Zone | https://aadg.windows.net.nsatc.net

NETWORK REQUIREMENTS

Setting | Description
URL Filtering | Isn’t configured for [pass-through] *.msappproxy.net (HTTPS on port 443)
SSL Inspection | Disabled

Page 22

Demo: Password Sync, Seamless Sign-on

Page 23

Pass-through authentication

[Diagram: on-premises Active Directory with AuthN Agents; Azure AD]

Secure and compliant
• Passwords remain on-premises
• No DMZ and no inbound firewall requirements

Easy to deploy & administer
• Agent-based deployment
• High availability out-of-the-box
• No complex on-premises deployments or network config
• Zero management overhead

Great user experience
• Same passwords for cloud-based and on-premises apps
• Integrated with Self-Service Password Reset
• Integrated with Smart Lockout, Identity Protection and Conditional Access

Page 24

Pass-through Authentication

Sign-in flow (actors: user, the app, Azure AD, the on-premises AuthN Agent, Active Directory; identities are synchronized using Azure AD Connect):
1. User attempts to sign in to the app.
2. User is sent to Azure AD for sign-in.
3. User provides credentials.
4. Azure AD encrypts the credentials (with the agent's public key) and queues them.
5. The AuthN Agent picks up the queued request.
6. The agent decrypts the credentials with its private key.
7. The agent validates the credentials with AD.
8. AD responds to the agent.
9. The agent responds to Azure AD.
10. Azure AD completes the sign-in.
11. If sign-in is successful, the user accesses the app.

Page 25

Implement PTA + SSO

NETWORK REQUIREMENTS

Setting | Description
URL Filtering | Isn’t configured for [pass-through] *.msappproxy.net (HTTPS on port 443) and *.servicebus.windows.net
SSL Inspection | Disabled

Port [outbound] | Description
80 | Enables outbound HTTP traffic for security validation such as SSL certificate revocation lists.
443 | Enables user authentication against Azure AD.
8080/443 | Enables the Connector bootstrap sequence and Connector automatic update.
9090 | Enables Connector registration (required only for the Connector registration process).
9091 | Enables Connector trust certificate automatic renewal.
9352, 5671 | Enables communication between the Connector and the Azure AD service for incoming requests.
9350 | [Optional] Enables better performance for incoming requests.
10100–10120 | Enables responses from the connector back to Azure AD.

Page 26

Demo: Pass-through Authentication, Seamless Sign On

Page 27

WHY ADFS?
• SSO with Edge
• Certificate/Smartcard Based Authentication
• Login with SAMAccountname
• Authentication requirements not natively supported by Azure AD
• On-prem MFA server
• 3rd Party MFA Provider

Page 28

Demo: Convert from Federated to PHS/PTA + SSO

Page 29

Decision Chart (Microsoft)

Page 30

Known issues: Seamless Sign-on
• In a few cases, enabling Seamless SSO can take up to 30 minutes.
• If you disable and re-enable Seamless SSO on your tenant, users will not get the single sign-on experience until their cached Kerberos tickets, typically valid for 10 hours, have expired.
• Edge browser support is not available.
• If Seamless SSO succeeds, the user does not have the opportunity to select Keep me signed in. Due to this behavior, SharePoint and OneDrive mapping scenarios don't work.
• Office clients below version 16.0.8730.xxxx don't support non-interactive sign-in with Seamless SSO. On those clients, users must enter their usernames, but not passwords, to sign in.
• Seamless SSO doesn't work in private browsing mode on Firefox.
• Seamless SSO doesn't work in Internet Explorer when Enhanced Protected Mode is turned on.
• Seamless SSO doesn't work on mobile browsers on iOS and Android.
• If a user is part of too many groups in Active Directory, the user's Kerberos ticket will likely be too large to process, and this will cause Seamless SSO to fail. Azure AD HTTPS requests can have headers with a maximum size of 16 KB; Kerberos tickets need to be much smaller than that to accommodate other Azure AD artifacts such as cookies. Our recommendation is to reduce the user's group memberships and try again.
• If you're synchronizing 30 or more Active Directory forests, you can't enable Seamless SSO through Azure AD Connect. As a workaround, you can manually enable the feature on your tenant.
• Adding the Azure AD service URL (https://autologon.microsoftazuread-sso.com) to the Trusted sites zone instead of the Local intranet zone blocks users from signing in.
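The last known issue and the client configuration on the "Implement PHS + SSO" slide describe the same requirement from two sides: both Azure AD URLs must be in the Local intranet zone (zone 1), and Trusted sites (zone 2) silently breaks sign-in. The following is an added example for this page, not the deck's code: it parses a Windows `.reg` export of the Internet Settings keys and reports any of the two hosts that is missing or in the wrong zone. It reads both standard layouts, the `ZoneMapKey` strings written by the "Site to Zone Assignment List" group policy and the `ZoneMap\Domains` DWORDs written by per-user or manual configuration. The registry text below is constructed sample data in which the autologon host has been put in Trusted sites by mistake.

```python
"""
Added example for the Seamless SSO client configuration: checks that the two
Azure AD URLs from the deck are mapped to the Local intranet zone (zone 1) and
not to Trusted sites (zone 2), which the known-issues slide says blocks sign-in.
Not code from the deck; it parses a Windows .reg export of the Internet
Settings keys. Both registry layouts handled are the standard ones: the GPO
"Site to Zone Assignment List" writes URL -> zone strings under ZoneMapKey,
and per-user or manual settings live under ZoneMap\Domains.
The .reg text below is constructed sample data.
"""
import re
from typing import Dict, List

INTRANET_ZONE = 1
REQUIRED_INTRANET_HOSTS = (
    "autologon.microsoftazuread-sso.com",
    "aadg.windows.net.nsatc.net",
)
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample export: autologon host wrongly in Trusted sites (2), the
# other host correct (1), plus an unrelated manual ZoneMap\Domains entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey]
"https://autologon.microsoftazuread-sso.com"="2"
"https://aadg.windows.net.nsatc.net"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contoso.com\intranet]
"https"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))$')


def parse_zone_map(reg_text: str) -> Dict[str, int]:
    """Return host -> zone number for every site-to-zone mapping found in the export."""
    mapping: Dict[str, int] = {}
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue
        name, str_val, dword_val = value_match.groups()
        key_lower = current_key.lower()
        if key_lower.endswith("\\zonemapkey") and str_val is not None and str_val.isdigit():
            # GPO layout: value name is the URL (scheme optional), data is the zone as a string.
            host = re.sub(r"^[a-z]+://", "", name.lower())
            mapping[host] = int(str_val)
        elif "\\zonemap\\domains\\" in key_lower and dword_val is not None:
            # Manual layout: ...\Domains\<domain>[\<label>], value name is the scheme, data is the zone.
            tail = re.split(r"\\domains\\", current_key, maxsplit=1, flags=re.IGNORECASE)[1].split("\\")
            host = f"{tail[1]}.{tail[0]}".lower() if len(tail) == 2 else tail[0].lower()
            mapping[host] = int(dword_val, 16)
    return mapping


def check_seamless_sso_zones(mapping: Dict[str, int]) -> List[str]:
    """One finding per required host that is missing or not in Local intranet; empty list means OK."""
    findings = []
    for host in REQUIRED_INTRANET_HOSTS:
        zone = mapping.get(host)
        if zone is None:
            findings.append(f"{host}: not assigned to any zone (add it to Local intranet)")
        elif zone != INTRANET_ZONE:
            findings.append(f"{host}: in zone {zone} ({ZONE_NAMES.get(zone, 'unknown')}); "
                            f"must be Local intranet ({INTRANET_ZONE})")
    return findings


if __name__ == "__main__":
    zones = parse_zone_map(SAMPLE_REG)
    for line in check_seamless_sso_zones(zones) or ["OK: both Seamless SSO URLs are in Local intranet"]:
        print(line)
```

On a live client the same export is produced with `reg export` of the two key paths; running the check from a logon script or a compliance scan gives an early signal for the "Trusted sites instead of Local intranet" misconfiguration before users report that SSO silently fell back to a password prompt.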

Page 31

Summary

Page 32

Feature summary

Feature | PHS + sSSO | PTA + sSSO | ADFS
Authentication against credentials held on-premises | No | Yes | Yes
Single-Sign-On | Yes | Yes | Yes
Passwords remain on premises | Salted hash synced | Yes | Yes
On-premises MFA solution | No | No | Yes
Azure AD MFA | Yes | Yes | Yes
On-premises password policies | Partial | Yes | Yes
On-premises account enable/disable | Delayed (30 mins) | Yes | Yes
On-premises password lockout | No | Yes | Yes
Conditional access | Yes++ | Yes++ | Yes
Credentials captured from user via Azure AD UI | Yes | Yes | No
Protection against on-premise account lockout | N/A | Smart Lockout | Extranet Lockout
Cost of implementation | Low | Medium | High
Scalability/fault tolerance | Cloud scalability | Cloud scalability | Complex
AuthN fails for remote workers if the on-premises Internet connection is down (requires HA solution) | No | Yes | Yes
On-going maintenance for authentication | None | Automated | SSL certificate management
Azure AD Connect Health monitoring | Limited | Not integrated | Yes
Azure AD Identity Protection (requires P2 license) | Yes | Yes | No

Page 33

Recommendations

New customers:
■ Use cloud authentication (PTA or PHS)
■ Leverage conditional access and Azure AD MFA

Existing customers with AD FS:
■ Re-evaluate the need for ADFS
■ Keep AD FS for authentication if it meets all your requirements
■ If using AD FS for authentication to apps, switch to Azure AD Application Proxy

Existing customers with PTA or PHS:
■ Enable Seamless SSO
  ■ Simple to deploy
  ■ Immediately enhances the sign-in experience for your users
■ Implement domain_hint for custom apps
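The last recommendation matters because Seamless SSO only kicks in once Azure AD knows which tenant the user belongs to; without a hint the user is shown the username prompt first. The following is an added example for this page, not the deck's or Microsoft's code: it builds the Azure AD v2.0 authorization request for a custom web app and adds `domain_hint` (the tenant's verified domain) so home realm discovery is skipped and, on a domain-joined device inside the corpnet, the Kerberos challenge happens immediately. For a returning user it also sets `login_hint` and derives the domain hint from the UPN. The tenant, client id, redirect URI and domain are constructed placeholders.

```python
"""
Added example for the recommendation "Implement domain_hint for custom apps".
Not code from the deck or from Microsoft: it builds the Azure AD v2.0
authorization request for a custom web app and adds domain_hint, which tells
Azure AD the user's verified domain so the username prompt can be skipped and,
on a domain-joined device in the corpnet, the Seamless SSO Kerberos challenge
happens immediately. Tenant, client id, redirect URI and domain used in the
demo are constructed placeholders.
"""
import secrets
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scopes: Iterable[str],
                        domain_hint: Optional[str] = None, login_hint: Optional[str] = None,
                        state: Optional[str] = None, nonce: Optional[str] = None) -> str:
    """Authorization-code request to the v2.0 endpoint; state and nonce are generated if not supplied."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        # state ties the callback to this request (CSRF protection); nonce is echoed in the id_token.
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if login_hint:
        # Returning user: pre-fill the UPN and, unless given, derive the domain hint from it.
        params["login_hint"] = login_hint
        domain_hint = domain_hint or login_hint.rsplit("@", 1)[-1]
    if domain_hint:
        # Verified tenant domain: lets Azure AD skip home realm discovery and the username prompt.
        params["domain_hint"] = domain_hint
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def authorize_params(url: str) -> Dict[str, str]:
    """Flatten the query string of an authorize URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    # Constructed placeholder values.
    url = build_authorize_url(
        tenant="contoso.onmicrosoft.com",
        client_id="00000000-0000-0000-0000-000000000000",
        redirect_uri="https://app.example.com/auth/callback",
        scopes=["openid", "profile", "User.Read"],
        domain_hint="contoso.com",
    )
    print(url)
    print(authorize_params(url)["domain_hint"])
```

`domain_hint` is an optimization, not a security control: Azure AD still authenticates the user normally if the hint is wrong or the device has no Kerberos ticket, in which case the user simply sees the regular sign-in page.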

Page 34

Resources
• Deployment wizard: https://aka.ms/aadconnectwiz
• Hybrid Identity Digital Transformation Framework: http://aka.ms/aadframework
• Migration Guides: http://aka.ms/aadauthmigrate
• Choosing the right authentication method article: http://aka.ms/auth-options

Page 35

Decision Table (Appendix)

Columns: PHS = Password hash synchronization + Seamless SSO; PTA = Pass-through Authentication + Seamless SSO; AD FS = Federation with AD FS

Where does authentication happen?
  PHS: In the cloud
  PTA: In the cloud, after a secure password verification exchange with the on-premises authentication agent
  AD FS: On-premises

What are the on-premises server requirements beyond the provisioning system (Azure AD Connect)?
  PHS: None
  PTA: One server for each additional authentication agent
  AD FS: Two or more AD FS servers; two or more WAP servers in the perimeter/DMZ network

What are the requirements for on-premises Internet and networking beyond the provisioning system?
  PHS: None
  PTA: Outbound Internet access from the servers running authentication agents
  AD FS: Inbound Internet access to WAP servers in the perimeter; inbound network access to AD FS servers from WAP servers in the perimeter; network load balancing

Is there an SSL certificate requirement?
  PHS: No
  PTA: No
  AD FS: Yes

Is there a health monitoring solution?
  PHS: Not required
  PTA: Agent status provided by the Azure Active Directory admin center
  AD FS: Azure AD Connect Health

Do users get single sign-on to cloud resources from domain-joined devices within the company network?
  PHS: Yes, with Seamless SSO
  PTA: Yes, with Seamless SSO
  AD FS: Yes

Is Windows Hello for Business supported?
  PHS: Key trust model; certificate trust model with Intune
  PTA: Key trust model; certificate trust model with Intune
  AD FS: Key trust model; certificate trust model

Page 36

Decision Table (Appendix)

Columns: PHS = Password hash synchronization + Seamless SSO; PTA = Pass-through Authentication + Seamless SSO; AD FS = Federation with AD FS

What sign-in types are supported?
  PHS: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
  PTA: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
  AD FS: UserPrincipalName + password; sAMAccountName + password; Windows Integrated Authentication; certificate and smart card authentication; Alternate login ID

What are the multifactor authentication options?
  PHS: Azure MFA
  PTA: Azure MFA
  AD FS: Azure MFA; Azure MFA server; third-party MFA

What user account states are supported?
  PHS: Disabled accounts (up to 30-minute delay)
  PTA: Disabled accounts; account locked out; password expired; sign-in hours
  AD FS: Disabled accounts; account locked out; password expired; sign-in hours

What are the conditional access options?
  PHS: Azure AD conditional access
  PTA: Azure AD conditional access
  AD FS: Azure AD conditional access; AD FS claim rules

Is blocking legacy protocols supported?
  PHS: Yes
  PTA: Yes
  AD FS: Yes

Can you customize the logo, image, and description on the sign-in pages?
  PHS: Yes, with Azure AD Premium
  PTA: Yes, with Azure AD Premium
  AD FS: Yes

What advanced scenarios are supported?
  PHS: Smart password lockout; leaked credentials reports
  PTA: Smart password lockout
  AD FS: Multisite low-latency authentication system; AD FS extranet lockout; integration with third-party identity systems

Page 37

Computer Account (Appendix)

[Image: the computer account used by Seamless Sign On] Do not remove this account, otherwise Seamless Sign On will not work.

Page 38

Do you want to gain more knowledge about Microsoft technology?

The Future Ready Skills program offers online courseware, online labs, live Q&A’s and expert sessions, so you can acquire your official Microsoft Certificate in the most efficient way.

For more information: aka.ms/frsblog

FUTURE READY SKILLS

Page 39

10:15 – 11:15
My Name is Server, Windows Server
Thomas Maurer