EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
Transcript of EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
Azure AD Pass-Through Authentication and Seamless SSO - EWUG.DK - Level 200-300
Peter Selch Dahl - Cloud Architect and Microsoft Azure MVP
Empowering users and IT (slide diagram): Protect your data. Enable your users. Unify your environment. People-centric approach: devices, apps, data; self-service and single sign-on (login form with username and password).
Identity as the control plane
Simple connection (diagram): Microsoft Azure Active Directory in the middle, connected to the cloud (SaaS, Azure, Office 365, public cloud), to other directories, and to on-premises Windows Server Active Directory.
What is Azure Active Directory?
Your Directory on the cloud: empower users with centrally managed identities and access; monitor and protect access to cloud applications; connect and sync on-premises directories with Azure.
Azure Active Directory Connect connects and syncs on-premises directories with Azure. Other directories are reached through PowerShell, LDAP v3, SQL (ODBC) and web services (SOAP, Java, REST).
SaaS apps: 2400+ preintegrated popular SaaS apps.
MAY 2, 2023@EWUGDK 8
Pass-Through Authentication and SSO - Simple and better auth for most customers in the future!
Why Pass-Through Auth and SSO? - The goal of PTA/Seamless SSO
• Help new customers with the following requirements onboard faster:
  • AuthN against AD on-prem
  • No passwords in the cloud
  • Do not want unauthenticated endpoints on-prem exposed to the internet
  • Provide an SSO solution
• Help existing customers with the above requirements switch to a lower-TCO option
Azure AD Pass-through Authentication
• Enables customers to validate passwords on-premises without the complexity of AD FS
• Allows on-premises policies to be evaluated, such as account disabled, login hours restrictions, etc.
• Simple deployment via AAD Connect, no complex DMZ requirements
• Works for single- or multi-forest customers
• Built on the AAD Application Proxy infrastructure
• Securely validates the user's password against on-premises AD
• Customers can deploy multiple agents for HA
• Bottom line: similar benefits to federation without the deployment cost
Azure AD Pass-through Authentication
• True single sign-on without the cost of AD FS
• No additional servers or infrastructure required on premises
• Accelerated deployment
• Utilizes existing AD infrastructure
• Inherent support for multiple regions
• Inherent support for finding the closest DC
• Based on Kerberos
• No DR plan outside of existing AD plans
• Support for both PTA and PHS customers
• SSO is provided for all domain-joined corporate machines with line of sight to a DC
Azure AD Pass-through Authentication
• Provides similar services to AD FS
  • Forms-based authentication for non-domain-joined users and users outside the corp net (PTA)
  • SSO for domain-joined users on the corp net (SSO)
• No need for dedicated servers
  • PTA can be installed on existing servers or DCs
  • SSO is only a computer account in AD
• No load balancers
  • PTA automatically uses all available connectors, no need to load balance
• No DMZ
  • All connections are outbound
  • No unauthenticated endpoints on the internet
• Less to manage ongoing
  • Simple DR, place connectors where needed
  • No certificates to manage
Why Pass-Through Auth and SSO? - Sign-in options today
Chart of sign-in options plotted by complexity against value: cloud-only accounts; AAD Connect + cloud accounts; AAD Connect + PHS; AAD Connect + AD FS.
The second version of the chart adds two options: AAD Connect + PTA and SSO; AAD Connect + PHS and SSO.
What AD FS offers that PTA and SSO don't
• Support for smartcard authentication
• Support for 3rd-party MFA providers
• Passwords are always in your control boundary, i.e. they don't pass through the cloud
• Conditional access rules based on Exchange protocols (e.g. POP, IMAP, etc.)
• Support for on-premises device-based conditional access (device write-back)
What PTA and SSO offer that AD FS doesn't
• Common authentication for cloud and on-prem users
• Co-existence authentication
Authentication comparison
• 45% are cloud only and completed directly by Azure AD (down from 56% in March).
• 37% are federated and completed by an ADFS server at a customer site (up from 32% in March).
• 18% are completed using a password hash that was synced from on-premises to the cloud using AAD Connect or one of its predecessors (up from 7% in March).
• 1% are completed by a syndication partner (large companies who resell Microsoft services).
• Just under 1% are completed by a 3rd-party federation server (e.g. Ping Federate, CA SiteMinder, etc.).
• Just under 1% are completed by a 3rd-party identity service (a company like Centrify, Okta, OneLogin, etc.).
• The remaining 1% are completed by a custom or open-source identity server.
• The use of ADFS with Azure AD/Office 365 continues to grow. It now accounts for 36% of all authentications (up from 32% nine months ago).
Note: the numbers are a bit old... waiting for new numbers from Alex Simons, Director of PM.
How do they work?
Pass-Through Auth - Updated flow (Contoso Corpnet, AAD STS, AAD App Proxy, Connector, DC):
1. The user enters their user name and password, which are sent to the AAD STS.
2. The username and password are sent to the AAD App Proxy.
3. The connector, which polls the App Proxy over an outbound connection, is notified of the request.
4. The connector validates the credentials against AD.
5. The DC returns the result to the connector.
6. The connector returns the result.
7. The result is returned back to the AAD STS.
8. A token is returned to the user, or further proofs (MFA) are initiated.
Pass-Through Auth
• Supported scenarios
  • Rich clients that utilize modern authentication (think ADAL-enabled)
  • Browser-based passive web flows
• Future supported scenarios
  • Legacy clients (PowerShell, Lync/Skype, Outlook not using ADAL) - GA
  • EAS, native mobile email clients - GA
• Until then
  • Customers need to use ADAL-enabled clients
  • Alternatively, use PHS as a fallback
Desktop SSO
How does it work - Setup (Contoso Corpnet, DC, Azure AD):
1. A machine account is created in on-prem AD.
2. Its Kerberos key is stored securely in Azure AD.
3. A GPO sets the Intranet zone.
How does it work - Runtime (Contoso Corpnet, DC, AAD STS):
1. The user enters their username.
2. The AAD STS sends a 401 response to get a Kerberos ticket.
3. The user requests a Kerberos ticket.
4. AD returns the Kerberos ticket.
5. The user sends the ticket to the AAD STS.
6. The AAD STS returns a token to the user.
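The setup and runtime slides above describe one dependency chain: the key shared in setup step 2 is what lets the STS validate the ticket in runtime step 6, and the GPO from setup step 3 is what makes the browser answer the 401 challenge with a ticket at all. The following simulation is an added example written for this transcript, not code from the talk or from Microsoft. It models both sides of the exchange with pure Python functions so it runs offline. Everything named in it is constructed: the host `sts.example`, the SPN, the user, and the ticket format, which stands in for a real Kerberos service ticket with an HMAC under the SSO account's key. Real Seamless SSO uses Kerberos tickets encrypted with the account's key and a Microsoft-operated STS endpoint that the slides do not name.

```python
import hashlib
import hmac
import secrets

# Constructed names for this simulation. The slides do not name the SSO machine
# account, the STS host or the ticket format, so nothing here is a real endpoint.
STS_HOST = "sts.example"
SSO_SPN = f"HTTP/{STS_HOST}"


class OnPremAD:
    """Domain controller side. Setup step 1: the SSO machine account and its Kerberos key."""

    def __init__(self):
        self.sso_account_key = secrets.token_bytes(32)
        self.logged_on_users = set()          # users holding a TGT from interactive logon

    def logon(self, user: str) -> None:
        self.logged_on_users.add(user)

    def issue_service_ticket(self, user: str, spn: str):
        """Runtime steps 3-4. Stand-in for a Kerberos service ticket: the identity of the
        requesting user bound to the SPN with a MAC under the service account's key."""
        if user not in self.logged_on_users or spn != SSO_SPN:
            return None
        tag = hmac.new(self.sso_account_key, f"{user}|{spn}".encode(), hashlib.sha256).hexdigest()
        return {"user": user, "spn": spn, "tag": tag}


class AzureADSTS:
    """Cloud side. Setup step 2: holds the SSO account's Kerberos key, so it can validate tickets."""

    def __init__(self, kerberos_key: bytes):
        self.kerberos_key = kerberos_key

    def handle(self, request: dict) -> dict:
        if "Authorization" not in request:
            # Runtime step 2: challenge the browser for a Kerberos ticket.
            return {"status": 401, "WWW-Authenticate": "Negotiate"}
        ticket = request["Authorization"]
        expected = hmac.new(self.kerberos_key, f"{ticket['user']}|{ticket['spn']}".encode(),
                            hashlib.sha256).hexdigest()
        if ticket["spn"] != SSO_SPN or not hmac.compare_digest(expected, ticket["tag"]):
            return {"status": 401, "WWW-Authenticate": "Negotiate", "error": "ticket rejected"}
        # Runtime step 6: the ticket checks out, return a token for the user it names.
        return {"status": 200, "token": {"upn": ticket["user"], "amr": ["kerberos-sso"]}}


class DomainJoinedBrowser:
    """Browser on a domain-joined machine. Setup step 3: the GPO-managed Intranet zone decides
    whether the browser will answer a Negotiate challenge from this host at all."""

    def __init__(self, ad: OnPremAD, intranet_zone_hosts):
        self.ad = ad
        self.intranet_zone_hosts = set(intranet_zone_hosts)

    def sign_in(self, username: str, sts: AzureADSTS, host: str = STS_HOST) -> dict:
        transcript = []
        resp = sts.handle({"host": host, "username": username})           # runtime step 1
        transcript.append(("username sent", resp["status"]))
        if resp["status"] == 401 and resp.get("WWW-Authenticate") == "Negotiate":
            if host not in self.intranet_zone_hosts:
                # Without the GPO the host is an Internet-zone site: no ticket is released.
                transcript.append(("zone check", "not intranet, no ticket released"))
                return {"outcome": "password-prompt", "transcript": transcript}
            ticket = self.ad.issue_service_ticket(username, f"HTTP/{host}")
            if ticket is None:
                return {"outcome": "password-prompt", "transcript": transcript}
            resp = sts.handle({"host": host, "username": username, "Authorization": ticket})  # step 5
            transcript.append(("ticket sent", resp["status"]))
        if resp["status"] == 200:
            return {"outcome": "sso", "token": resp["token"], "transcript": transcript}
        return {"outcome": "password-prompt", "transcript": transcript}


def demo() -> dict:
    ad = OnPremAD()
    ad.logon("dave@contoso.example")                    # constructed user, as in the PRT slides
    sts = AzureADSTS(ad.sso_account_key)                # key shared at setup step 2
    with_gpo = DomainJoinedBrowser(ad, [STS_HOST]).sign_in("dave@contoso.example", sts)
    without_gpo = DomainJoinedBrowser(ad, []).sign_in("dave@contoso.example", sts)
    # An STS that does not hold the account's key cannot validate the ticket:
    # setup step 2 is what makes runtime step 6 possible.
    stranger_sts = AzureADSTS(secrets.token_bytes(32))
    wrong_key = DomainJoinedBrowser(ad, [STS_HOST]).sign_in("dave@contoso.example", stranger_sts)
    return {
        "with_gpo": with_gpo["outcome"],
        "sso_user": with_gpo.get("token", {}).get("upn"),
        "without_gpo": without_gpo["outcome"],
        "wrong_key": wrong_key["outcome"],
    }


if __name__ == "__main__":
    print(demo())
```

The three cases in `demo()` are the ones an operator troubleshoots in practice: the GPO missing on a machine (the browser silently falls back to a password prompt), and a key held by the cloud side that does not match what AD issues tickets under (the ticket is sent but rejected). In both failure cases the user still signs in, just without SSO, which is why the fallback is easy to miss without looking at sign-in logs.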
What's In A Token? (In Brief)
Claim, example, intended purpose:
• Tenant ID: 81aabdd2-3682-48fd-9efa-2cb2fcea8557 (immutable tenant identifier)
• Name: [email protected] (display only)
• First Name: Peter (display only)
• Last Name: Dahl (display only)
• Object ID: b3809430-6c28-4e43-870d-fa7d38636dcd (immutable security identifier)
The token also contains group information.
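The table draws the line that matters for authorization code: tenant ID and object ID are immutable identifiers, the name claims are display only. The following added example (written for this transcript, not code from the talk or from Microsoft) is a small verifier that enforces that line: it keys the principal on `tid` and `oid`, uses names only for labels, and shows that a second token with the same display name but another object ID is a different principal. To run offline the token is a constructed JWT signed with HMAC-SHA256 under a constructed key; real Azure AD tokens are RS256-signed and must be verified against Azure AD's published signing keys. The claim names `tid`, `oid`, `name`, `given_name`, `family_name` and `groups` are the ones Azure AD uses; the UPN and group ID are constructed because the slide's e-mail address is redacted.

```python
import base64
import hashlib
import hmac
import json

# Example values from the slide's "What's In A Token?" table.
TENANT_ID = "81aabdd2-3682-48fd-9efa-2cb2fcea8557"
OBJECT_ID = "b3809430-6c28-4e43-870d-fa7d38636dcd"

# Constructed key for this offline demo. Real Azure AD tokens are RS256-signed by
# Azure AD and must be verified against Azure AD's published signing keys.
DEMO_KEY = b"demo-only-hmac-key-not-an-azure-ad-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (header.payload.signature) with an HS256 signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes, expected_tid: str) -> dict:
    """Check structure, algorithm, signature and tenant; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: never let the token choose how it is verified.
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    # tid is the immutable tenant identifier: a correctly signed token for another tenant is still foreign.
    if claims.get("tid") != expected_tid:
        raise ValueError("token issued for another tenant")
    if "oid" not in claims:
        raise ValueError("no immutable object identifier in token")
    return claims


def principal_key(claims: dict) -> tuple:
    """Authorization keys on the immutable identifiers (tid, oid), not on names."""
    return (claims["tid"], claims["oid"])


def display_label(claims: dict) -> str:
    """Name claims are for display only, exactly as the slide table says."""
    return f'{claims.get("given_name", "")} {claims.get("family_name", "")} <{claims.get("name", "")}>'.strip()


def _rejected(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Constructed claims; the slide's e-mail address is redacted, so a placeholder UPN is used.
    peter = {"tid": TENANT_ID, "oid": OBJECT_ID, "name": "peter@contoso.example",
             "given_name": "Peter", "family_name": "Dahl", "groups": ["constructed-group-id"]}
    lookalike = dict(peter, oid="00000000-0000-4000-8000-000000000001")   # same names, different object
    foreign = dict(peter, tid="00000000-0000-4000-8000-0000000000ff")     # same object id, other tenant
    token_a, token_b = make_demo_token(peter), make_demo_token(lookalike)
    claims_a = verify_token(token_a, DEMO_KEY, TENANT_ID)
    claims_b = verify_token(token_b, DEMO_KEY, TENANT_ID)
    # Splice the lookalike payload onto token_a's signature: the signature check must fail.
    header_a, _, sig_a = token_a.split(".")
    forged = f"{header_a}.{token_b.split('.')[1]}.{sig_a}"
    return {
        "same_label": display_label(claims_a) == display_label(claims_b),
        "same_principal": principal_key(claims_a) == principal_key(claims_b),
        "forgery_rejected": _rejected(lambda: verify_token(forged, DEMO_KEY, TENANT_ID)),
        "foreign_tenant_rejected": _rejected(lambda: verify_token(make_demo_token(foreign), DEMO_KEY, TENANT_ID)),
        "groups_present": "groups" in claims_a,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the lookalike token is that display names are neither unique nor stable, so an access-control list built on `name` or `given_name` can be satisfied by a different object, while one built on `(tid, oid)` cannot. The tenant check is separate from the signature check on purpose: a token can be perfectly valid and still belong to someone else's tenant.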
Ports required for Azure AD Connect
• 80: Enable outbound HTTP traffic for security validation such as SSL.
• 443: Enable user authentication against Azure AD.
• 10100-10120: Enable responses from the connector back to Azure AD.
• 9352, 5671: Enable communication between the connector and the Azure service for incoming requests.
• 9350: Optional, enables better performance for incoming requests.
• 8080/443: Enable the connector bootstrap sequence and connector automatic update.
• 9090: Enable connector registration (required only for the connector registration process).
• 9091: Enable connector trust certificate automatic renewal.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports
Pass-Through Auth and SSO
• Only works with web flows
  • ADAL rich clients supported
• Limited browser support
  • IE, Chrome, Firefox
  • Edge not currently (due to lack of SSO support)
• Alternate login ID
  • Not supported, will be supported in Public Preview
Supported Browsers / Clients (ADAL)
Which of the following would you choose?
• PTA + Desktop SSO
• Password Hash Sync (PHS) + SSO
• Either PTA or PHS + SSO is good for me/my customers
• PTA + Desktop SSO with fallback to PHS
• I don't really need SSO or PTA - why?
Who is using this Public Preview?
Outlook Modern Authentication Support
Connect to Exchange Online PowerShell, enable OAuth2 (modern authentication) for the organization, and confirm the setting:
$credential = Get-Credential
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $ExchangeSession
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
Official link: https://support.office.com/en-us/article/Enable-Exchange-Online-for-modern-authentication-58018196-f918-49cd-8238-56f57f38d662
AzureAD: Primary Refresh Tokens (sequence between a Windows 10 device, Microsoft Azure Active Directory and Office 365)
1. Dave authenticates to Azure AD as part of the logon process.
2. A Primary Refresh Token (PRT) is returned by Azure AD and cached by Windows 10.
3. Windows 10 to Azure AD: "Here is my PRT, can I please have an SSO token for Office 365?"
4. Azure AD to Windows 10: "Your PRT checks out, so here is the SSO token you asked for."
5. Windows 10 to Office 365: "Here is my Office 365 SSO token, give me access please."
AzureAD: Tokens
Kerberos: Maximum lifetime for service ticket: 10 hours before the user has to fetch a new ticket from the domain controller internally (validation): https://technet.microsoft.com/en-us/library/cc775748(v=ws.10).aspx
Session timeouts for Office 365: https://support.office.com/en-US/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
Modern Authentication: At some point we also need to talk "Modern Authentication" with you, but I don't think the time is quite ripe for that yet: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/. It is closely tied to EMS (Conditional Access). "Modern Authentication": http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
Basic Authentication: ADFS token: 8 hours (that is the Microsoft default).
T: +45 82 32 32 32
F: +45 82 32 32 22
M: [email protected]
www.proactive.dk
Questions and Answers
Thanks
Certifications: Microsoft MCSA: 2012 Windows Server 2016; Microsoft MCSA: 2012 Windows Server 2012; Microsoft MCITP: 2008 Server and Enterprise Administrator; Microsoft MCSA: 2008 Windows Server 2008; Microsoft MCSA/MCSE: 2003 Security; Microsoft MCITP: Windows Server 2008 R2, Virtualization Administrator; Microsoft MCTS: SCOM 2007, ISA 2006, DPM; Microsoft MCTS: Forefront Protection, etc.; VMware Certified Professional VI3/VI4/VI5; CompTIA A+, Network+; Citrix CCA: Branch Repeater (CloudBridge); EC-Council: Certified Ethical Hacker (CEH v7); and more.
Peter Selch Dahl, Sr. IT Architect, Cloud and IT Infrastructure
Twitter: @PeterSelchDahl
YouTube: www.youtube.com/user/PeterSelchDahl
Blog: http://blog.peterdahl.net
LinkedIn: https://dk.linkedin.com/in/petersdahl