EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On


Transcript of EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Page 1: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Azure AD Pass-Through Authentication and Seamless SSO - EWUG.DK - Level 200-300

Peter Selch Dahl - Cloud Architect and Microsoft Azure MVP

Page 2: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Page 3: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

[Slide: people-centric approach]
• Protect your data
• Enable your users
• Empowering users
• User IT
• Unify your environment
• People-centric approach: Devices, Apps, Data

Page 4: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

[Diagram: identity as the control plane]
• Identity as the control plane: Microsoft Azure Active Directory in the middle
• Self-service and single sign-on (username / password prompt)
• Simple connection to the cloud: SaaS, Azure, Office 365, public cloud
• On-premises: Windows Server Active Directory and other directories

Page 5: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

What is Azure Active Directory?

Your Directory on the cloud
• Empower users: centrally managed identities and access.
• Monitor and protect access to cloud applications.

Page 6: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Your Directory on the cloud
• Connect and sync on-premises directories with Azure.
• Azure Active Directory Connect bridges Microsoft Azure Active Directory and other directories via: PowerShell, LDAP v3, SQL (ODBC), Web Services (SOAP, Java, REST)

Page 7: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Your Directory on the cloud
• Connect and sync on-premises directories with Azure.
• Microsoft Azure Active Directory connects other directories to SaaS apps: 2400+ pre-integrated popular SaaS apps.

Page 8: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

MAY 2, 2023@EWUGDK 8

Pass-Through Authentication and SSO - Simple and better auth for most customers in the future!

Page 9: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Why Pass-Through Auth and SSO? - The Goal of PTA/Seamless SSO

• Help new customers with the following requirements onboard faster:
  • AuthN against AD on-prem
  • No passwords in the cloud
  • Do not want unauthenticated endpoints on-prem exposed to the internet
  • Provide an SSO solution
• Help existing customers with the above requirements switch to a lower-TCO option

Page 10: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Azure AD Pass-through Authentication

• Enables customers to validate passwords on-premises without the complexity of AD FS
• Allows on-premises policies to be evaluated, such as account disabled, logon hour restrictions, etc.
• Simple deployment via AAD Connect; no complex DMZ requirements
• Works for single- or multi-forest customers
• Built on the AAD Application Proxy infrastructure
• Securely validates the user's password against on-premises AD (the cloud encrypts the password to the agent's public key; the agent decrypts it and validates it against a DC with the standard Windows logon API, so the password is not stored in the cloud)
• Customers can deploy multiple agents for HA
• Bottom line: similar benefits to federation without the deployment cost

Page 11: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Azure AD Pass-through Authentication: Seamless SSO

• True single sign-on without the cost of AD FS
• No additional servers or infrastructure required on-premises
• Accelerated deployment
• Utilizes existing AD infrastructure
  • Inherent support for multiple regions
  • Inherent support for finding the closest DC
  • Based on Kerberos
  • No DR plan needed beyond existing AD plans
• Support for both PTA and PHS customers
• SSO is provided for all domain-joined corporate machines with line of sight to a DC

Page 12: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Azure AD Pass-through Authentication

• Provides similar services to AD FS
  • Forms-based authentication for non-domain-joined / outside-corpnet users (PTA)
  • SSO for domain-joined users on the corpnet (Seamless SSO)
• No need for dedicated servers
  • PTA can be installed on existing servers or DCs
  • SSO is only a computer account in AD
• No load balancers
  • PTA automatically uses all available connectors; no need to load balance
• No DMZ
  • All connections are outbound
  • No unauthenticated endpoints on the internet
• Less to manage ongoing
  • Simple DR: place connectors where needed
  • No certificates to manage

Page 13: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Why Pass-Through Auth and SSO? - Sign-in Options today

[Chart: value vs. complexity. Options plotted: Cloud-only accounts; AAD Connect + cloud accounts; AAD Connect + PHS; AAD Connect + AD FS]

Page 14: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Why Pass-Through Auth and SSO? - Sign-in Options today

[Chart: value vs. complexity, same axes as the previous slide. Options plotted: Cloud-only accounts; AAD Connect + cloud accounts; AAD Connect + PHS; AAD Connect + AD FS; AAD Connect + PTA and SSO; AAD Connect + PHS and SSO]

Page 15: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

What AD FS offers that PTA and SSO don't

• Support for smartcard authentication
• Support for 3rd-party MFA providers
• Passwords are always in your control boundary, i.e. they don't pass through the cloud
• Conditional access rules based on Exchange protocols (e.g. POP, IMAP, etc.)
• Support for on-premises device-based conditional access (device write-back)

Page 16: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

What PTA and SSO offer that AD FS doesn't

• Common authentication for cloud and on-prem users
• Co-existence authentication

Page 17: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Authentication comparison

• 45% are cloud-only and completed directly by Azure AD (down from 56% in March).
• 37% are federated and completed by an AD FS server at a customer site (up from 32% in March).
• 18% are completed using a password hash that was synced from on-premises to the cloud using AAD Connect or one of its predecessors (up from 7% in March).
• 1% are completed by a syndication partner (large companies who resell Microsoft services).
• Just under 1% are completed by a 3rd-party federation server (i.e. Ping Federate, CA SiteMinder, etc.).
• Just under 1% are completed by a 3rd-party identity service (a company like Centrify, Okta, OneLogin, etc.).
• The remaining 1% are completed by a custom or open-source identity server.
• The use of AD FS with Azure AD/Office 365 continues to grow. It now accounts for 36% of all authentications (up from 32% nine months ago).

Note: Numbers are a bit old... waiting for new numbers from Alex Simons - Director of PM.

Page 18: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On


How do they work?

Page 19: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Pass-Through Auth - Updated flow

[Diagram: Contoso corpnet (DC, Connector) on the left; AAD App Proxy and AAD STS in the cloud]

1. User enters username and password at the AAD STS.
2. Username and password are sent to AAD App Proxy (the connector is polling App Proxy for work; all connections are outbound from the connector).
3. Connector is notified of the request.
4. Connector validates the credentials against AD.
5. DC returns the result.
6. Connector returns the result.
7. Result is returned back to the AAD STS.
8. Token is returned to the user, or further proofs (MFA) are initiated.

Page 20: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Pass-Through Auth

• Supported scenarios
  • Rich clients that utilize modern authentication (think ADAL-enabled)
  • Browser-based passive web flows
• Future supported scenarios
  • Legacy clients (PowerShell, Lync/Skype, Outlook not using ADAL) - at GA
  • EAS, native mobile email clients - at GA
• Until then
  • Customers need to use ADAL-enabled clients
  • Alternatively, use PHS as a fallback

Page 21: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On


Desktop SSO

Page 22: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

How does it work - Setup


Page 23: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

How does it work - Setup

[Diagram: Contoso corpnet with a DC; Azure AD in the cloud]

1. Machine account created in on-prem AD.
2. Kerberos key stored securely in Azure AD.
3. GPO to set the Intranet zone.
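The three setup steps above leave one long-lived secret on-prem: the password (Kerberos key) of the Seamless SSO computer account, which Azure AD holds a copy of. The following is an added example, not part of the deck, that audits those three pieces and rolls the key. It assumes the default Azure AD Connect install path for the AzureADSSO module, the documented account name AZUREADSSOACC and SPN HTTP/autologon.microsoftazuread-sso.com, Microsoft's recommended 30-day rollover interval, and the RSAT ActiveDirectory module on the machine. Run it on the Azure AD Connect server as a domain admin.

```powershell
# Added example (not from the deck): audit the Seamless SSO computer account and the
# client zone mapping, then roll the Kerberos decryption key when it is stale.
# Assumptions: default Azure AD Connect install path, RSAT ActiveDirectory installed.
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

# 1. The on-prem machine account whose Kerberos key Azure AD uses to decrypt the
#    user's service ticket. Its password IS the shared secret, so its age and
#    who can read it (DCSync, backups) are the security-relevant facts.
$acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet, ServicePrincipalNames
$keyAgeDays = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
"AZUREADSSOACC key last rolled {0} days ago" -f $keyAgeDays
if ($acct.ServicePrincipalNames -notcontains 'HTTP/autologon.microsoftazuread-sso.com') {
    Write-Warning 'Expected SPN HTTP/autologon.microsoftazuread-sso.com is missing'
}

# 2. Client side: the GPO "Site to Zone Assignment List" must put the SSO endpoint
#    in the Local intranet zone (value 1) or browsers never send a Kerberos ticket.
$zoneKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$zone = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).'https://autologon.microsoftazuread-sso.com'
if ($zone -ne 1) {
    Write-Warning "autologon.microsoftazuread-sso.com is not in the Intranet zone (value: '$zone')"
}

# 3. Tenant side: confirm Seamless SSO is enabled and which forests are registered.
New-AzureADSSOAuthenticationContext          # prompts for a Global Administrator
Get-AzureADSSOStatus | ConvertFrom-Json | Format-List

# 4. Roll the key if it is older than 30 days. Update-AzureADSSOForest resets the
#    AZUREADSSOACC password on-prem AND pushes the new key to Azure AD in one step.
#    Never reset the password by hand: Azure AD's copy would no longer match and
#    SSO would silently fall back to the password prompt.
if ($keyAgeDays -gt 30) {
    $onPremCreds = Get-Credential -Message 'Domain admin for the on-prem forest (DOMAIN\user)'
    Update-AzureADSSOForest -OnPremCredentials $onPremCreds
}
```

Run it from an elevated PowerShell on the Azure AD Connect server; step 2 only reflects the GPO as applied to the account running the script, so check it on a representative domain-joined client as well.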

Page 24: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

How does it work - Runtime

[Diagram: Contoso corpnet with a DC; AAD STS in the cloud]

1. User enters their username.
2. AAD STS returns a 401 response asking for a Kerberos ticket.
3. User requests a Kerberos ticket from the DC.
4. AD returns the Kerberos ticket.
5. User sends the ticket to the AAD STS.
6. AAD STS returns a token to the user.

Page 25: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

What's In A Token? (In Brief)

Claim        Example                                Intended purpose
Tenant ID    81aabdd2-3682-48fd-9efa-2cb2fcea8557   Immutable tenant identifier
Name         [email protected]                      Display only
First Name   Peter                                  Display only
Last Name    Dahl                                   Display only
Object ID    b3809430-6c28-4e43-870d-fa7d38636dcd   Immutable security identifier

The token also contains group information.
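To make the "immutable identifier" versus "display only" distinction concrete, here is an added example (not from the deck) that decodes a compact JWT, which is the format Azure AD issues tokens in, and checks the claims a relying party should actually key off. The token is constructed inline with a dummy signature and the example GUIDs from the slide; the claim names (tid, oid, name, given_name, family_name, upn, groups, exp) are Azure AD's own, but the group GUID and UPN are made up. Signature verification against the tenant's signing keys is deliberately out of scope here and must happen before any of these claims are trusted.

```powershell
# Added example (not from the deck): decode an Azure AD-style JWT and validate the
# claims that matter for authorization. Signature is NOT verified in this example.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are base64url without padding; restore it before decoding.
    $t = $Text.Replace('-', '+').Replace('_', '/')
    switch ($t.Length % 4) { 2 { $t += '==' } 3 { $t += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t))
}

function Get-JwtClaims([string]$Jwt) {
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS: expected header.payload.signature' }
    [pscustomobject]@{
        Header  = (ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json)
        Payload = (ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json)
    }
}

function Test-JwtClaims($Claims, [string]$ExpectedTenantId) {
    # Authorization keys off immutable ids (tid, oid) and exp; name/given_name/
    # family_name are display-only and can change without the user changing.
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $problems = @()
    if ($Claims.tid -ne $ExpectedTenantId) { $problems += "tid $($Claims.tid) is not our tenant" }
    if (-not $Claims.oid)                   { $problems += 'no oid claim; cannot identify the user reliably' }
    if ($Claims.exp -le $now)               { $problems += 'token has expired' }
    return $problems
}

# Constructed sample token (example GUIDs from the slide, made-up UPN and group).
$tenantId = '81aabdd2-3682-48fd-9efa-2cb2fcea8557'
$header   = [Text.Encoding]::UTF8.GetBytes('{"typ":"JWT","alg":"RS256","kid":"example-kid"}')
$payload  = [Text.Encoding]::UTF8.GetBytes((@{
    tid = $tenantId
    oid = 'b3809430-6c28-4e43-870d-fa7d38636dcd'
    name = 'Peter Dahl'; given_name = 'Peter'; family_name = 'Dahl'
    upn = 'peter@contoso.example'
    groups = @('7a1f0c2e-0000-4000-8000-000000000001')
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress))
$token = '{0}.{1}.{2}' -f (ConvertTo-Base64Url $header), (ConvertTo-Base64Url $payload), 'dummysignature'

$claims = (Get-JwtClaims $token).Payload
"Tenant (tid): $($claims.tid)   User (oid): $($claims.oid)"
"Display only: $($claims.given_name) $($claims.family_name) <$($claims.upn)>"
"Groups:       $($claims.groups -join ', ')"
$issues = Test-JwtClaims -Claims $claims -ExpectedTenantId $tenantId
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { 'Claims look sane (signature not verified in this example)' }
```

Paste a real access token into $token to inspect one from your tenant; the decode works the same, but treat the output as untrusted until the signature has been checked.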

Page 26: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Ports required for Azure AD Connect

• 80: Enable outbound HTTP traffic for security validation such as SSL certificate revocation checks.
• 443: Enable user authentication against Azure AD.
• 10100–10120: Enable responses from the connector back to Azure AD.
• 9352, 5671: Enable communication from the connector toward the Azure service for incoming requests.
• 9350: Optional; enables better performance for incoming requests.
• 8080/443: Enable the connector bootstrap sequence and connector automatic update.
• 9090: Enable connector registration (required only for the connector registration process).
• 9091: Enable connector trust certificate automatic renewal.

All of these are outbound from the connector; nothing needs to be opened inbound.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports

Page 27: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Pass-Through Auth and SSO

• Only works with web flows
  • ADAL rich clients supported
• Limited browser support
  • IE, Chrome, Firefox
  • Edge not currently (due to lack of SSO support)
• Alternate login ID
  • Not supported; will be supported in Public Preview

Page 28: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Supported Browsers / Clients (ADAL)


Page 29: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Which of the following would you choose?

• PTA + Desktop SSO
• Password Hash Sync (PHS) + SSO
• Either PTA or PHS + SSO is good for me/my customers
• PTA + Desktop SSO with fallback to PHS
• I don't really need SSO or PTA - why?

Page 30: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Who is using this Public Preview?

Page 31: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Outlook Modern Authentication Support


Page 32: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

Outlook Modern Authentication Support

Connect to Exchange Online remote PowerShell (the deck's Basic-auth remoting as shown at the time; Basic authentication to ps.outlook.com has since been retired, so current tenants use Connect-ExchangeOnline from the ExchangeOnlineManagement module instead):

    $credential = Get-Credential
    $ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $credential -Authentication Basic -AllowRedirection
    Import-PSSession $ExchangeSession

Enable modern authentication (OAuth 2.0) for the organization, then verify the setting:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

Official link: https://support.office.com/en-us/article/Enable-Exchange-Online-for-modern-authentication-58018196-f918-49cd-8238-56f57f38d662

Page 33: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

AzureAD: Primary Refresh Tokens

Page 34: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

AzureAD: Primary Refresh Tokens

[Diagram: Windows 10 client and Microsoft Azure Active Directory]
1. Dave authenticates to Azure AD as part of the logon process.

Page 35: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

AzureAD: Primary Refresh Tokens

2. A Primary Refresh Token (PRT) is returned by Azure AD and cached by Windows 10.

Page 36: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

AzureAD: Primary Refresh Tokens

[Diagram: Office 365 added alongside Microsoft Azure Active Directory and the Windows 10 client]

Page 37: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

AzureAD: Primary Refresh Tokens

3. Client to Azure AD: "Here is my PRT, can I please have an SSO token for Office 365?"

Page 38: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

AzureAD: Primary Refresh Tokens

4. Azure AD to client: "Your PRT checks out, so here is the SSO token you asked for."

Page 39: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

AzureAD: Primary Refresh Tokens

5. Client to Office 365: "Here is my Office 365 SSO token, give me access please."

Page 40: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

AzureAD: Tokens

• Kerberos: Maximum lifetime for service ticket: 10 hours before the user must fetch a new ticket from the domain controller internally (validation): https://technet.microsoft.com/en-us/library/cc775748(v=ws.10).aspx
• Session timeouts for Office 365: https://support.office.com/en-US/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
• Modern Authentication: At some point we also need to talk about "Modern Authentication" with you, but I don't think the time is quite ripe for it yet: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/. It is closely tied to EMS (Conditional Access). "Modern Authentication": http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
• Basic Authentication: AD FS token: 8 hours (the Microsoft default).

Page 41: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

T: +45 82 32 32 32
F: +45 82 32 32 22
M: [email protected]
W: www.proactive.dk

Questions and Answers

Thanks

Page 42: EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On

• Microsoft MCSA: 2012 Windows Server 2016
• Microsoft MCSA: 2012 Windows Server 2012
• Microsoft MCITP: 2008 Server and Enterprise Administrator
• Microsoft MCSA: 2008 Windows Server 2008
• Microsoft MCSA/MCSE: 2003 Security
• Microsoft MCITP: Windows Server 2008 R2, Virtualization Administrator
• Microsoft MCTS: SCOM 2007, ISA 2006, DPM
• Microsoft MCTS: Forefront Protection, etc.
• VMware Certified Professional VI3/VI4/VI5
• CompTIA A+, Network+
• Citrix CCA: Branch Repeater (CloudBridge)
• EC-Council: Certified Ethical Hacker (CEH v7)
• And more

Peter Selch Dahl
Sr. IT Architect, Cloud and IT Infrastructure
Twitter: @PeterSelchDahl
YouTube: www.youtube.com/user/PeterSelchDahl
Blog: http://blog.peterdahl.net
LinkedIn: https://dk.linkedin.com/in/petersdahl