ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs and hybrid identity

Ten most common mistakes

with AD FS and Hybrid Identity

Sander Berkouwer

Tweet and win an Ignite 2016 ticket #itproceed #activedirectory #hybrididentity

Agenda

Federation

A small primer on the open protocols used today for federating identity and achieving hybrid identity

Most common mistakes

when planning, deploying and operating AD FS

… and how to avoid them

to get the most out of your hybrid identity implementation

Federation

On claims, identity providers and relying party trusts

Why we need federation

NTLM and Kerberos

Kerberos (1993) was designed for ‘safe’ networks

NTLM and Kerberos have serious problems

Active Directory

Active Directory domain memberships are typically Windows-only

Domain trusts leak information and scale badly

Granular device-agnostic authentication

We need device-agnostic, open protocols, designed for the web

We need multi-factor authentication

Under the hood

[Diagram: numbered token flow (steps 1-7) between a Colleague, a Claims-aware App, Active Directory Federation Services (acting as STS) and Active Directory Domain Services]

Behind the mist

[Diagram: numbered flow (steps 1-8) between a Colleague, on-premises Active Directory Domain Services and Active Directory Federation Services, Azure Active Directory (linked by an Active Directory Federation Trust), the Directory Synchronization Tool, the Azure Active Directory Management API and an Azure Active Directory integrated Application, across the Internet]

Federation benefits

SAML and OAuth2 are Internet-ready

Transport over Universal Firewall Bypass Protocol (TCP 443)

Tickets are compressed, optionally encrypted

Relying Party trusts are very flexible

Ticket content and authentication are defined per relying party trust

Relying party trusts are flexible and scalable

Multi-factor authentication

AD FS in Windows Server 2012 R2 is extensible

Extensions are configurable per relying party trust, per network

Common mistakes

1. AD FS when you don’t need it

Some organizations need their own AD FS infrastructure

Local authentication requirements (legal, multi-factor authentication)

Local authentication possibilities (claims issuance, transformation rules)

Azure Active Directory with Password Sync

2488 Software-as-a-Service apps in the Azure Active Directory App Gallery

Easily configure Single Sign-On and user account management

Azure Active Directory

Azure Active Directory Free may contain up to 500,000 accounts

Federating with up to 5 apps is free. Online accounts may suffice

2. Build upon an unhealthy Active Directory

Attribute integrity and lingering objects

Objects and attributes present on some Domain Controllers, not on others

Resulting in unpredictable AD FS authentication

Private top level domains

DNS Domain Name for domains ending with .local, .int

User Principal Name (UPN) needs to be added and changed

UPN syntax mismatches

Critical for solutions with Directory Sync Tool / Azure Active Directory Sync

Use the IdFix DirSync Error Remediation Tool
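As an added example (not part of the presentation), the report below does the part of an IdFix pass that matters for mistake 2: it lists enabled accounts whose UPN is missing, ends in a private top-level domain such as .local or .int, or carries characters the directory sync tools reject. It assumes the ActiveDirectory PowerShell module; 'contoso.com' is a placeholder for the public, verified domain you intend to use as the routable UPN suffix.

```powershell
# Added example, not from the presentation: report accounts whose UPN will not
# synchronise cleanly to Azure AD (private suffix, missing or malformed UPN).
# Assumes the ActiveDirectory module; 'contoso.com' is a placeholder for the
# public, verified domain you intend to use as the routable UPN suffix.
Import-Module ActiveDirectory

$RoutableSuffix = 'contoso.com'    # placeholder
$forest = Get-ADForest

# Remediation for a .local forest is to register a routable suffix and move users
# onto it. This script only reports; the fix itself is the commented line below.
#   Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $RoutableSuffix }
if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
    Write-Warning "Routable UPN suffix '$RoutableSuffix' is not registered in the forest yet."
}

# Top-level labels that cannot be verified in Azure AD (the deck names .local and .int).
$privateTlds = '\.(local|int|lan|internal|corp)$'
# Characters the sync tools reject in the UPN prefix (roughly the set IdFix flags).
$badChars    = '[\\%&*+/=?{}|<>()\[\];:,"'' ]'

$findings = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail) {
    $upn = $u.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ Account = $u.SamAccountName; UPN = ''; Issue = 'UPN missing' }
        continue
    }
    $prefix, $suffix = $upn -split '@', 2
    if ($suffix -match $privateTlds) {
        [pscustomobject]@{ Account = $u.SamAccountName; UPN = $upn; Issue = "private suffix .$($matches[1])" }
    }
    if ($prefix -match $badChars -or $prefix -match '^\.|\.$') {
        [pscustomobject]@{ Account = $u.SamAccountName; UPN = $upn; Issue = 'invalid character in UPN prefix' }
    }
    # Not an error, but sign-in prompts are far less confusing when UPN and primary mail agree.
    if ($u.mail -and $u.mail -ine $upn) {
        [pscustomobject]@{ Account = $u.SamAccountName; UPN = $upn; Issue = "mail differs: $($u.mail)" }
    }
}
$findings | Sort-Object Issue, Account | Format-Table -AutoSize
```

Run it before the first synchronisation and again after every bulk account change; a clean report here removes the most common cause of "user exists in AD but cannot sign in to the cloud app" tickets.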

3. The AD FS Service Account

Password changes, security implications

AD FS is usually Internet-facing, so it benefits from extra security

We want regular password changes, host restrictions, etc.

group Managed Service Accounts (gMSAs)

gMSAs solve ‘the service account problem’ for farms, AD FS supported

gMSAs offer Automatic SPN and password management

Windows Server 2008 DFL

2008 Domain Functional Level offers automatic SPN management

Windows 8 and Windows Server 2012 (and up) offer Cmdlets
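The slide's advice for mistake 3 in script form, as an added example that is not part of the presentation: create a gMSA whose password only the farm members can retrieve, then bind the AD FS farm to it. Account name, computer names, federation service name and certificate thumbprint are placeholders; the ActiveDirectory and ADFS modules, Windows Server 2012 (or later) domain controllers and a KDS root key are assumed.

```powershell
# Added example, not from the presentation: a gMSA for an AD FS farm.
# Placeholders: gmsa-adfs, ADFS01/ADFS02, sts.contoso.com, the certificate thumbprint.
# Requires the ActiveDirectory and ADFS modules and Windows Server 2012+ domain controllers.
Import-Module ActiveDirectory

$Domain      = (Get-ADDomain).NetBIOSName
$DnsRoot     = (Get-ADDomain).DNSRoot
$GmsaName    = 'gmsa-adfs'                                 # placeholder
$FarmNodes   = 'ADFS01', 'ADFS02'                          # placeholder computer names
$ServiceFqdn = 'sts.contoso.com'                           # placeholder federation service name
$Thumbprint  = '<service-communication-cert-thumbprint>'   # placeholder

# 1. The KDS root key is created once per forest. -EffectiveImmediately is for labs;
#    in production let the key become usable after the default 10-hour replication window.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Only the farm members may retrieve the managed password. AD rotates the password
#    (here every 30 days) and nobody ever knows it, which is the 'service account problem'
#    solved. AES-only Kerberos keeps RC4 off the account.
$nodes = $FarmNodes | ForEach-Object { Get-ADComputer -Identity $_ }
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$DnsRoot" `
    -PrincipalsAllowedToRetrieveManagedPassword $nodes `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# 3. On each farm node (run locally, after a reboot or 'klist -li 0x3e7 purge' so the
#    computer picks up its new group memberships): link the account and confirm access.
Install-ADServiceAccount -Identity $GmsaName
Test-ADServiceAccount -Identity $GmsaName      # True when this node can retrieve the password

# 4. On the first node, create the farm bound to the gMSA (note the trailing $ in the
#    identifier). AD FS setup registers the HOST/<federation service name> SPN for it.
Import-Module ADFS
Install-AdfsFarm -CertificateThumbprint $Thumbprint `
    -FederationServiceName $ServiceFqdn `
    -FederationServiceDisplayName 'Contoso STS' `
    -GroupServiceAccountIdentifier "$Domain\$GmsaName`$"

# 5. On every further node, join the farm with the same identity.
# Add-AdfsFarmNode -CertificateThumbprint $Thumbprint -PrimaryComputerName 'ADFS01' `
#     -GroupServiceAccountIdentifier "$Domain\$GmsaName`$"
```

The password interval cannot be changed after the account exists, so decide on it up front; everything else (member list, encryption types) can be adjusted later with Set-ADServiceAccount.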

4. Designing the right AD FS infrastructure

AD FS Server Farms

AD FS can easily be deployed highly available, if need be with Windows NLB

AD FS Proxies / Web App Proxies can be deployed in perimeter networks

Windows Internal Database or SQL Server

A WID farm has a limit of five federation servers and does not support token replay detection or artifact resolution

SQL Server High Availability

Take advantage of your existing SQL Server investments

Take advantage of database mirroring, failover clustering, monitoring

5. Skewed Time Synchronization

Time Sync within an Active Directory environment

W32time follows Active Directory hierarchy and sites configuration

Set the time for an environment through the PDCe

Time Sync within Virtual Machines

Virtual machines always sync time with host on boot

Continuous time sync is configured with VMware tools, Hyper-V ICs, etc.

Time Sync within Perimeter Networks

Could be virtual machine time sync, could be an external source

Will be none, if you don’t configure it…
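An added check for mistake 5 (example code, not from the presentation): it finds the PDC emulator, measures each federation server's clock offset against it with w32tm and flags skew long before it reaches the five-minute default Kerberos tolerance that AD FS token validation also relies on. Server names and the external time source are placeholders; the ActiveDirectory module and PowerShell remoting to the farm members are assumed.

```powershell
# Added example, not from the presentation: verify clock offset of AD FS servers
# against the PDC emulator. 'ADFS01'/'ADFS02' and time.windows.com are placeholders.
Import-Module ActiveDirectory

$pdce        = (Get-ADDomain).PDCEmulator
$adfsServers = 'ADFS01', 'ADFS02'   # placeholders; domain-joined farm members
$MaxSkewSec  = 60                   # alert threshold well inside the 300 s Kerberos default

# 1. Only the PDCe points at an external source; every other domain member keeps the
#    default domain hierarchy (NT5DS). Run once on the PDCe:
#      w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
#      w32tm /resync
#    A non-domain-joined Web Application Proxy in the perimeter gets no hierarchy at all,
#    so give it the same /manualpeerlist configuration or it will drift unnoticed.

# 2. Sample the offset between a farm member and the PDCe. /stripchart /dataonly prints
#    lines such as "12:00:01, +00.0012345s"; the signed seconds value is what we parse.
function Get-ClockOffsetSeconds {
    param([string]$Computer, [string]$Reference)
    $lines = Invoke-Command -ComputerName $Computer -ScriptBlock {
        param($ref) w32tm /stripchart "/computer:$ref" /samples:3 /dataonly
    } -ArgumentList $Reference -ErrorAction SilentlyContinue
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
    if ($offsets) { ($offsets | Measure-Object -Average).Average } else { $null }
}

$report = foreach ($srv in $adfsServers) {
    $off = Get-ClockOffsetSeconds -Computer $srv -Reference $pdce
    [pscustomobject]@{
        Server    = $srv
        Reference = $pdce
        OffsetSec = if ($null -eq $off) { 'n/a' } else { [math]::Round($off, 3) }
        Status    = if ($null -eq $off) { 'CHECK: no samples (w32tm or remoting failed)' }
                    elseif ([math]::Abs($off) -gt $MaxSkewSec) { 'SKEWED' }
                    else { 'ok' }
    }
}
$report | Format-Table -AutoSize

# 3. Hyper-V guests: the host sets the clock at boot regardless. Decide deliberately
#    whether the host or the domain hierarchy is authoritative afterwards; running both
#    is the usual source of flapping time. To let the hierarchy win, on the Hyper-V host:
#      Disable-VMIntegrationService -VMName 'ADFS01' -Name 'Time Synchronization'
```

A 'SKEWED' row is worth treating as an incident rather than a nuisance: tokens issued by a fast server are rejected as not-yet-valid by relying parties, and audit timestamps from that server can no longer be correlated with the rest of the estate.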

6. Certificate Distrust

Certificates in use by AD FS

Token-signing and token-decryption certificates

Service communication certificate

Certificates with 1024-bit key length

Certificates under 1024 bits key length are blocked

Request and use certificates with 2048-bit key length throughout the chain

Certificates with SHA-1 hash algorithm

Starting 2016, SHA-1 will be deprecated

Request and use certs with SHA-2 hash algorithms throughout the chain
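"Throughout the chain" is the part that gets missed, so this added example (not from the presentation) walks every certificate AD FS uses, builds its chain and reports any link with a key shorter than 2048 bits, a SHA-1 signature or an expiry within 30 days. It assumes the ADFS PowerShell module on a Windows Server 2012 R2 federation server.

```powershell
# Added example, not from the presentation: audit AD FS certificates and their chains
# for weak keys and SHA-1 signatures. Requires the ADFS module on a federation server.
Import-Module ADFS

function Test-AdfsCertificateStrength {
    param(
        [Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Role
    )
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'    # strength check only, not a validity check
    [void]$chain.Build($Cert)

    foreach ($el in $chain.ChainElements) {
        $c      = $el.Certificate
        $isRoot = $c.Subject -eq $c.Issuer
        $issues = @()
        if ($c.PublicKey.Key.KeySize -lt 2048) {
            $issues += "key $($c.PublicKey.Key.KeySize) bits"
        }
        if ($c.SignatureAlgorithm.FriendlyName -match 'sha1') {
            # A self-signed root's own signature is not part of the trust decision, so
            # mark it informational; on a leaf or intermediate it is a real finding.
            $issues += if ($isRoot) { 'SHA-1 self-signature (informational)' } else { 'SHA-1 signature' }
        }
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            $issues += "expires $($c.NotAfter.ToShortDateString())"
        }
        [pscustomobject]@{
            Role     = $Role
            Position = if ($isRoot) { 'root' }
                       elseif ($c.Thumbprint -eq $Cert.Thumbprint) { 'leaf' }
                       else { 'intermediate' }
            Subject  = $c.Subject
            Status   = if ($issues) { $issues -join '; ' } else { 'ok' }
        }
    }
}

# Get-AdfsCertificate returns token-signing, token-decrypting and service communication
# certificates, including the secondary ones created by automatic certificate rollover.
$results = foreach ($ac in Get-AdfsCertificate) {
    $role = "$($ac.CertificateType)$(if ($ac.IsPrimary) { ' (primary)' } else { ' (secondary)' })"
    Test-AdfsCertificateStrength -Cert $ac.Certificate -Role $role
}
$results | Sort-Object Role, Position | Format-Table -AutoSize
```

Anything other than 'ok' on a leaf or intermediate means a new request from the CA, not a renewal of the same key, and for the service communication certificate the replacement also has to be pushed to every Web Application Proxy.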

7. Forget Enterprise Registration

AD FS in Windows Server 2012 R2

Many new features!

Workplace Join

Device-agnostic silent Single Sign-On (SSO)

Employees verify devices, enroll a certificate, get cookie

EnterpriseRegistration

Workplace Join AutoDiscover requires a DNS record per UPN suffix

Use enterpriseregistration.domain.tld as Subject Alternative Name
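Both halves of mistake 7 can be verified in one pass; the script below is an added example (not from the presentation) that, for every UPN suffix in the forest, checks that enterpriseregistration.<suffix> resolves to the federation service name and that the same name is present as a Subject Alternative Name on the service communication certificate. It assumes the ActiveDirectory, ADFS and DnsClient modules on a federation server.

```powershell
# Added example, not from the presentation: verify Workplace Join autodiscovery
# (DNS CNAME plus certificate SAN) for every UPN suffix in the forest.
Import-Module ActiveDirectory, ADFS

$forest   = Get-ADForest
$stsName  = (Get-AdfsProperties).HostName        # the federation service name, e.g. sts.contoso.com

# Every suffix a user could type: root domain, child domains, explicit UPN suffixes.
# Private suffixes (.local, .int) are skipped: they should not be in use for UPNs at all.
$suffixes = @($forest.RootDomain) + @($forest.Domains) + @($forest.UPNSuffixes) |
            Sort-Object -Unique | Where-Object { $_ -notmatch '\.(local|int)$' }

# SAN entries of the service communication certificate. DnsNameList is a property
# Windows PowerShell adds to X509Certificate2; .Unicode yields the names as strings.
$sslCert  = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
$sanNames = @($sslCert.DnsNameList.Unicode)

$report = foreach ($suffix in $suffixes) {
    $name   = "enterpriseregistration.$suffix"
    $cname  = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'CNAME' | Select-Object -First 1
    $target = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
    # A wildcard for the suffix covers the single label 'enterpriseregistration' as well.
    $inSan  = ($sanNames -contains $name) -or ($sanNames -contains "*.$suffix")

    [pscustomobject]@{
        UpnSuffix = $suffix
        Record    = $name
        Dns       = if (-not $target)             { 'MISSING' }
                    elseif ($target -ine $stsName) { "wrong target: $target" }
                    else                           { 'ok' }
        SslSan    = if ($inSan) { 'ok' } else { 'MISSING on service communication certificate' }
    }
}
$report | Format-Table -AutoSize
```

A missing SAN fails silently from the user's point of view: the device attempts TLS to enterpriseregistration.<suffix>, the name does not match, and Workplace Join simply never completes, so this check belongs in the deployment runbook rather than in troubleshooting.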

8. Windows Updates, anyone?

AD FS is regularly updated

Security updates, like MS15-062

Scalability and stability updates

AD FS uses Windows Update

AD FS updates don’t require Microsoft Update :-)

AD FS updates only light up after installing the Server Role

Wait, test, then deploy updates

Wait two weeks before deploying updates, or

Deploy updates to a test network before production

9. Best Practices Analyzers

Best Practices Analyzers

Part of Server Manager in Windows Server 2008 R2 and up

Avoid 90% of situations with data or functionality loss

AD FS Best Practices Analyzer

Checks the Active Directory Federation service

Will be updated with additional checks in the future

Other BPAs of use:

Active Directory Domain Services Best Practices Analyzer

Active Directory Certificate Services Best Practices Analyzer

10. Processes, processes, processes

Monitoring of the AD FS Service

Check the availability and/or usage of the AD FS infrastructure

Use System Center Operations Manager with GSM, Azure Operational Insights and/or the Azure Active Directory Connect Health Service

Auditing of the AD FS Service

AD FS offers built-in auditing and logging of errors, warnings, information

Auditing of claims issuance

Logging of success and failure audits

Log suspicious or unintended activity
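Success and failure audits are off by default and need three separate switches, so this added example (not from the presentation) turns them on and then summarises what the Security log records. It assumes a Windows Server 2012 R2 federation server with the ADFS module; the service account reference is a placeholder.

```powershell
# Added example, not from the presentation: enable AD FS success/failure auditing
# and summarise the resulting Security log entries. Run on a federation server.
Import-Module ADFS

# 1. The AD FS service account (e.g. CONTOSO\gmsa-adfs$, placeholder) needs the
#    "Generate security audits" user right (SeAuditPrivilege), assigned via GPO or
#    Local Security Policy; without it AD FS silently drops its audit events.
# 2. The OS must accept application-generated audits in the Security log.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 3. Raise the AD FS log level so claims issuance is audited, then restart the service.
Set-AdfsProperties -LogLevel Errors, Warnings, Information, SuccessAudits, FailureAudits
Restart-Service adfssrv

# 4. Review what arrived: counts per event Id, and failed token validations (Id 411 from
#    the 'AD FS Auditing' provider) per hour. A sudden spike in 411s is the signal to
#    investigate: it precedes lockouts and is the visible side of password guessing.
function Get-AdfsAuditSummary {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $byId = $events | Group-Object Id | Sort-Object Count -Descending |
            Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

    $failedPerHour = $events | Where-Object Id -eq 411 |
            Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
            Sort-Object Name | Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count

    [pscustomobject]@{
        Window            = "last $Hours h"
        TotalAuditEvents  = @($events).Count
        EventsById        = $byId
        FailedValidations = $failedPerHour
    }
}

$summary = Get-AdfsAuditSummary -Hours 24
"Audit events in $($summary.Window): $($summary.TotalAuditEvents)"
$summary.EventsById        | Format-Table -AutoSize
$summary.FailedValidations | Format-Table -AutoSize
```

Audits land in the Security log of whichever farm node handled the request, so the summary has to be collected from every node (or the logs forwarded to a central collector) before the per-hour counts mean anything for the farm as a whole.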

Concluding

Avoid the mistakes and you’ll be fine

1. Don’t build AD FS when you don’t need to

2. Don’t build upon an unhealthy Active Directory

3. Use gMSAs instead of ‘ordinary’ service accounts for AD FS

4. Design the right infrastructure

5. Take care of adequate time synchronization

6. Use certificates with 2048+bit keylength and SHA-2 algorithm

7. Don’t forget to plan for Enterprise Registration

8. Don’t forget to install Windows Update

9. Don’t forget to use the Best Practice Analyzers

10. Monitor, audit and backup the AD FS infrastructure

Rules of thumb

AD FS is an extension to Active Directory

Make sure Active Directory is healthy

Rename, migrate or restructure .local domains

Plan your AD FS implementation

Set requirements, plan accordingly, deploy securely

Take care of adequate time synchronization

Don’t forget to manage AD FS

Use the Best Practices Analyzers (BPAs)

Take care of information security, like monitoring, auditing, backup

And win a Lumia 635

Feedback form will be sent to you by email

Give me feedback

Follow Technet Belgium

@technetbelux

Subscribe to the TechNet newsletter

aka.ms/benews

Be the first to know

Thank you!

Belgium’s biggest IT PRO Conference