Mod 3: DirSync, Single Sign-On & ADFS
Transcript of Mod 3: DirSync, Single Sign-On & ADFS
Chris Oakman | Managing Partner, Infrastructure Team | Eastridge Technology
Stephen Hall | CEO & SMB Technologist | District Computers
Version 2.0 for Office 365
Jump Start Schedule – Target Agenda
Day 1: Administering Office 365
• Office 365 Overview & Infrastructure
• Office 365 User Management
• Office 365 DirSync, Single Sign-On & ADFS
• MEAL BREAK
• Exchange Online Deployment & Migration
• Exchange Online Archiving & Compliance
Day 2: Administering Office 365
• Administering Lync Online
• Administering SharePoint Online
• Exchange Online Basic Management
• MEAL BREAK
• Exchange Security & Protection
Module 3: DirSync, Single Sign-On & ADFS
• Reviewing Identities
• Understanding DirSync
• DirSync Requirements
• Understanding Single Sign-On & ADFS
• Windows Azure & ADFS
For Midsize Businesses and Enterprises
What is identity management?
Identity management deals with identifying individuals in a system and controlling access to the resources in that system.
• Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
• Authorization: determining which actions an authenticated entity is authorized to perform on the network.
Authentication and authorization are integral components of identity and access management.
Core identity scenarios with Office 365
• Cloud Identity: a single identity in the cloud; suitable for small organizations with no integration to on-premises directories
• Directory & Password Synchronization*: a single identity; suitable for medium and large organizations without federation
• Federated Identity: a single federated identity and credentials; suitable for medium and large organizations
* Password Synchronization may not be available at GA; the target is to update the service by 1H CY2013
Cloud identity
• Rich experience with Office Apps
• Ease of deployment, management and support
• Lower cost, as no additional servers are required on-premises
• High availability and reliability, as all identities and services are managed in the cloud
[Diagram: a user with a cloud identity (e.g. [email protected]) authenticating directly against Windows Azure Active Directory]
Directory & Password Synchronization*
• Rich experience with Office Apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and credentials, but no single sign-on between on-premises and Office 365 services
• Password synchronization lets users sign in with the same password in both places, at lower cost than federation
• Reuse the existing directory implementation on-premises
[Diagram: an on-premises identity (e.g. Domain\Alice) in AD or a non-AD (LDAP) directory, replicated by directory synchronization and password synchronization to a cloud identity (e.g. [email protected]) in Windows Azure Active Directory]
* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013
Federated identity
• Single identity and sign-on for on-premises and Office 365 services
• Identities mastered on-premises, with a single point of management
• Directory synchronization to synchronize directory objects into Office 365
• Secure token-based authentication
• Client access control based on IP address with ADFS
• Strong-factor authentication options for additional security with ADFS
[Diagram: an on-premises identity (e.g. Domain\Alice) in AD or a non-AD (LDAP) directory; objects flow to Windows Azure Active Directory via directory synchronization, and the user authenticates through federation]
What is DirSync?
• An application that synchronizes on-premises Active Directory objects with Office 365 users, contacts and groups
• Initially designed as a software-based "appliance": "set it and forget it"
• Multi-forest support now available
• Now called the Windows Azure Active Directory Sync Tool
DirSync | Enables Coexistence
• Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
• Provides a unified Global Address List experience between on-premises and Office 365; objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
• Enables coexistence for Exchange: works in both simple and hybrid deployment scenarios, and is the enabler for mail routing between on-premises and Office 365 with a shared domain namespace
• Enables coexistence for Microsoft Lync
DirSync | Enables Single Sign-On
• Enables "run-state" administration and management of users, groups and contacts
• Synchronizes adds/deletes/modifications of users, groups and contacts from on-premises to Office 365
• Enabler for Single Sign-On
• Not intended as a single-use bulk upload tool
Directory Synchronization Options
PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD directories
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)
DirSync
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange coexistence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports Password Synchronization with no additional cost
• Does not require any additional software licenses
Forefront Identity Manager (FIM)
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses
Single Forest DirSync
• x64 FIM-based appliance (set and forget)
• x86 MIIS-based appliance now unsupported: if you call into support, they will make you upgrade first before helping
• Scoping of object sync within the forest now supported
• AD GUID used as SourceAnchor (the link between the AD object and the Office 365 object)
• Password Synchronization for DirSync coming 1H CY2013; Password Sync early on-boarding program underway
DirSync Synchronization
• The entire Active Directory forest is scoped for synchronization by default; the ability to modify what gets synced has been added
• What is synchronized? All user objects, all group objects, and mail-enabled contact objects
• Synchronization is from on-premises to Office 365 only (unless "write-back" is enabled)
• Synchronization occurs every 3 hours
• Use the "Start-OnlineCoexistenceSync" cmdlet to force a sync
DirSync Synchronization | User Objects
• Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users): visible in the Office 365 GAL (unless explicitly hidden from the GAL); logon enabled, but not automatically licensed to use services; the target address is synchronized for mail-enabled users
• Regular (non-mail-enabled) user accounts are synchronized as regular users; they are not automatically provisioned as mail-enabled in Office 365
• Resource mailboxes are synchronized as resource mailboxes
• Synchronized users are not automatically assigned a license
DirSync Synchronization | Group Objects
• Mail-enabled groups are synchronized as mail-enabled groups
• Group memberships are synchronized
• Security groups are synchronized as security groups
DirSync Synchronization | Contact Objects
• Only mail-enabled contacts are synchronized
• The target address is synchronized to Office 365
DirSync Synchronization
• New user, group, and contact objects that are added on-premises are added to Office 365
• Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365
• Existing user objects that are disabled on-premises are disabled in Office 365
• Existing user, group, or contact object attributes (those that are synchronized) that are modified on-premises are modified in Office 365
• Objects are recoverable within 30 days of deletion
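The following is an added example, not part of the Jump Start deck, showing how an administrator would force the delta cycle described above from the DirSync server and then confirm from the tenant side that objects arrived, which of them are still unlicensed, and which deleted users are still inside the 30-day recovery window. It assumes the DirSync snap-in/module name the installer registers and the Microsoft Online Services Module for Windows PowerShell (MSOnline); the UPN in the commented restore line is a placeholder.

```powershell
# Added example (not from the deck): force a DirSync delta cycle, then verify on the tenant.
# Run on the DirSync server as the account that configured DirSync (local MIISAdmins member).

# --- 1. Force a cycle instead of waiting for the 3-hour timer -----------------------
# The deck names only the cmdlet; older DirSync builds expose it through a snap-in,
# newer Windows Azure Active Directory Sync builds through a module.
if (Get-PSSnapin -Registered -Name 'Coexistence-Configuration' -ErrorAction SilentlyContinue) {
    Add-PSSnapin 'Coexistence-Configuration'
} else {
    Import-Module DirSync
}
Start-OnlineCoexistenceSync          # delta sync; use -FullSync after changing scoping/filters

# --- 2. Verify from the tenant ----------------------------------------------------
Import-Module MSOnline
Connect-MsolService                  # prompts for a tenant administrator credential

$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    throw 'Directory synchronization is not enabled for this tenant (Set-MsolDirSyncEnabled -EnableDirSync $true).'
}
$age = (Get-Date).ToUniversalTime() - $company.LastDirSyncTime
'Last successful sync: {0:u} ({1:N0} minutes ago)' -f $company.LastDirSyncTime, $age.TotalMinutes
if ($age.TotalHours -gt 24) {
    Write-Warning 'No sync cycle registered in 24 hours; expect a health-status mail to the Technical Contact.'
}

# Synchronized objects carry a LastDirSyncTime; cloud-only objects do not.
$all    = @(Get-MsolUser -All)
$synced = @($all | Where-Object { $_.LastDirSyncTime })
'Users: {0} total, {1} synchronized from on-premises, {2} cloud-only' -f $all.Count, $synced.Count, ($all.Count - $synced.Count)

# Synchronized users are logon-enabled but stay unlicensed until an admin assigns a license.
$synced | Where-Object { -not $_.IsLicensed } |
    Select-Object UserPrincipalName, DisplayName, LastDirSyncTime |
    Format-Table -AutoSize

# --- 3. Users deleted on-premises are soft-deleted in the tenant for 30 days ---------
Get-MsolUser -ReturnDeletedUsers -All | Select-Object UserPrincipalName, SoftDeletionTimestamp
# Restore-MsolUser -UserPrincipalName '[email protected]'   # placeholder UPN; uncomment to restore
```

Because DirSync owns synchronized objects, the restore above only brings the tenant object back; if the AD object was deleted by mistake, restore it on-premises as well so the two sides agree on the next cycle.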
DirSync Synchronization
• The first synchronization cycle after installation is a full synchronization: a time-consuming process relative to the number of objects synchronized (~5,000 objects per hour)
• Subsequent synchronization cycles are deltas only, and much faster
• Not all on-premises attributes are synchronized for each object type, but 100+ attributes are synchronized
DirSync Synchronization
• Once implemented, on-premises AD becomes the "source of authority" for synchronized objects
• Modifications to synchronized objects must occur in the on-premises AD
• Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant
Scoping/Filtering
• Customers can exclude objects from synchronizing to Office 365
• Scoping can be done at the following levels:
  • AD domain-based
  • Organizational unit-based
  • User attribute-based
DirSync Synchronization
• The value of the on-premises objectGUID AD attribute is assigned to the sourceAnchor attribute during the initial synchronization of each object; matching on it is referred to as a "hard match"
• DirSync knows which Office 365 objects it is the "source of authority" for by examining the sourceAnchor attribute
• DirSync can also match user objects created via the portal with on-premises objects if the primary SMTP address matches; this is referred to as a "soft match"
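As an added example (not from the deck), the script below makes the hard-match and soft-match rules concrete: it derives the sourceAnchor value that DirSync stores as the tenant object's ImmutableId (the base64 encoding of the on-premises objectGUID bytes), compares it with the tenant, optionally pre-stages a hard match for a user that was created in the portal, and lists which cloud-only users would soft-match on primary SMTP address. It assumes the ActiveDirectory and MSOnline modules; the user name "alice" is a placeholder.

```powershell
# Added example: hard match (objectGUID -> ImmutableId) and soft match (primary SMTP) preview.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

function Get-SourceAnchor {
    # DirSync stores the objectGUID bytes, base64-encoded, as the tenant object's ImmutableId.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Get-PrimarySmtp {
    # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix;
    # fall back to the mail attribute when there is no proxyAddresses value.
    param($AdUser)
    $primary = @($AdUser.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0]
    if ($primary) { $primary.Substring(5) } else { $AdUser.mail }
}

# --- 1. Hard match check for one user ------------------------------------------------
$sam    = 'alice'                                      # placeholder account
$anchor = Get-SourceAnchor -SamAccountName $sam
$upn    = (Get-ADUser -Identity $sam).UserPrincipalName
$cloud  = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
if ($cloud -and $cloud.ImmutableId -eq $anchor) {
    "$upn is hard-matched (ImmutableId $anchor)"
} elseif ($cloud -and -not $cloud.ImmutableId) {
    # A portal-created user with no ImmutableId can be hard-matched before the first sync,
    # so DirSync takes over the existing object instead of creating a duplicate.
    Set-MsolUser -UserPrincipalName $upn -ImmutableId $anchor -WhatIf    # drop -WhatIf to apply
} elseif ($cloud) {
    Write-Warning "$upn has ImmutableId $($cloud.ImmutableId) but AD yields $anchor; DirSync will not own this object"
} else {
    "$upn does not exist in the tenant yet; DirSync will create it on the next cycle"
}

# --- 2. Soft match preview ---------------------------------------------------------
# Index on-premises users by primary SMTP, then see which cloud users without an
# ImmutableId would be matched on that address.
$adByMail = @{}
Get-ADUser -Filter 'proxyAddresses -like "*" -or mail -like "*"' -Properties proxyAddresses, mail |
    ForEach-Object { $m = Get-PrimarySmtp $_; if ($m) { $adByMail[$m.ToLower()] = $_ } }

Get-MsolUser -All | Where-Object { -not $_.ImmutableId } | ForEach-Object {
    $cu = $_
    $primary = @($cu.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0]
    if ($primary) {
        $match = $adByMail[$primary.Substring(5).ToLower()]
        if ($match) { '{0} will soft-match AD user {1}' -f $cu.UserPrincipalName, $match.SamAccountName }
        else        { '{0} has no on-premises counterpart and stays cloud-managed' -f $cu.UserPrincipalName }
    }
}
```

The warning branch is the case to watch for: an ImmutableId that does not match the current objectGUID (for example after a user was deleted and recreated on-premises) means DirSync will treat the AD object as new and, without a soft match, provision a second tenant object.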
DirSync Synchronization
• Synchronization errors are emailed to the Technical Contact for the subscription; using a distribution group as the Technical Contact email address is recommended
• Example errors include:
  • Synchronization health status: sent once a day if a synchronization cycle has not been registered 24 hours after the last successful synchronization
  • Objects whose attributes contain invalid characters
  • Objects with duplicate/conflicting email addresses
  • Sync quota limit exceeded
• List of attributes that are synchronized: http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0
DirSync Prerequisite Remediation
• Run the Microsoft Office 365 Deployment Readiness Tool: http://community.office365.com/en-us/forums/183/p/2285/8155.aspx
• It analyzes the on-premises environment: domains, user identity and account provisioning, Exchange Online, Lync Online, SharePoint Online, client, network
DirSync Requirements
• The DirSync (single forest) server must be joined to a domain in the same forest that will be synchronized
• The DirSync server should never be installed on a domain controller
• The DirSync server should be Windows Server 2008 (x64) or better
• By default SQL Server 2008 R2 Express is installed: 10 GB database limit (approx. 50,000 objects); a full SQL option is available
• x64 single/multi-forest appliance available (an O365 connector is also available for complex scenarios)
DirSync | AD Requirements
• Only routable domains can be used with a DirSync deployment; non-routable domains include .local, .loc or .internal
• If the organization has AD with only an internal namespace, it must add a routable UPN suffix in Active Directory Domains and Trusts and configure each user with that routable UserPrincipalName suffix: [email protected] must be changed to [email protected]
• If this is not done, once DirSync runs, users will appear in Office 365 as [email protected] instead of [email protected]
Hardware Recommendations
Recommend a system that exceeds the minimum OS requirements.
Number of objects in AD   CPU       Memory   Hard disk size
Fewer than 10,000         1.6 GHz   4 GB     70 GB
10,000-50,000             1.6 GHz   4 GB     70 GB
50,000-100,000            1.6 GHz   16 GB    100 GB
100,000-300,000           1.6 GHz   32 GB    300 GB
300,000-600,000           1.6 GHz   32 GB    450 GB
More than 600,000         1.6 GHz   32 GB    500 GB
DirSync | Network Requirements
• Synchronization with Office 365 occurs over SSL
• Internal network communication will use the typical Active Directory related ports
• The DirSync server must be able to contact all DCs in the forest
Service                                  Protocol   Port
LDAP                                     TCP/UDP    389
Kerberos                                 TCP/UDP    88
DNS                                      TCP/UDP    53
Kerberos Change Password                 TCP/UDP    464
RPC                                      TCP        135
RPC randomly allocated high TCP ports    TCP        1024-65535 / 49152-65535*
SMB                                      TCP        445
SSL                                      TCP        443
SQL                                      TCP        1433
* 49152-65535 is the dynamic port range in Windows Server 2008
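To turn the port table into a pre-flight check, here is an added example (not from the deck) to run on the DirSync server: it enumerates every domain controller in the forest and tests TCP reachability on the fixed ports listed above, then checks outbound SSL to the Office 365 sign-in endpoint. It assumes the ActiveDirectory module. It does not exercise UDP (DNS and Kerberos also use UDP) or the randomly allocated RPC high ports, and the SQL port only matters when a separate full SQL host is used.

```powershell
# Added example: TCP reachability from the DirSync server to all DCs in the forest.
Import-Module ActiveDirectory

function Test-TcpPort {
    # Connect with a timeout instead of relying on the OS default (tens of seconds).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { $client.EndConnect($async); $true }
        else { $false }
    } catch { $false } finally { $client.Close() }
}

# Fixed ports from the table; UDP and the RPC dynamic range are out of scope for a TCP probe.
$dcPorts = @(
    @{ Name = 'LDAP';                     Port = 389 },
    @{ Name = 'Kerberos';                 Port = 88  },
    @{ Name = 'DNS';                      Port = 53  },
    @{ Name = 'Kerberos change password'; Port = 464 },
    @{ Name = 'RPC endpoint mapper';      Port = 135 },
    @{ Name = 'SMB';                      Port = 445 }
)

# Every DC in every domain of the forest, since DirSync must reach all of them.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$results = foreach ($dc in $dcs) {
    foreach ($p in $dcPorts) {
        New-Object PSObject -Property @{
            DomainController = $dc.HostName
            Service          = $p.Name
            Port             = $p.Port
            Open             = Test-TcpPort -ComputerName $dc.HostName -Port $p.Port
        }
    }
}
$results | Sort-Object DomainController, Port | Format-Table DomainController, Service, Port, Open -AutoSize

$failed = @($results | Where-Object { -not $_.Open })
if ($failed.Count) {
    Write-Warning "$($failed.Count) DC/port combinations are unreachable; DirSync must reach every DC in the forest."
}

# Outbound: synchronization itself is SSL (443) to Office 365.
New-Object PSObject -Property @{
    Target = 'login.microsoftonline.com'; Port = 443
    Open   = Test-TcpPort -ComputerName 'login.microsoftonline.com' -Port 443
} | Format-Table Target, Port, Open -AutoSize
```

A DC that is listed but permanently unreachable (a stale object for a decommissioned DC, for example) should be cleaned up in AD rather than worked around, because the sync engine will keep trying to bind to it.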
DirSync | Permission Requirements
• The account used to install DirSync must have:
  • Local machine administrator permissions
  • If using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the role of db_owner
• The account used to configure DirSync must reside in the local machine MIISAdmins group; the account used to install DirSync is added automatically
• Administrator permission in the Office 365 tenant: DirSync uses an administrator account in the tenant to provision and update/modify objects
DirSync | Permission Requirements
• Enterprise Administrator permission in the on-premises Active Directory
  • The credential is not stored/saved by the configuration wizard
  • Used to create the "MSOL_AD_Sync" domain account in the "CN=Users" container of the root domain of the forest
  • Used to delegate the following permissions on each domain partition in the forest: Replicating Directory Changes, Replicating Directory Changes All, Replication Synchronization
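Because the Enterprise Admin credential is used once and not stored, what persists is the MSOL_AD_Sync account and the three replication rights delegated to it. The script below is an added example (not from the deck) that verifies those rights on every domain partition and also lists every other principal that holds them. It assumes the ActiveDirectory module and the account name the wizard creates; the GUIDs are the schema's control-access-right identifiers for the three extended rights named on the slide. These are the same rights a domain controller uses to replicate, so a holder can read every attribute in the domain, password hashes included; the list printed at the end should be short and every entry on it should be expected.

```powershell
# Added example: confirm MSOL_AD_Sync holds the three replication rights on each domain partition.
Import-Module ActiveDirectory

$syncAccount = 'MSOL_AD_Sync'          # account created by the DirSync configuration wizard
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$i = 0
foreach ($domain in (Get-ADForest).Domains) {
    $dn = (Get-ADDomain -Identity $domain).DistinguishedName
    # One AD: drive per domain so Get-Acl reads that domain's own partition head.
    $drive = "ADSync$i"; $i++
    New-PSDrive -Name $drive -PSProvider ActiveDirectory -Server $domain -Root '' | Out-Null
    $acl = Get-Acl -Path "${drive}:\$dn"

    # Allow ACEs granting one of the three extended rights on the partition head.
    $grants = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        $replicationRights.ContainsKey($_.ObjectType.ToString())
    })

    $held = @($grants |
        Where-Object { $_.IdentityReference.Value -like "*\$syncAccount" } |
        ForEach-Object { $replicationRights[$_.ObjectType.ToString()] } |
        Sort-Object -Unique)
    $missing = @($replicationRights.Values | Where-Object { $held -notcontains $_ })

    '{0}: {1} holds [{2}]{3}' -f $domain, $syncAccount, ($held -join ', '),
        $(if ($missing) { '; MISSING: ' + ($missing -join ', ') } else { '' })

    # Anyone else with these rights can replicate the whole domain; review each entry.
    $grants |
        Where-Object { $_.IdentityReference.Value -notlike "*\$syncAccount" } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique |
        ForEach-Object { "  also granted in ${domain}: $_" }

    Remove-PSDrive -Name $drive
}
```

Built-in entries for the domain controllers and administrators groups are normal; an unfamiliar user or service account in the "also granted" list is worth an explanation before DirSync goes live, and the DirSync server itself should be protected to the same standard as a domain controller.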
Single Sign-On | Purpose
• Enables users to access both the on-premises and cloud-based organizations with a single user name and password
• Provides users with a familiar sign-on experience
• Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools
Single Sign-On | Benefits
• Policy control
• Access control
• Reduced support calls
• Security
Single Sign-On | Server Requirements
• Windows Server 2008 or Windows Server 2008 R2 (2012 not currently supported)
• ADFS 2.0 Setup installs: Web Server (IIS), .NET 3.5 SP1, Windows Identity Foundation
• Publicly registered, routable domain name
• SSL certificate(s); wildcard supported*
• Microsoft Online Services Module for Windows PowerShell
• Microsoft Online Sign In Assistant
• High availability design: dual-site, load balanced
• Choice between Windows Internal Database (WID) and SQL: WID supports a maximum of 5 federation servers; SQL supports SAML replay detection and the artifact store
* Wildcard SSL certificates are supported with ADFS. However, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com in the wildcard certificate. When adding further ADFS servers to a farm, use FSConfig.exe from the command line.
Single Sign-On | Client Requirements
• Browser: Internet Explorer 8.0 or later, Firefox 10.0, Chrome 17.0 or later, Safari 5.0 or later
• Office client: Microsoft Office 2010/2007 (latest service pack); Microsoft Office for Mac 2011 (latest service pack). Note: support for Microsoft Office 2008 for Mac version 12.2.9 ended 4/9/2013
• Office 365 Desktop Setup (suggested)
• Microsoft Online Sign In Assistant
Single Sign-On | Client Endpoints
• Active Federation (MEX): applies to rich clients supporting ADFS; used by Lync and the Office Subscription client. Clients negotiate authentication directly with the on-premises ADFS server.
• Basic Authentication (Active Profile): applies to clients authenticating with basic authentication; used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services. Clients send "basic authentication" credentials to Exchange Online via SSL, and Exchange Online proxies the request to the on-premises ADFS server on behalf of the client.
• Passive Federation (Passive Profile): applies to web browsers and documents opened via SharePoint Online; used by the Microsoft Online Portal, OWA, and SharePoint. Web clients (browsers) authenticate directly with the on-premises ADFS server.
• When working through the firewall considerations, ensure that the MSO datacenter IP ranges have been granted access to port 443 on the ADFS proxy server located in the DMZ.
Client access control
• Limit access to Office 365 based on network connectivity (internet versus intranet)
• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
• Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
Use the Client Access Policy Builder! Test ADFS client access rules extensively; ADFS will by default log all denied authorizations and the values it based the denial upon.
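To show what the Client Access Policy Builder produces under the hood, here is an added example (not from the deck and not the builder's own output) of the issuance authorization rules that implement the third scenario above, "block all external access except Exchange ActiveSync", applied to the Office 365 relying party trust on an AD FS 2.0 federation server. It requires Update Rollup 2 for AD FS 2.0, which adds the x-ms-* request-context claims the rules test. The IP regex is a placeholder for the organization's public egress addresses, and the backup path is an assumption.

```powershell
# Added example: AD FS 2.0 issuance authorization rules for "external access only via ActiveSync".
# Run on a federation server as an AD FS administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.x snap-in

$rpName      = 'Microsoft Office 365 Identity Platform'     # relying party created by Convert-MsolDomainToFederated
$corpIpRegex = '^203[.]0[.]113[.](1[0-9]|2[0-5])$'           # placeholder: corporate egress range 203.0.113.10-25
$ctx         = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/'
$authz       = 'http://schemas.microsoft.com/authorization/claims/'

# x-ms-proxy is present when the request came through a federation server proxy, i.e. from
# outside the corporate network. x-ms-forwarded-client-ip carries the original client address
# for requests that Exchange Online proxies on a client's behalf (basic auth / active profile),
# so an internal Outlook user whose request arrives via Exchange Online is still permitted.
# x-ms-client-application identifies the Exchange protocol; only ActiveSync is exempted.
# A single deny claim overrides any permit claim.
$rules = @"
@RuleName = "Deny external access except Exchange ActiveSync"
exists([Type == "${ctx}x-ms-proxy"])
 && NOT exists([Type == "${ctx}x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "${ctx}x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "${authz}deny", Value = "true");

@RuleName = "Permit all users"
 => issue(Type = "${authz}permit", Value = "true");
"@

$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party '$rpName' not found; federate a domain first." }

# Keep the current rule set so the change can be reverted with the same cmdlet.
$backup = Join-Path $env:TEMP ('o365-authz-rules-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date))
$rp.IssuanceAuthorizationRules | Out-File -FilePath $backup
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

"Applied new issuance authorization rules to '$rpName'; previous rules saved to $backup."
"Now test: internal browser, external browser, Outlook from inside and outside, and an ActiveSync device."
```

Replacing the rule set wipes whatever permit rule was there before, which is why the script saves it first; to roll back, pass the saved text back to Set-ADFSRelyingPartyTrust. Denied sign-ins appear in the AD FS 2.0 Admin event log on the federation server with the claim values that triggered the deny, which is the quickest way to find an egress address missing from the regex.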
Deployment Considerations for UPN
• User objects must have a value for UPN in on-premises Active Directory
• The UPN domain suffix must match a verified domain in Office 365; the default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN does not match a verified domain
• Users must switch to using the UPN to log on to Office 365, not domain\username
• The UPN must contain only valid characters; the Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters
• If the customer does not have a valid and routable UPN suffix, one can be added via Active Directory Domains and Trusts: right-click the top of the tree, click Properties and add the UPN suffix
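The UPN rules above and the earlier AD requirement that "[email protected] must be changed to [email protected]" are the same remediation, so one added example (not from the deck) covers both: it confirms the routable suffix is a verified domain in the tenant, registers it on the forest (the PowerShell equivalent of the Active Directory Domains and Trusts step), and rewrites or fills in user UPNs, reporting any user part that would fail the character check. It assumes the ActiveDirectory and MSOnline modules; the domain names are placeholders, and the set of accepted characters is taken as an assumption from the published directory-synchronization preparation guidance rather than from the slide.

```powershell
# Added example: move users from a non-routable UPN suffix to a verified, routable one.
Import-Module ActiveDirectory
Import-Module MSOnline

$nonRoutableSuffix = 'contoso.local'     # placeholder: the internal AD namespace
$routableSuffix    = 'contoso.com'       # placeholder: a domain verified in the tenant
$WhatIf            = $true               # set to $false to apply the changes

# 1. The suffix must be a verified domain, or users land on contoso.onmicrosoft.com.
Connect-MsolService
$verified = @(Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object { $_.Name })
if ($verified -notcontains $routableSuffix) {
    throw "$routableSuffix is not a verified domain in the tenant; verify it before changing UPNs."
}

# 2. Register the suffix on the forest (same effect as Active Directory Domains and Trusts).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $routableSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $routableSuffix } -WhatIf:$WhatIf
}

# 3. Characters accepted in the UPN user part (assumption, see lead-in): letters, digits, ' . - _ ! # ^ ~
$validUserPart = '^[A-Za-z0-9''._!#^~-]+$'

$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName) {
    $current = $u.UserPrincipalName
    $status  = 'ok'
    $newUpn  = $current
    if (-not $current) {
        # DirSync needs a UPN on every user object; derive one from sAMAccountName.
        $newUpn = '{0}@{1}' -f $u.SamAccountName, $routableSuffix
        $status = 'missing UPN'
    } elseif ($current -like "*@$nonRoutableSuffix") {
        $newUpn = '{0}@{1}' -f ($current -split '@')[0], $routableSuffix
        $status = 'non-routable suffix'
    }
    if (($newUpn -split '@')[0] -notmatch $validUserPart) {
        $status = 'invalid characters: fix by hand'      # do not write a UPN the service will reject
    } elseif ($status -ne 'ok') {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$WhatIf
    }
    New-Object PSObject -Property @{
        SamAccountName = $u.SamAccountName; OldUpn = $current; NewUpn = $newUpn; Status = $status
    }
}
$report | Where-Object { $_.Status -ne 'ok' } | Format-Table SamAccountName, OldUpn, NewUpn, Status -AutoSize
```

Run it, and review the report, before the first synchronization cycle: once a user has been synchronized under the wrong suffix, the tenant object already carries that name and the clean-up involves both sides.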
Single Sign-On | Requirements
Office 365 Desktop Setup
• Automatically detects the necessary updates for a computer
• Installs the Microsoft Online Sign In Assistant
• Installs operating system and client software updates required for connectivity with Office 365
• Automatically configures Internet Explorer and rich clients for use with Office 365
• Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on
Single Sign-On | Requirements
Microsoft Online Sign-In Assistant
• Can be installed automatically by Office 365 Desktop Setup or manually
• Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
• Not required for web kiosk scenarios (e.g. OWA)
• Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)
Single Sign-On | ADFS 2.x Components
AD FS 2.x Server
• The default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization's Federation Service
• Recommend using at least two federation servers in a load-balanced configuration
AD FS 2.x Proxy Server
• Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm
• Federation server proxies should be deployed in the DMZ
Single Sign-On | ADFS 2.x Deployment Options
1. Single server configuration
2. AD FS 2.0 server farm and load balancer
3. AD FS 2.0 proxy server or UAG/TMG (external users, ActiveSync, down-level clients with Outlook)
AD FS 2.0 Deployment Options
[Diagram: in the enterprise network, Active Directory, a farm of two AD FS 2.0 servers, and the internal user; in the perimeter network, two AD FS 2.0 server proxies serving the external user]
Deployment Architecture
Number of users       Minimum number of servers
Fewer than 1,000      0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
1,000 to 15,000       2 dedicated federation servers, 2 dedicated federation server proxies
15,000 to 60,000      Between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies
AD FS 2.0 Capacity Planning Sizing Spreadsheet: http://www.microsoft.com/en-us/download/details.aspx?id=2278
Understanding client authentication path
[Diagram: inside the corporate boundary, Lync 2010/Office Subscription clients use the MEX endpoint and internal OWA uses the Web (passive) endpoint on the AD FS 2.0 server directly, while Outlook 2010/2007 and IMAP/POP clients send username/password to Exchange Online, which calls the Active endpoint. Outside the corporate boundary, Lync 2010/Office Subscription (MEX) and external OWA (Web) reach the AD FS 2.0 proxy directly, while ActiveSync, Outlook 2010/2007 and IMAP/POP send username/password to Exchange Online, which proxies to the Active endpoint through the AD FS 2.0 proxy. Annotation on the basic-auth path: "Basic auth proposal: pass client IP, protocol, device name".]
Why Windows Azure for ADFS?
• Virtual Network support: site-to-site VPN
• Computing: 99.95% SLA uptime for a highly available system; 99.9% SLA uptime for a single system
• Storage: 99.9%
• Full control over your virtual machines
• Pay as you go: OPEX vs CAPEX
[Diagram: Windows Azure IaaS hosting two AD FS 2.0 servers and an Active Directory domain controller, connected over a VPN to the enterprise network's Active Directory]
Windows Azure: Terminology
• Cloud Service: a role that several VMs take upon themselves to execute, e.g. ADFS. Cloud services need two instances or more to qualify for the 99.95% SLA. One external virtual IP address per cloud service.
• Availability Group
• Endpoints: you need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol with endpoints. Resources can connect to an endpoint using a protocol of TCP or UDP; the TCP protocol includes HTTP and HTTPS communication.
• Virtual Network: enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.
Windows Azure Example: ADFS on Windows Azure
[Diagram: the enterprise network connects through an IPsec device to the Windows Azure gateway; the cloud service contains two AD FS 2.0 servers behind a load balancer (LB) exposed through an endpoint, plus a DirSync server]
Additional Resources
• Prepare for directory synchronization: http://technet.microsoft.com/en-us/library/jj151831.aspx
• Directory synchronization roadmap: http://technet.microsoft.com/en-us/library/hh967642.aspx
• Set up your directory sync computer: http://technet.microsoft.com/en-us/library/dn144767.aspx
• Update Rollup 2 for ADFS 2.0: http://support.microsoft.com/kb/2681584
• ADFS 2.0 Step-by-Step and How To Guides: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx