2. Intro
• Chicago based
• Active Directory & Identity consultant
– Edgile, Inc – www.edgile.com
• Microsoft MVP for Active Directory since 2003
• Author of Active Directory, 5th Ed from O’Reilly
– You should own a copy!
e-mail: brian.desmond@edgile.com
e-mail: brian@briandesmond.com
website & blog: www.briandesmond.com
@brdesmond
3. Agenda
• Identity Management in the Cloud
• Directory Synchronization with DirSync
• Federated Identity with Active Directory
Federation Services
5. Identity Options
• Identities can be mastered in
– Office365
– Active Directory
• Single Sign On (SSO) is optional
– Keeps passwords out of O365
– Greatly improves the end user experience
• DirSync and ADFS may be required to meet your goals
6. Mastering Identities in Office365
• Separate Microsoft Online ID for each user
• Separate passwords stored in the cloud
• Very easy to deploy
• Support costs may be higher with differing passwords and password policies
• Manage your users with PowerShell or the Online Services administration center
7. Mastering Identities in Active Directory
• Two options
– Separate Microsoft Online ID for each user
– Federated identities
• Requires Windows Azure Active Directory Directory Synchronization
for either option
– Sync Active Directory data to the cloud
– Passwords can be synchronized
• Without federation or password sync, users still maintain a separate
password in the cloud
• Enables rich coexistence scenarios
8. Federated Identity
• Users are authenticated via on-premise ADFS
environment
• DirSync sends objects and key attributes to the cloud
• Password is always maintained (and only exists) on-premise
• Requires additional infrastructure for ADFS
– Access to any Office 365 service requires ADFS to be
available!
9. Identity Architecture Comparison
Microsoft Online IDs
• Pros
• No servers required
• Simple setup
• Cons
• Separate user accounts
and password policies
• Potentially higher
support costs
Microsoft Online IDs with
DirSync
• Pros
• Coexistence possible
• Provisioning /
deprovisioning
performed on-premise
• Cons
• Requires additional
servers
• Separate user accounts
and password policies
• Potentially higher
support costs
Federated IDs with DirSync
• Pros
• Coexistence possible
• Provisioning /
deprovisioning
performed on-premise
• Passwords managed
on-premise
• Two-factor
authentication possible
• Cons
• Requires additional
servers
• Complex to implement
and manage
11. What Does DirSync Enable?
• Enables Identity and Application coexistence
– Identities are managed on premises
  • Copies users, groups, and contacts into Office 365
  • Enables easy identity federation
– Enables application coexistence
  • On-premises Microsoft Exchange and Microsoft Lync services work with their corresponding cloud services.
  • Lync users, on-premises IM cloud users, and on-premises mail route to the cloud (and the cloud routes back to on premises).
– Enables rich coexistence features in Exchange, including write-back to the on-premises directory
• Populates the Windows Azure Active Directory service
– Can be used with other Microsoft cloud services, federation with third party cloud services and applications
12. What’s Under the Hood?
• Shrink wrapped appliance version of Forefront Identity Manager
(FIM)
– Frequent updates
– http://social.technet.microsoft.com/wiki/contents/articles/18429.win
dows-azure-active-directory-sync-tool-version-release-history.aspx
• Appliance is preconfigured to synchronize everything in your AD
with Office 365
– Passwords are not synchronized to Azure AD by default
• There are very few settings which can be configured in DirSync (in a
supported manner)
13. DirSync Challenges
• The native DirSync appliance does not support a number of potential customer scenarios
– Multi-forest Active Directory topologies
– Authoritative data sources other than Active Directory
• A custom FIM deployment with the Azure AD connector can be built to address these scenarios
– Requires deep subject matter expertise in FIM
– FIM deployment now has a dependency on changes and upgrade requirements for Azure
• Many common Active Directory data errors will cause directory synchronization errors
– Use IdFix toolset to identify and correct data - http://www.microsoft.com/en-us/download/details.aspx?id=36832
• Tenants that require more than 100,000 synchronized objects must contact Microsoft support to have their tenant limit raised
– This can take some time – plan in advance
14. User Principal Names
• Users will login to Office365 with their UPN
– Ideally this matches the user’s primary email address
• UPN must be a routable domain that you can prove ownership of
– No .local domains
– No domains that you don’t own
• Multiple UPN suffixes are acceptable
• You may need to re-assign or scrub UPNs in your forest
– Communicate UPN to your users if it doesn’t match email address
16. Server Requirements
• Windows Server 2008 R2 or Windows Server 2012
• Domain Joined
– Cannot be a domain controller
• SQL Server Express Edition
– 50,000 or more objects requires full SQL Server installation
– SQL Server 2008 R2 or better is supported
• Virtually no advantage to increasing CPU count
– The FIM Synchronization Service is a single threaded application
– Memory and disk I/O will improve sync performance if you have a large environment
• DirSync appliance could be installed on an Azure virtual machine
– Configure a point-to-site virtual network VPN in Windows Azure
17. DirSync Installation Prerequisites
• Enterprise Administrator level Active Directory permissions
• Setup will perform a number of tasks
– Create a service account for DirSync in the forest root domain
– Delegate the service account permissions to use the DirSync
LDAP control in Active Directory
– Optionally delegate the service account access to write-back
attributes
• Once setup is complete, elevated privileges are no longer
necessary
18. DirSync On-Premises Active Directory Changes
Exchange Full Fidelity features and the on-premises attributes they write back to:
• Filtering Coexistence: provides on-premises filtering with cloud sourced safe/blocked sender data
– Write back to: SafeSendersHash, BlockedSendersHash, SafeRecipientHash
• Online Archive mailbox in the cloud
– Write back to: msExchArchiveStatus
• Move mailboxes back and forth between cloud and on-premises; Outlook auto-complete and calendaring fidelity
– Write back to: proxyAddresses (adds cloud LegacyExchangeDN value)
• Enable cloud based Unified Messaging (voicemail) with on-premise Lync deployment
– Write back to: msExchUCVoiceMailSettings
• Cross-premises mailbox delegation
– Write back to: publicDelegates
• Cross-premises litigation hold management
– Write back to: msExchUserHoldPolicies
20. Password Synchronization
• DirSync was updated in June 2013 to support synchronization of
password hashes to the cloud
– Synchronizes passwords for all users in scope of DirSync
– Hash of the on-premises Active Directory password hash is sent to the
cloud
• Password changes are synchronized to the cloud every two minutes
• Office365 Change password button is hidden for users that have a
synchronized password
– User is also configured such that their cloud password never expires
21. Common DirSync Tweaks
• Run DirSync manually
– %ProgramFiles%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
– Start-OnlineCoexistenceSync
• Filter objects in specific organizational units or domains
– Modify container selection in “Active Directory Connector” Management Agent
• Filter objects based on an attribute in AD
– Create a connector filter in “Active Directory Connector” Management Agent
– Management Agents are edited in the Synchronization Service Manager: C:\Program Files\Windows Azure Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
• If you make an error and erroneously filter objects, they will be deleted from Office 365
– Deletes are “soft” and objects can be recovered for thirty days
26. Application Authentication Before Federation
• Standalone credential stores
• Integrated with Active Directory via LDAP
– Forms based pages
– Custom code
• Windows Integrated Authentication
– NTLM
– Kerberos
• How do we extend these options into the cloud?
27. What is Federation?
• Standardized (sort of) mechanism to assert
identity across boundaries
• Works great with web applications – all HTTP(S)
• No Active Directory trusts required
• No Kerberos or NTLM involved between parties
• You take a federation token to the relying party
and present it to access the application
28. Federation Buzzwords: Tokens and Claims
• How do I use/make/get tokens?
– an STS: security-token service
  • transforms one set of claims to another, issues tokens with claims
  • aka. Identity Provider (IdP) / Claims Provider / Claims Transformer / Federation Provider (FP)
• What is a token?
– Proof of identity for a given user
– Contains a set of claims about the user
• What is a claim?
– assertion made by the STS about its users
– used to make authorization & personalization decisions
• Who & what supports them?
– a “claims-aware application”
29. What’s a Claim?
• Attribute Value Pairs
– Role : “Marketing”
  • “I am a member of the Marketing group”
– Email : “brian@briandesmond.com”
  • “My email address is …”
– HomeTown : “Chicago”
  • “I am from Chicago.”
• Populated using information from
– Active Directory
– AD Lightweight Directory Service (AD LDS)
– SQL database
– Custom source
31. The Federation Trust
• The ADFS servers need to exchange information securely
– Send public key for the token-signing certificate
– Tokens are verified by relying party using this key
• During the setup process you’ll agree on the signing keys,
claims formats, etc.
• Each application will trust a single ADFS server (or server
farm)
– the ADFS server can have many applications that trust it
– the ADFS server can trust one or more ADFS/federation servers
32. The ADFS Passive Logon Process
[Diagram: A. Datum account forest (users, Active Directory, AD FS) with a federation trust to the Fabrikam / Trey Research resource forest (AD FS, SharePoint) and to Office365; the user is redirected between the parties during passive logon]
33. ADFS with Outlook and ActiveSync
[Diagram: same A. Datum account forest and Fabrikam / Trey Research resource forest with a federation trust to Office365, with Exchange in place of SharePoint as the relying application for Outlook and ActiveSync clients]
34. ADFS Server Topology Options
• Single internal federation server and a single federation server proxy
• Load balanced servers and proxies
– You can use an alternative reverse proxy if you have a need or existing
infrastructure
• Geographically redundant ADFS servers
Two important points
1. Treat your ADFS servers with the same level of security as AD Domain
Controllers
2. Keep in mind that Office 365 availability depends on your ADFS service!
35. ADFS and SQL Server
• ADFS requires SQL Server to store configuration information
– SQL Express
– Full SQL Server installation
• ADFS will replicate data between servers if using SQL Express
– SQL Express does not offer token replay detection or SAML artifact
resolution
• If using full SQL install, don’t forget to account for SQL high
availability
– SQL Server clustering within a given site
– SQL Server mirroring between sites
36. Highly Available Single Site ADFS Deployment
[Diagram: Enterprise Network with Active Directory and two AD FS 2.X Servers behind NLB; DMZ with two AD FS 2.X Server Proxies behind NLB]
37. Highly Available Multi Site ADFS Deployment
[Diagram: Site A and Site B, each with an Enterprise Network (Active Directory, two AD FS 2.X Servers behind NLB, SQL Server Cluster) and a DMZ (two AD FS 2.X Server Proxies behind NLB); GLB in front of both sites, SQL Mirroring between the two SQL Server Clusters]
38. Office 365 ADFS Configuration
• Install ADFS servers and ADFS proxies
• Run configuration scripts to configure ADFS for
Office365 integration
• Set up federated domains in Office 365 tenant
– Use *-MsolFederated* PowerShell cmdlets
• Testing
– www.testexchangeconnectivity.com
– MOSDAL tool - http://support.microsoft.com/kb/960625
39. Third Party On-Premises STSs
• Office365 supports a number of third party federation
services (STS – security token service)
• The list continues to evolve however these third party
options are currently supported
– OptimalIDM
– Ping Federate
– Shibboleth (common in Higher Education)
• Limitations may apply to third party solutions – be sure to
do your research
40. Summary
• AAD DirSync will connect your AD to Office365
• Plan to spend time cleaning your AD data first
• Federation is critical as applications move to
the cloud
And so here we are. We have these scenarios where AD integrated auth isn’t going to get us all the way to where we want to be. We want to solve this problem. And how do you solve any problem in computer science? You add a layer of abstraction. You stick something in-between your developers and the directory, so that even if the directory changes, or you add a new forest or you start using smart cards or something, the applications can keep chugging right along.

And for the cloud? Well, in that case, you add a layer of abstraction between your on-premises directory, and the applications sitting up in the cloud where there’s nothing between you and them but the great big Internet. And the way we do this, the way we create this layer of abstraction, is to use something called federation. Three big words you always hear when someone talks about ADFS, are FEDERATION, CLAIMS, and TOKENS.

Role of an STS – requests in, token out. Sounds a lot like a domain controller, doesn’t it? Sounds a lot like a PKI server, doesn’t it? In a lot of ways, it’s performing a very similar function. A user wants to prove their Identity to an application – but instead of handing the application a PKI certificate that got issued by a CA, or a Kerberos Ticket that got issued by a DC, they’re presenting this TOKEN that came from an STS. What’s a token? A big bag of claims. What’s a claim? Something that the STS is asserting about the user – their email address, their age, their first name, what groups they’re in…

And just like your applications need to know how to consume a Kerb token from AD, or a certificate from a CA, the applications that can make use of this new model, need to be what’s called CLAIMS-AWARE applications – which means just what it sounds like, they know how to take this TOKEN, this big bag of CLAIMS, and use that to authenticate the user.

Before we start, let’s talk about the players involved…

No Kerb secure channel. Now PKI does still have a role to play here, because each of these TOKENS is going to be SIGNED by a PKI certificate, that you’ll install on each ADFS server that’s going to be issuing tokens. And the reason we do that, is so that when my ADFS server sends YOUR ADFS server a token, you can VERIFY that that token actually came from me, and not from somebody else.

20 minutes. Be sure to make the deprovisioning point. “I want the integrity of your users’ Identities…”