EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
Azure AD Pass-Through Authentication and Seamless SSO - EWUG.DK - Level 200-300
Peter Selch Dahl - Cloud Architect and Microsoft Azure MVP
• Protect your data
• Enable your users: empowering users, user IT
• Unify your environment
People-centric approach across devices, apps and data
Identity as the control plane
• Microsoft Azure Active Directory connects on-premises (Windows Server Active Directory, other directories) with the cloud (SaaS, Azure, Office 365, public cloud)
• Simple connection
• Self-service
• Single sign-on (username and password entered once)
What is Azure Active Directory?
Your directory in the cloud:
• Empower users: centrally managed identities and access.
• Monitor and protect access to cloud applications.
Your directory in the cloud: connect and sync on-premises directories with Azure.
Azure Active Directory Connect links Microsoft Azure Active Directory with other directories over PowerShell, LDAP v3, SQL (ODBC) and web services (SOAP, Java, REST).
Your directory in the cloud: connect and sync on-premises directories with Azure. Microsoft Azure Active Directory then links other directories to SaaS apps, with 2400+ pre-integrated popular SaaS apps.
MAY 2, 2023@EWUGDK 8
Pass-Through Authentication and SSO - Simple and better auth for most customers in the future!
Why Pass-Through Auth and SSO? - The goal of PTA/Seamless SSO
• Help new customers with the following requirements onboard faster:
  • AuthN against AD on-prem
  • No passwords in the cloud
  • Do not want unauthenticated endpoints on-prem exposed to the internet
  • Provide an SSO solution
• Help existing customers with the above requirements switch to a lower-TCO option
Azure AD Pass-through Authentication
• Enables customers to validate passwords on-premises without the complexity of AD FS
• Allows on-premises policies to be evaluated, such as account disabled, logon hours restrictions etc.
• Simple deployment via AAD Connect, no complex DMZ requirements
• Works for single- or multi-forest customers
• Built on AAD Application Proxy infrastructure
• Securely validates the user's password against on-premises AD
• Customers can deploy multiple agents for HA
• Bottom line: similar benefits to federation without the deployment cost
Azure AD Pass-through Authentication
• True single sign-on without the cost of AD FS
• No additional servers or infrastructure required on premises
• Accelerated deployment
• Utilizes existing AD infrastructure
  • Inherent support for multiple regions
  • Inherent support for finding the closest DC
  • Based on Kerberos
  • No DR plan outside of existing AD plans
• Support for both PTA and PHS customers
• SSO is provided for all domain-joined corporate machines with line of sight to a DC
Azure AD Pass-through Authentication
• Provides similar services to AD FS
  • Forms-based authentication for non-domain-joined users and users outside the corpnet (PTA)
  • SSO for domain-joined users on the corpnet (SSO)
• No need for dedicated servers
  • PTA can be installed on existing servers or DCs
  • SSO is only a computer account in AD
• No load balancers
  • PTA automatically uses all available connectors, no need to load balance
• No DMZ
  • All connections are outbound
  • No unauthenticated endpoints on the internet
• Less to manage ongoing
  • Simple DR, place connectors where needed
  • No certificates to manage
Why Pass-Through Auth and SSO? - Sign-in options today
(Chart plotting complexity against value for: cloud-only accounts; AAD Connect + cloud accounts; AAD Connect + PHS; AAD Connect + AD FS.)
Why Pass-Through Auth and SSO? - Sign-in options today
(Same complexity-versus-value chart with the new options added: cloud-only accounts; AAD Connect + cloud accounts; AAD Connect + PHS; AAD Connect + AD FS; AAD Connect + PTA and SSO; AAD Connect + PHS and SSO.)
What AD FS offers that PTA and SSO don't
• Support for smartcard authentication
• Support for 3rd party MFA providers
• Passwords are always in your control boundary, i.e. they don't pass through the cloud
• Conditional access rules based on Exchange protocols (e.g. POP, IMAP etc.)
• Support for on-premises device-based conditional access (device write-back)
What PTA and SSO offer that AD FS doesn't
• Common authentication for cloud and on-prem users
• Co-existence authentication
Authentication comparison
• 45% are cloud only and completed directly by Azure AD (down from 56% in March).
• 37% are federated and completed by an ADFS server at a customer site (up from 32% in March).
• 18% are completed using a password hash that was synced from on-premises to the cloud using AAD Connect or one of its predecessors (up from 7% in March).
• 1% are completed by a syndication partner (large companies who resell Microsoft services).
• Just under 1% are completed by a 3rd party federation server (i.e. Ping Federate, CA Site Minder, etc.).
• Just under 1% are completed by a 3rd party identity service (a company like Centrify, Okta, OneLogin, etc.).
• The remaining 1% are completed by a custom or open source identity server.
• The use of ADFS with Azure AD/Office 365 continues to grow. It now accounts for 36% of all authentications (up from 32% nine months ago).
Note: the numbers are a bit old... waiting for new numbers from Alex Simons, Director of PM.
How do they work?
Pass-Through Auth - Updated flow
(Diagram: AAD STS and AD App Proxy in Azure; connector and DC on the Contoso corpnet. The connector polls the App Proxy, so every connection is outbound.)
1. User enters user name and password
2. Username and password sent to AAD App Proxy
3. Connector notified of request (via polling)
4. Connector validates the credentials against AD
5. DC returns result
6. Connector returns result
7. Result returned back to AAD STS
8. Token returned to user, or further proofs (MFA) are initiated
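The polling flow above as an added Python model; this is not code from the presentation or from Microsoft, and the class and function names, the sample accounts and the password hashing are constructed for the example (it does not reproduce the real agent's transport). It also shows the on-premises policy checks the earlier slide lists (account disabled, logon hours) and the MFA branch of step 8:

```python
from collections import deque
from dataclasses import dataclass
import hashlib, hmac
@dataclass
class AdAccount:
    password_hash: bytes
    disabled: bool = False
    logon_hours: range = range(0, 24)   # hours of the day the account may log on

def hash_pw(pw):
    # Constructed stand-in for AD's stored credential, not AD's real format.
    return hashlib.sha256(pw.encode()).digest()
def ad_validate(directory, user, password, hour):
    """Domain controller stand-in (steps 4-5): password check, then on-prem policy."""
    acct = directory.get(user)
    if acct is None or not hmac.compare_digest(acct.password_hash, hash_pw(password)):
        return "bad_credentials"
    if acct.disabled:
        return "account_disabled"
    if hour not in acct.logon_hours:
        return "outside_logon_hours"
    return "success"

class CloudSts:
    """Azure AD STS: takes the form post (1), queues it (2), finishes on the result (7-8)."""
    def __init__(self, mfa_users):
        self.queue, self.pending, self.results, self.next_id = deque(), {}, {}, 0
        self.mfa_users = mfa_users
    def sign_in(self, user, password):
        req_id = self.next_id = self.next_id + 1
        self.pending[req_id] = user
        self.queue.append((req_id, user, password))   # waits for a connector to poll it
        return req_id
    def complete(self, req_id):
        user, result = self.pending.pop(req_id), self.results.pop(req_id)
        if result != "success":
            return {"outcome": "denied", "reason": result}
        if user in self.mfa_users:                   # further proofs before any token
            return {"outcome": "mfa_required", "user": user}
        return {"outcome": "token_issued", "user": user}

def connector_poll(sts, directory, hour):
    """On-prem connector (steps 3-6): outbound polling only, nothing listens inbound."""
    while sts.queue:
        req_id, user, password = sts.queue.popleft()
        sts.results[req_id] = ad_validate(directory, user, password, hour)

def demo(hour=10):
    directory = {                                     # constructed sample accounts
        "alice": AdAccount(hash_pw("Correct-Horse-1")),
        "bob": AdAccount(hash_pw("Battery-Staple-2"), disabled=True),
        "carol": AdAccount(hash_pw("Night-Owl-3"), logon_hours=range(18, 24)),
        "dave": AdAccount(hash_pw("Stapler-4"))}
    sts = CloudSts(mfa_users={"dave"})
    attempts = [("alice", "Correct-Horse-1"), ("alice", "wrong"), ("bob", "Battery-Staple-2"),
                ("carol", "Night-Owl-3"), ("dave", "Stapler-4")]
    ids = [sts.sign_in(u, p) for u, p in attempts]
    connector_poll(sts, directory, hour)
    return [sts.complete(i) for i in ids]
```

Calling `demo(10)` shows a correct password still being denied for the disabled account and for the account outside its logon hours, because those policies are evaluated by the on-premises side, not by Azure AD.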
Pass-Through Auth
• Supported scenarios
  • Rich clients that utilize modern authentication, think ADAL-enabled
  • Browser-based passive web flows
• Future supported scenarios
  • Legacy clients (PowerShell, Lync/Skype, Outlook not using ADAL) – GA
  • EAS, native mobile email clients – GA
• Until then
  • Customers need to use ADAL-enabled clients
  • Alternatively, use PHS as a fallback
Desktop SSO
How does it work - Setup
Setup, on the Contoso corpnet and in Azure AD:
1. Machine account created in on-prem AD
2. Kerberos key stored securely in Azure AD
3. GPO to set Intranet zone
How does it work - Runtime
1. User enters their username
2. 401 response to get a Kerberos ticket
3. User requests a Kerberos ticket from the DC
4. AD returns Kerberos ticket
5. User sends ticket to AAD STS
6. AAD STS returns token to the user
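The setup and runtime steps above as an added Python model, not code from the presentation: the key of the SSO computer account is held by both AD and Azure AD, which is what lets the STS validate a ticket the DC issued for the SSO service. The SPN, the 10-hour ticket lifetime (taken from the token-lifetime slide later in the deck) and the HMAC standing in for Kerberos ticket encryption are assumptions; the last case shows why rolling that key over on-prem without updating the copy in Azure AD breaks SSO.

```python
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 10 * 3600   # max service ticket lifetime quoted in the slides: 10 hours

class Directory:
    """On-prem AD stand-in. Holds the key of the SSO computer account created at setup
    (step 1) and issues service tickets for it (runtime step 4). Kerberos encrypts the
    ticket with that key; this model authenticates it with an HMAC instead."""
    def __init__(self):
        self.sso_key = os.urandom(32)
    def issue_ticket(self, user, spn, now):
        body = json.dumps({"user": user, "spn": spn, "exp": now + TICKET_LIFETIME})
        mac = hmac.new(self.sso_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

class AzureAdSts:
    """Cloud STS. Keeps the copy of the key stored in Azure AD at setup (step 2); at
    runtime it challenges (step 2) and redeems tickets for tokens (steps 5-6)."""
    SPN = "HTTP/autologon.example.invalid"   # assumed SPN of the SSO endpoint
    def __init__(self, sso_key):
        self.sso_key = sso_key
    def challenge(self, username):
        return {"status": 401, "www-authenticate": "Negotiate", "spn": self.SPN}
    def redeem(self, ticket, now):
        expected = hmac.new(self.sso_key, ticket["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["mac"]):
            return {"status": 401, "error": "ticket_not_under_our_key"}
        claims = json.loads(ticket["body"])
        if claims["spn"] != self.SPN:
            return {"status": 401, "error": "ticket_for_other_service"}
        if claims["exp"] <= now:
            return {"status": 401, "error": "ticket_expired"}
        return {"status": 200, "token": {"upn": claims["user"], "amr": "kerberos_sso"}}

def sso_login(ad, sts, username, now):
    """Client on the corpnet: enter username (1), get the 401 (2), ask the DC for a
    ticket for the SPN in the challenge (3-4) and hand it to the STS (5)."""
    chal = sts.challenge(username)
    ticket = ad.issue_ticket(username, chal["spn"], now)
    return sts.redeem(ticket, now)

def demo():
    ad = Directory()
    sts = AzureAdSts(ad.sso_key)                    # setup: same key on both sides
    now = int(time.time())
    ok = sso_login(ad, sts, "alice@example.invalid", now)
    # a ticket issued for a different service must not be accepted by the STS
    other = sts.redeem(ad.issue_ticket("alice@example.invalid", "HTTP/intranet.example.invalid", now), now)
    # a ticket older than the Kerberos lifetime is rejected
    stale = sts.redeem(ad.issue_ticket("alice@example.invalid", sts.SPN, now - TICKET_LIFETIME - 1), now)
    # key rolled over on-prem without updating the copy in Azure AD: SSO silently breaks
    ad.sso_key = os.urandom(32)
    broken = sso_login(ad, sts, "alice@example.invalid", now)
    return ok, other, stale, broken
```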
What's In A Token? (In Brief)

| Claim | Example | Intended purpose |
| --- | --- | --- |
| Tenant ID | 81aabdd2-3682-48fd-9efa-2cb2fcea8557 | Immutable tenant identifier |
| Name | [email protected] | Display only |
| First Name | Peter | Display only |
| Last Name | Dahl | Display only |
| Object ID | b3809430-6c28-4e43-870d-fa7d38636dcd | Immutable security identifier |

The token also contains group information.
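A validation routine that follows the table's split between display-only and immutable claims, as an added Python example that is not from the presentation: the tokens are constructed and HS256-signed with a demo key in place of Azure AD's RS256 signatures, the tenant ID and object ID are the slide's example values, and the other GUIDs and all names (`mint`, `validate`, `authorize`, `ROLE_BY_OID`) are made up for the example.

```python
import base64, hashlib, hmac, json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims, key):
    """Constructed HS256 token for the demo. Real Azure AD tokens are RS256-signed with
    keys published at the tenant's metadata endpoint; HMAC keeps this self-contained."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate(token, key, expected_tid):
    """Signature first, then pin the tenant: a valid signature alone does not prove
    the token was issued for your tenant."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad_signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("tid") != expected_tid:
        raise ValueError("wrong_tenant")
    return claims

# Authorization is keyed on the immutable Object ID, never on display-only claims.
ROLE_BY_OID = {"b3809430-6c28-4e43-870d-fa7d38636dcd": "admin"}

def authorize(token, key, expected_tid):
    try:
        claims = validate(token, key, expected_tid)
    except ValueError as err:
        return {"decision": "reject", "reason": str(err)}
    # name / given_name / family_name are for display: show them, do not decide on them
    return {"decision": "allow", "role": ROLE_BY_OID.get(claims["oid"], "none"),
            "display": claims.get("name")}

def demo():
    key = b"constructed-demo-signing-key"
    tid = "81aabdd2-3682-48fd-9efa-2cb2fcea8557"       # tenant ID from the slide
    oid = "b3809430-6c28-4e43-870d-fa7d38636dcd"       # object ID from the slide
    base = {"tid": tid, "oid": oid, "name": "Peter Dahl", "given_name": "Peter",
            "family_name": "Dahl"}
    same_name = dict(base, oid="00000000-0000-4000-8000-000000000001")   # another account
    other_tenant = dict(base, tid="00000000-0000-4000-8000-0000000000aa")
    results = [authorize(mint(c, key), key, tid) for c in (base, same_name, other_tenant)]
    head, _, sig = mint(same_name, key).split(".")    # claims swapped under an old signature
    swapped = ".".join([head, b64url(json.dumps(base).encode()), sig])
    results.append(authorize(swapped, key, tid))
    return results
```

The second result is the point of the table: a different account with the same display name is allowed in but gets no role, because only the Object ID carries authorization.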
Ports required for Azure AD Connect
• 80: Enable outbound HTTP traffic for security validation such as SSL.
• 443: Enable user authentication against Azure AD.
• 10100–10120: Enable responses from the connector back to Azure AD.
• 9352, 5671: Enable communication between the connector and the Azure service for incoming requests.
• 9350: Optional, to enable better performance for incoming requests.
• 8080/443: Enable the connector bootstrap sequence and connector automatic update.
• 9090: Enable connector registration (required only for the connector registration process).
• 9091: Enable connector trust certificate automatic renewal.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports
Pass-Through Auth and SSO
• Only works with web flows
  • ADAL rich clients supported
• Limited browser support
  • IE, Chrome, Firefox
  • Edge not currently (due to lack of SSO support)
• Alternate login ID
  • Not supported, will be supported in Public Preview
Supported Browsers / Clients (ADAL)
Which of the following would you choose?
• PTA + Desktop SSO
• Password Hash Sync (PHS) + SSO
• Either PTA or PHS + SSO is good for me/my customers
• PTA + Desktop SSO with fallback to PHS
• I don't really need SSO or PTA – why?
Who is using this Public Preview?
Outlook Modern Authentication Support
```powershell
# Connect to Exchange Online remote PowerShell with the admin credential
$credential = Get-Credential
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $ExchangeSession

# Turn on modern authentication (OAuth 2.0) for the tenant
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify that the setting took effect
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
```
Official link: https://support.office.com/en-us/article/Enable-Exchange-Online-for-modern-authentication-58018196-f918-49cd-8238-56f57f38d662
AzureAD: Primary Refresh Tokens
Sequence (Windows 10 client, Microsoft Azure Active Directory, Office 365):
1. Dave authenticates to Azure AD as part of the logon process.
2. Primary Refresh Token (PRT) returned by Azure AD and cached by Windows 10.
3. Client to Azure AD: "Here is my PRT, can I please have an SSO token for Office 365?"
4. Azure AD: "Your PRT checks out, so here is the SSO token you have asked for."
5. Client to Office 365: "Here is my Office 365 SSO token, give me access please."
AzureAD: Tokens
• Kerberos: Maximum lifetime for service ticket: 10 hours before the user must fetch a new ticket from the domain controller internally (validation): https://technet.microsoft.com/en-us/library/cc775748(v=ws.10).aspx
• Session timeouts for Office 365: https://support.office.com/en-US/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
• Modern Authentication: at some point we also need to talk "Modern Authentication" with you, but I don't think the time is ripe for that yet: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/. It is closely tied to EMS (Conditional Access). "Modern Authentication": http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
• Basic Authentication: ADFS token: 8 hours (the Microsoft default).
Questions and Answers
Thanks
T: +45 82 32 32 32, F: +45 82 32 32 22, M: [email protected], www.proactive.dk
Peter Selch Dahl, Sr. IT Architect, Cloud and IT Infrastructure
Twitter: @PeterSelchDahl
YouTube: www.youtube.com/user/PeterSelchDahl
Blog: http://blog.peterdahl.net
LinkedIn: https://dk.linkedin.com/in/petersdahl
Certifications: Microsoft MCSA: 2012 Windows Server 2016; Microsoft MCSA: 2012 Windows Server 2012; Microsoft MCITP: 2008 Server and Enterprise Administrator; Microsoft MCSA: 2008 Windows Server 2008; Microsoft MCSA/MCSE: 2003 Security; Microsoft MCITP: Windows Server 2008 R2, Virtualization Administrator; Microsoft MCTS: SCOM 2007, ISA 2006, DPM; Microsoft MCTS: Forefront Protection, etc.; VMware Certified Professional VI3/VI4/VI5; CompTIA A+, Network+; Citrix CCA: Branch Repeater (CloudBridge); EC-Council: Certified Ethical Hacker (CEH v7); and more.