Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies
Transcript

  • 1. Bring Your Own Device Essentials with Windows Technology, Part 1 Raymond Comvalius & Sander Berkouwer
  • 2. Please take all the photos you like, but we would like to point out: Sharing is caring @NEXTXPERT @SanderBerkouwer @NICConf
  • 3. Introduction: Sander Berkouwer, MCSA, MCSE, MCITP; Microsoft MVP since 2009; blogger at DirTeam.com/ActiveDir.org and ServerCore.Net; Microsoft Tech Lead at OGD ict-diensten since 2000
  • 4. Introduction: Raymond Comvalius, MCSA, MCSE, MCITP, MCT; Microsoft MVP since 2011; author of "Windows 7 for XP Professionals" and "Updating Support Skills…"; independent IT Architect, specialized in IT infrastructure since 1998
  • 5. Introducing Bring Your Own
  • 6. Fact or Fiction… Domain Join is almost legacy. Kerberos and LDAP are for trusted networks only. A mobile device can be an authentication factor. HTTP(S) is the Universal Firewall Bypass Protocol. Exchange ActiveSync was way ahead of its time. Without PKI and certificates you're out.
  • 7. Reality: 51% of employees between the age of 21 and 32 years choose to deliberately ignore corporate policies when they apply to: corporate use of privately-owned devices (BYOD), cloud storage, wearable devices. Source: Fortinet, October 22, 2013
  • 8. Bring Your Own: Employees, Devices, Apps, Information
  • 9. Bring Your Own: Employees, Devices, Apps, Information (Management | Access | Security)
  • 10. Bring Your Own: facilitating access to company IT sources with devices owned by employees and other entities
  • 11. BYO: Non-corporate (Bring Your Own Device) versus Corporate (Data, Applications)
  • 12. Solid BYO Authentication: Username + Password + ? = MFA (Multi-Factor Authentication). Policies: the device is sufficiently secured and complies with minimum security policies. Health: patch levels are up to date; not jailbroken or hacked by Anonymous.
  • 13. Bring Your Own Building Blocks: Solid Authentication (AD Domain Services, AD Federation Services, Windows Azure AD); Solid Data Protection (Azure RMS); Solid Authorisation (Workplace Join, Web Application Proxy); Solid Management (System Center, Windows Intune)
  • 14. Solid Authentication
  • 15. Current challenges. Current protocols lack flexibility: Kerberos tickets are encrypted and cannot be split; Kerberos tickets only contain SIDs. Active Directory trusts provide too little flexibility: trusted domains share too much information; domain trusts lack scalability. Multi-Factor Authentication: verifying user identity is crucial; username and password is not good enough.
  • 16. Current Authentication (Kerberos). Parties: Client, KDC (Domain Controller), Resource. Client → Resource: May I access your resources? Resource → Client: Go get a ticket at the KDC. Client → KDC: May I have a ticket? + Here is my TGT. KDC → Client: Here is a Service Ticket. Client → Resource: May I have access? + Service Ticket. Resource → Client: Here are the resources.
  • 17. Solution Authentication with AD Federation Services
  • 18. Authentication with AD FS (SAML). Parties: Client, STS (AD FS), Resource. Client → Resource: May I access your resources? Resource → Client: Go get a token at the STS (redirect). Client → STS: May I have a token? + credentials. STS → Client: Here is your (SAML) token. Client → Resource: May I have access? + (SAML) token. Resource → Client: Here are the resources.
  • 19. AD FS benefits. SAML and OAuth2 are “web ready”: transport over an SSL channel; tokens are optionally encrypted. Relying Party trusts are very flexible: token contents are defined per Relying Party (RP) Trust; Relying Party Trusts are scalable. Multi-Factor Authentication: AD FS authentication is “extensible” for third parties.
  • 20. Claims vs Tickets. Claim tokens instead of tickets: more flexibility with inbound and outbound filtering; web-based protocol, optional encryption. Relying Parties replace Domain Members and Trusts: Relying Parties have fine-grained definitions; less dependent, requires little information. Rich authentication scenarios: even the authentication method is a claim; anything can be an authentication factor.
  • 21. Claims vs. Tokens, compared for Claims in SAML versus Claims in Kerberos Tokens. Encryption: optional for SAML. Transport: HTTP (TCP 80) / HTTPS (TCP 443) for SAML; Kerberos (TCP 88) for Kerberos. Contents: XML-based claims for SAML; authorization data in the ticket for Kerberos. Limits: MaxTokenSize and ticket lifetime for Kerberos. Security: signing and replay protection for SAML; mutual authentication and PAC validation for Kerberos.
  • 22. Demo Configuring SAML Authentication
  • 23. Solution Windows Azure Active Directory
  • 24. Introducing Azure Active Directory. Modern Identity Management: free REST-based web service for authentication; Identity and Access Management for cloud services. Cloud Identity Management: Identity and Access Management for Windows Azure, Office 365, CRM Online, Windows Intune, etc. 100% interoperability: based on open standards like SAML and WS-Fed; full support for 3rd party identity providers.
  • 25. Integration options for Azure AD (scenarios for identity, with complexity, requirements and the resulting integration). Portal: low complexity; no need for extra hardware; separate credentials, 2x logon. PowerShell / Graph API: medium complexity; no need for extra hardware; separate credentials, 2x logon. DirSync with Cloud identities: low complexity; Windows Server required; same username, other password, 2x logon. DirSync with Password Sync: low complexity; Windows Server required; same username and password, 2x logon. DirSync with Federation: high complexity; requires extra Windows Servers; same username and password, SSO on-prem, MF Auth.
  • 26. Advanced Authentication to Azure AD (flow diagram). On premises: Colleague, Integrated Application, Active Directory Federation Services, Active Directory Domain Services, Directory Synchronization Tool. Azure: Azure Active Directory, Azure Active Directory Access Control Service, Azure Management API. A federation trust links Active Directory Federation Services to Azure Active Directory.
  • 27. Current challenges. Smart Cards for MFA with Active Directory: smart card readers never became a commodity; smart cards require extra hardware; smart cards require PKI, which is expensive with a public Certificate Authority; Kerberos or browser authentication. User friendliness: is a smart card convenient for BYOD? We now have alternatives for a card.
  • 28. Solution Multi-Factor Authentication
  • 29. Multi-Factor Authentication with AD FS. Extensible Authentication Model: API for 3rd party extensions; default support for Smart Cards. Azure PhoneFactor: simple implementation; phone call, text message, app or OATH passcode. Not just PhoneFactor: multiple vendors support AD FS MFA.
  • 30. PhoneFactor Multi-Factor Authentication (flow diagram). On premises: Colleague, Application, Multi-Factor Authentication Server, Active Directory Domain Services. Cloud: Multi-Factor Authentication Service.
  • 31. Join us for Part 2! Part 1 and Part 2: there’s a lot to cover in terms of Bring Your Own (BYO); we’re only half way now… This Part: we’ve discussed Solid Authentication; you now know why Kerberos is going away. Part 2: there’s another hour of BYO goodness coming, this afternoon from 13:40 to 14:40.
  • 32. Questions?
  • 33. Please evaluate our session.
  • 34. Sessions of Interest Today: “Adventures in Underland: What Passwords Do When No One Is Watching”, Paula Januszkiewicz, Auditorium 6, 12:20 - 13:20; “Managing Mobile Devices with System Center 2012 R2 ConfigMgr and Windows Intune”, Wally Mead, Auditorium 3, 13:40 - 14:40; “Identity and Directory Synchronization with Office 365 and Windows Azure AD”, Brian Desmond, Auditorium 1, 15:00 - 16:00
  • 35. Thank You!
  • 36. Bring Your Own Device Essentials with Windows Technology, Part 2 Raymond Comvalius & Sander Berkouwer
  • 37. Please take all the photos you like, but we would like to point out: Sharing is caring @NEXTXPERT @SanderBerkouwer @NICConf
  • 38. Introduction: Sander Berkouwer, MCSA, MCSE, MCITP; Microsoft MVP since 2009; blogger at DirTeam.com/ActiveDir.org and ServerCore.Net; Microsoft Tech Lead at OGD ict-diensten since 2000
  • 39. Introduction: Raymond Comvalius, MCSA, MCSE, MCITP, MCT; Microsoft MVP since 2011; author of "Windows 7 for XP Professionals" and "Updating Support Skills…"; independent IT Architect, specialized in IT infrastructure since 1998
  • 40. Solid Authorization
  • 41. Current challenges. Group membership is too strict: based on a single attribute; becomes uncontrollable very fast. Token bloat: a ticket with too many SIDs is not accepted; causes inconsistencies during logon. Cross-organization access: organizations must trust each other a lot; connections are not always stable.
  • 42. Claims for rich authorization scenarios. Rich authorization: claims can be based on group membership, or on any property of a user account (e.g. Department), or on the user's occurrence in the address list, or on the location of the computer… or combinations of the above… or external claims.
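The trade-off behind slides 41 and 42 (a group per attribute combination bloats the Kerberos token, while a claims rule composes user and device attributes), worked through as an added Python example that is not part of the deck. The token-size estimate uses Microsoft's published rule of thumb TokenSize = 1200 + 40d + 8s; the claims-rule dictionary and the sample departments, locations and device claims are constructed for illustration and are not the real Dynamic Access Control or AD FS rule syntax.

```python
"""Added example (not from the slides): group-per-combination authorization
versus a claims rule that composes user and device attributes.
Assumptions: the token size estimate is Microsoft's published rule of thumb
TokenSize = 1200 + 40*d + 8*s; the rule format is an illustrative dictionary,
not the real Dynamic Access Control or AD FS rule language."""
from itertools import product

MAX_TOKEN_SIZE_LEGACY = 12000  # default before Windows Server 2012 / Windows 8
MAX_TOKEN_SIZE_2012 = 48000    # default from Windows Server 2012 / Windows 8


def estimate_token_size(d: int, s: int) -> int:
    """Estimated Kerberos token size in bytes. d: domain local groups plus
    universal groups outside the account domain (plus sIDHistory SIDs);
    s: global groups plus universal groups inside the account domain."""
    return 1200 + 40 * d + 8 * s


def fits_in_token(d: int, s: int, max_size: int = MAX_TOKEN_SIZE_LEGACY) -> bool:
    """Slide 41's 'a ticket with too many SIDs is not accepted' check."""
    return estimate_token_size(d, s) <= max_size


def groups_per_combination(*dimensions):
    """Group model: one security group per combination of attribute values
    (e.g. 'FIN-HQ-Managed'); every new dimension multiplies the count."""
    return ["-".join(values) for values in product(*dimensions)]


def evaluate_claims_rule(rule: dict, claims: dict) -> bool:
    """Claims model: each claim type in the rule must be present and hold one
    of its allowed values (AND across claim types, OR within one type)."""
    return all(claims.get(ctype) in allowed for ctype, allowed in rule.items())


# Constructed sample data: the combinations the group model must pre-create.
DEPARTMENTS, LOCATIONS, DEVICE_STATES = ("FIN", "HR", "ENG"), ("HQ", "Branch"), ("Managed", "BYOD")
# The same policy as one claims rule: Finance or Audit users on a managed
# device at HQ. A new condition edits this rule instead of the group tree.
FINANCE_RULE = {"user.department": {"Finance", "Audit"},
                "device.location": {"HQ"},
                "device.managed": {True}}

if __name__ == "__main__":
    groups = groups_per_combination(DEPARTMENTS, LOCATIONS, DEVICE_STATES)
    print(len(groups), "groups, e.g.", groups[0])                 # 12 groups
    print(estimate_token_size(300, 0), fits_in_token(300, 0))     # 13200 False
    joined = {"user.department": "Finance", "device.location": "HQ", "device.managed": True}
    at_home = {"user.department": "Finance", "device.location": "Home", "device.managed": False}
    print(evaluate_claims_rule(FINANCE_RULE, joined), evaluate_claims_rule(FINANCE_RULE, at_home))
```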
  • 43. Solution Claims
  • 44. Claims in Tokens and/or Kerberos Tickets. Claims in SAML/OAuth2 and/or Kerberos: claims in SAML via Federation Services; claims in Kerberos via Dynamic Access Control. Benefits of claims in SAML/OAuth2: Kerberos and LDAP are not web-based protocols; Active Directory is not a web-based product. Benefits of claims in Kerberos: claims can be based on any attribute; authorisation in ACLs exceeds user status.
  • 45. Authorisation with Bring Your Own. Claims-aware applications: Active Directory Federation Services; the Relying Party (RP) processes the claims. Windows-integrated web applications: Web Application Proxy in Windows Server 2012 R2 translates claims from SAML to Kerberos with KCD. Data: Work Folders allow for file server synchronisation; SkyDrive Pro offers synchronisation with SharePoint.
  • 46. Solution Workplace Join
  • 47. Introducing Workplace Join. Claims: employees verify devices; claims are provided by Active Directory Federation Services. Certificates: verified devices enroll a certificate from AD FS; per device an object in the Registered Devices container. Service Discovery: DNS record (enterpriseregistration) for AutoDiscover; a DNS record is required per user domain.
  • 48. Workplace Join Internals. Certificate: in the local user store, from MS-Organization-Access; Workplace Join requires a working CRL for the AD FS SSL certificate. Active Directory: msDS-Device object in Active Directory, tied to the user/device combination. Cookies: a permanent cookie enables Single Sign-on.
  • 49. Demo Workplace Join
  • 50. Solid Access
  • 51. Current Challenges. Server Message Block (SMB): discloses Windows-based file servers; not optimized for the web. Remote Procedure Call (RPC): discloses remote Windows functionality; not optimized for the web. HTTP for everything: HTTP (with/without SSL) to be used as the standard protocol; HTTP is the universal firewall bypass protocol.
  • 52. Solution Work folders
  • 53. Work Folders positioning (diagram). Data classes: personal data, individual business data, team/department business data; personal devices. Options: SkyDrive (public cloud), SkyDrive Pro (SharePoint and/or Office 365), Work Folders (file server), Folder Redirection (file server).
  • 54. Work Folders Internals. HTTP-based file synchronisation: DNS record (workfolders) for AutoDiscovery; Windows Authentication or AD FS (OAuth2). Standard policies: password policy and device lock; policies cannot be customized. Encryption and remote wipe: encryption based on EFS (Enterprise Key); functional remote wipe initiated from Exchange / Intune.
  • 55. Current Challenges. TMG is End-of-Life: we must have a Reverse Proxy. Pre-authentication with Active Directory integration: groups are insufficient for authorization; client properties can be used for allow/deny access; existing web apps are often not claims-aware. Publish AD Federation Services on the Internet: disclosing Active Directory on the Internet is no option; Internet-accessible services in the perimeter network.
  • 56. Solution Web Application Proxy
  • 57. Introducing Web Application Proxy. Edge Role: 1. AD FS Proxy configuration on the AD FS Server; 2. Reverse Proxy for HTTPS with pre-authentication. Kerberos Constrained Delegation: Web App Proxy translates SAML to Kerberos; requires Service Principal Names (SPNs). Custom claims: configurable in AD Federation Services from multiple sources.
  • 58. Internal access to a claims-based app (flow diagram). On premises: Employee, Claims-based App, Active Directory Federation Services (acting as STS), Active Directory Domain Services.
  • 59. BYO Access to a claims-based app (flow diagram). Components: Colleague, Web Application Proxy (Reverse Proxy, ADFS Proxy), Claims-based App, Active Directory Federation Services (acting as STS), Active Directory Domain Services (on premises).
  • 60. BYO Access to a non-claims-aware app (flow diagram). Components: Colleague, Web Application Proxy (Reverse Proxy, ADFS Proxy), Kerberos App, Active Directory Federation Services (acting as STS), Active Directory Domain Services (on premises).
  • 61. Solid Management
  • 62. Managing Bring Your Own. Not a single method to offer applications: organizations use multiple methods; unclear and hard to report. Applications for multiple platforms: not just Windows, but also Mac OS; not just desktops and laptops, but also tablets, etc. Application distribution is hard: not all devices are connected to the network; not all devices can be connected to the network.
  • 63. Solution Windows Intune
  • 64. ConfigMgr with Windows Intune (diagram). Employee; System Center Configuration Manager 2012 R2 (on premises) together with Windows Intune; central management and reporting.
  • 65. Conclusion
  • 66. BYO: Non-corporate (Bring Your Own) versus Corporate (Data, Applications)
  • 67. Bring Your Own: Solid authentication (AD Domain Services, AD Federation Services, Windows Azure AD); Solid access (Azure RMS); Solid authorization (Workplace Join, Web Application Proxy); Solid management (System Center, Windows Intune)
  • 68. Questions?
  • 69. Please evaluate our session.
  • 70. Thank You!