Ten most common mistakes with AD FS and Hybrid Identity
Sander Berkouwer
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs and hybrid identity
Active Directory Federation Services (AD FS) is the Microsoft technology that bridges your on-premises identity systems to cloud identity providers such as Azure Active Directory. Colleagues depend on a reliable, yet cost-effective deployment of AD FS, and it is our job as IT Pros to make it happen. This session covers the ten most common mistakes we see in the field in organizations that have deployed AD FS and performed a hybrid identity deployment. Learn from their mistakes, so you don't have to make them.

Published in: Technology
  1. Ten most common mistakes with AD FS and Hybrid Identity
     Sander Berkouwer
     Tweet and win an Ignite 2016 ticket: #itproceed #activedirectory #hybrididentity
  2. Agenda
     Federation: a small primer on the open protocols used today for federating identity and achieving hybrid identity
     Most common mistakes when planning, deploying and operating AD FS, and how to avoid them to get the most out of your hybrid identity implementation
  3. Federation: on claims, identity providers and relying party trusts
  4. Why we need federation
     NTLM and Kerberos: Kerberos (1993) was designed for 'safe' networks; NTLM and Kerberos have serious problems
     Active Directory: Active Directory domain memberships are typically Windows-only; domain trusts leak information and scale badly
     Granular, device-agnostic authentication: we need device-agnostic, open protocols designed for the web, and we need multi-factor authentication
  5. Under the hood (diagram): a colleague, a claims-aware app, Active Directory Federation Services (acting as STS) and Active Directory Domain Services, with the authentication flow drawn as steps 1 to 7
  6. Behind the mist (diagram): on premises, Active Directory Domain Services, Active Directory Federation Services and the Directory Synchronization Tool; in Azure, Azure Active Directory, the Azure Active Directory Management API and an Azure Active Directory integrated application; linked by an Active Directory Federation Trust over the Internet, with the colleague's sign-in flow drawn as steps 1 to 8
  7. Federation benefits
     SAML and OAuth2 are Internet-ready: transport over the "Universal Firewall Bypass Protocol" (TCP 443); tickets are compressed and optionally encrypted
     Relying party trusts are very flexible: ticket content and authentication are defined per relying party trust; relying party trusts are flexible and scalable
     Multi-factor authentication: AD FS in Windows Server 2012 R2 is extensible; extensions are configurable per relying party trust and per network
  8. Common mistakes
  9. 1. AD FS when you don't need it
     Some organizations need their own AD FS infrastructure: local authentication requirements (legal, multi-factor authentication); local authentication possibilities (claims issuance, transformation rules)
     Azure Active Directory with Password Sync: 2488 Software-as-a-Service apps in the Azure Active Directory App Gallery; easily configure Single Sign-On and user account management
     Azure Active Directory: Azure Active Directory Free may contain up to 500,000 accounts; federating with up to 5 apps is free; online accounts may suffice
  10. 2. Build upon an unhealthy Active Directory
     Attribute integrity and lingering objects: objects and attributes present on some Domain Controllers but not on others, resulting in unpredictable AD FS authentication
     Private top-level domains: DNS domain names for domains ending with .local or .int; a User Principal Name (UPN) suffix needs to be added and the UPNs changed
     UPN syntax mismatches: critical for solutions with the Directory Sync Tool / Azure Active Directory Sync; use the IdFix DirSync Error Remediation Tool
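The UPN and replication checks behind slide 10, as an added example that is not part of the deck. It assumes a legacy forest named contoso.local whose verified, routable suffix is contoso.com, and the group name is constructed for the example.

```powershell
# Added example (not from the deck): find enabled accounts whose UPN would
# break directory synchronization to Azure AD, i.e. no UPN at all or a UPN
# suffix that is not a routable, verified domain (such as contoso.local).
# Assumption: contoso.com is the suffix verified in Azure AD.
Import-Module ActiveDirectory

$VerifiedSuffixes = @('contoso.com')   # assumed: suffixes verified in Azure AD

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName

$problems = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        [pscustomobject]@{ Sam = $u.SamAccountName; Issue = 'No UPN set'; Upn = $null }
        continue
    }
    $suffix = ($upn -split '@')[-1]
    if ($suffix -notin $VerifiedSuffixes) {
        [pscustomobject]@{ Sam = $u.SamAccountName; Issue = "Unroutable suffix '$suffix'"; Upn = $upn }
    }
}
$problems | Format-Table -AutoSize

# Fix for the unroutable suffix. Run only after contoso.com has been added
# under 'UPN suffixes' in AD Domains and Trusts; drop -WhatIf once reviewed.
$problems | Where-Object Issue -like 'Unroutable suffix*' | ForEach-Object {
    $newUpn = ($_.Upn -split '@')[0] + '@' + $VerifiedSuffixes[0]
    Set-ADUser -Identity $_.Sam -UserPrincipalName $newUpn -WhatIf
}

# Replication health: objects that exist on some DCs but not on others
# (lingering objects) announce themselves as replication errors first.
repadmin /replsummary
repadmin /showrepl * /errorsonly
```

IdFix still has to run before the first sync, since it also catches invalid characters and duplicate proxyAddresses that this script does not look at.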
  11. 3. The AD FS Service Account
     Password changes, security implications: AD FS is usually Internet-facing, so it benefits from extra security; we want regular password changes, host restrictions, etc.
     group Managed Service Accounts (gMSAs): gMSAs solve 'the service account problem' for farms and are supported by AD FS; gMSAs offer automatic SPN and password management
     Windows Server 2008 DFL: the 2008 Domain Functional Level offers automatic SPN management; Windows 8 and Windows Server 2012 (and up) offer cmdlets
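Setting up the gMSA that slide 11 recommends, as an added example that is not from the deck. The farm name sts.contoso.com, the security group ADFS-Servers, the account name adfs-gmsa and the certificate thumbprint placeholder are all assumptions.

```powershell
# Added example (not from the deck): give AD FS a group Managed Service Account
# instead of an 'ordinary' user account. Assumed names: farm sts.contoso.com,
# group ADFS-Servers containing the farm members, gMSA adfs-gmsa.

# 1. Once per forest: the KDS root key from which gMSA passwords are derived.
#    A new key becomes usable only after it has replicated (about 10 hours);
#    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) is a lab shortcut.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. Create the account. Only members of ADFS-Servers can retrieve its
#    password, which is the 'host restriction' the slide asks for, and the
#    password rolls over automatically (every 30 days by default).
New-ADServiceAccount -Name 'adfs-gmsa' `
    -DNSHostName 'sts.contoso.com' `
    -ServicePrincipalNames 'host/sts.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADFS-Servers'

# 3. On each farm member, after a reboot so the group membership is in the
#    computer's token: install the account locally and verify it.
Install-ADServiceAccount -Identity 'adfs-gmsa'
Test-ADServiceAccount -Identity 'adfs-gmsa'   # must return True

# 4. Install the first farm node with the gMSA rather than a user credential.
Install-AdfsFarm -CertificateThumbprint '<service-communication-cert-thumbprint>' `
    -FederationServiceName 'sts.contoso.com' `
    -GroupServiceAccountIdentifier 'CONTOSO\adfs-gmsa$'

# Verify which identity the AD FS service (adfssrv) actually runs as, and
# confirm the password interval and last rollover on the account.
Get-CimInstance Win32_Service -Filter "Name='adfssrv'" | Select-Object Name, StartName
Get-ADServiceAccount -Identity 'adfs-gmsa' -Properties ManagedPasswordIntervalInDays, PasswordLastSet |
    Select-Object Name, ManagedPasswordIntervalInDays, PasswordLastSet
```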
  12. 4. Designing the right AD FS infrastructure
     AD FS Server Farms: AD FS can easily be deployed highly available, if need be with Windows NLB; AD FS Proxies / Web Application Proxies can be deployed in perimeter networks
     Windows Internal Database or SQL Server: a WID farm has a limit of five federation servers and does not support token replay detection or artifact resolution
     SQL Server High Availability: take advantage of your existing SQL Server investments; take advantage of database mirroring, failover clustering and monitoring
  13. 5. Skewed Time Synchronization
     Time sync within an Active Directory environment: W32time follows the Active Directory hierarchy and sites configuration; set the time for an environment through the PDCe
     Time sync within virtual machines: virtual machines always sync time with the host on boot; continuous time sync is configured with VMware Tools, Hyper-V ICs, etc.
     Time sync within perimeter networks: could be virtual machine time sync, could be an external source; will be none, if you don't configure it…
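The three time-sync layers of slide 13 as concrete commands, an added example that is not from the deck. Host names (dc01.contoso.com as PDCe, VM name DC01, a non-domain-joined WAP server) and the NTP pool used as external source are assumptions.

```powershell
# Added example (not from the deck): configure and verify the W32time hierarchy
# the slide describes. Each section says on which machine it runs.
# Assumed names: PDCe dc01.contoso.com, Hyper-V VM DC01, external NTP pool.

# --- On the PDC emulator only: take time from an external source.
#     0x8 = client mode; /reliable:yes advertises this DC as a good time source.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
              /syncfromflags:manual /reliable:yes /update
w32tm /resync

# --- On every other DC and on the AD FS farm members: follow the domain
#     hierarchy instead of a hard-coded peer.
w32tm /config /syncfromflags:domhier /update
Restart-Service w32time
w32tm /resync

# --- Hyper-V host: stop the integration service from pulling the guest DC back
#     to host time after boot (VMware: disable time sync in VMware Tools).
Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'

# --- Perimeter (Web Application Proxy) servers are not domain-joined, so the
#     default is no source at all. Point them at the same external source.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8" /syncfromflags:manual /update
w32tm /resync

# --- Verify on any box: what is it syncing from, and how far is it from the PDCe?
w32tm /query /source
w32tm /query /status
w32tm /stripchart /computer:dc01.contoso.com /samples:5 /dataonly
# Kerberos tolerates 5 minutes of skew by default and token validity windows
# are equally time-bound; healthy stripchart offsets are fractions of a second.
```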
  14. 6. Certificate Distrust
     Certificates in use by AD FS: token-signing and token-decryption certificates; service communication certificate
     Certificates with 1024-bit key length: certificates under 1024-bit key length are blocked; request and use certificates with 2048-bit key length throughout the chain
     Certificates with SHA-1 hash algorithm: starting 2016, SHA-1 will be deprecated; request and use certificates with SHA-2 hash algorithms throughout the chain
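A check for both conditions on slide 14, key length and signature hash, applied to the whole chain of every certificate AD FS uses; this is an added example, not from the deck, and the function name Test-ChainCertificate is made up for it.

```powershell
# Added example (not from the deck): walk the chain of each AD FS certificate
# (token-signing, token-decrypting, service communications) and flag keys
# below 2048 bits or SHA-1 signatures anywhere in the chain, not just the leaf.
# Run on a federation server; Get-AdfsCertificate comes with the ADFS module.

function Test-ChainCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # key/hash only; CRL is a separate check
    [void]$chain.Build($Cert)
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        $isRoot = ($c.Subject -eq $c.Issuer)
        [pscustomobject]@{
            Subject  = $c.Subject
            KeyBits  = $c.PublicKey.Key.KeySize
            SigAlg   = $c.SignatureAlgorithm.FriendlyName
            NotAfter = $c.NotAfter
            # A root's self-signature is trusted by store membership, not by its
            # hash, so a SHA-1 root on its own is not a finding; a small key is.
            Weak     = ($c.PublicKey.Key.KeySize -lt 2048) -or
                       (-not $isRoot -and $c.SignatureAlgorithm.FriendlyName -match 'sha1')
        }
    }
}

$findings = foreach ($adfsCert in Get-AdfsCertificate) {
    Test-ChainCertificate -Cert $adfsCert.Certificate |
        Select-Object @{n='Type';e={$adfsCert.CertificateType}},
                      @{n='Primary';e={$adfsCert.IsPrimary}}, *
}
$findings | Format-Table Type, Primary, Subject, KeyBits, SigAlg, NotAfter, Weak -AutoSize

# Replace anything with Weak = True before it gets distrusted. Self-signed
# token certificates can be rolled with
#   Update-AdfsCertificate -CertificateType Token-Signing -Urgent
# after which every relying party needs the new public key (metadata refresh).
```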
  15. 7. Forget Enterprise Registration
     AD FS in Windows Server 2012 R2: many new features!
     Workplace Join: device-agnostic silent Single Sign-On (SSO); employees verify devices, enroll a certificate and get a cookie
     EnterpriseRegistration: Workplace Join AutoDiscover requires a DNS record per UPN suffix; use enterpriseregistration.domain.tld as Subject Alternative Name
  16. 8. Windows Updates, anyone?
     AD FS is regularly updated: security updates, like MS15-062; scalability and stability updates
     AD FS uses Windows Update: AD FS updates don't require Microsoft Update :-); AD FS updates only light up after installing the Server Role
     Wait, test, then deploy updates: wait two weeks before deploying updates, or deploy updates to a test network before production
  17. 9. Best Practices Analyzers
     Best Practices Analyzers: part of Server Manager in Windows Server 2008 R2 and up; avoid 90% of situations with data or functionality loss
     AD FS Best Practices Analyzer: checks the Active Directory Federation Service; will be updated with additional checks in the future
     Other BPAs of use: Active Directory Domain Services Best Practices Analyzer; Active Directory Certificate Services Best Practices Analyzer
  18. 10. Processes, processes, processes
     Monitoring of the AD FS Service: check the availability and/or usage of the AD FS infrastructure; use System Center Operations Manager with GSM, Azure Operational Insights and/or the Azure Active Directory Connect Health service
     Auditing of the AD FS Service: AD FS offers built-in auditing and logging of errors, warnings and information; auditing of claims issuance; logging of success and failure audits; log suspicious or unintended activity
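Turning on the success and failure audits of slide 18 and reading them back, as an added example that is not from the deck. It assumes AD FS on Windows Server 2012 R2; the one-day window is arbitrary.

```powershell
# Added example (not from the deck): enable AD FS auditing and pull the failed
# audits from the Security log. Assumed: Windows Server 2012 R2 farm member.

# 1. Audits appear only when both AD FS and the OS audit policy allow them.
Set-AdfsProperties -LogLevel @('Errors','Warnings','Information','SuccessAudits','FailureAudits')
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
# The AD FS service account also needs the 'Generate security audits' user
# right (SeAuditPrivilege) on every farm member; grant it through Group Policy.
Restart-Service adfssrv

# 2. Review: failed audits from the 'AD FS Auditing' provider, last 24 hours.
#    Keywords 0x10000000000000 = Audit Failure, 0x20000000000000 = Audit Success.
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    StartTime    = $since
    Keywords     = 0x10000000000000
} -ErrorAction SilentlyContinue

# Group by event ID so a burst of one failure type stands out; the first
# message line of a sample event says what that ID means.
$failed | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Sample'; e={ $_.Group[0].Message.Split("`n")[0] }} |
    Format-Table -AutoSize

# Same window, successes: claims issuance audits to confirm the service is
# actually issuing tokens, not just failing quietly.
(Get-WinEvent -FilterHashtable @{ LogName='Security'; ProviderName='AD FS Auditing';
                                  StartTime=$since; Keywords=0x20000000000000 } `
              -ErrorAction SilentlyContinue).Count

# A repeated failure pattern from the Internet-facing proxies is what the
# extranet lockout settings are for:
#   Set-AdfsProperties -ExtranetLockoutEnabled $true -ExtranetLockoutThreshold 10
```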
  19. Concluding
  20. Avoid the mistakes and you'll be fine
     1. Don't build AD FS when you don't need to
     2. Don't build upon an unhealthy Active Directory
     3. Use gMSAs instead of 'ordinary' service accounts for AD FS
     4. Design the right infrastructure
     5. Take care of adequate time synchronization
     6. Use certificates with 2048-bit or longer keys and a SHA-2 algorithm
     7. Don't forget to plan for Enterprise Registration
     8. Don't forget to install Windows Updates
     9. Don't forget to use the Best Practices Analyzers
     10. Monitor, audit and back up the AD FS infrastructure
  21. Rules of thumb
     AD FS is an extension to Active Directory: make sure Active Directory is healthy; rename, migrate or restructure .local domains
     Plan your AD FS implementation: set requirements, plan accordingly, deploy securely; take care of adequate time synchronization
     Don't forget to manage AD FS: use the Best Practices Analyzers (BPAs); take care of information security, like monitoring, auditing and backup
  22. And win a Lumia 635: the feedback form will be sent to you by email. Give me feedback!
  23. Follow TechNet Belgium: @technetbelux. Subscribe to the TechNet newsletter: aka.ms/benews. Be the first to know.
  24. Thank you!
  25. Belgium's biggest IT PRO Conference