Brian Desmond - Identity and directory synchronization with office 365 and windows azure active directory
  • And so here we are. We have these scenarios where AD integrated auth isn’t going to get us all the way to where we want to be. We want to solve this problem. And how do you solve any problem in computer science? You add a layer of abstraction. You stick something in between your developers and the directory, so that even if the directory changes, or you add a new forest or you start using smart cards or something, the applications can keep chugging right along. And for the cloud? Well, in that case, you add a layer of abstraction between your on-premises directory and the applications sitting up in the cloud, where there’s nothing between you and them but the great big Internet. And the way we do this, the way we create this layer of abstraction, is to use something called federation. Three big words you always hear when someone talks about ADFS are FEDERATION, CLAIMS, and TOKENS. Role of an STS: requests in, token out. Sounds a lot like a domain controller, doesn’t it? Sounds a lot like a PKI server, doesn’t it? In a lot of ways, it’s performing a very similar function. A user wants to prove their identity to an application, but instead of handing the application a PKI certificate that got issued by a CA, or a Kerberos ticket that got issued by a DC, they’re presenting this TOKEN that came from an STS. What’s a token? A big bag of claims. What’s a claim? Something that the STS is asserting about the user: their email address, their age, their first name, what groups they’re in… And just like your applications need to know how to consume a Kerb token from AD, or a certificate from a CA, the applications that can make use of this new model need to be what’s called CLAIMS-AWARE applications, which means just what it sounds like: they know how to take this TOKEN, this big bag of CLAIMS, and use that to authenticate the user.
  • Before we start, let’s talk about the players involved…
  • No Kerb secure channel. Now PKI does still have a role to play here, because each of these TOKENS is going to be SIGNED by a PKI certificate that you’ll install on each ADFS server that’s going to be issuing tokens. And the reason we do that is so that when my ADFS server sends YOUR ADFS server a token, you can VERIFY that that token actually came from me, and not from somebody else.
  • 20 minutes. Be sure to make the deprovisioning point. “I want the integrity of your users’ identities…”

    1. Identity and Directory Synchronization in Office365 and Azure AD – Brian Desmond
    2. Intro
       • Chicago based
       • Active Directory & Identity consultant – Edgile, Inc
       • Microsoft MVP for Active Directory since 2003
       • Author of Active Directory, 5th Ed from O’Reilly – You should own a copy!
       • e-mail: · website & blog: · @brdesmond
    3. Agenda
       • Identity Management in the Cloud
       • Directory Synchronization with DirSync
       • Federated Identity with Active Directory Federation Services
    4. IDENTITY IN OFFICE 365
    5. Identity Options
       • Identities can be mastered in
         – Office365
         – Active Directory
       • Single Sign On (SSO) is optional
         – Keeps passwords out of O365
         – Greatly improves the end user experience
       • DirSync and ADFS may be required to meet your goals
    6. Mastering Identities in Office365
       • Separate Microsoft Online ID for each user
       • Separate passwords stored in the cloud
       • Very easy to deploy
       • Support costs may be higher with differing passwords and password policies
       • Manage your users with PowerShell or the Online Services administration center
    7. Mastering Identities in Active Directory
       • Two options
         – Separate Microsoft Online ID for each user
         – Federated identities
       • Requires Windows Azure Active Directory Directory Synchronization for either option
         – Sync Active Directory data to the cloud
         – Passwords can be synchronized
       • Without federation or password sync, users still maintain a separate password in the cloud
       • Enables rich coexistence scenarios
    8. Federated Identity
       • Users are authenticated via on-premise ADFS environment
       • DirSync sends objects and key attributes to the cloud
       • Password is always maintained (and only exists) on-premise
       • Requires additional infrastructure for ADFS
         – Access to any Office 365 service requires ADFS to be available!
    9. Identity Architecture Comparison
       • Microsoft Online IDs
         – Pros: no servers required; simple setup
         – Cons: separate user accounts and password policies; potentially higher support costs
       • Microsoft Online IDs with DirSync
         – Pros: coexistence possible; provisioning / deprovisioning performed on-premise
         – Cons: requires additional servers; separate user accounts and password policies; potentially higher support costs
       • Federated IDs with DirSync
         – Pros: coexistence possible; provisioning / deprovisioning performed on-premise; passwords managed on-premise; two-factor authentication possible
         – Cons: requires additional servers; complex to implement and manage
    11. What Does DirSync Enable?
       • Enables Identity and Application coexistence
         – Identities are managed on premises
           • Copies users, groups, and contacts into Office 365
           • Enables easy identity federation
         – Enables application coexistence
           • On-premises Microsoft Exchange and Microsoft Lync services work with their corresponding cloud services
           • Lync users on-premises IM cloud users, and on-premises mail routes to the cloud (and the cloud routes back to on premises)
         – Enables rich coexistence features in Exchange, including write-back to the on-premises directory
       • Populates the Windows Azure Active Directory service
         – Can be used with other Microsoft cloud services, federation with third party cloud services and applications
    12. What’s Under the Hood?
       • Shrink wrapped appliance version of Forefront Identity Manager (FIM)
         – Frequent updates – dows-azure-active-directory-sync-tool-version-release-history.aspx
       • Appliance is preconfigured to synchronize everything in your AD with Office 365
         – Passwords are not synchronized to Azure AD by default
       • There are very few settings which can be configured in DirSync (in a supported manner)
    13. DirSync Challenges
       • The native DirSync appliance does not support a number of potential customer scenarios
         – Multi-forest Active Directory topologies
         – Authoritative data sources other than Active Directory
       • A custom FIM deployment with the Azure AD connector can be built to address these scenarios
         – Requires deep subject matter expertise in FIM
         – FIM deployment now has a dependency on changes and upgrade requirements for Azure
       • Many common Active Directory data errors will cause directory synchronization errors
         – Use IdFix toolset to identify and correct data
       • Tenants that require more than 100,000 synchronized objects must contact Microsoft support to have their tenant limit raised
         – This can take some time – plan in advance
    14. User Principal Names
       • Users will log in to Office365 with their UPN
         – Ideally this matches the user’s primary email address
       • UPN must be a routable domain that you can prove ownership of
         – No .local domains
         – No domains that you don’t own
       • Multiple UPN suffixes are acceptable
       • You may need to re-assign or scrub UPNs in your forest
         – Communicate UPN to your users if it doesn’t match email address
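The UPN clean-up the slide describes, as an added PowerShell example that is not part of the deck: it reports every enabled user whose UPN suffix is not one of the domains verified in the tenant and, where the user's mail attribute carries a verified domain, re-assigns the UPN to it. The ActiveDirectory module, the function names and the `contoso.com` / `fabrikam.com` domains are assumptions for illustration.

```powershell
# Added example: audit and repair non-routable UPN suffixes before enabling DirSync.
# Assumes the ActiveDirectory module; $VerifiedDomains are placeholders for the
# domains whose ownership you have proven in the Office 365 tenant.
Import-Module ActiveDirectory

function Get-UpnSuffixReport {
    param(
        [Parameter(Mandatory)][string[]]$VerifiedDomains,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties UserPrincipalName, mail |
    ForEach-Object {
        $upnSuffix  = ($_.UserPrincipalName -split '@')[-1]   # e.g. corp.local
        $mailDomain = if ($_.mail) { ($_.mail -split '@')[-1] } else { $null }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            CurrentUpn     = $_.UserPrincipalName
            UpnRoutable    = $VerifiedDomains -contains $upnSuffix
            MatchesMail    = [bool]($_.mail -and ($_.UserPrincipalName -eq $_.mail))
            # Proposed fix keeps the UPN prefix and switches to the (verified) mail domain
            ProposedUpn    = if ($mailDomain -and ($VerifiedDomains -contains $mailDomain)) {
                                 ($_.UserPrincipalName -split '@')[0] + '@' + $mailDomain
                             } else { $null }
        }
    }
}

function Repair-UpnSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$VerifiedDomains)
    Get-UpnSuffixReport -VerifiedDomains $VerifiedDomains |
        Where-Object { -not $_.UpnRoutable -and $_.ProposedUpn } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, "Set UPN to $($_.ProposedUpn)")) {
                Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.ProposedUpn
            }
        }
}

# Review the report first; users with no proposed UPN need a manual decision.
Get-UpnSuffixReport -VerifiedDomains 'contoso.com', 'fabrikam.com' |
    Where-Object { -not $_.UpnRoutable } | Format-Table -AutoSize

# Dry run, then drop -WhatIf once the list has been reviewed and users informed.
Repair-UpnSuffix -VerifiedDomains 'contoso.com', 'fabrikam.com' -WhatIf
```

Because DirSync matches cloud accounts on the UPN, run this before the first synchronization; changing a UPN after users have been provisioned in Office 365 is a much noisier change.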
    15. IdFix Toolset
    16. Server Requirements
       • Windows Server 2008 R2 or Windows Server 2012
       • Domain Joined
         – Cannot be a domain controller
       • SQL Server Express Edition
         – 50,000 or more objects requires full SQL Server installation
         – SQL Server 2008 R2 or better is supported
       • Virtually no advantage to increasing CPU count
         – The FIM Synchronization Service is a single threaded application
         – Memory and disk I/O will improve sync performance if you have a large environment
       • DirSync appliance could be installed on an Azure virtual machine
         – Configure a point-to-site virtual network VPN in Windows Azure
    17. DirSync Installation Prerequisites
       • Enterprise Administrator level Active Directory permissions
       • Setup will perform a number of tasks
         – Create a service account for DirSync in the forest root domain
         – Delegate the service account permissions to use the DirSync LDAP control in Active Directory
         – Optionally delegate the service account access to write-back attributes
       • Once setup is complete, elevated privileges are no longer necessary
    18. DirSync On-Premises Active Directory Changes (Exchange full fidelity feature → attribute written back)
       • Filtering coexistence provides on-premises filtering with cloud sourced safe/blocked sender data → SafeSendersHash, BlockedSendersHash, SafeRecipientHash
       • Online Archive mailbox in the cloud → msExchArchiveStatus
       • Move mailboxes back and forth between cloud and on-premises; Outlook auto-complete and calendaring fidelity → proxyAddresses (adds cloud LegacyExchangeDN value)
       • Enable cloud based Unified Messaging (voicemail) with on-premise Lync deployment → msExchUCVoiceMailSettings
       • Cross-premises mailbox delegation → publicDelegates
       • Cross-premises litigation hold management → msExchUserHoldPolicies
    19. DirSync Installation
    20. Password Synchronization
       • DirSync was updated in June 2013 to support synchronization of password hashes to the cloud
         – Synchronizes passwords for all users in scope of DirSync
         – Hash of the on-premises Active Directory password hash is sent to the cloud
       • Password changes are synchronized to the cloud every two minutes
       • Office365 Change password button is hidden for users that have a synchronized password
         – User is also configured such that their cloud password never expires
    21. Common DirSync Tweaks
       • Run DirSync manually
         – %ProgramFiles%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
         – Start-OnlineCoexistenceSync
       • Filter objects in specific organizational units or domains
         – Modify container selection in “Active Directory Connector” Management Agent
       • Filter objects based on an attribute in AD
         – Create a connector filter in “Active Directory Connector” Management Agent
       • If you make an error and erroneously filter objects, they will be deleted from Office 365
         – Deletes are “soft” and objects can be recovered for thirty days
       • Management Agent configuration UI: C:\Program Files\Windows Azure Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
    22. Container Selection in DirSync
    23. Configuring a Connector Filter
    24. Troubleshooting Bad Data
    26. Application Authentication Before Federation
       • Standalone credential stores
       • Integrated with Active Directory via LDAP
         – Forms based pages
         – Custom code
       • Windows Integrated Authentication
         – NTLM
         – Kerberos
       • How do we extend these options into the cloud?
    27. What is Federation?
       • Standardized (sort of) mechanism to assert identity across boundaries
       • Works great with web applications – all HTTP(S)
       • No Active Directory trusts required
       • No Kerberos or NTLM involved between parties
       • You take a federation token to the relying party and present it to access the application
    28. Federation Buzzwords: Tokens and Claims
       • How do I use/make/get tokens? – an STS: security-token service
         – transforms one set of claims to another, issues tokens with claims
         – aka. Identity Provider (IdP) / Claims Provider / Claims Transformer / Federation Provider (FP)
       • What is a token?
         – Proof of identity for a given user
         – Contains a set of claims about the user
       • What is a claim?
         – assertion made by the STS about its users
         – used to make authorization & personalization decisions
       • Who & what supports them? – a “claims-aware application”
    29. What’s a Claim?
       • Attribute Value Pairs
         – Role : “Marketing” – “I am a member of the Marketing group”
         – Email : “” – “My email address is …”
         – HomeTown : “Chicago” – “I am from Chicago.”
       • Populated using information from
         – Active Directory
         – AD Lightweight Directory Service (AD LDS)
         – SQL database
         – Custom source
    30. The Cast (diagram: A. Datum / Fabrikam account forest holding the users, with Active Directory and AD FS; a federation trust to the Contoso resource forest, with its own AD FS and the resource)
    31. The Federation Trust
       • The ADFS servers need to exchange information securely
         – Send public key for the token-signing certificate
         – Tokens are verified by relying party using this key
       • During the setup process you’ll agree on the signing keys, claims formats, etc.
       • Each application will trust a single ADFS server (or server farm)
         – the ADFS server can have many applications that trust it
         – the ADFS server can trust one or more ADFS/federation servers
    32. The ADFS Passive Logon Process (diagram: A. Datum / Fabrikam account forest with user, Active Directory and AD FS; federation trust to the Trey Research / Office365 resource forest with AD FS and SharePoint)
    33. ADFS with Outlook and ActiveSync (diagram: A. Datum / Fabrikam account forest with user, Active Directory and AD FS; federation trust to the Trey Research / Office365 resource forest with AD FS and Exchange)
    34. ADFS Server Topology Options
       • Single internal federation server and a single federation server proxy
       • Load balanced servers and proxies
         – You can use an alternative reverse proxy if you have a need or existing infrastructure
       • Geographically redundant ADFS servers
       • Two important points
         1. Treat your ADFS servers with the same level of security as AD Domain Controllers
         2. Keep in mind that Office 365 availability depends on your ADFS service!
    35. ADFS and SQL Server
       • ADFS requires SQL Server to store configuration information
         – SQL Express
         – Full SQL Server installation
       • ADFS will replicate data between servers if using SQL Express
         – SQL Express does not offer token replay detection or SAML artifact resolution
       • If using full SQL install, don’t forget to account for SQL high availability
         – SQL Server clustering within a given site
         – SQL Server mirroring between sites
    36. Highly Available Single Site ADFS Deployment (diagram: enterprise network with Active Directory and two AD FS 2.x servers behind NLB; DMZ with two AD FS 2.x server proxies behind NLB)
    37. Highly Available Multi Site ADFS Deployment (diagram: Site A and Site B, each with an enterprise network holding Active Directory, two AD FS 2.x servers and a SQL Server cluster behind NLB, and a DMZ holding two AD FS 2.x server proxies behind NLB; GLB in front of each site and SQL mirroring between the sites)
    38. Office 365 ADFS Configuration
       • Install ADFS servers and ADFS proxies
       • Run configuration scripts to configure ADFS for Office365 integration
       • Setup federated domains in Office 365 tenant
         – Use *-MsolFederated* PowerShell cmdlets
       • Testing
         – MOSDAL tool
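The federated-domain setup and the trust check from slides 31 and 38, as an added PowerShell example that is not part of the deck: it converts a verified domain to federated authentication and then confirms that ADFS and Office 365 hold the same token-signing certificate, the key the relying party uses to verify tokens. The MSOnline module cmdlets are real; the domain and server names are placeholders and `Test-FederationTrust` is a helper written here.

```powershell
# Added example: federate a domain with the MSOnline cmdlets and verify the trust.
# Assumes the MSOnline module and an ADFS server reachable over WinRM.
Import-Module MSOnline
$Domain     = 'contoso.com'              # placeholder: domain already verified in the tenant
$AdfsServer = 'adfs01.corp.contoso.com'  # placeholder: primary (configuration-owning) ADFS server

Connect-MsolService                      # prompts for a tenant administrator credential
Set-MsolADFSContext -Computer $AdfsServer

# Convert only if the domain is still managed; the change applies to every user on that suffix.
$domainInfo = Get-MsolDomain -DomainName $Domain
if ($domainInfo.Authentication -eq 'Managed') {
    Convert-MsolDomainToFederated -DomainName $Domain
}

function Test-FederationTrust {
    param([Parameter(Mandatory)][string]$DomainName)
    # Get-MsolFederationProperty returns one record read from ADFS and one from Office 365
    $props = Get-MsolFederationProperty -DomainName $DomainName
    $adfs  = $props | Where-Object { $_.Source -like '*ADFS*' }
    $cloud = $props | Where-Object { $_.Source -like '*Office 365*' }
    $adfsThumb  = $adfs.TokenSigningCertificate.Thumbprint
    $cloudThumb = $cloud.TokenSigningCertificate.Thumbprint
    [pscustomobject]@{
        DomainName       = $DomainName
        IssuerUri        = $adfs.IssuerUri
        PassiveLogOnUri  = $adfs.PassiveLogOnUri
        AdfsThumbprint   = $adfsThumb
        CloudThumbprint  = $cloudThumb
        SigningCertMatch = ($adfsThumb -and ($adfsThumb -eq $cloudThumb))
        IssuerUriMatch   = ($adfs.IssuerUri -eq $cloud.IssuerUri)
    }
}

$result = Test-FederationTrust -DomainName $Domain
$result | Format-List
if (-not $result.SigningCertMatch -or -not $result.IssuerUriMatch) {
    # A mismatch (typically after a token-signing certificate rollover) blocks every
    # Office 365 sign-in for the domain until the cloud side is refreshed.
    Write-Warning "Trust metadata differs between ADFS and Office 365 for $Domain; run Update-MsolFederatedDomain -DomainName $Domain"
}
```

Repeat the check after each certificate rollover and as part of the MOSDAL-style testing the slide mentions; since Office 365 availability depends on ADFS, a stale signing certificate on the cloud side is an outage, not a warning.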
    39. Third Party On-Premises STSs
       • Office365 supports a number of third party federation services (STS – security token service)
       • The list continues to evolve; however, these third party options are currently supported
         – OptimalIDM
         – Ping Federate
         – Shibboleth (common in Higher Education)
       • Limitations may apply to third party solutions – be sure to do your research
    40. Summary
       • AAD DirSync will connect your AD to Office365
       • Plan to spend time cleaning your AD data first
       • Federation is critical as applications move to the cloud
    41. Questions?
    42. Please evaluate the session before you leave