Raymond Comvalius & Sander Berkouwer - Bring Your Own Device Essentials with Windows Technologies
Post on 19-Oct-2014
Bring Your Own Device Essentials with Windows Technology, Part 1
Raymond Comvalius & Sander Berkouwer
Please take all the photos you like, but we would like to point out:
Sharing is caring
@NEXTXPERT @SanderBerkouwer @NICConf
Introduction
Sander Berkouwer
• MCSA, MCSE, MCITP
• Microsoft MVP since 2009
• Blogger at DirTeam.com/ActiveDir.org and ServerCore.Net
• Microsoft Tech Lead at OGD ict-diensten since 2000
Introduction
Raymond Comvalius
• MCSA, MCSE, MCITP, MCT
• Microsoft MVP since 2011
• Author of Windows 7 for XP Professionals and Updating Support Skills…
• Independent IT Architect, specialized in IT Infrastructure since 1998
Introducing Bring Your Own
Fact or Fiction…
• Domain Join is almost legacy
• Kerberos and LDAP are for trusted networks only
• A mobile device can be an authentication factor
• HTTP(S) is the Universal Firewall Bypass Protocol
• Exchange ActiveSync was way ahead of its time
• Without PKI and certificates you're out
Reality
51% of employees between the ages of 21 and 32 choose to deliberately ignore corporate policies when they apply to:
• Corporate use of privately-owned devices (BYOD)
• Cloud storage
• Wearable devices
[Chart: Netherlands versus Worldwide, age group 21 - 32 years; the two figures shown are 57% and 51%]
Source: Fortinet, October 22, 2013
Bring Your Own
[Diagram: Employees bring their own Devices, Apps and Information; the concerns are Management | Access | Security]
Bring Your Own
Facilitating access to company IT resources with devices owned by employees and other entities
Bring Your Own Device
[Diagram: BYO covers Devices, Applications and Data, split between Corporate and Non-corporate]
Authentication
• Username + Password + ? = MFA (Multi-Factor Authentication)
Health
• Patch levels are up-to-date
• Not jailbroken or hacked by Anonymous
Policies
• Device is sufficiently secured
• Complies with minimum security policies
Solid BYO
Bring Your Own Building Blocks
• Solid Management: System Center, Windows Intune
• Solid Authentication: AD Domain Services, AD Federation Services, Windows Azure AD
• Solid Authorisation: Workplace Join, Web Application Proxy
• Solid Data Protection: Azure RMS
Solid Authentication
Current challenges
Current protocols lack flexibility
• Kerberos tickets are encrypted, cannot split
• Kerberos tickets only contain SIDs
Active Directory trusts provide too little flexibility
• Trusted domains share too much information
• Domain Trusts lack scalability
Multi-Factor Authentication
• Verifying user identity is crucial
• Username and password is not good enough
Current Authentication (Kerberos)
Parties: Client, KDC (Domain Controller), Resource
1. Client to Resource: May I access your resources?
2. Resource to Client: Go get a ticket at the KDC
3. Client to KDC: May I have a Ticket? + Here is my TGT
4. KDC to Client: Here is a Service Ticket
5. Client to Resource: May I have access? + Service Ticket
6. Resource to Client: Here are the resources
Solution
Authentication with AD Federation Services
Authentication with AD FS (SAML)
Parties: Client, STS (AD FS), Resource
1. Client to Resource: May I access your resources?
2. Resource to Client: Go get a token at the STS (redirect)
3. Client to STS: May I have a token? + credentials
4. STS to Client: Here is your (SAML) token
5. Client to Resource: May I have access? + (SAML) token
6. Resource to Client: Here are the resources
AD FS benefits
SAML and OAuth2 are “web ready”
• Transport over SSL channel
• Tokens are optionally encrypted
Relying Party trusts are very flexible
• Token contents are defined per Relying Party (RP) Trust
• Relying Party Trusts are scalable
Multi-Factor Authentication
• AD FS authentication is “extensible” for third parties
Claims vs Tickets
Claim Tokens instead of Tickets
• More flexibility with inbound and outbound filtering
• Web based protocol, optional encryption
Relying Parties replace Domain Members and Trusts
• Relying Parties have fine grained definitions
• Less dependent, requires little information
Rich authentication scenarios
• Even the authentication method is a claim
• Anything can be an authentication factor
Claims vs. Tokens
                   | Encryption | Transport                      | Contents           | Limits                        | Security
Claims in SAML     | Optional   | HTTP (TCP 80), HTTPS (TCP 443) | XML-based          |                               | Signing, Replay Protection
Claims in Kerberos |            | Kerberos (TCP 88)              | XML-based          | MaxTokenSize, Ticket Lifetime | Mutual Auth, PAC Validation
Tokens             |            | Kerberos (TCP 88)              | Authorization data | MaxTokenSize, Ticket Lifetime | Mutual Auth, PAC Validation
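The checks a Relying Party performs on the SAML token from the AD FS flow above (validity window as the counterpart of ticket lifetime, audience as defined per Relying Party Trust, replay protection, and the authentication method carried as a claim), as an added Python example that is not part of the presentation. It assumes the XML signature was already verified by the XML-DSig layer; the issuer, audience, user and timestamps in the sample assertion are constructed values.

```python
# Added example: relying-party-side validation of a SAML 2.0 assertion. The XML
# signature is assumed to be verified already by the XML-DSig layer (not shown);
# this covers lifetime, audience and replay, and reads the claims it carries.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
AUTHN_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
MFA = "http://schemas.microsoft.com/claims/multipleauthn"  # value AD FS issues after MFA

# Constructed sample assertion: issuer, audience, user and times are made up.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_id-0001" Version="2.0"
    IssueInstant="2014-10-19T10:00:00Z">
  <saml:Issuer>http://sts.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2014-10-19T10:00:00Z" NotOnOrAfter="2014-10-19T11:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{UPN}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{AUTHN_METHOD}"><saml:AttributeValue>{MFA}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_audience, now, seen_ids):
    """Return (claims, None) if acceptable, else (None, reason); seen_ids is the replay cache."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "no Conditions element"
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None, "assertion was issued for another relying party"
    if root.get("ID") in seen_ids:
        return None, "assertion ID already seen (replay)"
    seen_ids.add(root.get("ID"))
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims, None

def authenticated_with_mfa(claims):
    # The authentication method is itself a claim, so the RP can require MFA per token.
    return MFA in claims.get(AUTHN_METHOD, [])
```

The replay cache only needs to remember an ID until that assertion's NotOnOrAfter has passed, since the lifetime check rejects it afterwards anyway.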
Demo
Configuring SAML Authentication
Solution
Windows Azure Active Directory
Introducing Azure Active Directory
Modern Identity Management
• Free REST-based web service for authentication
• Identity and Access Management for cloud services
Cloud Identity Management
• Identity and Access Management for Windows Azure, Office 365, CRM Online, Windows Intune, etc.
100% interoperability
• Based on open standards, like SAML and WS-Fed
• Full support for 3rd party identity providers
Integration options for Azure AD
Scenarios for identity
Option                        | Integration                                      | Complexity        | Requirements
Portal                        | Separate credentials, 2x logon                   | Low complexity    | No need for extra hardware
PowerShell / Graph API        | Separate credentials, 2x logon                   | Medium complexity | No need for extra hardware
DirSync with Cloud identities | Same username, other password, 2x logon          | Low complexity    | Windows Server required
DirSync with Password Sync    | Same username and password, 2x logon             | Low complexity    | Windows Server required
DirSync with Federation       | Same username and password, SSO on-prem, MF Auth | High complexity   | Requires extra Windows Servers
Advanced Authentication to Azure AD
[Diagram, numbered steps 1 to 8: On Premises (Active Directory Domain Services, Active Directory Federation Services, Directory Synchronization Tool) connected to Azure Active Directory (Access Control Service, Management API, Integrated Application) through an Active Directory Federation Trust; the Colleague signs in to the Azure Active Directory Integrated Application]
Current challenges
Smart Cards for MFA with Active Directory
• Smart Card readers never became a commodity
• Smart Cards require extra hardware
Smart Cards require PKI
• Expensive with a public Certificate Authority
• Kerberos or Browser authentication
User Friendliness
• Is a smart card convenient for BYOD?
• We now have alternatives for a card
Solution
Multi-Factor Authentication
Multi-Factor Authentication with AD FS
Extensible Authentication Model
• API for 3rd party extensions
• Default support for Smart Cards
Azure PhoneFactor
• Simple implementation
• Phone Call, Text Message, App or OATH passcode
Not just PhoneFactor
• Multiple vendors support AD FS MFA
PhoneFactor Multi-Factor Authentication
[Diagram, numbered steps 1 to 9: On Premises holds Active Directory Domain Services, the On-premises Application and the Multi-Factor Authentication Server; the Multi-Factor Authentication Service sits outside; the Colleague is the user signing in]
Join us for Part 2!
Part 1 and Part 2
There’s a lot to cover in terms of Bring Your Own (BYO). We’re only half way now…
This Part
We’ve discussed Solid Authentication. You now know why Kerberos is going away.
Part 2
There’s another hour of BYO Goodness coming! This afternoon from 13:40 to 14:40
Questions?
Please evaluate our session.
Sessions of Interest Today
• Adventures in Underland: What Passwords Do When No One Is Watching, Paula Januszkiewicz, Auditorium 6, 12:20 - 13:20
• Managing Mobile Devices with System Center 2012 R2 ConfigMgr and Windows Intune, Wally Mead, Auditorium 3, 13:40 - 14:40
• Identity and Directory Synchronization with Office 365 and Windows Azure AD, Brian Desmond, Auditorium 1, 15:00 - 16:00
Thank You!
Bring Your Own Device Essentials with Windows Technology, Part 2
Raymond Comvalius & Sander Berkouwer
Solid Authorization
Current challenges
Group membership is too strict
• Based on a single attribute
• Becomes uncontrollable very fast
Cross organization access
• Organizations must trust each other a lot
• Connections are not always stable
Token bloat
• A ticket with too many SIDs is not accepted
• Causes inconsistencies during logon
Claims for rich authorization scenarios
Rich authorization
Claims can be based on Group Membership or on:
• Any property of a user account (e.g. Department)
• Or occurrence of the user in the address list
• Or the location of the computer
… or combinations of the above
… or external claims.
Solution
Claims
Claims in Tokens and/or Kerberos Tickets
Claims in SAML/OAuth2 and/or Kerberos
• Claims in SAML via Federation Services
• Claims in Kerberos via Dynamic Access Control
Benefits of Claims in Kerberos
• Claims can be based on any attribute
• Authorisation in ACLs exceeds user status
Benefits of Claims in SAML/OAuth2
• Kerberos and LDAP are not web based protocols
• Active Directory is not a web based product
Authorisation with Bring Your Own
Claims-aware applications
• Active Directory Federation Services
• Relying Party (RP) processes the claims
Data
• Work Folders allow for file server synchronisation
• SkyDrive Pro offers synchronisation with SharePoint
Windows-integrated web applications
• Web Application Proxy in Windows Server 2012 R2
• Translate claims from SAML to Kerberos with KCD
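An evaluator for access rules of the kind these authorization slides describe, combining user attributes (Department, group membership), device claims and the authentication-method claim in any combination, as an added Python example that is neither the presentation's code nor the rule language of AD FS or Dynamic Access Control. The claim names (User.Department, Device.Registered, Device.Location and so on), the sample values and the three rules are constructed for the example.

```python
# Added example: claims-based access rules over user, device and authentication-
# method claims, walked over a whitelisted AST so rule text is never passed to eval().
import ast
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
           ast.Compare, ast.Eq, ast.NotEq, ast.In, ast.Attribute, ast.Name,
           ast.Constant, ast.Load)
MFA = "http://schemas.microsoft.com/claims/multipleauthn"  # AD FS authentication-method value

def _eval(node, env):
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):           # only the claim namespaces User and Device
        if node.id not in env:
            raise ValueError(f"unknown claim namespace: {node.id}")
        return env[node.id]
    if isinstance(node, ast.Attribute):      # a claim that is absent evaluates to None
        return _eval(node.value, env).get(node.attr)
    if isinstance(node, ast.UnaryOp):        # only 'not' survives the whitelist
        return not _eval(node.operand, env)
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, env) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        left, right, op = _eval(node.left, env), _eval(node.comparators[0], env), node.ops[0]
        if isinstance(op, ast.Eq):
            return left == right
        if isinstance(op, ast.NotEq):
            return left != right
        return right is not None and left in right   # ast.In
    raise ValueError("unsupported expression")

def evaluate(rule, user, device):
    """True if the rule holds for these user and device claims; ValueError on bad syntax."""
    tree = ast.parse(rule, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError(f"disallowed syntax in rule: {type(node).__name__}")
    return _eval(tree.body, {"User": user, "Device": device})

def grant(rules, user, device):
    """Permissions whose rule holds; rules maps permission name -> rule text."""
    return sorted(p for p, r in rules.items() if evaluate(r, user, device))
# Constructed rules: 'read' needs a Finance user on a registered device, 'change'
# additionally needs MFA, 'admin' needs a group membership and a device at HQ.
RULES = {
    "read":   'User.Department == "Finance" and Device.Registered',
    "change": 'User.Department == "Finance" and Device.Registered and "' + MFA + '" in User.AuthenticationMethod',
    "admin":  '"Finance Admins" in User.Groups and Device.Location == "HQ"',
}
```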
Solution
Workplace Join
Introducing Workplace Join
Claims
• Employees verify devices
• Claims provided by Active Directory Federation Services
Service Discovery
• DNS Record (enterpriseregistration) for AutoDiscover
• DNS Record required per user domain
Certificates
• Verified devices enroll a certificate from AD FS
• Per device an object in the Registered Devices container
Workplace Join Internals
Cookies
• Permanent Cookie enables Single Sign-on
Active Directory
• msDS-Device object in Active Directory
• Tied to the user/device combination
Certificate
• In local User Store from MS-Organization-Access
• Workplace Join requires working CRL for AD FS SSL Cert
Demo
Workplace Join
Solid Access
Current Challenges
Server Message Block (SMB)
• Discloses Windows-based file servers
• Not optimized for the web
Remote Procedure Call (RPC)
• Discloses remote Windows functionality
• Not optimized for the web
HTTP for everything
• HTTP (with/without SSL) to be used as the standard protocol
• HTTP is the universal firewall bypass protocol
Solution
Work folders
File Server
Work Folders positioning
[Positioning diagram: data types (Personal data, Individual business data, Team/Department business data) against locations (Personal devices, Public Cloud, SharePoint and/or Office 365, File Server), placing SkyDrive, SkyDrive Pro, Folder Redirection and Work Folders]
Work Folders Internals
HTTP-based file synchronisation
• DNS Record (workfolders) for AutoDiscovery
• Windows Authentication or AD FS (OAuth2)
Standard Policies
• Password policy and device lock
• Policies cannot be customized
Encryption and remote wipe
• Encryption based on EFS Enterprise Key
• Functional remote wipe initiated from Exchange / Intune
Current Challenges
TMG is End-of-Life
• We must have a Reverse Proxy
• Pre-authentication with Active Directory integration
Groups are insufficient for authorization
• Client properties can be used for allow/deny access
• Existing web apps often not claims-aware
Publish AD Federation Services on the Internet
• Disclosing Active Directory on the Internet is no option
• Internet accessible services in the Perimeter network
Solution
Web Application Proxy
Introducing Web Application Proxy
Edge Role
1. AD FS Proxy configuration on the AD FS Server
2. Reverse Proxy for HTTPS with pre-authentication
Custom claims
• Configurable in AD Federation Services from multiple sources
Kerberos Constrained Delegation
• Web App Proxy translates SAML to Kerberos
• Requires Service Principal Names (SPNs)
Internal access to a claims based app
[Diagram, numbered steps 1 to 7: the Employee on premises signs in to Active Directory Federation Services (acting as STS), backed by Active Directory Domain Services, and presents the token to the Claims-based App over its Relying Party Trust]
BYO Access to a claims based app
[Diagram, numbered steps 1 to 7: the Colleague reaches the Claims-based App through the Web App Proxy (Reverse Proxy and AD FS Proxy); Active Directory Federation Services (acting as STS), backed by Active Directory Domain Services, issues the token over the Relying Party Trust]
BYO Access to a non-claims aware app
[Diagram, numbered steps 1 to 10: the Colleague authenticates through the Web App Proxy (Reverse Proxy and AD FS Proxy) against Active Directory Federation Services (acting as STS); the Web App Proxy then uses Delegation with Active Directory Domain Services to reach the Kerberos App]
Solid Management
Managing Bring Your Own
Not a single method to offer applications
• Organizations use multiple methods
• Unclear and hard to report
Applications for multiple platforms
• Not just Windows, but also Mac OS
• Not just desktops, laptops, but also tablets, etc.
Application distribution is hard
• Not all devices are connected to the network
• Not all devices can be connected to the network
Solution
Windows Intune
ConfigMgr with Windows Intune
[Diagram: the Employee's devices are managed by System Center Configuration Manager 2012 R2 On Premises together with Windows Intune, giving Central Management and Reporting]
Conclusion
Bring Your Own
[Diagram: BYO covers Devices, Applications and Data, split between Corporate and Non-corporate]
Bring Your Own
• Solid management: System Center, Windows Intune
• Solid authentication: AD Domain Services, AD Federation Services, Windows Azure AD
• Solid authorization: Workplace Join, Web Application Proxy
• Solid access: Azure RMS
Questions?
Please evaluate our session.
Thank You!