itproceed_transformthedatacenter_ten most common mistakes when deploying adfs and hybrid identity
TRANSCRIPT
Ten most common mistakes
with AD FS and Hybrid Identity
Sander Berkouwer
Tweet and win an Ignite 2016 ticket: #itproceed #activedirectory #hybrididentity
Agenda
Federation
A small primer on the open protocols used today for federating identity and achieving hybrid identity
Most common mistakes
When planning, deploying and operating AD FS
… and how to avoid them
To get the most out of your hybrid identity implementation
Why we need federation
NTLM and Kerberos
Kerberos (1993) was designed for ‘safe’ networks
NTLM and Kerberos have serious problems
Active Directory
Active Directory domain memberships are typically Windows-only
Domain trusts leak information and scale badly
Granular device-agnostic authentication
We need device-agnostic, open protocols, designed for the web
We need multi-factor authentication
Under the hood
[Diagram, steps 1 to 7: Colleague, Claims-aware App, Active Directory Federation Services (acting as STS), Active Directory Domain Services]
Behind the mist
[Diagram, steps 1 to 8: On Premises (Active Directory Domain Services, Active Directory Federation Services, Directory Synchronization Tool), Internet, Azure Active Directory (Active Directory Federation Trust, Azure Active Directory Management API, Azure Active Directory integrated Application), Colleague]
Federation benefits
SAML and OAuth2 are Internet-ready
Transport over the Universal Firewall Bypass Protocol (TCP 443)
Tickets are compressed, optionally encrypted
Relying Party trusts are very flexible
Ticket content and authentication are defined per relying party trust
Relying party trusts are flexible and scalable
Multi-factor authentication
AD FS in Windows Server 2012 R2 is extensible
Extensions are configurable per relying party trust, per network
Some organizations need their own AD FS infrastructure
Local authentication requirements (legal, multi-factor authentication)
Local authentication possibilities (claims issuance, transformation rules)
Azure Active Directory with Password Sync
2488 Software-as-a-Service apps in the Azure Active Directory App Gallery
Easily configure Single Sign-On and user account management
Azure Active Directory
Azure Active Directory Free may contain up to 500,000 accounts
Federating with up to 5 apps is free. Online accounts may suffice
1. AD FS when you don’t need it
2. Build upon an unhealthy Active Directory
Attribute integrity and lingering objects
Objects and attributes present on some Domain Controllers, but not on others
Resulting in unpredictable AD FS authentication
Private top-level domains
DNS domain names for domains ending with .local, .int
The User Principal Name (UPN) needs to be added and changed
UPN syntax mismatches
Critical for solutions with the Directory Sync Tool / Azure Active Directory Sync
Use the IdFix DirSync Error Remediation Tool
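An added example (not from the talk, and not IdFix itself) that finds enabled accounts whose UPN suffix is missing or non-routable, registers a routable suffix on the forest, and previews the UPN change. The suffix contoso.com and the non-routable list are assumptions.

```powershell
# Added example: report and (with -WhatIf) fix UPNs that will not federate or sync.
# Assumes the ActiveDirectory module and that contoso.com is a verified, routable suffix.
Import-Module ActiveDirectory

$routableSuffix = 'contoso.com'                      # assumed public suffix
$nonRoutable    = @('.local', '.int', '.lan', '.internal')

# The routable suffix must exist on the forest before any UPN can use it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $routableSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $routableSuffix }
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail
$problems = foreach ($u in $users) {
    $upn    = $u.UserPrincipalName
    $suffix = if ($upn) { $upn.Split('@')[-1] } else { $null }
    $isBad  = (-not $upn) -or ($nonRoutable | Where-Object { $suffix -like "*$_" })
    if ($isBad) { $u }
}

# Report first, in the spirit of IdFix: show what would change before changing it.
$problems | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

foreach ($u in $problems) {
    # Constructed convention: sAMAccountName@routable suffix; align with the mail attribute
    # in your own environment before removing -WhatIf.
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $routableSuffix
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```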
3. The AD FS Service Account
Password changes, security implications
AD FS is usually Internet-facing, so it benefits from extra security
We want regular password changes, host restrictions, etc.
group Managed Service Accounts (gMSAs)
gMSAs solve ‘the service account problem’ for farms; AD FS supports them
gMSAs offer automatic SPN and password management
Windows Server 2008 DFL
The Windows Server 2008 Domain Functional Level offers automatic SPN management
Windows 8 and Windows Server 2012 (and up) offer Cmdlets
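An added example (not from the talk) of provisioning a gMSA for an AD FS farm so that only the farm members can retrieve its password and AD manages the SPN. The group name ADFS-Servers, the account adfsgmsa, the hosts ADFS01/ADFS02 and the service name sts.contoso.com are assumptions.

```powershell
# Added example: create a gMSA for an AD FS farm. Run as a domain admin on a
# domain with the Windows Server 2012 schema; names below are assumed.
Import-Module ActiveDirectory

# 1. A KDS root key is needed once per forest before any gMSA can be created.
#    -EffectiveImmediately still waits ~10 hours for replication in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Restrict password retrieval to the farm: group the farm members' computer
#    accounts and name that group as the allowed principal.
$farmGroup = 'ADFS-Servers'
if (-not (Get-ADGroup -Filter "Name -eq '$farmGroup'")) {
    New-ADGroup -Name $farmGroup -GroupScope Global -GroupCategory Security
}
'ADFS01', 'ADFS02' | ForEach-Object {
    Add-ADGroupMember -Identity $farmGroup -Members (Get-ADComputer $_)
}

# 3. The gMSA: AD rotates the password itself and holds the host/ SPN that
#    clients use to get a Kerberos ticket for the federation service.
New-ADServiceAccount -Name 'adfsgmsa' `
    -DNSHostName 'sts.contoso.com' `
    -ServicePrincipalNames 'host/sts.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $farmGroup

# 4. On each farm member, after a reboot so the new group membership applies:
#    Install-ADServiceAccount adfsgmsa
#    Test-ADServiceAccount adfsgmsa      # expect True before touching AD FS

# 5. Point the farm at the gMSA; the trailing $ marks a managed account.
#    Install-AdfsFarm -CertificateThumbprint '<service-cert-thumbprint>' `
#        -FederationServiceName 'sts.contoso.com' `
#        -GroupServiceAccountIdentifier 'CONTOSO\adfsgmsa$'
```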
4. Designing the right AD FS infrastructure
AD FS Server Farms
AD FS can easily be deployed highly available, if need be with Windows NLB
AD FS Proxies / Web Application Proxies can be deployed in perimeter networks
Windows Internal Database or SQL Server
A WID farm has a limit of five federation servers and does not support token replay detection or artifact resolution
SQL Server High Availability
Take advantage of your existing SQL Server investments
Take advantage of database mirroring, failover clustering, monitoring
5. Skewed Time Synchronization
Time Sync within an Active Directory environment
W32time follows the Active Directory hierarchy and sites configuration
Set the time for an environment through the PDCe
Time Sync within Virtual Machines
Virtual machines always sync time with the host on boot
Continuous time sync is configured with VMware Tools, Hyper-V Integration Components, etc.
Time Sync within Perimeter Networks
Could be virtual machine time sync, could be an external source
Will be none, if you don’t configure it…
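An added example (not from the talk) that measures the clock skew between an AD FS host and the PDC emulator and re-points W32time at the domain hierarchy when the skew is too large. The 300-second threshold is the Kerberos default and is an assumption; a perimeter proxy that cannot reach the PDCe should be compared against its configured NTP peer instead.

```powershell
# Added example: check clock skew against the PDCe from a federation server.
# Assumes the ActiveDirectory module and WinRM access to the PDC emulator.
Import-Module ActiveDirectory

$maxSkewSeconds = 300   # assumed tolerance; token validity windows are often tighter

$pdce = (Get-ADDomain).PDCEmulator

# What this host currently syncs from. 'Local CMOS Clock' or a VM time provider
# on a domain member means the AD hierarchy is not being followed.
w32tm /query /source

# Sample both clocks in one round trip; WinRM latency adds a fraction of a second.
$remote = Invoke-Command -ComputerName $pdce -ScriptBlock { (Get-Date).ToUniversalTime() }
$local  = (Get-Date).ToUniversalTime()
$skew   = [math]::Abs(($local - $remote).TotalSeconds)

if ($skew -gt $maxSkewSeconds) {
    Write-Warning ("Clock skew to {0} is {1:N1}s; issued tokens will fail validation." -f $pdce, $skew)
    # Follow the domain hierarchy again and force a resync (elevated shell).
    w32tm /config /syncfromflags:domhier /update
    w32tm /resync /force
} else {
    Write-Host ("Clock skew to {0} is {1:N1}s (within {2}s)." -f $pdce, $skew, $maxSkewSeconds)
}
```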
6. Certificate Distrust
Certificates in use by AD FS
Token-signing and token-decryption certificates
Service communication certificate
Certificates with 1024-bit key length
Certificates under 1024 bits key length are blocked
Request and use certificates with 2048-bit key length throughout the chain
Certificates with SHA-1 hash algorithm
Starting 2016, SHA-1 will be deprecated
Request and use certificates with SHA-2 hash algorithms throughout the chain
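An added example (not from the talk) that walks the full chain of every certificate AD FS uses and flags keys shorter than 2048 bits and SHA-1 signatures, which is the "throughout the chain" check the slide asks for. It assumes the ADFS module on a federation server; the minimum key length is a parameter.

```powershell
# Added example: audit key length and signature algorithm of AD FS certificate chains.
Import-Module ADFS

$minKeyBits = 2048

$findings = foreach ($entry in Get-AdfsCertificate) {
    # Build the chain as a client would see it (leaf, intermediates, root).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($entry.Certificate)
    foreach ($el in $chain.ChainElements) {
        $c      = $el.Certificate
        $bits   = $c.PublicKey.Key.KeySize
        $alg    = $c.SignatureAlgorithm.FriendlyName
        $isRoot = ($c.Subject -eq $c.Issuer)
        [pscustomobject]@{
            Purpose   = $entry.CertificateType          # Token-Signing, Token-Decrypting, Service-Communications
            Primary   = $entry.IsPrimary
            Subject   = $c.Subject
            KeyBits   = $bits
            Signature = $alg
            NotAfter  = $c.NotAfter
            WeakKey   = ($bits -lt $minKeyBits)
            # A self-signed root's own signature is never validated by clients,
            # so SHA-1 only matters on the leaf and intermediates.
            Sha1      = (-not $isRoot) -and ($alg -match 'sha1')
        }
    }
    $chain.Reset()
}

$findings | Format-Table Purpose, Primary, Subject, KeyBits, Signature, NotAfter, WeakKey, Sha1 -AutoSize

$bad = @($findings | Where-Object { $_.WeakKey -or $_.Sha1 })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) certificate(s) in the AD FS chains need to be replaced."
}
```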
7. Forget Enterprise Registration
AD FS in Windows Server 2012 R2
Many new features!
Workplace Join
Device-agnostic silent Single Sign-On (SSO)
Employees verify devices, enroll a certificate, get a cookie
EnterpriseRegistration
Workplace Join AutoDiscover requires a DNS record per UPN suffix
Use enterpriseregistration.domain.tld as Subject Alternative Name
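An added example (not from the talk) that checks, for every UPN suffix in the forest, whether an enterpriseregistration CNAME points at the federation service and whether the service communication certificate carries the matching Subject Alternative Name. It assumes the ActiveDirectory and ADFS modules on a federation server and that the CNAME targets the federation service host name.

```powershell
# Added example: verify Workplace Join AutoDiscover prerequisites per UPN suffix.
Import-Module ActiveDirectory
Import-Module ADFS

$fsName   = (Get-AdfsProperties).HostName
$forest   = Get-ADForest
$suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes) | Sort-Object -Unique

# SANs on the primary service communication certificate.
$svcCert = (Get-AdfsCertificate -CertificateType Service-Communications |
            Where-Object { $_.IsPrimary }).Certificate
$sanExt  = $svcCert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sans    = if ($sanExt) {
    # Formatted as "DNS Name=a, DNS Name=b"; keep the values only.
    $sanExt.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1].Trim() }
} else { @() }

$results = foreach ($suffix in $suffixes) {
    $name   = "enterpriseregistration.$suffix"
    $dns    = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
    $target = ($dns | Where-Object { $_.QueryType -eq 'CNAME' }).NameHost
    [pscustomobject]@{
        Suffix      = $suffix
        CnameTarget = $target
        DnsOk       = ($target -eq $fsName)     # assumption: CNAME points at the federation service
        SanOk       = ($sans -contains $name)
    }
}

$results | Format-Table -AutoSize
$missing = @($results | Where-Object { -not ($_.DnsOk -and $_.SanOk) })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) UPN suffix(es) lack the DNS record or SAN for Workplace Join."
}
```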
8. Windows Updates, anyone?
AD FS is regularly updated
Security updates, like MS15-062
Scalability and stability updates
AD FS uses Windows Update
AD FS updates don’t require Microsoft Update :-)
AD FS updates only light up after installing the Server Role
Wait, test, then deploy updates
Wait two weeks before deploying updates, or
Deploy updates to a test network before production
9. Best Practices Analyzers
Best Practices Analyzers
Part of Server Manager in Windows Server 2008 R2 and up
Avoid 90% of situations with data or functionality loss
AD FS Best Practices Analyzer
Checks the Active Directory Federation Service
Will be updated with additional checks in the future
Other BPAs of use:
Active Directory Domain Services Best Practices Analyzer
Active Directory Certificate Services Best Practices Analyzer
10. Processes, processes, processes
Monitoring of the AD FS Service
Check the availability and/or usage of the AD FS infrastructure
Use System Center Operations Manager with GSM, Azure Operational Insights and/or the Azure Active Directory Connect Health Service *
Auditing of the AD FS Service
AD FS offers built-in auditing and logging of errors, warnings, information
Auditing of claims issuance
Logging of success and failure audits
Log suspicious or unintended activity
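An added example (not from the talk) that turns on success and failure auditing for a Windows Server 2012 R2 federation server and pulls the failure audits of the last 24 hours, which is where unintended activity first shows up. The provider name 'AD FS Auditing' and the 24-hour window are assumptions.

```powershell
# Added example: enable AD FS audits and list recent failure audits.
# Run elevated on a federation server with the ADFS module.
Import-Module ADFS

# 1. Windows only records application audits if this subcategory is enabled.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 2. Make AD FS emit success and failure audits in addition to its normal logging.
Set-AdfsProperties -LogLevel @('Errors', 'Warnings', 'Information', 'SuccessAudits', 'FailureAudits')

# 3. Audits land in the Security log; the provider name below is assumed.
$since    = (Get-Date).AddHours(-24)
$failures = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }

# First line of the message is enough to triage; forward the rest to your SIEM.
$failures |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

Write-Host ("{0} failure audit(s) since {1:u}" -f @($failures).Count, $since)
```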
Avoid the mistakes and you’ll be fine
1. Don’t build AD FS when you don’t need to
2. Don’t build upon an unhealthy Active Directory
3. Use gMSAs instead of ‘ordinary’ service accounts for AD FS
4. Design the right infrastructure
5. Take care of adequate time synchronization
6. Use certificates with 2048+ bit key length and SHA-2 algorithm
7. Don’t forget to plan for Enterprise Registration
8. Don’t forget to install Windows Update
9. Don’t forget to use the Best Practices Analyzers
10. Monitor, audit and backup the AD FS infrastructure
Rules of thumb
AD FS is an extension to Active Directory
Make sure Active Directory is healthy
Rename, migrate or restructure .local domains
Plan your AD FS implementation
Set requirements, plan accordingly, deploy securely
Take care of adequate time synchronization
Don’t forget to manage AD FS
Use the Best Practices Analyzers (BPAs)
Take care of information security, like monitoring, auditing, backup
Follow Technet Belgium
@technetbelux
Subscribe to the TechNet newsletter
aka.ms/benews
Be the first to know