Single Sign-On Showdown: ADFS vs Pass-Through Authentication

Max Fritz, Solutions Architect, SADA Systems

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM

Slide transcript, posted 27-May-2019

Azure AD Identity Sync & Auth Timeline

2009
• DirSync introduced for identity synchronization

2012
• DirSync becomes Azure AD Sync

2013
• Password Hash Sync added to AAD Sync

2015
• Azure AD Sync becomes Azure AD Connect
• Introduces Health engine

2017
• msDS-ConsistencyGuid as source anchor
• Pass-through Authentication introduced
• Seamless SSO introduced

Azure AD Authentication Methods Today

Cloud Only Identity

• Identities exist only in AAD

• Authentication handled by AAD

Password Hash Synchronization

• Identities synced to AAD

• Authentication handled by AAD

Pass-through Authentication

• Identities synced to AAD

• Authentication handled by local AD

Federated (ADFS)

• Identities synced to AAD

• Authentication handled by local AD

3rd Party Federated

• Identities synced to AAD

• Authentication handled by third-party

Password Hash Synchronization, Pass-through Authentication and Federated (ADFS) all depend on identity synchronization through Azure AD Connect; only the place where the password is checked differs.

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM

Sidebar: What is Azure AD Connect?

• Application installed on a Windows machine within your environment
• Integrates local Active Directory with Azure Active Directory
• Sync engine based on Microsoft Identity Manager (shared codebase)
• Uses a local SQL Server Express LocalDB instance for the sync database by default (a separate, full SQL Server can be used instead)
• Includes a monitoring component: Azure AD Connect Health
• Free for all Azure AD customers (so just free ☺)
• Can deploy and manage ADFS installations

Azure AD Connect (AADC) is required for all of the authentication methods covered today.

Installation and basic configuration of AADC will not be demonstrated, but AADC is part of some of the demos.

Authentication Methods: How we will rank

Ease of Implementation

Security

Customization Options

Available Features

Usability

Maintenance & Reliability


Scoreboard (blank, to be filled in)

Criterion                  | Password Sync + Seamless SSO | PTA + Seamless SSO | ADFS (2019)
Ease of Implementation     | ☆☆☆☆☆                        | ☆☆☆☆☆              | ☆☆☆☆☆
Security                   | ☆☆☆☆☆                        | ☆☆☆☆☆              | ☆☆☆☆☆
Customizations             | ☆☆☆☆☆                        | ☆☆☆☆☆              | ☆☆☆☆☆
Features                   | ☆☆☆☆☆                        | ☆☆☆☆☆              | ☆☆☆☆☆
Usability                  | ☆☆☆☆☆                        | ☆☆☆☆☆              | ☆☆☆☆☆
Maintenance & Reliability  | ☆☆☆☆☆                        | ☆☆☆☆☆              | ☆☆☆☆☆
Score                      | 0                            | 0                  | 0

Password Hash Synchronization

• Involves syncing hashed passwords to Azure AD
• Relies on Azure AD Connect
• Password hashes synced every 2 minutes
• Authentication is completely cloud based

Password Hash Sync: How the Hash Reaches Azure AD

On premises (Azure AD Connect and a Domain Controller):

1. Identity delta sync runs every 30 minutes; password hash sync runs on its own 2-minute cycle.
2. AADC requests the stored password hashes (the MD4/NT hash in the unicodePwd attribute) from a DC via the MS-DRSR replication protocol, the same protocol DCs use among themselves, so the connector account needs the "Replicate Directory Changes" and "Replicate Directory Changes All" permissions.
3. The DC encrypts the MD4 hash in an envelope using a key derived as the MD5 of the RPC session key and a salt, and sends the envelope and the salt to AADC.
4. AADC decrypts the envelope to recover the original 16-byte MD4 hash (MD5 is used only for replication-protocol compatibility between the DC and AADC) and expands it to 64 bytes by hex-encoding it to a 32-character string and re-encoding that string as UTF-16.
5. AADC adds a per-user 10-byte salt and runs the result through PBKDF2 with HMAC-SHA256 (1000 iterations), producing a 32-byte hash.
6. The resulting hash, together with the per-user salt and the iteration count, is sent to Azure AD over TLS.

AADC never has access to the cleartext password at any point in this process.

Password Hash Sync: Sign-In

1. User attempts to sign in to an app.
2. Session is redirected to Azure AD for sign-in.
3. User provides credentials to Azure AD.
4. Azure AD applies the same MD4 + per-user salt + PBKDF2-HMAC-SHA256 process to the submitted password and validates the resulting hash against the stored hash.
5. Azure AD completes sign-in.
6. If successful, the user is granted access to the app.

(Identity delta sync from on premises continues every 30 minutes in the background; the sign-in itself never touches on-premises infrastructure.)
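The sync-side derivation and the sign-in-side check described above are one and the same computation, so here is a single added example (not code from the deck, and not Microsoft's implementation) in Python that reproduces the hardening step AADC applies and the comparison Azure AD makes at sign-in. It starts from an NT (MD4) hash rather than a cleartext password, exactly as AADC does; the sample hash is the well-known NT hash of the string "password", the 10-byte per-user salt is constructed, and the lowercase hex used in the expansion step is an assumption (Microsoft's description does not specify the case).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed input: the well-known NT (MD4) hash of the password "password".
# Azure AD Connect never sees the cleartext; it starts from this on-prem hash.
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

PBKDF2_ITERATIONS = 1000  # HMAC-SHA256 rounds used by Password Hash Sync
SALT_LENGTH = 10          # per-user salt length used by Password Hash Sync


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte MD4 hash to 64 bytes: hex-encode it to a 32-character
    string, then re-encode that string as UTF-16LE (2 bytes per character).
    Lowercase hex is an assumption of this example."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")


def derive_cloud_hash(nt_hash: bytes, salt: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """The PHS hardening step: PBKDF2-HMAC-SHA256 over the expanded hash with the
    per-user salt, yielding the 32-byte value that is stored in Azure AD."""
    if len(salt) != SALT_LENGTH:
        raise ValueError(f"per-user salt must be {SALT_LENGTH} bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                               iterations, dklen=32)


def build_sync_record(nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """What the AADC agent ships to Azure AD for one user: the derived hash plus
    the salt and iteration count, so the cloud can repeat the derivation later."""
    salt = os.urandom(SALT_LENGTH) if salt is None else salt
    return {
        "hash": derive_cloud_hash(nt_hash, salt),
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_sign_in(record: dict, candidate_nt_hash: bytes) -> bool:
    """Azure AD side at sign-in. The submitted cleartext would first be MD4-hashed
    (not shown: hashlib's MD4 is unavailable on OpenSSL 3 builds), then the same
    expand + salt + PBKDF2 path is run and compared in constant time."""
    recomputed = derive_cloud_hash(candidate_nt_hash, record["salt"],
                                   record["iterations"])
    return hmac.compare_digest(recomputed, record["hash"])
```

Because the per-user salt is random, two users with the same password end up with different stored values, and anyone who obtains the Azure AD copy must spend 1000 HMAC-SHA256 rounds per guess per user rather than one MD4 operation per guess against the whole population; that cost difference is what the "triple hashed" shorthand on the considerations slide is getting at.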

Password Hash Sync Considerations

• Locked-out local accounts are not reflected in AAD
• Disabled local accounts are not disabled in AAD until an AADC sync cycle runs (can be manually triggered)
• Unsalted MD4 (NT) hashes are notoriously fast to brute force, and MD5 is not much slower
• The per-user salt and 1000 rounds of PBKDF2-HMAC-SHA256 make the synced hash far more expensive to brute force than the on-premises NT hash; technically, the copy in Azure AD is better protected than the one in local AD
• Allows for leaked credential reports from Microsoft if AAD P1 licensing is in place
• Remember, Microsoft does not get your passwords. It receives only the salted, PBKDF2-derived ("triple hashed") value, which cannot be decrypted back to a password, only guessed against
• Required for use of Azure AD Domain Services

Pass-through Authentication (PTA)

• Relies on Azure AD Connect and PTA (AuthN) Agents
• Agents can be installed on multiple servers for high availability; the first agent is installed on the Azure AD Connect server
• Additional agents can be deployed via script or manually
• Networking: only outbound communication is required, on 80 (certificate revocation list downloads), 443 (all service traffic) and optionally 8080 (agent status reporting to AAD when 443 is unavailable); no inbound ports to open
• Requires Windows Server 2012 R2 or later

Pass-through Authentication: Sign-In Flow

(Identity delta sync from on premises continues every 30 minutes in the background.)

1. User attempts to sign in to an app.
2. Session is redirected to Azure AD for sign-in.
3. User provides credentials to Azure AD.
4. Azure AD encrypts the password once for each registered PTA agent, using that agent's public key, and places the requests onto the Service Bus for the tenant.
5. A PTA agent retrieves the validation request over its persistent outbound connection and decrypts the password with its private key.
6. The PTA agent attempts credential validation against a Domain Controller.
7. The DC returns the result to the PTA agent (success / failure / password expired).
8. The PTA agent sends the result to Azure AD via a mutually authenticated HTTPS channel.
9. Azure AD completes sign-in.
10. If successful, the user is granted access to the app.

Pass-through Authentication Considerations

• Locked and disabled local accounts are respected immediately, since every sign-in is validated against a DC
• Supports alternate login IDs
• Fully supports Azure AD Conditional Access, since sign-in requests are still processed through AAD (as opposed to being redirected to an on-premises identity provider)
• Requires Modern Authentication*
• Supports AAD Smart Lockout (filters brute-force attempts in the cloud before they lock out the on-premises account)
• Does not support leaked credential reports
• Not available in GCC at this time

Pass-through Authentication Demo

Seamless Single Sign-On

• Provides single sign-on to domain-joined machines
• Compatible with Password Hash Sync or PTA
• Requirements:
  • OS: Windows 7+ or Mac OS X, domain joined (to local AD)
  • Browsers: IE 10+, Chrome, Safari*, Firefox*; does not support Edge at this time
  • 1 URL (https://autologon.microsoftazuread-sso.com) needs to be added to the Intranet Zone via group policy
• Enables registration of non-Windows 10 devices with Azure AD

Seamless SSO Authentication (browser based)

1. User attempts to sign in to an app from a domain-joined machine.
2. Session is redirected to Azure AD for sign-in.*
3. User provides username to Azure AD.*
4. Azure AD challenges the browser to provide a Kerberos ticket.
5. Browser requests a service ticket from local AD for the AZUREADSSOACC computer account.
6. AD returns the ticket to the browser, encrypted with the computer account's secret.
7. Browser forwards the Kerberos ticket to Azure AD.
8. Azure AD decrypts the ticket with the copy of the account key shared during Seamless SSO setup, identifies the user, and returns a token.
9. If successful, the user is granted access to the app.

Seamless Single Sign-On Considerations

• Opportunistic: if Seamless SSO fails, the sign-in experience falls back to regular behavior
• Sign-out supported: allows users to sign in with other credentials if desired
• Requires Modern Authentication
• Creates a computer account in the local AD named AZUREADSSOACC
• The Kerberos decryption key of this account, if compromised, could be used to forge Kerberos tickets that Azure AD accepts for any user in the forest, since that key is all Azure AD checks; treat it like a domain-wide credential, restrict who can read or reset the account, and monitor it
• Recommendation is to manually roll over the key every 30 days (an automated method is coming soon)
• Only works when devices are on the local network (line of sight to a DC)
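As an added example (not from the deck), the 30-day rollover recommendation above turned into a check you can run against the pwdLastSet attribute of the AZUREADSSOACC computer account, for instance the value returned by `Get-ADComputer AZUREADSSOACC -Properties pwdLastSet`. AD stores that attribute as a Windows FILETIME, so the code converts it before computing the key's age; the dates used in the test are constructed, and the 30-day threshold is the deck's recommendation rather than an enforced limit.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Active Directory stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks
# since 1601-01-01 00:00:00 UTC. A value of 0 means the password was never set.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
RECOMMENDED_MAX_AGE_DAYS = 30  # rollover interval recommended in the deck


def utc_date(year: int, month: int, day: int) -> datetime:
    """Helper for constructing aware UTC datetimes (used for test values)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a FILETIME value to an aware UTC datetime; None if never set."""
    if filetime <= 0:
        return None
    # ticks are 100 ns, timedelta works in microseconds (1 us = 10 ticks)
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion; requires an aware datetime."""
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def sso_key_age_days(pwd_last_set: int,
                     now: Optional[datetime] = None) -> Optional[int]:
    """Whole days since the AZUREADSSOACC key was last rolled, or None if unset."""
    last_set = filetime_to_datetime(pwd_last_set)
    if last_set is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - last_set).days


def sso_key_rollover_due(pwd_last_set: int, now: Optional[datetime] = None,
                         max_age_days: int = RECOMMENDED_MAX_AGE_DAYS) -> bool:
    """True when the key is older than policy allows, or its age is unknown
    (pwdLastSet of 0), which is treated as overdue rather than as fresh."""
    age = sso_key_age_days(pwd_last_set, now)
    return age is None or age > max_age_days
```

The rollover itself is done with the AzureADSSO PowerShell module that ships with Azure AD Connect (`Update-AzureADSSOForest`); once it runs, pwdLastSet moves forward and this check passes again. Failing closed on a pwdLastSet of 0 is deliberate: a key whose age cannot be established should be rolled, not trusted.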

Seamless Single Sign-on Demo

Active Directory Federation Services (2019)

• Requires Azure AD Connect for identity sync; AADC can also help manage the ADFS farm
• Requires a minimum of 2 servers (1 Federation server and 1 Web Application Proxy), recommended minimum of 4
• Allows sign-in with more alternative methods: sAMAccountName, certificate, smart card, Windows Hello for Business, 3rd-party MFA, etc.
• Supports Extranet Lockout and Extranet Smart Lockout policies
• Supports banned IP lists
• Deep login screen customization
• Supports Windows Integrated Authentication

ADFS Authentication (diagram slide)

ADFS Recommended Deployment using Azure (diagram slide)

ADFS Considerations

• Limited support for Azure AD Conditional Access; however, additional custom conditional access is possible via ADFS claim rules
• Large investment in on-premises (or cloud) infrastructure, including a DMZ deployment for the proxies
• Requires a valid certificate from a publicly trusted third-party CA for the federation service name
• Supports Alternate Login ID
• Does not support Azure AD Identity Protection leaked-credential detection unless Password Hash Sync is enabled as a backup*

Active Directory Federation Services Demo

Migrating from ADFS to PTA Demo

Back to the Scoreboard!


Ease of Implementation

Password Sync + Seamless SSO (★★★★☆)
• Wizard-based install and configuration
• GPO required for Seamless SSO

PTA + Seamless SSO (★★★☆☆)
• Wizard-based initial install and configuration
• Agent deployment manual or script based
• GPO required for Seamless SSO

ADFS 2019 (★☆☆☆☆)
• Recommended minimum of 4 servers (2 at an absolute minimum)
• Wizard-based configuration of basic features
• Manual configuration for many items

Security

Password Sync + Seamless SSO (★★★★★)
• Salted, PBKDF2-hardened ("triple hashed") password hashes synced to the cloud; cleartext passwords never leave the premises

PTA + Seamless SSO (★★★★★)
• Authentication remains on premises

ADFS 2019 (★★★★★)
• Authentication remains on premises

Customizations

Password Sync + Seamless SSO (★★★☆☆)
• Limited login screen customization
• Intermediate rule customizations and transformations

PTA + Seamless SSO (★★★☆☆)
• Limited login screen customization
• Intermediate rule customizations and transformations

ADFS 2019 (★★★★★)
• Detailed login screen customizations available with CSS
• Advanced rule customizations and transformations

Features

Password Sync + Seamless SSO (★★★☆☆)
• Supports all Azure AD features
• SSO support for most clients
• No support for instant account lockouts and expirations

PTA + Seamless SSO (★★★★☆)
• Supports most Azure AD features
• SSO support for most clients

ADFS 2019 (★★★★☆)
• Limited support for Azure AD features
• SSO support for more clients
• Support for alternate login methods

Usability

Password Sync + Seamless SSO (★★★★★)
• Simple end-user experience, consistent with other Azure AD experiences

PTA + Seamless SSO (★★★★★)
• Simple end-user experience, consistent with other Azure AD experiences

ADFS 2019 (★★★★★)
• End-user experience depends on customizations

Maintenance & Reliability

Password Sync + Seamless SSO (★★★☆☆)
• Can go down with minimal impact
• Seamless SSO requires manual Kerberos key rollover
• No automated failover

PTA + Seamless SSO (★★★☆☆)
• At least 1 PTA agent must be available at all times
• Seamless SSO requires manual Kerberos key rollover
• Agents can go on existing servers, avoiding additional maintenance

ADFS 2019 (★★☆☆☆)
• At least 1 Federation and 1 Proxy server must be available at all times
• Requires certificate renewal
• More servers to maintain

Scoreboard Results

Criterion                  | Password Sync + Seamless SSO | PTA + Seamless SSO | ADFS (2019)
Ease of Implementation     | ★★★★☆                        | ★★★☆☆              | ★☆☆☆☆
Security                   | ★★★★★                        | ★★★★★              | ★★★★★
Customizations             | ★★★☆☆                        | ★★★☆☆              | ★★★★★
Features                   | ★★★☆☆                        | ★★★★☆              | ★★★★☆
Usability                  | ★★★★★                        | ★★★★★              | ★★★★★
Maintenance & Reliability  | ★★★☆☆                        | ★★★☆☆              | ★★☆☆☆
Score (as printed)         | 21                           | 23                 | 22

(The stars printed for Password Sync + Seamless SSO add up to 23, not 21, which would tie it with PTA; the totals are reproduced as they appear on the slide.)

WINNER!

Pass-through Authentication!


Taking a closer look…

• Everyone's environment is different, and the "winner" will be different for everyone
• The takeaway is that you should carefully consider your authentication method based on your organization's priorities
• It's not too late to change your method

Thank you!