Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Posted: 19-Oct-2014
Category: Technology

Transcript of Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

ActiveSync

Bring Your Own Device Essentials with Windows Technology, Part 1
Raymond Comvalius & Sander Berkouwer

Please take all the photos you like, but we would like to point out: sharing is caring.
@[email protected]@NICConf

Introduction: Sander Berkouwer
- Blogger: DirTeam.com/ActiveDir.org, ServerCore.Net
- Microsoft Tech Lead at OGD ict-diensten since 2000
- MCSA, MCSE, MCITP
- Microsoft MVP since 2009

Introduction: Raymond Comvalius
- Author of "Windows 7 for XP Professionals" and "Updating Support Skills"
- Independent IT Architect, specialized in IT infrastructure since 1998
- MCSA, MCSE, MCITP, MCT
- Microsoft MVP since 2011

Introducing Bring Your Own: Fact or Fiction
- Domain Join is almost legacy
- Kerberos and LDAP are for trusted networks only
- A mobile device can be an authentication factor
- HTTP(S) is the Universal Firewall Bypass Protocol
- Exchange ActiveSync was way ahead of its time
- Without PKI and certificates you're out

Reality
51% of employees between the age of 21 and 32 years choose to deliberately ignore corporate policies when they apply to:
- corporate use of privately-owned devices (BYOD)
- cloud storage
- wearable devices
Netherlands: 51% (1.057, 21 - 32 years); worldwide: 57% (1867).
Source: Fortinet, October 22, 2013

Bring Your Own
Devices, Apps, Information, Employees

Bring Your Own
Devices, Apps, Information, Employees, with Management | Access | Security in between

Bring Your Own
Facilitating access to company IT sources with devices owned by employees and other entities

Bring Your Own Device
Corporate vs. non-corporate

Authentication
- Username + Password + ? = MFA (Multi-Factor Authentication)
Health
- Patch levels are up-to-date
- Not jailbroken or hacked by Anonymous
Policies
- Device is sufficiently secured
- Complies with minimum security policies

Bring Your Own Building Blocks
Solid BYO = Solid Management + Solid Authentication + Solid Authorisation + Solid Data Protection

Technologies: Azure RMS, System Center, Windows Intune, Workplace Join, Web Application Proxy, AD Domain Services, AD Federation Services, Windows Azure AD

Solid Authentication

Current challenges
Current protocols lack flexibility
- Kerberos tickets are encrypted, cannot be split
- Kerberos tickets only contain SIDs
Active Directory trusts provide too little flexibility
- Trusted domains share too much information
- Domain Trusts lack scalability
Multi-Factor Authentication
- Verifying user identity is crucial
- Username and password is not good enough

Current Authentication (Kerberos)
Parties: Client, Resource, KDC (Domain Controller)
1. Client -> Resource: May I access your resources?
2. Resource -> Client: Go get a ticket at the KDC
3. Client -> KDC: May I have a Ticket? + Here is my TGT
4. KDC -> Client: Here is a Service Ticket
5. Client -> Resource: May I have access + Service Ticket
6. Resource -> Client: Here are the resources

Solution: Authentication with AD Federation Services

Authentication with AD FS (SAML)
Parties: Client, Resource, STS (AD FS)
1. Client -> Resource: May I access your resources?
2. Resource -> Client: Go get a token at the STS (redirect)
3. Client -> STS: May I have a token? + credentials
4. STS -> Client: Here is your (SAML) token
5. Client -> Resource: May I have access + (SAML) token
6. Resource -> Client: Here are the resources

AD FS benefits
SAML and OAuth2 are web ready
- Transport over SSL channel
- Tokens are optionally encrypted
Relying Party trusts are very flexible
- Token contents is defined per Relying Party (RP) Trust
- Relying Party Trusts are scalable
Multi-Factor Authentication
- AD FS authentication is extensible for third parties

Claims vs Tickets
Claim Tokens instead of Tickets
- More flexibility with inbound and outbound filtering
- Web based protocol, optional encryption
Relying Parties replace Domain Members and Trusts
- Relying Parties have fine grained definitions
- Less dependent, requires little information
Rich authentication scenarios
- Even the authentication method is a claim
- Anything can be an authentication factor

Claims vs. Tokens

             | Claims in SAML                  | Claims in Kerberos
Encryption   | Optional                        | Encrypted
Transport    | HTTP (TCP 80), HTTPS (TCP 443)  | Kerberos (TCP 88)
Contents     | XML-based                       | Authorization data (PAC, sIDHistory)
Limits       | XML definitions                 | MaxTokenSize, Ticket Lifetime
Security     | Signing, Replay Protection      | Mutual Auth, PAC Validation

Demo: Configuring SAML Authentication

Solution: Windows Azure Active Directory

Introducing Azure Active Directory
Modern Identity Management
- Free REST-based web service for authentication
- Identity and Access Management for cloud services
Cloud Identity Management
- Identity and Access Management for Windows Azure, Office 365, CRM Online, Windows Intune, etc.
100% interoperability
- Based on open standards, like SAML and WS-Fed
- Full support for 3rd party identity providers

Integration options for Azure AD

Option                        | Integration                                        | Complexity        | Requirements
Portal                        | Separate credentials, 2x logon                     | Low complexity    | No need for extra hardware
PowerShell / Graph API        | Separate credentials, 2x logon                     | Medium complexity | No need for extra hardware
DirSync with Cloud identities | Same username, other password, 2x logon            | Low complexity    | Windows Server required
DirSync with Password Sync    | Same username and password, 2x logon               | Low complexity    | Windows Server required
DirSync with Federation       | Same username and password, SSO on-prem, MF Auth   | High complexity   | Requires extra Windows Servers

Simple authentication to Azure AD (diagram)
Components: Colleague, Azure Active Directory, Azure Active Directory Access Control Service, Azure Active Directory Integrated Application; numbered steps 1 to 7.

Advanced Authentication to Azure AD (diagram)
On premises: Active Directory Domain Services, Active Directory Federation Services, Directory Synchronization Tool. Cloud: Azure Active Directory, Azure Active Directory Access Control Service, Azure Active Directory Management API, Azure Active Directory Integrated Application. Linked by an Active Directory Federation Trust; numbered steps 1 to 8.

Current challenges
Smart Cards for MFA with Active Directory
- Smart Card readers never became a commodity
- Smart Cards require extra hardware
Smart Cards require PKI
- Expensive with a public Certificate Authority
- Kerberos or Browser authentication
User Friendliness
- Is a smart card convenient for BYOD?
- We now have alternatives for a card

Solution: Multi-Factor Authentication

Multi-Factor Authentication with AD FS
Extensible Authentication Model
- API for 3rd party extensions
- Default support for Smart Cards
Azure PhoneFactor
- Simple implementation
- Phone Call, Text Message, App or OATH passcode
Not just PhoneFactor
- Multiple vendors support AD FS MFA

PhoneFactor Multi-Factor Authentication (diagram)
On premises: Active Directory Domain Services, On-premises Application, Multi-Factor Authentication Server. Cloud: Multi-Factor Authentication Service. Colleague; numbered steps 1 to 9.

Join us for Part 2!
Part 1 and Part 2
- There's a lot to cover in terms of Bring Your Own (BYO). We're only half way now
This Part
- We've discussed Solid Authentication
- You now know why Kerberos is going away.
Part 2
- There's another hour of BYO Goodness coming!
- This afternoon from 13:40 to 14:40

Questions?
Please evaluate our session.

Sessions of Interest Today
- Adventures in Underland: What Passwords Do When No One Is Watching - Paula Januszkiewicz, Auditorium 6, 12:20 - 13:20
- Managing Mobile Devices with System Center 2012 R2 ConfigMgr and Windows Intune - Wally Mead, Auditorium 3, 13:40 - 14:40
- Identity and Directory Synchronization with Office 365 and Windows Azure AD - Brian Desmond, Auditorium 1, 15:00 - 16:00

Thank You!

Bring Your Own Device Essentials with Windows Technology, Part 2
Raymond Comvalius & Sander Berkouwer

Please take all the photos you like, but we would like to point out: sharing is caring.
@[email protected]@NICConf

Solid Authorization

Current challenges
Group membership is too strict
- Based on a single attribute
- Becomes uncontrollable very fast
Cross organization access
- Organizations must trust each other a lot
- Connections are not always stable
Token bloat
- A ticket with too many SIDs is not accepted
- Causes inconsistencies during logon

Claims for rich authorization scenarios
Rich authorization
Claims can be based on Group Membership or on:
- any property of a user account (i.e. Department)
- or occurrence of the user in the address list
- or the location of the computer
- or combinations of the above
- or external claims.

Solution: Claims

Claims in Tokens and/or Kerberos Tickets
Claims in SAML/OAuth2 and/or Kerberos
- Claims in SAML via Federation Services
- Claims in Kerberos via Dynamic Access Control
Benefits of Claims in Kerberos
- Claims can be based on any attribute
- Authorisation in ACLs exceeds user status
Benefits of Claims in SAML/OAuth2
- Kerberos and LDAP are not web based protocols
- Active Directory is not a web based product

Authorisation with Bring Your Own
Claims-aware applications
- Active Directory Federation Services
- Relying Party (RP) processes the claims
Data
- Work Folders allow for file server synchronisation
- SkyDrive Pro offers synchronisation with SharePoint
Windows-integrated web applications
- Web Application Proxy in Windows Server 2012 R2
- Translate claims from SAML to Kerberos with KCD

Solution: Workplace Join

Introducing Workplace Join
Claims
- Employees verify devices
- Claims provided by Active Directory Federation Services
Service Discovery
- DNS Record (enterpriseregistration) for AutoDiscover
- DNS Record required per user domain
Certificates
- Verified devices enroll a certificate from AD FS
- Per device an object in the Registered Devices container

Claims Inception (diagram)

Workplace Join Internals
Cookies
- Permanent Cookie enables Single Sign-on
Active Directory
- msDS-Device object in Active Directory
- Tied to the user/device combination
Certificate
- In local User Store from MS-Organization-Access
- Workplace Join requires working CRL for AD FS SSL Cert

Claims Inception (diagram)

Demo: Workplace Join
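The Device Registration Service, the enterpriseregistration autodiscover record and the msDS-Device objects described in the two Workplace Join slides above, expressed in the Windows Server 2012 R2 cmdlets. This is an added example, not code from the presentation; the domain contoso.com, the AD FS host adfs.contoso.com, the AD FS service account CONTOSO\svc_adfs$ and the exported certificate file adfs-ssl.cer are assumed names.

```powershell
# Added example (not from the slides). Assumed names: contoso.com,
# adfs.contoso.com, CONTOSO\svc_adfs$, C:\Temp\adfs-ssl.cer.

# 1. Prepare the forest for device registration and enable DRS on the
#    AD FS farm (run on an AD FS server with Enterprise Admin rights).
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc_adfs$'
Enable-AdfsDeviceRegistration

# Limit how many devices each user may register and expire stale
# registrations, so lost or replaced devices do not keep a device claim.
Set-AdfsDeviceRegistration -DevicesPerUser 5 -MaximumInactiveDays 90
Get-AdfsDeviceRegistration

# 2. Publish the autodiscover CNAME. One record is required per user UPN
#    suffix; a single suffix is assumed here.
$upnSuffixes = @('contoso.com')
foreach ($suffix in $upnSuffixes) {
    Add-DnsServerResourceRecordCName -ZoneName $suffix `
        -Name 'enterpriseregistration' -HostNameAlias 'adfs.contoso.com'
}

# 3. Clients check revocation of the AD FS SSL certificate, so the CRL
#    distribution point must be reachable from the Internet. Verify with
#    the exported certificate (assumed path).
certutil -verify -urlfetch 'C:\Temp\adfs-ssl.cer'

# 4. Audit registered devices: each Workplace Join creates an msDS-Device
#    object in the Registered Devices container of the domain.
$domainDn  = (Get-ADDomain).DistinguishedName
$container = "CN=RegisteredDevices,$domainDn"
Get-ADObject -SearchBase $container -Filter 'objectClass -eq "msDS-Device"' `
    -Properties msDS-DeviceOSType, msDS-DeviceOSVersion, msDS-IsEnabled,
                msDS-RegisteredOwner, whenCreated |
    Select-Object Name, msDS-DeviceOSType, msDS-DeviceOSVersion,
                  msDS-IsEnabled, whenCreated,
                  @{ n = 'OwnerSid'; e = { $_.'msDS-RegisteredOwner' } } |
    Sort-Object whenCreated -Descending
```

The audit query is the part a defender revisits: a device object that is enabled but has an unexpected OS type, or an owner whose account is disabled, is a device claim that AD FS will still issue until the object is disabled or removed.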

Solid Access

Current Challenges
Server Message Block (SMB)
- Discloses Windows-based file servers
- Not optimized for the web
Remote Procedure Call (RPC)
- Discloses remote Windows functionality
- Not optimized for the web
HTTP for everything
- HTTP (with/without SSL) to be used as the standard protocol
- HTTP is the universal firewall bypass protocol

Speaker notes: EOL of TMG; RMS; need for more robust access for existing apps that are not claims based.

Solution: Work Folders

Work Folders positioning (diagram)
Data types (Personal data, Individual business data, Team/Department business data) plotted against Personal devices, File Server and Public Cloud; options placed on the chart: SkyDrive, SkyDrive Pro, SharePoint and/or Office 365, Folder Redirection, Work Folders, File Server.

Work Folders Internals
HTTP-based file synchronisation
- DNS Record (workfolders) for AutoDiscovery
- Windows Authentication or AD FS (OAuth2)
Standard Policies
- Password policy and device lock
- Policies cannot be customized
Encryption and remote wipe
- Encryption based on EFS Enterprise Key
- Functional remote wipe initiated from Exchange / Intune

Current Challenges
TMG is End-of-Life
- We must have a Reverse Proxy
- Pre-authentication with Active Directory integration
Groups are insufficient for authorization
- Client properties can be used for allow/deny access
- Existing web apps often not claims-aware
Publish AD Federation Services on the Internet
- Disclosing Active Directory on the Internet is no option
- Internet accessible services in the Perimeter network
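Server-side setup for the Work Folders internals listed above: the workfolders autodiscover record and a sync share with the standard device policies (encryption, password and lock) enforced. This is an added example using the DnsServer and SyncShare modules of Windows Server 2012 R2, not code from the presentation; contoso.com, sync01.contoso.com, D:\WorkFolders and the group CONTOSO\WorkFoldersUsers are assumed names.

```powershell
# Added example (not from the slides). Assumed names: contoso.com,
# sync01.contoso.com, D:\WorkFolders, CONTOSO\WorkFoldersUsers.

# 1. Autodiscover: clients look up workfolders.<user UPN suffix> and
#    connect to it over HTTPS, so the record must point at the sync server.
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' `
    -Name 'workfolders' -HostNameAlias 'sync01.contoso.com'

# 2. Create the sync share on the file server (Work Folders role installed).
#    The two policy switches are the only device policies Work Folders
#    offers; they cannot be tuned further, only turned on or off.
New-SyncShare -Name 'Employees' `
    -Path 'D:\WorkFolders' `
    -User 'CONTOSO\WorkFoldersUsers' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# 3. Confirm the policies are actually enforced on every share; a share
#    created earlier without them is the usual gap.
Get-SyncShare |
    Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock |
    Format-Table -AutoSize
```

With RequireEncryption enabled the client encrypts the synced copy with the enterprise EFS key, which is what makes the remote wipe mentioned on the slide effective: wiping the key leaves the data on the personal device unreadable.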

Solution: Web Application Proxy

Introducing Web Application Proxy
Edge Role
- AD FS Proxy configuration on the AD FS Server
- Reverse Proxy for HTTPS with pre-authentication
Custom claims
- Configurable in AD Federation Services from multiple sources
Kerberos Constrained Delegation
- Web App Proxy translates SAML to Kerberos
- Requires Service Principal Names (SPNs)

Internal access to a claims based app (diagram)
Employee, Claims-based App, Active Directory Federation Services (acting as STS), On Premises Active Directory Domain Services; Relying Party Trust; numbered steps 1 to 7.

BYO Access to a claims based app (diagram)
Colleague, Web App Proxy (Reverse Proxy, AD FS Proxy), Claims-based App, Active Directory Federation Services (acting as STS), On Premises Active Directory Domain Services; Relying Party Trust; numbered steps 1 to 7.

BYO Access to a non-claims aware app (diagram)
Colleague, Web App Proxy (Reverse Proxy, AD FS Proxy), Active Directory Federation Services (acting as STS), On Premises Active Directory Domain Services, Kerberos App; Delegation; numbered steps 1 to 10.

Solid Management
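The last diagram above, BYO access to a non-claims aware app, in PowerShell: AD FS pre-authenticates the colleague and issues a token, and Web Application Proxy uses Kerberos Constrained Delegation to obtain a Kerberos ticket for the backend SPN on the user's behalf. This is an added example for the Windows Server 2012 R2 cmdlets, not code from the presentation; WAP01 (the proxy's computer account), AppSvr01, the external name app.contoso.com, the internal name app.corp.contoso.com and the trust name "Intranet App" are assumed.

```powershell
# Added example (not from the slides). Assumed names: WAP01, AppSvr01,
# app.contoso.com (external), app.corp.contoso.com (internal), "Intranet App".

# 1. On a domain controller: the backend needs an SPN, and the proxy's
#    computer account may delegate to that SPN only (constrained, not
#    unconstrained delegation). Protocol transition is required because
#    the proxy holds a SAML token, not the user's Kerberos credentials.
Set-ADComputer -Identity 'AppSvr01' -ServicePrincipalNames @{ Add = 'HTTP/app.corp.contoso.com' }
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/app.corp.contoso.com' }
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# 2. On the AD FS server: a relying party trust of the non-claims-aware kind,
#    so AD FS can pre-authenticate users for an app that never sees claims.
#    The authorization rule here permits everyone who authenticated; a
#    production rule would restrict on group or device claims.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'Intranet App' `
    -Identifier 'https://app.contoso.com/' `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 3. On the Web Application Proxy: publish the app with AD FS
#    pre-authentication and hand it the backend SPN for KCD.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object Subject -like '*app.contoso.com*').Thumbprint

$publish = @{
    Name                          = 'Intranet App'
    ExternalPreauthentication     = 'ADFS'
    ADFSRelyingPartyName          = 'Intranet App'
    ExternalUrl                   = 'https://app.contoso.com/'
    BackendServerUrl              = 'https://app.corp.contoso.com/'
    ExternalCertificateThumbprint = $thumb
    BackendServerAuthenticationSpn = 'HTTP/app.corp.contoso.com'
}
Add-WebApplicationProxyApplication @publish

# 4. Review what is published and with which pre-authentication mode;
#    a PassThrough entry here bypasses AD FS entirely.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, ExternalPreauthentication, BackendServerAuthenticationSpn
```

Scoping msDS-AllowedToDelegateTo to the single backend SPN is the point of the "constrained" in KCD: the proxy can impersonate users only towards that service, so compromise of the edge role does not yield tickets for every service in the forest.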

Managing Bring Your Own
Not a single method to offer applications
- Organizations use multiple methods
- Unclear and hard to report
Applications for multiple platforms
- Not just Windows, but also Mac OS
- Not just desktops, laptops, but also tablets, etc.
Application distribution is hard
- Not all devices are connected to the network
- Not all devices can be connected to the network

Solution: Windows Intune

ConfigMgr with Windows Intune (diagram)
On premises: Employee, System Center Configuration Manager 2012 R2. Cloud: Windows Intune. Central Management and Reporting.

Conclusion
Bring Your Own: Corporate vs. non-corporate
Solid Bring Your Own = Solid management + Solid authentication + Solid authorization + Solid access
Technologies: System Center, Windows Intune, AD Domain Services, AD Federation Services, Windows Azure AD, Workplace Join, Web Application Proxy, Azure RMS

Questions?
Please evaluate our session.
Thank You!