Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own Device Essentials with Windows Technology, Part 1 Raymond Comvalius & Sander Berkouwer
Posted: 19-Oct-2014
Category: Technology

Transcript of Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Page 1: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own Device Essentials with Windows Technology, Part 1 - Raymond Comvalius & Sander Berkouwer

Page 2: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Please take all the photos you like, but we would like to point out: sharing is caring.

@NEXTXPERT @SanderBerkouwer @NICConf

Page 3: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Introduction

Sander Berkouwer, MCSA, MCSE, MCITP, Microsoft MVP since 2009
Blogger at DirTeam.com/ActiveDir.org and ServerCore.Net
Microsoft Tech Lead at OGD ict-diensten since 2000

Page 4: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Introduction

Raymond Comvalius, MCSA, MCSE, MCITP, MCT, Microsoft MVP since 2011
Author of "Windows 7 for XP Professionals" and "Updating Support Skills…"
Independent IT Architect, specialized in IT infrastructure since 1998

Page 5: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Introducing Bring Your Own

Page 6: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Fact or Fiction…

• Domain Join is almost legacy
• Kerberos and LDAP are for trusted networks only
• A mobile device can be an authentication factor
• HTTP(S) is the Universal Firewall Bypass Protocol
• Exchange ActiveSync was way ahead of its time
• Without PKI and certificates you're out

Page 7: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Reality

51% of employees between the age of 21 and 32 years deliberately ignore corporate policies when they apply to:

• Corporate use of privately-owned devices (BYOD)
• Cloud storage
• Wearable devices

Netherlands: 51%. Worldwide: 57% (employees aged 21 - 32).

Source: Fortinet, October 22, 2013

Page 8: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own

Devices | Apps | Information

Employees

Page 9: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own

Devices | Apps | Information

Employees

Management | Access | Security

Page 10: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own

Facilitating access to company IT resources with devices owned by employees and other entities

Page 11: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own Device

BYO

Applications | Data
Corporate | Non-corporate

Page 12: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solid BYO

Authentication: Username + Password + ? = MFA (Multi-Factor Authentication)

Health: patch levels are up-to-date; not jailbroken or hacked by Anonymous

Policies: device is sufficiently secured; complies with minimum security policies

Page 13: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own Building Blocks

Pillars: Solid Management, Solid Authentication, Solid Authorisation, Solid Data Protection

Technologies: System Center, Windows Intune; Workplace Join, Web Application Proxy; AD Domain Services, AD Federation Services, Windows Azure AD; Azure RMS

Page 14: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solid Authentication


Page 15: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Current challenges

Current protocols lack flexibility: Kerberos tickets are encrypted and cannot be split; Kerberos tickets only contain SIDs

Active Directory trusts provide too little flexibility: trusted domains share too much information; domain trusts lack scalability

Multi-Factor Authentication: verifying user identity is crucial; username and password is not good enough

Page 16: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Current Authentication (Kerberos)

Parties: Client, Resource, KDC (Domain Controller)

1. Client -> Resource: May I access your resources?
2. Resource -> Client: Go get a ticket at the KDC
3. Client -> KDC: May I have a Ticket? + Here is my TGT
4. KDC -> Client: Here is a Service Ticket
5. Client -> Resource: May I have access + Service Ticket
6. Resource -> Client: Here are the resources

Page 17: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solution

Authenticationwith AD Federation Services

Page 18: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Authentication with AD FS (SAML)

Parties: Client, Resource, STS (AD FS)

1. Client -> Resource: May I access your resources?
2. Resource -> Client: Go get a token at the STS (redirect)
3. Client -> STS: May I have a token? + credentials
4. STS -> Client: Here is your (SAML) token
5. Client -> Resource: May I have access + (SAML) token
6. Resource -> Client: Here are the resources

Page 19: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

AD FS benefits

SAML and OAuth2 are "web ready": transport over an SSL channel; tokens are optionally encrypted

Relying Party Trusts are very flexible: token contents are defined per Relying Party (RP) Trust; Relying Party Trusts are scalable

Multi-Factor Authentication: AD FS authentication is "extensible" for third parties

Page 20: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Claims vs Tickets

Claim tokens instead of tickets: more flexibility with inbound and outbound filtering; web-based protocol, optional encryption

Relying Parties replace Domain Members and Trusts: Relying Parties have fine-grained definitions; less dependent, requires little information

Rich authentication scenarios: even the authentication method is a claim; anything can be an authentication factor

Page 21: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Claims vs. Tokens

Encryption Transport Contents Limits Security

Claimsin SAML Optional

HTTP (TCP80)HTTPS (TCP443)

Kerberos (TCP88)

XML-based

XML-based MaxTokenSize

Ticket LifetimeMutual AuthPAC Validation

Claims in Kerberos

Kerberos (TCP88)

Authorization data MaxTokenSize

Ticket LifetimeMutual AuthPAC Validation

Tokens

SigningReplay Protection

Page 22: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Demo

Configuring SAML Authentication

Page 23: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solution

Windows Azure Active Directory

Page 24: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Introducing Azure Active Directory

Modern Identity Management: free REST-based web service for authentication; Identity and Access Management for cloud services

Cloud Identity Management: Identity and Access Management for Windows Azure, Office 365, CRM Online, Windows Intune, etc.

100% interoperability: based on open standards, like SAML and WS-Fed; full support for 3rd party identity providers

Page 25: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Integration options for Azure AD

Scenario for identity          | Integration                                       | Complexity        | Requirements
Portal                         | Separate credentials, 2x logon                    | Low complexity    | No need for extra hardware
PowerShell / Graph API         | Separate credentials, 2x logon                    | Medium complexity | No need for extra hardware
DirSync with Cloud identities  | Same username, other password, 2x logon           | Low complexity    | Windows Server required
DirSync with Password Sync     | Same username and password, 2x logon              | Low complexity    | Windows Server required
DirSync with Federation        | Same username and password, SSO on-prem, MF Auth  | High complexity   | Requires extra Windows Servers

Page 26: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Advanced Authentication to Azure AD

[Diagram with numbered steps 1-8 between: Colleague; on-premises Active Directory Domain Services; Active Directory Federation Services; Active Directory Federation Trust; Directory Synchronization Tool; Azure Active Directory; Azure Active Directory Access Control Service; Azure Active Directory Management API; Azure Active Directory Integrated Application.]

Page 27: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Current challenges

Smart Cards for MFA with Active Directory: smart card readers never became a commodity; smart cards require extra hardware

Smart Cards require PKI: expensive with a public Certificate Authority; Kerberos or browser authentication

User friendliness: is a smart card convenient for BYOD? We now have alternatives for a card

Page 28: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solution

Multi-Factor Authentication

Page 29: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Multi-Factor Authentication with AD FS

Extensible Authentication Model: API for 3rd party extensions; default support for Smart Cards

Azure PhoneFactor: simple implementation; phone call, text message, app or OATH passcode

Not just PhoneFactor: multiple vendors support AD FS MFA

Page 30: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

PhoneFactor Multi-Factor Authentication

[Diagram with numbered steps 1-9 between: Colleague; on-premises Active Directory Domain Services; On-premises Application; Multi-Factor Authentication Server; Multi-Factor Authentication Service.]

Page 32: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Join us for Part 2!

Part 1 and Part 2: there's a lot to cover in terms of Bring Your Own (BYO). We're only half way now…

This part: we've discussed Solid Authentication. You now know why Kerberos is going away.

Part 2: there's another hour of BYO goodness coming! This afternoon from 13:40 to 14:40.

Page 33: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Questions?

Page 34: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Please evaluate our session.

Page 35: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Sessions of Interest Today

• Adventures in Underland: What Passwords Do When No One Is Watching - Paula Januszkiewicz, Auditorium 6, 12:20 - 13:20
• Managing Mobile Devices with System Center 2012 R2 ConfigMgr and Windows Intune - Wally Mead, Auditorium 3, 13:40 - 14:40
• Identity and Directory Synchronization with Office 365 and Windows Azure AD - Brian Desmond, Auditorium 1, 15:00 - 16:00

Page 36: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Thank You!

Page 37: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own Device Essentials with Windows Technology, Part 2 - Raymond Comvalius & Sander Berkouwer


Page 41: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solid Authorization

Page 42: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Current challenges

Group membership is too strict: based on a single attribute; becomes uncontrollable very fast

Cross-organization access: organizations must trust each other a lot; connections are not always stable

Token bloat: a ticket with too many SIDs is not accepted; causes inconsistencies during logon

Page 43: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Claims for rich authorization scenarios

Rich authorization: claims can be based on Group Membership or on:

• Any property of a user account (e.g. Department)
• Or the presence of the user in the address list
• Or the location of the computer

… or combinations of the above

… or external claims.

Page 44: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solution

Claims

Page 45: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Claims in Tokens and/or Kerberos Tickets

Claims in SAML/OAuth2 and/or Kerberos: claims in SAML via Federation Services; claims in Kerberos via Dynamic Access Control

Benefits of claims in Kerberos: claims can be based on any attribute; authorisation in ACLs exceeds user status

Benefits of claims in SAML/OAuth2: Kerberos and LDAP are not web-based protocols; Active Directory is not a web-based product

Page 46: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Authorisation with Bring Your Own

Claims-aware applications: Active Directory Federation Services; the Relying Party (RP) processes the claims

Data: Work Folders allow for file server synchronisation; SkyDrive Pro offers synchronisation with SharePoint

Windows-integrated web applications: Web Application Proxy in Windows Server 2012 R2; translate claims from SAML to Kerberos with KCD

Page 47: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solution

Workplace Join

Page 48: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Introducing Workplace Join

Claims: employees verify devices; claims provided by Active Directory Federation Services

Service Discovery: DNS record (enterpriseregistration) for AutoDiscover; DNS record required per user domain

Certificates: verified devices enroll a certificate from AD FS; per device an object in the Registered Devices container

Page 49: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Workplace Join Internals

Cookies: a permanent cookie enables Single Sign-on

Active Directory: an msDS-Device object in Active Directory, tied to the user/device combination

Certificate: in the local user store, from MS-Organization-Access; Workplace Join requires a working CRL for the AD FS SSL certificate
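One way to set up and verify the pieces the two Workplace Join slides list (the Device Registration Service in AD DS, the enterpriseregistration DNS record per UPN suffix, the CRL of the AD FS SSL certificate, and the msDS-Device objects), as an added PowerShell example that is not part of the deck. The domain corp.contoso.com, the AD FS farm adfs.contoso.com, the service account CONTOSO\adfsgmsa$ and the UPN suffixes are assumptions.

```powershell
# Added example, not from the deck. Assumed names: domain corp.contoso.com
# (DNS zone contoso.com), AD FS 2012 R2 farm adfs.contoso.com, service
# account CONTOSO\adfsgmsa$, UPN suffixes contoso.com and fabrikam.com.

# 1. Prepare AD DS for the Device Registration Service (creates the
#    RegisteredDevices container) and enable it on the farm. Run on an
#    AD FS server with Domain Admin rights.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\adfsgmsa$'
Enable-AdfsDeviceRegistration
Get-AdfsDeviceRegistration          # registration quota and inactivity period

# 2. Service discovery: a client resolves enterpriseregistration.<UPN suffix>,
#    so every UPN suffix in use needs a CNAME to the federation service name.
foreach ($suffix in 'contoso.com', 'fabrikam.com') {
    Add-DnsServerResourceRecordCName -ZoneName $suffix -Name 'enterpriseregistration' `
        -HostNameAlias 'adfs.contoso.com'
}

# 3. Workplace Join fails when the client cannot download the CRL for the
#    AD FS SSL certificate. Export that certificate and let certutil fetch
#    every revocation URL it carries.
$sslHash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
Export-Certificate -Cert (Get-Item "Cert:\LocalMachine\My\$sslHash") `
    -FilePath "$env:TEMP\adfs-ssl.cer" | Out-Null
certutil.exe -verify -urlfetch "$env:TEMP\adfs-ssl.cer" |
    Select-String -Pattern 'CRL', 'Revocation', 'Verified', 'Failed'

# 4. Inventory: each registered device is an msDS-Device object tied to its
#    owner. Disabled or long-inactive devices are candidates for clean-up.
Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' `
    -SearchBase 'CN=RegisteredDevices,DC=corp,DC=contoso,DC=com' `
    -Properties 'msDS-RegisteredOwner', 'msDS-DeviceOSType', 'msDS-DeviceOSVersion',
                'msDS-IsEnabled', 'msDS-ApproximateLastLogonTimeStamp' |
    Select-Object Name, 'msDS-DeviceOSType', 'msDS-DeviceOSVersion', 'msDS-IsEnabled',
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc([Int64]$_.'msDS-ApproximateLastLogonTimeStamp') } }
```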

Page 50: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Demo

Workplace Join

Page 51: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solid Access

Page 52: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Current Challenges

Server Message Block (SMB): discloses Windows-based file servers; not optimized for the web

Remote Procedure Call (RPC): discloses remote Windows functionality; not optimized for the web

HTTP for everything: HTTP (with/without SSL) to be used as the standard protocol; HTTP is the universal firewall bypass protocol

Page 53: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solution

Work folders

Page 54: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Work Folders positioning

[Diagram: data types (Personal data, Individual business data, Team/Department business data) set against locations (Personal devices, Public Cloud, SharePoint and/or Office 365, File Server), with SkyDrive, SkyDrive Pro, Folder Redirection and Work Folders as the corresponding synchronisation options.]

Page 55: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Work Folders Internals

HTTP-based file synchronisation: DNS record (workfolders) for AutoDiscovery; Windows Authentication or AD FS (OAuth2)

Standard Policies: password policy and device lock; policies cannot be customized

Encryption and remote wipe: encryption based on the EFS Enterprise Key; functional remote wipe initiated from Exchange / Intune
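Creating a sync share with the two policies this slide names (device lock with password policy, and encryption with the enterprise EFS key), plus the workfolders autodiscover record and a check for shares where a policy is off, as an added PowerShell example that is not from the deck. The file server fs01.corp.contoso.com, the zone, the group and the share path are assumptions.

```powershell
# Added example, not from the deck. Assumed names: file server
# fs01.corp.contoso.com, DNS zone contoso.com, security group
# CONTOSO\WorkFoldersUsers, share path D:\SyncShares\WorkFolders.

# Install the Work Folders role service (the HTTPS sync endpoint on the file server).
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# The only policies Work Folders offers are these two switches; there is no
# custom policy. Both belong on for BYO: encryption ties the local copy to the
# enterprise EFS key (the remote wipe from Exchange/Intune revokes that key),
# and auto-lock enforces a lock screen and password policy on the device.
New-SyncShare -Name 'WorkFolders' -Path 'D:\SyncShares\WorkFolders' `
    -User 'CONTOSO\WorkFoldersUsers' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Service discovery: clients resolve workfolders.<UPN suffix> to the sync server.
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' -Name 'workfolders' `
    -HostNameAlias 'fs01.corp.contoso.com'

# Check: any share with a policy switched off is a weak configuration for BYO.
Get-SyncShare |
    Where-Object { -not $_.RequireEncryption -or -not $_.RequirePasswordAutoLock } |
    Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock
```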

Page 56: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Current Challenges

TMG is End-of-Life: we must have a Reverse Proxy; pre-authentication with Active Directory integration

Groups are insufficient for authorization: client properties can be used for allow/deny access; existing web apps often not claims-aware

Publish AD Federation Services on the Internet: disclosing Active Directory on the Internet is no option; Internet-accessible services in the perimeter network

Page 57: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solution

Web Application Proxy

Page 58: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Introducing Web Application Proxy

Edge Role: 1. AD FS Proxy configuration on the AD FS server; 2. Reverse Proxy for HTTPS with pre-authentication

Custom claims: configurable in AD Federation Services from multiple sources

Kerberos Constrained Delegation: Web App Proxy translates SAML to Kerberos; requires Service Principal Names (SPNs)

Page 59: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Internal access to a claims based app

[Diagram with numbered steps 1-7 between: Employee; Claims-based App; Active Directory Federation Services (acting as STS); on-premises Active Directory Domain Services. The app and AD FS are linked by a Relying Party Trust.]

Page 60: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

BYO Access to a claims based app

[Diagram with numbered steps 1-7 between: Colleague; Web App Proxy (Reverse Proxy and AD FS Proxy); Claims-based App; Active Directory Federation Services (acting as STS); on-premises Active Directory Domain Services. The app and AD FS are linked by a Relying Party Trust.]

Page 61: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

BYO Access to a non-claims aware app

[Diagram with numbered steps 1-10 between: Colleague; Web App Proxy (Reverse Proxy and AD FS Proxy); Active Directory Federation Services (acting as STS); on-premises Active Directory Domain Services; Kerberos App. Steps 8-10 are the delegation from Web App Proxy to the Kerberos App.]
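Publishing a Windows-integrated (non-claims-aware) app through Web Application Proxy with AD FS pre-authentication and Kerberos Constrained Delegation, as in the flow above: the non-claims-aware relying party on AD FS, the SPN and delegation settings in AD DS, and the publishing step on the proxy. This is an added PowerShell example, not code from the deck; WAP01, the two app URLs, CONTOSO\svc-app, adfs.contoso.com and $thumb are assumptions. The authorization rule uses the device claim AD FS issues for Workplace Joined devices, so only registered devices get through the proxy.

```powershell
# Added example, not from the deck. Assumed names: WAP server WAP01,
# external URL https://app.contoso.com/, internal URL https://app.corp.contoso.com/,
# app-pool account CONTOSO\svc-app, AD FS farm adfs.contoso.com, and $thumb
# holding the thumbprint of the certificate for the external name.

# --- On AD FS: a non-claims-aware relying party. Its authorization rule permits
#     only users signing in from a Workplace Joined device (device claim issued by
#     AD FS) instead of every authenticated user.
$permitRegistered = 'c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'Intranet App' `
    -Identifier 'https://app.contoso.com/' `
    -IssuanceAuthorizationRules $permitRegistered

# --- In AD DS: the backend SPN and the delegation the proxy may perform.
#     Scope is deliberately narrow: one SPN only, with protocol transition,
#     because WAP never holds the user's Kerberos ticket (it holds a SAML token)
#     and must obtain a service ticket on the user's behalf.
setspn.exe -S 'HTTP/app.corp.contoso.com' 'CONTOSO\svc-app'
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/app.corp.contoso.com' }
Get-ADComputer -Identity 'WAP01' | Set-ADAccountControl -TrustedToAuthForDelegation $true

# --- On WAP01: install the role, join it to the farm as AD FS Proxy, publish the app
#     with AD FS pre-authentication and KCD to the backend SPN.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceName 'adfs.contoso.com' `
    -FederationServiceTrustCredential (Get-Credential 'CONTOSO\adfsadmin') `
    -CertificateThumbprint $thumb
Add-WebApplicationProxyApplication -Name 'Intranet App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Intranet App' `
    -ExternalUrl 'https://app.contoso.com/' `
    -BackendServerUrl 'https://app.corp.contoso.com/' `
    -ExternalCertificateThumbprint $thumb `
    -BackendServerAuthenticationSPN 'HTTP/app.corp.contoso.com'

# Check: anything published with PassThrough skips AD FS pre-authentication
# entirely, which defeats the "pre-authentication at the edge" point of WAP.
Get-WebApplicationProxyApplication |
    Where-Object ExternalPreauthentication -eq 'PassThrough' |
    Select-Object Name, ExternalUrl
```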

Page 62: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solid Management

Page 63: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Managing Bring Your Own

Not a single method to offer applications: organizations use multiple methods; unclear and hard to report

Applications for multiple platforms: not just Windows, but also Mac OS; not just desktops and laptops, but also tablets, etc.

Application distribution is hard: not all devices are connected to the network; not all devices can be connected to the network

Page 64: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Solution

Windows Intune

Page 65: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

ConfigMgr with Windows Intune

[Diagram: on-premises System Center Configuration Manager 2012 R2 together with Windows Intune provide central management and reporting for the employee's devices.]

Page 66: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Conclusion

Page 67: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own

BYO

Applications | Data
Corporate | Non-corporate

Page 68: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own

Solid management | Solid authentication | Solid authorization | Solid access

System Center, Windows Intune | AD Domain Services, AD Federation Services, Windows Azure AD | Workplace Join, Web Application Proxy | Azure RMS

Page 69: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Questions?

Page 70: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Please evaluate our session.

Page 71: Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Thank You!