Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

  • Date posted: 19-Oct-2014
  • Category: Technology


Transcript of Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies

Bring Your Own Device Essentials with Windows Technology, Part 1
Raymond Comvalius & Sander Berkouwer

Please take all the photos you like, but we would like to point out:

Sharing is caring

@NEXTXPERT @SanderBerkouwer @NICConf

Introduction: Sander Berkouwer
  • Blogger at DirTeam.com/ActiveDir.org and ServerCore.Net
  • Microsoft Tech Lead at OGD ict-diensten since 2000
  • MCSA, MCSE, MCITP
  • Microsoft MVP since 2009

Introduction: Raymond Comvalius
  • Author of "Windows 7 for XP Professionals" and "Updating Support Skills"
  • Independent IT Architect, specialized in IT Infrastructure since 1998
  • MCSA, MCSE, MCITP, MCT
  • Microsoft MVP since 2011

Introducing Bring Your Own

Fact or Fiction
  • Domain Join is almost legacy
  • Kerberos and LDAP are for trusted networks only
  • A mobile device can be an authentication factor
  • HTTP(S) is the Universal Firewall Bypass Protocol
  • Exchange ActiveSync was way ahead of its time
  • Without PKI and certificates you're out

Reality

51% of employees between the age of 21 and 32 years choose to deliberately ignore corporate policies when they apply to:
  • Corporate use of privately-owned devices (BYOD)
  • Cloud storage
  • Wearable devices

Netherlands: 51%, Worldwide: 57% (Source: Fortinet, October 22, 2013)

Bring Your Own
  • Devices
  • Apps
  • Information
  • Employees

Management | Access | Security

Bring Your Own: facilitating access to company IT sources with devices owned by employees and other entities

Bring Your Own Device
  • Corporate
  • Non-corporate

Authentication
  • Username + Password + ? = MFA (Multi-Factor Authentication)
Health
  • Patch levels are up-to-date
  • Not jailbroken or hacked by Anonymous
Policies
  • Device is sufficiently secured
  • Complies with minimum security policies

Solid BYO: Bring Your Own Building Blocks
  • Solid Management
  • Solid Authentication
  • Solid Authorisation
  • Solid Data Protection

Building block technologies
  • Azure RMS
  • System Center
  • Windows Intune
  • Workplace Join
  • Web Application Proxy
  • AD Domain Services
  • AD Federation Services
  • Windows Azure AD

Solid Authentication

Current challenges

Current protocols lack flexibility
  • Kerberos tickets are encrypted, cannot split
  • Kerberos tickets only contain SIDs
Active Directory trusts provide too little flexibility
  • Trusted domains share too much information
  • Domain Trusts lack scalability
Multi-Factor Authentication
  • Verifying user identity is crucial
  • Username and password is not good enough

Current Authentication (Kerberos)
Parties: Client, KDC (Domain Controller), Resource
  1. Client to Resource: May I access your resources?
  2. Resource to Client: Go get a ticket at the KDC
  3. Client to KDC: May I have a Ticket? + Here is my TGT
  4. KDC to Client: Here is a Service Ticket
  5. Client to Resource: May I have access + Service Ticket
  6. Resource to Client: Here are the resources

Solution: Authentication with AD Federation Services

Authentication with AD FS (SAML)
Parties: Client, STS (AD FS), Resource
  1. Client to Resource: May I access your resources?
  2. Resource to Client: Go get a token at the STS (redirect)
  3. Client to STS: May I have a token? + credentials
  4. STS to Client: Here is your (SAML) token
  5. Client to Resource: May I have access + (SAML) token
  6. Resource to Client: Here are the resources

AD FS benefits
  • SAML and OAuth2 are web ready
  • Transport over SSL channel
  • Tokens are optionally encrypted
  • Relying Party trusts are very flexible
  • Token contents are defined per Relying Party (RP) Trust
  • Relying Party Trusts are scalable
  • Multi-Factor Authentication: AD FS authentication is extensible for third parties

Claims vs Tickets
  • Claim Tokens instead of Tickets
  • More flexibility with inbound and outbound filtering
  • Web based protocol, optional encryption
  • Relying Parties replace Domain Members and Trusts
  • Relying Parties have fine grained definitions
  • Less dependent, requires little information
  • Rich authentication scenarios
  • Even the authentication method is a claim
  • Anything can be an authentication factor

Claims vs. Tokens

                Claims in SAML                     Claims in Kerberos
Encryption      Optional                           Encrypted
Transport       HTTP (TCP 80) / HTTPS (TCP 443)    Kerberos (TCP 88)
Contents        XML-based                          Authorization data (PAC, sIDHistory)
Limits          XML definitions                    MaxTokenSize
Security        Signing, Replay Protection         Ticket Lifetime, Mutual Auth, PAC Validation

Demo: Configuring SAML Authentication

Solution: Windows Azure Active Directory

Introducing Azure Active Directory
  • Modern Identity Management
  • Free REST-based web service for authentication
  • Identity and Access Management for cloud services

Cloud Identity Management
  • Identity and Access Management for Windows Azure, Office 365, CRM Online, Windows Intune, etc.
  • 100% interoperability
  • Based on open standards, like SAML and WS-Fed
  • Full support for 3rd party identity providers

Integration options for Azure AD

Integration                     Scenarios for identity                            Complexity          Requirements
Portal                          Separate credentials, 2x logon                    Low complexity      No need for extra hardware
PowerShell / Graph API          Separate credentials, 2x logon                    Medium complexity   No need for extra hardware
DirSync with Cloud identities   Same username, other password, 2x logon           Low complexity      Windows Server required
DirSync with Password Sync      Same username and password, 2x logon              Low complexity      Windows Server required
DirSync with Federation         Same username and password, SSO on-prem, MF Auth  High complexity     Requires extra Windows Servers

Simple authentication to Azure AD
Parties in the diagram: Colleague, Integrated Application, Azure Active Directory, Azure Active Directory Access Control Service (steps 1 to 7)

Advanced Authentication to Azure AD
Parties in the diagram: Colleague, on-premises Active Directory Domain Services, Active Directory Federation Services, Directory Synchronization Tool, Azure Active Directory Management API, Azure Active Directory, Azure Active Directory Access Control Service (Active Directory Federation Trust), Integrated Application (steps 1 to 8)

Current challenges

Smart Cards for MFA with Active Directory
  • Smart Card readers never became a commodity
  • Smart Cards require extra hardware
  • Smart Cards require PKI
  • Expensive with a public Certificate Authority
  • Kerberos or Browser authentication
User Friendliness
  • Is a smart card convenient for BYOD?
  • We now have alternatives for a card

Solution: Multi-Factor Authentication

Multi-Factor Authentication with AD FS

Extensible Authentication Model
  • API for 3rd party extensions
  • Default support for Smart Cards
Azure PhoneFactor
  • Simple implementation
  • Phone Call, Text Message, App or OATH passcode
Not just PhoneFactor
  • Multiple vendors support AD FS MFA

PhoneFactor Multi-Factor Authentication
Parties in the diagram: Colleague, on-premises Active Directory Domain Services, on-premises Application, Multi-Factor Authentication Server, Multi-Factor Authentication Service (steps 1 to 9)

Join us for Part 2!

Part 1 and Part 2
  • There's a lot to cover in terms of Bring Your Own (BYO). We're only half way now.
This Part
  • We've discussed Solid Authentication
  • You now know why Kerberos is going away.
Part 2
  • There's another hour of BYO Goodness coming!
  • This afternoon from 13:40 to 14:40

Questions?
Please evaluate our session.

Sessions of Interest Today
  • Adventures in Underland: What Passwords Do When No One Is Watching - Paula Januszkiewicz, Auditorium 6, 12:20 - 13:20
  • Managing Mobile Devices with System Center 2012 R2 ConfigMgr and Windows Intune - Wally Mead, Auditorium 3, 13:40 - 14:40
  • Identity and Directory Synchronization with Office 365 and Windows Azure AD - Brian Desmond, Auditorium 1, 15:00 - 16:00

Thank You!

Bring Your Own Device Essentials with Windows Technology, Part 2
Raymond Comvalius & Sander Berkouwer


Solid Authorization

Current challenges

Group membership is too strict
  • Based on a single attribute
  • Becomes uncontrollable very fast
Cross organization access
  • Organizations must trust each other a lot
  • Connections are not always stable
Token bloat
  • A ticket with too many SIDs is not accepted
  • Causes inconsistencies during logon

Claims for rich authorization scenarios

Rich authorization: claims can be based on Group Membership, or on:
  • Any property of a user account (e.g. Department)
  • Or occurrence of the user in the address list
  • Or the location of the computer
  • Or combinations of the above
  • Or external claims

Solution: Claims

Claims in Tokens and/or Kerberos Tickets
  • Claims in SAML/OAuth2 and/or Kerberos
  • Claims in SAML via Federation Services
  • Claims in Kerberos via Dynamic Access Control
Benefits of Claims in Kerberos
  • Claims can be based on any attribute
  • Authorisation in ACLs exceeds user status
Benefits of Claims in SAML/OAuth2
  • Kerberos and LDAP are not web based protocols
  • Active Directory is not a w
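As an added example that is not part of the slide deck, the PowerShell below shows what "claims based on any property of a user account (e.g. Department)" and "Claims in Kerberos via Dynamic Access Control" look like in practice: a claim type sourced from the department attribute, a Central Access Rule whose conditional ACE compares that claim with a resource property, and the Central Access Policy that carries the rule to file servers. It assumes a Windows Server 2012 or later domain with the ActiveDirectory module; the rule and policy names and the department values are placeholders.

```powershell
# Added example, not from the slide deck. Assumes a Windows Server 2012+ domain,
# the ActiveDirectory PowerShell module and a Domain Admin session. Rule name,
# policy name and the department values are placeholders.
# Prerequisite for claims in Kerberos tickets: the GPO setting "KDC support for
# claims, compound authentication and Kerberos armoring" enabled on the DCs.
Import-Module ActiveDirectory

# 1. Claim type sourced from the user's "department" attribute. The ID is what the
#    conditional ACE later references as @USER.ad://ext/Department.
$suggested = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", ""),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HR", "HR", "")
)
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -SuggestedValues $suggested -Enabled $true

# 2. Enable the built-in Department_MS resource property so folders can be
#    classified with a department, and publish it in the global property list.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_MS"

# 3. Central Access Rule: targets resources classified as Finance and grants
#    Authenticated Users (AU) Read & Execute (0x1200a9) only when the user's
#    Department claim matches the resource's Department_MS value. Owner (OW) and
#    Administrators (BA) keep Full Access. -CurrentAcl makes the rule effective;
#    -ProposedAcl would only stage it for auditing.
$conditionalAce = '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department Any_of @RESOURCE.Department_MS))'
$ruleAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' + $conditionalAce
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance"})' `
    -CurrentAcl $ruleAcl

# 4. Central Access Policy carrying the rule. It reaches file servers through
#    Group Policy (Computer Configuration > Policies > Windows Settings >
#    Security Settings > File System > Central Access Policy) and is then
#    selected on the folder's Security tab under "Central Policy".
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Members "Finance Documents Rule"

# 5. Verification: the claim type is enabled and the rule references it.
Get-ADClaimType -Filter 'DisplayName -eq "Department"' |
    Select-Object DisplayName, SourceAttribute, ID, Enabled
Get-ADCentralAccessRule -Identity "Finance Documents Rule" |
    Select-Object Name, ResourceCondition, CurrentAcl
```

The practical effect is the one the slides describe: access is decided by a user attribute carried as a claim in the Kerberos ticket rather than by an ever-growing set of group SIDs, so a new department needs a classification value and no new groups.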