Raymond Comvalius & Sander Berkouwer - Bring your own device essentials with windows technologies
1. Bring Your Own Device Essentials with Windows Technology, Part 1
Raymond Comvalius & Sander Berkouwer
2. Please take all the photos you like, but we would like to point out:
Sharing is caring
@NEXTXPERT
@SanderBerkouwer
@NICConf
3. Introduction
Sander Berkouwer
MCSA, MCSE, MCITP
Microsoft MVP since 2009
Blogger
DirTeam.com/ActiveDir.org
ServerCore.Net
Microsoft Tech Lead at OGD ict-diensten since 2000
4. Introduction
Raymond Comvalius
MCSA, MCSE, MCITP, MCT
Microsoft MVP since 2011
Author
Windows 7 for XP Professionals
Updating Support Skills…
Independent IT Architect, specialized in IT infrastructure since 1998
6. Fact or Fiction…
Domain Join is almost Legacy
Kerberos and LDAP are for trusted networks only
A mobile device can be an authentication factor
HTTP(S) is the Universal Firewall Bypass Protocol
Exchange ActiveSync was way ahead of its time
Without PKI and certificates you're out
7. Reality
51% of employees between the ages of 21 and 32 choose to deliberately ignore corporate policies when they apply to:
• Corporate use of privately-owned devices (BYOD)
• Cloud storage
• Wearable devices
Source: Fortinet, October 22, 2013
12. Solid BYO
Authentication
Username + Password + ? = MFA
Multi-Factor Authentication
Policies
Device is sufficiently secured
Complies with minimum security policies
Health
Patch levels are up-to-date
Not jailbroken or hacked by Anonymous
13. Bring Your Own Building Blocks
Solid Authentication: AD Domain Services, AD Federation Services, Windows Azure AD
Solid Data Protection: Azure RMS, Workplace Join
Solid Authorisation: Web Application Proxy
Solid Management: System Center, Windows Intune
15. Current challenges
Current protocols lack flexibility
Kerberos tickets are encrypted, cannot split
Kerberos tickets only contain SIDs
Active Directory trusts provide too little flexibility
Trusted domains share too much information
Domain Trusts lack scalability
Multi-Factor Authentication
Verifying user identity is crucial
Username and password is not good enough
18. Authentication with AD FS (SAML)
Participants: Client, Resource, STS (AD FS)
1. Client → Resource: May I access your resources?
2. Resource → Client: Go get a token at the STS (redirect)
3. Client → STS: May I have a token? + credentials
4. STS → Client: Here is your (SAML) token
5. Client → Resource: May I have access? + (SAML) token
6. Resource → Client: Here are the resources
19. AD FS benefits
SAML and OAuth2 are “web ready”
Transport over SSL channel
Tokens are optionally encrypted
Relying Party trusts are very flexible
Token contents are defined per Relying Party (RP) Trust
Relying Party Trusts are scalable
Multi-Factor Authentication
AD FS authentication is “extensible” for third parties
20. Claims vs Tickets
Claim Tokens instead of Tickets
More flexibility with inbound and outbound filtering
Web based protocol, optional encryption
Relying Parties replace Domain Members and Trusts
Relying Parties have fine grained definitions
Less dependent, requires little information
Rich authentication scenarios
Even the authentication method is a claim
Anything can be an authentication factor
21. Claims vs. Tokens
Claims in SAML: encryption optional; transport HTTP (TCP 80) or HTTPS (TCP 443); contents XML-based; limits XML-based; security through signing and replay protection
Claims in Kerberos and Kerberos tokens: transport Kerberos (TCP 88); contents authorization data; limits MaxTokenSize and ticket lifetime; security through mutual authentication and PAC validation
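As an added illustration that is not part of the slides, the six-step exchange of slide 18 together with the per-RP token contents, signing and replay protection of slides 19 to 21, reduced to a runnable Python model. The STS key, RP trust list, directory record and URLs are constructed, and a shared HMAC key stands in for the X.509 token-signing certificate an AD FS deployment would use.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed example data: one STS signing key and two Relying Party trusts, each
# defining which claims its token carries (slide 19). The shared HMAC key stands in
# for the AD FS token-signing certificate.
STS_KEY = b"constructed-sts-signing-key"
RP_TRUSTS = {"https://hr.example.test/": ["upn", "department", "authnmethod"],
             "https://wiki.example.test/": ["upn", "authnmethod"]}
# Constructed directory record standing in for AD DS user attributes.
DIRECTORY = {"alice": {"password": "Pa55w0rd!", "upn": "alice@example.test",
                       "department": "HR"}}
SEEN_TOKEN_IDS = set()  # replay protection on the Relying Party side

def rp_request(rp, token=None):
    """Steps 1-2 / 5-6: no token -> redirect to the STS; valid token -> resource."""
    if token is None:
        return {"status": 302, "location": f"https://sts.example.test/?wtrealm={rp}"}
    claims = rp_validate(rp, token)
    return {"status": 200, "claims": claims} if claims else {"status": 401}

def sts_issue(rp, user, password, second_factor_ok):
    """Steps 3-4: authenticate (password + second factor), then issue a signed
    token shaped by the RP trust; the authentication method is itself a claim."""
    rec = DIRECTORY.get(user)
    if (rp not in RP_TRUSTS or rec is None or not second_factor_ok
            or not hmac.compare_digest(rec["password"], password)):
        return None
    available = {"upn": rec["upn"], "department": rec["department"],
                 "authnmethod": "password+phone"}
    body = {"aud": rp, "exp": time.time() + 300, "jti": secrets.token_hex(8),
            "claims": {name: available[name] for name in RP_TRUSTS[rp]}}
    raw = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(STS_KEY, raw, hashlib.sha256).digest()
    return base64.b64encode(raw).decode() + "." + base64.b64encode(sig).decode()

def rp_validate(rp, token):
    """Verify signature, audience, lifetime and single use before trusting claims."""
    try:
        raw_b64, sig_b64 = token.split(".")
        raw, sig = base64.b64decode(raw_b64), base64.b64decode(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(STS_KEY, raw, hashlib.sha256).digest(), sig):
        return None
    body = json.loads(raw)
    if body["aud"] != rp or body["exp"] < time.time() or body["jti"] in SEEN_TOKEN_IDS:
        return None
    SEEN_TOKEN_IDS.add(body["jti"])
    return body["claims"]
```

A token minted for the wiki trust is refused by the HR application on the audience check, and presenting the same token twice is refused as a replay.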
24. Introducing Azure Active Directory
Modern Identity Management
Free REST-based web service for authentication
Identity and Access Management for cloud services
Cloud Identity Management
Identity and Access Management for Windows Azure,
Office 365, CRM Online, Windows Intune, etc.
100% interoperability
Based on open standards, like SAML and WS-Fed
Full support for 3rd party identity providers
25. Integration options for Azure AD
Scenario for identity / Complexity / Requirements / Integration
Portal: low complexity; no need for extra hardware; separate credentials, 2x logon
PowerShell / Graph API: medium complexity; no need for extra hardware; separate credentials, 2x logon
DirSync with cloud identities: low complexity; Windows Server required; same username, other password, 2x logon
DirSync with Password Sync: low complexity; Windows Server required; same username and password, 2x logon
DirSync with Federation: high complexity; requires extra Windows Servers; same username and password, SSO on-premises, Multi-Factor Authentication
26. Advanced Authentication to Azure AD
Diagram (flow shown as numbered steps 1 to 8). Components: Colleague; Integrated Application; Azure Active Directory with the Access Control Service and the Azure Management API; Active Directory Federation Trust; on-premises Active Directory with Active Directory Domain Services, Active Directory Federation Services and the Directory Synchronization Tool.
27. Current challenges
Smart Cards for MFA with Active Directory
Smart Card readers never became a commodity
Smart Cards require extra hardware
Smart Cards require PKI
Expensive with a public Certificate Authority
Kerberos or Browser authentication
User Friendliness
Is a smart card convenient for BYOD
We now have alternatives for a card
29. Multi-Factor Authentication with AD FS
Extensible Authentication Model
API for 3rd party extensions
Default support for Smart Cards
Azure PhoneFactor
Simple implementation
Phone Call, Text Message, App or OATH passcode
Not just PhoneFactor
Multiple vendors support AD FS MFA
32. Join us for Part 2!
Part 1 and Part 2
There’s a lot to cover in terms of Bring Your Own (BYO).
We’re only half way now…
This Part
We’ve discussed Solid Authentication
You now know why Kerberos is going away.
Part 2
There’s another hour of BYO Goodness coming!
This afternoon from 13:40 to 14:40
35. Sessions of Interest Today
Adventures in Underland: What Passwords Do When No One Is Watching
Paula Januszkiewicz, Auditorium 6, 12:20 - 13:20
Managing Mobile Devices with System Center 2012 R2 ConfigMgr and Windows Intune
Wally Mead, Auditorium 3, 13:40 - 14:40
Identity and Directory Synchronization with Office 365 and Windows Azure AD
Brian Desmond, Auditorium 1, 15:00 - 16:00
37. Bring Your Own Device Essentials with Windows Technology, Part 2
Raymond Comvalius & Sander Berkouwer
42. Current challenges
Group membership is too strict
Based on a single attribute
Becomes uncontrollable very fast
Token bloat
A ticket with too many SIDs is not accepted
Causes inconsistencies during logon
Cross organization access
Organizations must trust each other a lot
Connections are not always stable
43. Claims for rich authorization scenarios
Rich authorization
Claims can be based on Group Membership or on:
• Any property of a user account (e.g. Department)
• Or the occurrence of the user in the address list
• Or the location of the computer
… or combinations of the above
… or external claims.
45. Claims in Tokens and/or Kerberos Tickets
Claims in SAML/OAuth2 and/or Kerberos
Claims in SAML via Federation Services
Claims in Kerberos via Dynamic Access Control
Benefits of Claims in SAML/OAuth2
Kerberos and LDAP are not web based protocols
Active Directory is not a web based product
Benefits of Claims in Kerberos
Claims can be based on any attribute
Authorisation in ACLs exceeds user status
46. Authorisation with Bring Your Own
Claims-aware applications
Active Directory Federation Services
Relying Party (RP) processes the claims
Windows-integrated web applications
Web Application Proxy in Windows Server 2012 R2
Translate claims from SAML to Kerberos with KCD
Data
Work Folders allow for file server synchronisation
SkyDrive Pro offers synchronisation with SharePoint
48. Introducing Workplace Join
Claims
Employees verify devices
Claims provided by Active Directory Federation Services
Certificates
Verified devices enroll a certificate from AD FS
Per device an object in the Registered Devices container
Service Discovery
DNS Record (enterpriseregistration) for AutoDiscover
DNS Record required per user domain
49. Workplace Join Internals
Certificate
In local User Store from MS-Organization-Access
Workplace Join requires working CRL for AD FS SSL Cert
Active Directory
msDS-Device object in Active Directory
Tied to the user/device combination
Cookies
Permanent Cookie enables Single Sign-on
52. Current Challenges
Server Message Block (SMB)
Discloses Windows-based file servers
Not optimized for the web
Remote Procedure Call (RPC)
Discloses remote Windows functionality
Not optimized for the web
HTTP for everything
HTTP (with/without SSL) to be used as the standard protocol
HTTP is the universal firewall bypass protocol
54. Work Folders positioning
Diagram positioning the options by data type (personal data, individual business data, team/department business data) and by device (personal devices): SkyDrive (public cloud); SkyDrive Pro (SharePoint and/or Office 365); Work Folders (file server); Folder Redirection (file server).
55. Work Folders Internals
HTTP-based file synchronisation
DNS Record (workfolders) for AutoDiscovery
Windows Authentication or AD FS (OAuth2)
Standard Policies
Password policy and device lock
Policies cannot be customized
Encryption and remote wipe
Encryption based on EFS Enterprise Key
Functional remote wipe initiated from Exchange / Intune
56. Current Challenges
TMG is End-of-Life
We must have a Reverse Proxy
Pre-authentication with Active Directory integration
Groups are insufficient for authorisation
Client properties can be used for allow/deny access
Existing web apps often not claims-aware
Publish AD Federation Services on the Internet
Disclosing Active Directory on the Internet is no option
Internet accessible services in the Perimeter network
58. Introducing Web Application Proxy
Edge Role
1. AD FS Proxy configuration on the AD FS Server
2. Reverse Proxy for HTTPS with pre-authentication
Kerberos Constrained Delegation
Web App Proxy translates SAML to Kerberos
Requires Service Principal Names (SPNs)
Custom claims
Configurable in AD Federation Services from multiple sources
59. Internal access to a claims based app
Diagram (flow shown as numbered steps 1 to 7). Components, all on premises: Employee; Claims-based App; Active Directory Federation Services (acting as STS); Active Directory Domain Services.
60. BYO Access to a claims based app
Diagram (flow shown as numbered steps 1 to 7). Components: Colleague (external); Web Application Proxy acting as Reverse Proxy and ADFS Proxy; on premises: Active Directory Federation Services (acting as STS), Active Directory Domain Services, Claims-based App.
61. BYO Access to a non-claims aware app
Diagram (flow shown as numbered steps 1 to 10). Components: Colleague (external); Web Application Proxy acting as Reverse Proxy and ADFS Proxy; on premises: Active Directory Federation Services (acting as STS), Active Directory Domain Services, Kerberos App.
63. Managing Bring Your Own
Not a single method to offer applications
Organizations use multiple methods
Unclear and hard to report
Applications for multiple platforms
Not just Windows, but also Mac OS
Not just desktops, laptops, but also tablets, etc.
Application distribution is hard
Not all devices are connected to the network
Not all devices can be connected to the network
68. Bring Your Own
Solid authentication: AD Domain Services, AD Federation Services, Windows Azure AD
Solid access: Azure RMS, Workplace Join
Solid authorisation: Web Application Proxy
Solid management: System Center, Windows Intune