The Who, What, Why and How of Active Directory Federation Services (AD FS)
Download as PPTX, PDF3 likes1,939 views
The document provides an overview of Active Directory Federation Services (ADFS) by discussing who benefits from ADFS, what ADFS is, how it works, and best practices for implementation. It explains that ADFS allows secure sharing of identity information and single sign-on access across applications. The key components of ADFS include the SharePoint Security Token Service, token-signing certificate, Identity Provider, identity and group claims, and relying party security token service.
The Who, What, Why and How of Active Directory Federation Services (AD FS)
- 1. THE WHO, WHAT AND WHY OF ACTIVE DIRECTORY FEDERATION SERVICES (ADFS)
- 2. Be Sure To Thank Our Awesome Sponsors!
- 3. ABOUT ME • Co-author, SharePoint 2013 Administrators Pocket Guide • MCT, MCTIP: SharePoint 2010, MCTS: Project Server 2010 • 12 years working on the SharePoint platform in a variety of positions. • 7 years of instructional/training delivery experience. • My blogs: • http://summit7systems.com/author/jay.simcox/ • http://www.sharepointmechanic.com/ • Contact Me: • Email: [email protected] • Twitter: @jaysimcox/@SPHoneyBadger Senior Consultant/Instructor, Summit 7 Systems/Mindsharp Huntsville, AL
- 4. Work performed in 31 States Employees in 6 States 100% CSAT Satisfaction 2 Microsoft MVPs 30+ Published Books 1 Office Dog About Summit 7 Systems
- 5. AGENDA
- 6. AGENDA
- 7. THE FIRST QUESTION YOU SHOULD BE ASKING!Is AD FS the right solution for my requirement?
- 9. • Reverse-proxy? • Hybrid? • Access from outside the corporate network? • Access for partners or vendors? • Device or role-based access? • Single sign on (SSO) IT DEPENDS….
- 11. WHO BENEFITS FROM ADFS - I? • Implementing Organizations – Easily share internal resources with external users. – Create a role based security model. – Possible to reduce overall licensing costs with additional servers roles like Web Application Proxy (WA-P). • Partner Organizations – Easy access to external organization resources
- 12. WHO BENEFITS FROM ADFS - II? • IT Staff – Administrators • No longer have to manage external user accounts or passwords. • Centralized federated partner management. • Extensible architecture allows for adding, modifying or creating custom claims to support specific business processes. – Developers • Leveraging Windows Identity Foundation developers can build .NET applications that rely on ADFS instead of an internal authentication mechanism. These are known as “Claims-Aware” applications.
- 13. WHO BENEFITS FROM ADFS - III? • End Users – SSO experience across multiple applications and platforms. – Reduced need for multiple logons – Simplified password management (single password across multiple platforms and applications).
- 15. WHAT IS ADFS? • Not new, ADFS has been around since Windows Server 2003 R2. • Windows Server 2012 R2 role. • Allows for the secure sharing of identity information. • Provides secure authentication to multiple systems (SharePoint, Dynamics, Exchange, O365, etc…) • Reduces administrative overhead involved with managing “guest” or external AD account.
- 16. WHAT ARE THE BENEFITS OF ADFS? • Allows us to “easily” open applications to external partners. • Web based Single Sign On (SSO). • Reduced administrative overhead managing guest accounts and passwords. • Supports the WS-Federation protocol. • Partner or guest user account management by local resources is not required.
- 17. WHAT ARE THE BENEFITS OF ADFS? (CONTD.) • Claim mapping defines claims in terms that each partner organization understands. • Claim mappings can be different for each partner organization. • Can leverage multiple claim types – Identity Claims – Group Claims – Custom Claims – Device Claims
- 18. ADFS LIMITATIONS • Not an overly simple implementation. • No support for on-premises Exchange. • No access to Windows NT token based applications. – No access to file shares or print servers. – No access to AD resources. – No access to Exchange (on-premises only). – No connections to servers via RDP. – No authentication to “older” web based applications.
- 20. HOW DOES ADFS WORK? • Defines how applications acquire identity information about a user. • Designed to specifically overcome limitations in other protocols. • Designed to cross boundaries such as security realms, firewalls and different platforms. • Takes the burden of authentication off of applications. • Requires configuration of multiple components – SharePoint Security Token Service (STS) – Token-signing certificate – Identity Provider (IdP) – Identity claim – Realm – SPTrustedIdentityTokenIssuer – Relying party security token service – Identity provider security token service
- 21. AUTHENTICATION IN SHAREPOINT • Authentication is NOT Authorization – Authentication – the process of verifying the identity of a user requesting access to a SharePoint resource. – Authorization – the process of identifying an authenticated users permission to access the SharePoint resource. • Authentication protocols – NTLM – Kerberos – Claims-based – Open Authorization 2.0 (OAuth) • Server to Server Authentication • App authentication
- 22. NTLM PROCESS 1. The user requests a SharePoint site. 2. SharePoint sends a request for Windows Credentials to the user in the form of a login box asking for a username and password. 3. The end user enters their Windows credentials and submits them to SharePoint. 4. SharePoint validates the users account with AD. 5. SharePoint requests and receives the users group membership from AD. 6. SharePoint creates a SharePoint security token and sends the authorization code and requested web page to the end user. AD DS 5 1 2 3 6 Users 4
- 23. KERBEROS PROCESS 1. The Client sends an HTTP (GET) request as an anonymous user. 2. The WFE responds with a 401.2 (unauthorized: Login failed) and with a WWW-Authenticate: Negotiate or WWW-Authenticate: Kerberos header. 3. The client contacts the KDC on the domain controller requesting a Kerberos ticket for the SPN (service-principal-name) referenced by the client browser. 4. If the KDC finds a matching SPN it creates and encrypts a ticket and returns it to the client. 5. The client creates the authenticator and returns it with the ticket to the WFE. The WFE decrypts the ticket and determines identity and checks permissions on the SharePoint server to see what access, if any, is to be granted. 6. If access is permitted IIS contacts the SQL server through the Web Application service. 7. The Web Application service requests a ticket for the SQL server from the KDC. 8. If an SPN is found the KDC returns the ticket which the web application uses to impersonate the user. 9. SQL Server checks the ticket from the Web Application service and validates it and sends the data back to the WFE. 10. .NET compiles the .aspx page and sends it to the users browser. Client 1 2 3 4 5 6 7 8 9 10 AD DS
- 24. CLAIMS PROCESS 1. The end user hits the SharePoint site generating an HTTP (GET) request. 2. SharePoint redirects the user to the Identity Provider to get a security token. 3. The end user is prompted for credentials by the Identity Provider. 4. The Identity Provider validates the provided credentials with the authentication provider (in this case AD DS) and if successful provides the client a security token. 5. The Identity Provider sends the end user a SAML security token. 6. The end user submits a new request to SharePoint with the SAML token. 7. The SharePoint STS generates the SharePoint security token, the FedAuth cookie and the requested SharePoint site. 2 6 1 AD DS 4 AD FS 3 5 Claim Claim Claim Signature7 7 7
- 25. CLAIMS IN A NUTSHELL • Claim: an assertion or statement of something as a fact. • Could be any piece of data or information about a user. • Digitally signed at creation. • Claims must have an attribute to be used with SharePoint • Do not rely on applications for authentication. • Rely on security token services (STSs). • Not just for identities, can also be used for roles and access rights. • Commonly defined with Security Assertion Markup Language (SAML)
- 26. THE TOKEN
- 28. WHAT WOULD AN ADFS IMPLEMENTATION LOOK LIKE?
- 31. WHAT SHOULD I WORRY ABOUT? • Search • User Profile Service • End user experience • People-Picker • Unique Identifier • Authentication method (username/password, smart card, RSASecureId).
- 32. BEST PRACTICES • Use SAN certificates on the WA-P servers. • Protect your ADFS servers as if they are Domain Controllers. • High availability should always be a part of the design. Especially hybrid deployments.
- 34. Be Sure To Thank Our Awesome Sponsors!
- 35. THANK YOU FOR ATTENDING!
Editor's Notes
- #17: Ws-fed makes it possible to federate identities with do not use Windows identities (OpenId, Siteminder, etc…)
- #18: •Identity claims (User Principal name, E-mail and a Common Name) •Group claims (a user’s membership of a group or a role in the organization) •Custom claim (contains a custom attribute about a user, such as phone number or badge number).
- #22: Remember, we’re speaking in terms of SharePoint. There are many other authentication methods CHAP (challenge handshake auth prot), EAP (extensible authentication prot), HIP (host identity prot), OpenID, RADIUS
- #23: Provides authentication, integrity and confidentiality services within the Windows Security Support Provider (SSPI) framework Default network authentication in Windows NT 4.0 “Replaced” by Kerberos as the preferred authentication protocol in Windows 2000. Challenge/response authentication mechanism. Does not support recent cryptographic methods such as AES or SHA-256.
- #24: Provides authenticated access for users and services on a network. Default authentication protocol for Windows 2000 and later. Does not require that a users password cross the network. Does not require that a users password ever be stored in memory. Works for both password-based and smart card enabled authentication. Requires Domain Administrator privileges to manage.