#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Max Fritz, Solutions Architect
SADA Systems
Single Sign-On Showdown: ADFS vs Pass-Through Authentication
Azure AD Identity Sync & Auth Timeline
2009
• DirSync introduced for identity synchronization
2012
• DirSync becomes Azure AD Sync
2013
• Password Hash Sync added to AAD Sync
2015
• Azure AD Sync becomes Azure AD Connect
• Introduces Health engine
2017
• msDS-ConsistencyGuid as source anchor
• Pass Through Authentication introduced
• Seamless SSO introduced
Azure AD Authentication Methods Today
Cloud Only Identity
• Identities exist only in AAD
• Authentication handled by AAD
Password Hash Synchronization
• Identities synced to AAD
• Authentication handled by AAD
Pass-through Authentication
• Identities synced to AAD
• Authentication handled by local AD
Federated (ADFS)
• Identities synced to AAD
• Authentication handled by local AD
3rd Party Federated
• Identities synced to AAD
• Authentication handled by third-party
Of these, the three methods covered in this session all depend on identity synchronization through Azure AD Connect: Password Hash Synchronization (authentication handled by AAD), Pass-through Authentication (authentication handled by local AD) and Federated (ADFS) (authentication handled by local AD).
Sidebar: What is Azure AD Connect?
• Application installed on a Windows machine within your environment
• Integrates local Active Directory with Azure Active Directory
• Sync engine based on Microsoft Identity Manager (shared codebase)
• Uses a local SQL server for sync database (can be separate SQL server)
• Includes a monitoring component: Azure AD Connect Health
• Free for all Azure AD customers (so just free ☺)
• Can manage ADFS installations
Azure AD Connect is required for all authentication methods we will cover today
We will not demo installation or basic configuration of AADC today; however, AADC will be part of some demos
Authentication Methods: How we will rank
Ease of Implementation
Security
Customization Options
Available Features
Usability
Maintenance & Reliability
Scoreboard
Columns: Password Sync + Seamless SSO / PTA + Seamless SSO / ADFS (2019)
Ease of Implementation: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Security: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Customizations: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Features: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Usability: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Maintenance & Reliability: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Score: 0 / 0 / 0
Password Hash Synchronization
• Involves syncing hashed passwords to Azure AD
• Relies on Azure AD Connect
• Passwords synced every 2 minutes
• Authentication is completely cloud based
Password Hash Sync Authentication
[Diagram: Azure AD ⟷ On Premises; identity delta sync every 30 minutes]
1. AADC requests MD4 password hashes from a DC via the MS-DRSR replication protocol (every 2 min)
2. The DC encrypts the password hash in an MD5 envelope and sends it to AADC
3. AADC decrypts the MD5 envelope and expands the MD4 hash to 64 bytes
4. AADC adds a 10-byte salt to the MD4 hash and converts it to a SHA256 hash (using the PBKDF2 function)
5. The SHA256 hash is sent to Azure AD over SSL
Password Hash Sync Authentication (sign-in)
[Diagram: Azure AD ⟷ On Premises; identity delta sync every 30 minutes]
1. User attempts to sign in to app
2. Session redirected to Azure AD for sign in
3. User provides credentials to Azure AD
4. Azure AD applies the MD4 + salt + PBKDF2 + SHA256 process and validates the resulting hash against the stored hash
5. Azure AD completes sign in
6. If successful, user is granted access to the app
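To make the hashing chain on the two slides above concrete, here is an added Python model of the AADC-side derivation and the Azure AD-side check. It is example code written for this page, not code from the presentation, from SADA, or from Microsoft. Two details are not on the slides and are this example's assumptions: the 64-byte expansion is done by hex-encoding the 16-byte MD4 hash and re-encoding the 32 hex characters as UTF-16LE, and PBKDF2-HMAC-SHA256 runs for 1000 iterations (both follow Microsoft's public description of PHS). The MD5 envelope on the DC-to-AADC replication leg is not modelled, the sample password and salt are constructed, and MD4 is implemented inline because hashlib's md4 is frequently unavailable on OpenSSL 3 builds.

```python
"""Added model of the Azure AD Connect password hash sync (PHS) hashing stage.

Example code for this page, not from the presentation or Microsoft. Models the
AADC-side steps: MD4 (NT) hash -> expand to 64 bytes -> 10-byte salt ->
PBKDF2-HMAC-SHA256, and the Azure AD-side validation of a sign-in attempt.
Assumptions not stated on the slides: expansion is hex then UTF-16LE, and
PBKDF2 runs 1000 iterations. The MD5 replication envelope is not modelled.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF
PBKDF2_ITERATIONS = 1000  # assumption: iteration count is not on the slide
SALT_LEN = 10             # from the slide: "adds a 10-byte salt"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)            # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2 function
    h = lambda x, y, z: x ^ y ^ z                     # round 3 function
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK32, s), b, c
        for i in range(16):
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, s), b, c
        for i in range(16):
            k, s = r3_order[i], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, s), b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The on-premises AD credential: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def expand_to_64_bytes(nt: bytes) -> bytes:
    """16-byte hash -> 32 lowercase hex chars -> UTF-16LE (64 bytes). Assumed detail."""
    return nt.hex().encode("utf-16-le")


def derive_cloud_hash(nt: bytes, salt: bytes) -> bytes:
    """What AADC computes and sends: PBKDF2-HMAC-SHA256(expanded MD4, per-user salt)."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"PHS uses a {SALT_LEN}-byte per-user salt")
    return hashlib.pbkdf2_hmac("sha256", expand_to_64_bytes(nt), salt, PBKDF2_ITERATIONS)


def sync_user(password: str, salt: Optional[bytes] = None) -> dict:
    """AADC side: produce the record Azure AD stores for one user (salt + hash)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return {"salt": salt, "hash": derive_cloud_hash(nt_hash(password), salt)}


def cloud_verify(record: dict, attempt: str) -> bool:
    """Azure AD side: repeat MD4 + expand + salt + PBKDF2 and compare in constant time."""
    candidate = derive_cloud_hash(nt_hash(attempt), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    pw = "P@ssw0rd!"  # constructed sample credential, not a real one
    record = sync_user(pw)
    print("NT hash (on-prem)   :", nt_hash(pw).hex())
    print("synced hash (cloud) :", record["hash"].hex())
    print("salt                :", record["salt"].hex())
    print("correct password    :", cloud_verify(record, pw))
    print("wrong password      :", cloud_verify(record, "password"))
```

The defender's takeaway is the difference between the two artifacts: the raw NT hash is unsalted MD4, which is why the considerations slide calls it easy to crack, whereas the value Azure AD stores is per-user salted and stretched, so every guess against a leaked cloud record costs a full PBKDF2 run per user, and the stored value is not the NT hash itself.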
Password Hash Sync Considerations
• Locked out local accounts are not properly reflected in AAD
• Disabled local accounts will not be disabled in AAD until an AADC sync cycle runs (can be manually triggered)
• MD4 hashes are notoriously easy to crack, and MD5 is not much harder
• The extra salted SHA-2 (PBKDF2) hashing makes the synced hash much harder to crack
  • This extra hashing technically makes the synced credential more secure than the local AD credential
• Allows for leaked credential reports from MS if AAD P1 licensing is in place
• Remember, Microsoft does not get your passwords. They only receive a triple hashed password.
• Required for use of Azure AD Domain Services
Pass-through Authentication (PTA)
• Relies on Azure AD Connect and PTA (AuthN) Agents
• Agents can be installed on multiple servers for high availability
  • First agent is on the Azure AD Connect server
  • Additional agents can be deployed via script or manually
• Networking: only requires outbound communication on 80, 443, and 8080 [for reporting status to AAD] (no inbound ports to open)
• Requires Server 2013 R2 or later
Pass-through Authentication
[Diagram: Azure AD ⟷ On Premises; identity delta sync every 30 minutes; two PTA agents shown]
1. User attempts to sign in to app
2. Session redirected to Azure AD for sign in
3. User provides credentials to Azure AD
4. Azure AD produces encrypted passwords (one for each registered PTA agent, using that agent's public key) and places them onto the Service Bus for the tenant
5. A PTA agent retrieves the validation request (persistent connection) and decrypts the password using its private key
6. The PTA agent attempts credential validation against a Domain Controller
Pass-through Authentication (continued)
[Diagram: Azure AD ⟷ On Premises; identity delta sync every 30 minutes; two PTA agents shown]
1. DC provides the result to the PTA agent (success/failure/expired)
2. PTA agent sends the result to Azure AD via a mutually authenticated HTTPS channel
3. Azure AD completes sign in
4. If successful, user is granted access to the app
Pass-through Authentication Considerations
• Locked and disabled local accounts are respected
• Supports alternate login IDs
• Fully supports Azure AD Conditional Access
  • Since sign-in requests are still processed through AAD (as opposed to redirected)
• Requires Modern Authentication*
• Supports AAD Smart Lockout (protection against brute force attacks)
• Does not support leaked credential reports
• Not available in GCC at this time
Pass-through Authentication Demo
Seamless Single Sign-On
• Provides single sign on capabilities to domain joined machines
• Compatible with Password Hash Sync or PTA
• Requirements:
  • OS: Windows 7+ or Mac OS X, domain joined (to local AD)
  • Browsers: IE 10+, Chrome, Safari*, Firefox*
    • Does not support Edge at this time
  • 1 URL needs to be added to the Intranet Zone (via group policy)
• Ability to register non-Windows 10 devices with Azure AD
Seamless SSO Authentication (browser based)
[Diagram: Azure AD ⟷ On Premises]
1. User attempts to sign in to app from a domain joined machine
2. Session redirected to Azure AD for sign in*
3. User provides username to Azure AD*
4. Azure AD challenges the browser to provide a Kerberos ticket
5. Browser requests a ticket from local AD for the AZUREADSSOACC computer account
6. AD returns the ticket to the browser, encrypted with the computer account's secret
7. Browser forwards the Kerberos ticket to Azure AD
8. Azure AD decrypts the ticket, identifies the user, and returns a token
9. If successful, user is granted access to the app
Seamless Single Sign-On Considerations
• Opportunistic: If Seamless SSO fails, sign-in experience falls back to regular behavior
• Sign-out supported: Allows users to sign in with other credentials if desired
• Requires Modern Authentication
• Creates a computer account in the local AD named AZUREADSSOACC
• Kerberos decryption key of this account, if compromised, could be used to generate Kerberos tickets for any user in the forest
• Recommendation is to manually roll over the key every 30 days (automated method coming soon)
• Only works when devices are on the local network
Seamless Single Sign-on Demo
Active Directory Federation Services (2019)
• Requires Azure AD Connect for identity sync
  • AADC can also help manage the ADFS farm
• Requires a minimum of 2 servers (1 Federation and 1 Proxy), recommended minimum of 4
• Allows for sign in with more alternative methods
  • samAccountName, Certificate, Smart-Card, Windows Hello for Business, 3rd party MFA, etc.
• Supports Extranet Lockout & Extranet Smart Lockout policies
• Supports banned IP lists
• Deep login screen customization
• Supports Windows Integrated Authentication
ADFS Considerations
• Limited support for Azure AD Conditional Access
  • However, additional support for custom conditional access via ADFS claim rules
• Large investment in on-premises (or cloud) infrastructure, including DMZ deployment
• Requires a valid third party certificate
• Supports Alternate Login ID
• Does not support Azure AD Identity Protection
  • Unless password hash sync is enabled as a backup*
Active Directory Federation Services Demo
Migrating from ADFS to PTA Demo
Back to the Scoreboard!
Columns: Password Sync + Seamless SSO / PTA + Seamless SSO / ADFS (2019)
Ease of Implementation: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Security: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Customizations: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Features: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Usability: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Maintenance & Reliability: ☆☆☆☆☆ / ☆☆☆☆☆ / ☆☆☆☆☆
Score: 0 / 0 / 0
Ease of Implementation
Password Sync + Seamless SSO: ★★★★☆
• Wizard based install and configuration
• GPO required for Seamless SSO
PTA + Seamless SSO: ★★★☆☆
• Wizard based initial install and configuration
• Agent deployment manual or script based
• GPO required for Seamless SSO
ADFS 2019: ★☆☆☆☆
• Minimum of 4 servers required
• Wizard based configuration of basic features
• Manual configuration for many items
Security
Password Sync + Seamless SSO: ★★★★★
• Triple hashed passwords synced to the cloud
PTA + Seamless SSO: ★★★★★
• Authentication remains on premises
ADFS 2019: ★★★★★
• Authentication remains on premises
Customizations
Password Sync + Seamless SSO: ★★★☆☆
• Limited login screen customization
• Intermediate rule customizations and transformations
PTA + Seamless SSO: ★★★☆☆
• Limited login screen customization
• Intermediate rule customizations and transformations
ADFS 2019: ★★★★★
• Detailed login screen customizations available with CSS
• Advanced rule customizations and transformations
Features
Password Sync + Seamless SSO: ★★★☆☆
• Supports all Azure AD features
• SSO support for most clients
• Lack of support for instant account lockouts and expirations
PTA + Seamless SSO: ★★★★☆
• Supports most Azure AD features
• SSO support for most clients
ADFS 2019: ★★★★☆
• Limited support for Azure AD features
• SSO support for more clients
• Support for alternate login methods
Usability
Password Sync + Seamless SSO: ★★★★★
• Simple end user experience, consistent with other Azure AD experiences
PTA + Seamless SSO: ★★★★★
• Simple end user experience, consistent with other Azure AD experiences
ADFS 2019: ★★★★★
• End user experience depends on customizations
Maintenance & Reliability
Password Sync + Seamless SSO: ★★★☆☆
• Can go down with minimal impact
• Seamless SSO requires manual Kerberos rollover
• No automated failover
PTA + Seamless SSO: ★★★☆☆
• At least 1 PTA agent must be available at all times
• Seamless SSO requires manual Kerberos rollover
• Agents can go on existing servers, avoiding additional maintenance
ADFS 2019: ★★☆☆☆
• At least 1 Federation and 1 Proxy server must be available at all times
• Requires certificate renewal
• More servers required for maintenance
Scoreboard Results
Columns: Password Sync + Seamless SSO / PTA + Seamless SSO / ADFS (2019)
Ease of Implementation: ★★★★☆ / ★★★☆☆ / ★☆☆☆☆
Security: ★★★★★ / ★★★★★ / ★★★★★
Customizations: ★★★☆☆ / ★★★☆☆ / ★★★★★
Features: ★★★☆☆ / ★★★★☆ / ★★★★☆
Usability: ★★★★★ / ★★★★★ / ★★★★★
Maintenance & Reliability: ★★★☆☆ / ★★★☆☆ / ★★☆☆☆
Score: 21 / 23 / 22
WINNER!
Pass-through Authentication!
Taking a closer look…
• Everyone’s environment is different, and the “winner” will be different for everyone
• The takeaway is that you should carefully consider your authentication method based on your organization’s priorities
• It’s not too late to change your method