Microsoft Azure AZ-800 — Section 7: Implement and manage hybrid identities Part 3

56. Understanding Directory Sync Designs

I’d like to now take a look at some of the different designs we have for the Azure AD Connect hybrid deployment scenarios. This first scenario is, again, the one Microsoft recommends: what they call the password hash synchronization model. If you look here, you’ll notice that on this side we’ve got our on-premises environment running AD DS, that’s Active Directory Domain Services, and we have Azure AD Connect, which is installed on a server and is going to handle the password hash synchronization.

So our Azure AD Connect is going to establish a connection with Azure AD, which is out in the cloud, right? That’s Microsoft’s cloud environment, their Azure instance, their directory service. And the great thing about Azure AD Connect is that it can speak the different languages of the on-premises environment and of the Azure cloud services.

On-premises, Active Directory speaks LDAP and Kerberos. Those are your protocols. Azure AD doesn’t use those protocols. It uses something called SAML, the Security Assertion Markup Language. It uses OpenID and OAuth (open authorization), and it uses REST APIs, representational state transfer, which essentially means HTTPS is the transport for the authentication traffic.

So they are essentially different languages, and Azure AD Connect can speak both of them.

So the great thing about that is Azure AD Connect can communicate with Azure AD, and Azure AD can then allow authentication to happen from your on-prem environment out to Azure AD, which in turn gives access to the cloud services, right? And your password hashes are going to be synchronized.

So the password hashes are synchronized into Azure AD, they’re going to match, and the users are good to go. They can sign in and all that.

Now the other beautiful thing about this, of course, is if you have users who are on the outside, maybe a user who’s working from home, or in a hotel, or on a plane or a train, whatever, this person can actually authenticate with Azure AD without the on-premises domain even being reachable.

So again, if something happened and this connection was down, with no connectivity between Azure AD and the on-premises domain, this guy right here is going to be happy because he can still authenticate, right? So everything’s good to go there, and that’s one of the big benefits of this model. The other thing being, of course, that Microsoft monitors the synchronized password hashes to make sure they haven’t turned up in leaked credential databases and things like that.

OK, so that’s a look at password hash synchronization. Let’s take a look now at the way pass-through authentication, PTA, works.

Now, pass-through authentication is another solution, again for supporting your hybrid deployment authentication.

There’s a little bit more setup to this, not much, but a little bit more setup involved to make this work.

OK? You’ll still notice your on-prem environment here.

So you’ve got your on-premises Active Directory environment, AD DS, and then from there you’ll have Azure AD Connect, right? And what you’ll end up having to do with Azure AD Connect, if you choose PTA, is install these little PTA agents.

OK? And it’s recommended that you install the pass-through authentication agent on two different servers.

Now the good news is you do not have to have dedicated servers for the pass-through authentication agent. These could be file servers or whatever, and they can be virtual machines, but you install the agent on a couple of machines and they will handle the authentication requests that are coming in from the outside world.

Now the other interesting thing about this is what your authentication agents are going to do: they poll Azure AD constantly.

So you’ll have a steady stream of connections happening from there, the agents going out to Azure AD. Nothing actually comes in from Azure AD, so you don’t have to open up any inbound ports or anything like that.

So we don’t have to put these machines in our DMZ, the demilitarized zone or perimeter network, or any of that, OK? They can be on the inside of our network. They just keep polling, and what they’re waiting on is for somebody on the outside to need to authenticate.

So it’s fine for somebody on the inside to authenticate with on-premises AD and then, of course, authenticate with Azure AD. But what if you’ve got somebody in the outside world wanting to log in? Well, remember, with PTA, Azure AD does not know your password hashes.

OK.

So if it doesn’t know your password hashes, how in the world is this guy right here, who’s on the outside, going to log on? Well, remember the polling.

So what’ll happen is this guy right here goes to authenticate. He communicates with Azure AD, and meanwhile this polling is happening over and over, the agents sending out their little requests, and then an agent notices that there is an authentication request waiting in the queue. So it dynamically pulls that request back down; again, you’re not having to open up any ports, it’s just the standard outbound HTTPS connection going out and the response coming back in. That authentication agent will pass the request over to a domain controller on-premises. The domain controller will authenticate you, the result is passed back, and a token is then passed on to the user.

So the user is now successfully authenticated and can access the other cloud services.

So that’s the benefit you get out of PTA. Again, the password hashes are not stored out there in the cloud; they stay on-premises.

So if you’re in a compliance situation where you can’t have the password hashes out there for people to get to, this is a great solution for you.

OK. All right, now let’s pop in and look at the final method here, which is the federated method. As for hybrid identity with federated authentication, this is the most complex of all the models, and originally, in the early days of Azure AD Connect, it was the only other model you could go with besides password hash synchronization.

So if you were in a situation where you had a compliance problem or something with password hashes, you kind of had to go with federated authentication.

So there are still a lot of companies out there using it because of that. But setting up federated authentication is a little bit more of a headache, and it’s also going to require a lot more servers to accomplish.

So first and foremost, we’ve got our on-premises Active Directory domain, just like the others, and Azure AD Connect is all there. Set that up, but if you want redundancy for your federated connection, they tell you that you need four servers. You’re going to need two AD FS servers on-premises. AD FS is Active Directory Federation Services, which you can install through Microsoft’s Server Manager tool on a Windows server: go to Manage, Add Roles and Features, and it’s one of the very first roles that shows up. You can install it on a server, and it doesn’t cost any money to set up the federation server.

OK, so you’re going to install that on two servers. Then you have to tell Azure AD Connect about them: you run Azure AD Connect and point it to the two federation servers. The other thing that’s got to happen is you don’t want these federation servers to be exposed, because of course attackers could get access to them.

So instead of making these available out to the internet, you’re going to set up federation proxies, and you’ll need two of those as well, OK? These are also going to be a couple of servers on which you set up the federation proxy, the Web Application Proxy, and you’ll be exposing basically port 443 out to the internet.

So you need to make sure your firewall is set up.

So this is a perimeter network, so this line right here would represent a firewall here, and there would be another firewall here.

OK, so you’d usually have two firewalls with this, this being the internal firewall right here and this being the external firewall right here.

OK.

So you would expose the HTTPS port coming in, and you would have rules on your firewall that allow the federation proxies to talk to the federation servers, but you would not allow anything coming in from outside to talk directly to these guys; that would not be allowed. Everything has to go to the federation proxy, and the proxy then talks to the federation server.
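The rule set just described, expressed as Windows Defender Firewall rules on the AD FS servers themselves so the federation servers only accept HTTPS from the two proxies even if a perimeter rule slips. This is an added example, not part of the course; the proxy addresses are placeholders and it assumes the host firewall’s default inbound action is Block (the Windows default).

```powershell
# Added example (not from the course): host-level version of the perimeter rule
# "only the federation proxies may reach the federation servers on 443".
# Run on each AD FS server. Assumes the default inbound action is Block, so the
# scoped Allow below is the only way in on TCP 443.
$FederationProxies = @('10.0.50.11', '10.0.50.12')   # placeholder WAP addresses

# Make sure nothing inbound is allowed unless a rule says so.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Allow TCP 443 only when the source is one of the federation proxies.
# Note: Windows evaluates Block rules before Allow rules, so do NOT add a
# general "block 443" rule; rely on the default Block and scope the Allow.
New-NetFirewallRule -DisplayName 'AD FS: HTTPS from federation proxies only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $FederationProxies -Action Allow -Profile Domain

# Review: list every other enabled inbound rule that opens TCP 443, since a
# broad pre-existing rule would undo the scoping above.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile
```

Any rule in that final listing other than the one just created should be disabled or narrowed, otherwise hosts that are not federation proxies can still reach the federation service directly.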

OK.

So what happens then is, you know, everything’s fine going out. Going out is not a problem.

So your on-prem users are going to do fine authenticating on-premises and then being able to access Azure AD and all that good stuff. Essentially, automatically, they’ll talk to Active Directory, they’ll talk to the federation server, and the federation server will automatically generate what is known as an access token for your on-premises users. The token will be passed over to the user, and the user can then authenticate with Azure AD. Remember that, just like with PTA, Azure AD does not have a copy of your password hash.

So that’s why this trust relationship between Azure AD and the federation server gets set up with the help of Azure AD Connect. At that point, Azure AD will trust any token that is created and digitally signed by your federation server, so users inside will get their token from the federation server. That happens in the background, it’s transparent to the user, and then they’re able to basically log on.

OK, now the issues, of course, arise for people on the outside, like this guy right here who’s not on our network at this time but would like to access the cloud services, so he’s got to authenticate with Azure AD, right? So what ends up happening is he tries to talk to Azure AD, and Azure AD does not know his password.

So Azure AD says, hey, you need to go back and talk to your federation server.

So Azure AD is going to point him to the federation proxy.

So the client computer is going to communicate with the federation proxy. The federation proxy is going to say, one moment please, and it’s actually going to go and talk to the federation server. The federation server will talk to Active Directory. Active Directory will verify the credentials the user put in and then report back to the federation server: yes, the person did put in the correct credentials, or no, they did not. Then, if the person did put in the correct credentials, the federation server generates an access token that’s digitally signed and passes it back to the federation proxy, and the federation proxy gets back in touch with the client and passes the token to it. At that point the client is authenticated by Azure AD: Azure AD generates an access token for the user, the user can access their cloud service, and the user is a happy camper, right? As you can see, there’s a lot going on here. Now, one of the big problems we run into here is what happens if, for some reason, there’s no connectivity with this on-premises world. This is why you have so much redundancy here. This is why they say you want two of the federation servers and two of the federation proxies.

So if one of these goes down, you’re still good. If one of those goes down, you’re still good.

OK? That’s the idea, right? If, for some reason, this user tried to connect in and something happened and he was not able to get through to talk to the federation server, well, then the guy is going to be unhappy. He’s not going to be able to log on, he’s not going to be able to authenticate, right? And so that’s one of the issues you run into. And finally, I would have to say the number one benefit of this one is, of course, that you can use third-party authentication systems with federation services.

So if the company is using third-party MFA or smart cards or any of that stuff, then good news, federation services will use it. To me, that’s really about the only good reason for using federated authentication these days: if you’ve got third-party MFA or some kind of third-party authentication system. Other than that, password hash synchronization and PTA are usually going to be the go-to solutions for Azure AD hybrid identity authentication.

57. Cleaning up AD DS using IdFix before installing Azure AD Connect

Now, if we are going to move in the direction of getting Azure AD Connect installed to start synchronizing our on-premises environment out to the cloud, something we need to be thinking about is making sure that Active Directory is cleaned up of any issues. One of the issues you’ll run into, of course, is that on-premises Active Directory, AD DS, allows certain things that Azure AD is not going to allow, essentially invalid characters. For example, on-premises Active Directory will allow you to have a space in a user’s username, the account name, whereas Azure AD does not. In fact, if you try to synchronize without cleaning up things like that, it just won’t synchronize any account that has spaces in it.

Or any other kinds of invalid characters, characters that aren’t supported by web standards, I should say.

So the first thing I’m going to do is start here on my domain controller, NYC-DC1. I’m going to go into Server Manager, go to Tools, and pull up Active Directory Users and Computers. All right, so once Active Directory Users and Computers comes up, let’s create a user that’s going to be a problem for us.

OK, so I’m going to right-click, click New, and click User, all right? And I’m going to create a user who is going to be an issue. We’re going to call this user Sam Jones. All right, and here’s where we’re going to introduce the problem: we’re going to put a space in his username, “Sam Jones”. Notice I put a space there. Now, the crazy thing is, on-premises Active Directory will allow that, but again, Azure AD will not.

So click Next, give the user a password, and then go ahead and click Next and Finish.

OK, so now we’ve got this user Sam Jones. If we click on Sam Jones and look at his account name, he’s got a space right there, and we’re going to leave that space in there.

So Microsoft has a tool called IdFix. You can download this tool and run it against the domain, and from there you will be able to clean up any Active Directory issues.

In order to do this, though, we’re going to install the IdFix tool on a Windows 10 computer as opposed to the server. The server is going to try to stop you from installing applications like this on it by default, because the IdFix tool is what’s known as a Universal Windows Platform app, and the server is going to try to stop you from doing that. You’d have to jump through a bunch of hoops to get it to work on the server.

So we’re just going to do it on the Windows 10 computer.

So we’re going to jump over to my Windows 10 computer here, which is NYC-CL1. I’m going to open up a web browser, and probably the easiest thing to do is just go to Google or Bing or whatever and search these keywords: download IdFix. They’re hosting IdFix on GitHub.

So just look for GitHub here, click that first link for GitHub, and from there we’re going to be able to download it.

So just scroll down to the bottom here and you’ll see an option that says ClickOnce launch.

So we’re going to do that right there. We click the launch link here, and it’s going to download the setup file. At that point, we’re going to run that setup file, and it’s going to pop up a message here about running it.

So it’s kind of taking its time popping up here, and then there it goes.

So it’s actually pulling the application now, and we’re going to go ahead and say Install. It’s installing, and you see it’s not very big, so it shouldn’t take too long here. All right, and it looks like it’s now preparing the application. OK, so now you get this little message here, just kind of warning you, privacy statement, all that good stuff, and we’re just going to click OK to that, and now we are in the IdFix tool.

So our next step is going to be to query. As long as our Windows 10 computer here is authenticated with our domain, we should be able to click Query and it should locate any problem users. All right.

So we’re now clicking Query, and as you can see, it located Sam Jones.

Now, of course, if you were doing this in a real environment, a real domain that’s been around for a long time, maybe even 20 years, you might run across a lot more issues here. But as you can see, it’s telling me that there is an error. It shows a character problem here, the value is the space, and it’s saying that if you let the tool update this problem, it will change it to this right here.

So it’ll go from Sam, space, Jones to just SamJones, right? OK, so we drop this little action down, and we want to go ahead and click Edit, not Remove, which would delete it, or Complete, which says you’re done. Edit means go ahead and perform this action, right? So I’m going to apply this, and it’s going to apply it.

OK? And then I’m going to go ahead and accept the changes, which means it’s official now. And now let’s run a query to see if it’s clean.

OK, I just ran a query, and you notice it did not show up again, so that means it should be good.

So if it is good, I should now be able to jump back over to my domain controller and go back in here. Now, this is the display name of the user, not the username.

So the display name is not the problem, it’s the username that’s the problem.

So let’s double-click on Sam Jones, go to the Account tab, and lookie there, there’s no space.

So it did successfully clean this up, and that is how you can run IdFix to make sure that your domain is all cleaned up before you start running Azure AD Connect.
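A read-only pre-check you can run from a domain-joined machine before reaching for IdFix, to find the class of problem the lesson demonstrates (a space or other disallowed character in an account name) and show the same kind of fix IdFix proposes. This is an added example, not part of the course or of the IdFix tool; it assumes the RSAT ActiveDirectory module is installed, and the allowed-character sets are my reading of the Azure AD naming rules, so treat them as an assumption.

```powershell
# Added example (not from the course or from IdFix): report on-prem users whose
# sAMAccountName or userPrincipalName would not synchronize cleanly to Azure AD.
# Nothing is changed; the output is a review list with a suggested value.
Import-Module ActiveDirectory

# Assumption: the username part of a UPN may contain only letters, digits and
# the characters ' . - _ ! # ^ ~  (a space is never allowed).
$UpnAllowedChars   = "A-Za-z0-9'.\-_!#^~"
$UpnPrefixPattern  = "^[$UpnAllowedChars]+$"
# Assumption: characters that are not permitted anywhere in a sAMAccountName,
# including whitespace, which is the case shown in the lesson.
$SamInvalidPattern = '[\s"\\/\[\]:;|=,+*?<>]'

function Test-AzureAdSyncNames {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties sAMAccountName, userPrincipalName |
    ForEach-Object {
        $user = $_

        # "Sam Jones" -> "SamJones", the same change IdFix offered in the lesson.
        if ($user.sAMAccountName -match $SamInvalidPattern) {
            [pscustomobject]@{
                DistinguishedName = $user.DistinguishedName
                Attribute         = 'sAMAccountName'
                Value             = $user.sAMAccountName
                Suggested         = ($user.sAMAccountName -replace $SamInvalidPattern, '')
            }
        }

        # Check only the part before '@'; the suffix must be a verified domain,
        # which is a separate concern from character validity.
        if ($user.userPrincipalName) {
            $parts = $user.userPrincipalName -split '@', 2
            if ($parts[0] -notmatch $UpnPrefixPattern) {
                [pscustomobject]@{
                    DistinguishedName = $user.DistinguishedName
                    Attribute         = 'userPrincipalName'
                    Value             = $user.userPrincipalName
                    Suggested         = ($parts[0] -replace "[^$UpnAllowedChars]", '') + '@' + $parts[1]
                }
            }
        }
    }
}

# Report only. Apply fixes deliberately, e.g. with Set-ADUser -SamAccountName,
# after confirming the suggested value is not already taken.
Test-AzureAdSyncNames | Format-Table -AutoSize
```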