530 likes | 833 Views
Mod 3: DirSync , Single Sign-On & ADFS. Version 2.0 for Office 365. Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology Stephen Hall | CEO & SMB Technologist | District Computers. Jump Start Schedule – Target Agenda. Module 3 : DirSync , Single Sign-On & ADFS.
E N D
Mod 3: DirSync, Single Sign-On & ADFS Version 2.0 for Office 365 Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology Stephen Hall | CEO & SMB Technologist | District Computers
Module 3: DirSync, Single Sign-On & ADFS For Midsize Businesses and Enterprises • Reviewing Identities • Understanding DirSync • DirSync Requirements • Understanding Single Sign-On & ADFS • Windows Azure & ADFS
What is identity management? • Identity management deals with identifying individuals in a system and controlling access to the resources in that system Integral components of identity and access management Authentication Authorization Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be. Determining which actions an authenticated entity is authorized to perform on the network
Core identity scenarios with Office 365 CloudIdentity Directory & Password Synchronization* Federated Identity Windows Azure Active Directory Windows Azure Active Directory Windows Azure Active Directory Dirsync & Password Sync* Federation Directory Sync On-Premises Identity On-Premises Identity • Single identity in the cloud Suitable for small organizations with no integration to on-premises directories Single identitysuitable for medium and large organizations without federation* Single federated identity and credentials suitable for medium and large organizations * Password Synchronization may not be available at GA, the target is to update the service by 1HCY2013
Cloud identity Rich experience with Office Apps Ease of deployment, management and support Lower cost as no additional servers are required On-Premises High availability and reliability as all Identities and Services are managed in the cloud Windows Azure Active Directory Cloud Identity Ex: alice@contoso.com User
Directory & Password Synchronization* Rich experience with Office Apps Directory synchronization between on-premises and online Identities are created and managed on-premises and synchronized to the cloud Single identity and credentials but no single Sign-On for on-premises and office 365 services Password synchronization enables single sign-on at lower cost than federation Reuse existing directory implementation on-premises Windows Azure Active Directory Directory Synchronization Password Synchronization AD Non-AD (LDAP) On-Premises Identity Ex: Domain\Alice Cloud Identity Ex: alice@contoso.com User * Password Synchronization may not be available at GA, the target is to update the service in 1H CY2013
Federated identity Single identity and sign-on for on-premises and office 365 services Identities mastered on-premises with single point of management Directory synchronization to synchronize directory objects into Office 365 Secure Token based authentication Client access control based on IP address with ADFS Strong factor authentication optionsfor additional security with ADFS Windows Azure Active Directory Directory Synchronization Federation AD Non-AD (LDAP) On-Premises Identity Ex: Domain\Alice User
Module 3: DirSync, Single Sign-On & ADFS For Midsize Businesses and Enterprises • Reviewing Identities • Understanding DirSync • DirSync Requirements • Understanding Single Sign-On & ADFS • Windows Azure & ADFS
What is DirSync? • An application that synchronizes on-premises Active Directory Objects with Office365 • Users, Contacts and Groups • Initially designed as a software based “appliance” • “Set it and forget it” • Multi Forest Support now available • Now called the Windows Azure Active Directory Sync Tool
DirSync | Enables Coexistence • Provisions objects in Office 365 with same email addresses as the objects in the on-premises environment • Provides a unified Global Address List experience between on-premises and Office 365 • Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365 • Enables coexistence for Exchange • Works in both simple and hybrid deployment scenarios • Enabler for mail routing between on-premises and Office 365 with a shared domain namespace • Enables coexistence for Microsoft Lync
DirSync | Enables Single Sign-On • Enables “run-State” administration and management of users, groups and contacts • Synchronizes adds/deletes/modifications of users, groups and contacts from on-premise to Office 365 • Enabler for Single Sign-On • Not intended as a single use bulk upload tool
Directory Synchronization Options DirSync Office 365 Connector PowerShell & Graph API • Suitable for Organizations using Active Directory (AD) • Provides best experience to most customers using AD Supports Exchange Co-existence scenarios Coupled with ADFS, provides best option for federation and synchronization Supports Password Synchronization with no additional cost • Does not require any additional software licenses Suitable for large organizations with certain AD and Non-AD scenarios • Complex multi-forest AD scenarios • Non-AD synchronization through Microsoft premier deployment support • Requires Forefront Identity Manager and additional software licenses Suitable for small/medium size organizations with AD or Non-AD Performance limitations apply with PowerShell and Graph API provisioning PowerShell requires scripting experience PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning)
Single Forest Dirsync • X64 FIM Appliance (set and forget) • X86 MIIS Appliance now unsupported • If you call into support with they will make you upgrade first before helping • Scoping of object sync within Forest now supported • AD GUID used as SourceAnchor (Link between AD and Office 365 Object) • Password Synchronization for DirSync coming 1H CY2013 • Password Sync Early On-Boarding program underway
DirSync Synchronization • Entire Active Directory Forest is scoped for synchronization by default • Ability to modify what gets synced has been added • What is synchronized? • All user objects • All group objects • Mail-enabled contact objects • Synchronization is from on-premises to Office 365 only (unless “write-back” is enabled • Synchronization occurs every 3 hours • Use “Start-OnlineCoexistenceSync” cmdlet to force a sync
DirSync Synchronization | User Objects • Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users) • Visible in the Office 365 GAL (unless explicitly hidden from GAL) • Logon enabled, but not automatically licensed to use services • Target address is synchronized for mail-enabled users • Regular NT users are synchronized as regular NT users • Not automatically provisioned as mail-enabled in Office 365 • Resource mailboxes are synchronized as resource mailboxes • Synchronized users are not automatically assigned a license
DirSync Synchronization • Group Objects • Mail-enabled groups are synchronized as mail-enabled • Group memberships are synchronized • Security groups are synchronized as security groups • Contacts Objects • Only mail-enabled contacts are synchronized • Target address is synchronized to Office 365
DirSync Synchronization • New user, group, and contact objects that are added to on-premises are added to Office 365 • Existing user, group, and contact objects that are deleted from on-premises are deleted from Office 365 • Existing user objects that are disabled on-premises are disabled in Office 365 • Existing user, group, or contact objects attributes (those that are synchronized) that are modified on-premises are modified in Office 365 • Objects are recoverable within 30 days of deletion
DirSync Synchronization • First synchronization cycle after installation is a full synchronization • Time-consuming process relative to number of objects synchronized • ~5000 objects per hour • Subsequent synchronization cycles are deltas only • Much faster • Not all on-premises attributes synchronized for each object type, but 100+ attributes are synchronized
DirSync Synchronization • Once implemented, on-premises AD becomes the “source of authority” for synchronized objects • Modifications to synchronized objects must occur in the on-premises AD • Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant • Scoping/Filtering • Customers can exclude objects from synchronizing to Office 365 • Scoping can be done at the following levels: • AD Domain-based • Organizational Unit-based • User Attribute based
DirSync Synchronization • On-premises objectGuid AD attribute assigned value for sourceAnchor attribute during initial object synchronization • Referred to as a “hard match” • DirSync knows which Office 365 objects it is the “source of authority” for by examining sourceAnchor attribute • DirSync can also match user objects created via the portal with on-premises objects if there is a match using the primary SMTP address • Referred to as a “soft match”
DirSync Synchronization • Synchronization errors are emailed to the Technical Contact for the subscription • Recommend using distribution group as Technical Contact email address • Example errors include: • Synchronization health status • Sent once a day if a synchronization cycle has not registered 24 hours after last successful synchronization • Objects whose attributes contain invalid characters • Objects with duplicate/conflicting email addresses • Sync quota limit exceeded • List of attributes that are synchronized • http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0
Module 3: DirSync, Single Sign-On & ADFS For Midsize Businesses and Enterprises • Reviewing Identities • Understanding DirSync • DirSync Requirements • Understanding Single Sign-On & ADFS • Windows Azure & ADFS
DirSync Prerequisite Remediation • Run the Microsoft Office 365 Deployment Rediness Tool – http://community.office365.com/en-us/forums/183/p/2285/8155.aspx • Analyze on-premise environment • Domains • User Identity and Account Provisioning • Exchange Online • Lync Online • SharePoint Online • Client • Network
DirSync Requirements • DirSync (Single Forest) must be joined to a domain with the same forest that will be synchronized • DirSync Server should never be installed on a domain controller • DirSync Server should be Windows Server 2008 (x64) or better • By default SQL Server 2008 R2 Express is installed • 10GB Database limit (approx. 50,000 objects) • Full SQL Option available • X64 Single\Multi Forest Appliance available (O365 connector also available for complex scenarios
DirSync | AD Requirements • Only routable domains can be used with DirSync deployment • Non-routable domains include .local OR .loc OR .internal. • If organization has AD w/ only internal namespace, must: • Add a routable UPN suffix in Active Directory Forests and Trusts. • Configure each user with that routable UserPrincipalName suffix • user@domain.local must be changed do user@domain.com • If this is not done, once DirSync runs, users will appear in Office365 as user@domain.onmicrosoft.com instead of user@domain.com
Hardware Recommendations • Recommend a system that exceeds the minimum OS requirements
DirSync | Network Requirements • Synchronization with Office 365 occurs over SSL • Internal network communication will use typical Active Directory related ports • DirSync server must be able to contact all DC’s in the Forest
DirSync | Permission Requirements • Account used to install DirSync must have • local machine administrator permissions • If using full SQL, rights within SQL to create the DirSync database, and to setup the SQL service account with the role of db_owner • Account used to configure DirSync must reside in the local machine MIISAdmins group • Account used to install DirSync is automatically added • Administrator permission in the Office 365 tenant • DirSync uses an administrator account in the tenant to provision and update/modify objects
DirSync | Permission Requirements • Enterprise Administrator permission in the on-premise Active Directory • Credential is not stored/saved by the configuration wizard • Used to create the “MSOL_AD_Sync” domain account in the “CN=Users” container of the root domain of the forest • Used to delegate the following permissions on each domain partition in the forest • Replicating Directory Changes • Replicating Directory Changes all • Replication Synchronization
Module 3: DirSync, Single Sign-On & ADFS For Midsize Businesses and Enterprises • Reviewing Identities • Understanding DirSync • DirSync Requirements • Understanding Single Sign-On & ADFS • Windows Azure & ADFS
Single Sign-On | Purpose • Enables users to access both the on-premises and cloud-based organizations with a single user name and password • Provides users with a familiar sign-on experience • Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools.
Single Sign-On | Benefits • Policy Control • Access Control • Reduced Support Calls • Security
Single Sign-On | Server Requirements • Windows Server 2008 or Windows Server 2008 R2 (2012 not currently supported) • ADFS 2.0 Setup installs: Web Server (IIS), .Net 3.5 SP1, Windows Identity Foundation • Publicly registered, routable domain name • SSL Certificate(s), *Wild Card Supported • Microsoft Online Services Module for Windows PowerShell • Microsoft Online Sign In Assistant • High Availability Design, Dual-Site, Load Balanced • Choice between Windows Internal Database(WID) and SQL • WID supports a maximum of 5 Federation Servers • SQL supports SAML Replay Detection, Artifact Store Wildcard SSL Certificates are supported with ADFS, However the ADFS GUI fails to add additional ADFS Servers to a Farm when the ADFS Farm name does not match the *domain.com in the wildcard cert. When adding further ADFS Servers to a Farm use FSConfig.exe from the command line to add additional servers.
Single Sign-On | Client Requirements • Browser • Internet Explorer 8.0 or later, Firefox 10.0, Chrome 17.0 or later, Safari 5.0 or later • Office Client • Microsoft Office 2010/2007 (Latest Service Pack) • Microsoft Office for Mac 2011 (Latest Service Pack) • Note: Support for Microsoft Office 2008 for Mac version 12.2.9 ended 4/9/2013 • Office 365 Desktop Setup (Suggested) • Microsoft Online Sign In Assistant
Single Sign-On | Client Endpoints • Active Federation (MEX) • Applies to rich clients supporting ADFS • Used by Lync and Office Subscription client • Clients will negotiate authentication directly with on-premises ADFS server • Basic Authentication (Active Profile) • Applies to clients authenticating with basic authentication • Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services • Clients send “basic authentication” credentials to Exchange Online via SSL. Exchange Online proxies the request to the on-premises ADFS server on behalf of the client • Passive Federation (Passive Profile) • Applies to web browsers and documents opened via SharePoint Online • Used by the Microsoft Online Portal, OWA, and SharePoint Portal • Web clients (browsers) will authenticate directly with on-premises ADFS server When working through the firewall considerations ensure that MSO Datacenter IP ranges have been granted access to port 443 to the ADFS Proxy Server located in the DMZ.
Client access control Limit access to Office 365 based on network connectivity (internet versus intranet) Block all external access to Office 365 based on the IP address of the external client Block all external access to Office 365 except Exchange Active Sync; all other clients such as Outlook are blocked. Block all external access to Office 365 except for passive browser based applications such as Outlook Web Access or SharePoint Online Use the Client Access Policy Builder! Test ADFS Client Access Rules extensively, ADFS will by default log all denied authorizations and the values it based the denial upon.
Deployment Considerations for UPN • User objects must have a value for UPN in on-premises Active Directory • UPN domain suffix must match a verified domain in Office 365 • Default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if UPN does not match a verified domain • Users must switch to using UPN to logon to Office 365 • Not domain\username • UPN must have valid characters • Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters If the customer does not have a valid and routable UPN suffix then one can be added via Active Directory Domains and Trusts. Right click the top of the tree, click properties and add the UPN Suffix.
Single Sign-On | Requirements • Office 365 Desktop Setup • Automatically detects necessary updates for a computer • Installs Microsoft Online Sign In Assistant • Installs operating system and client software updates required for connectivity with Office 365 • Automatically configures Internet Explorer and rich clients for use with Office 365 • Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on
Single Sign-On | Requirements • Microsoft Online Sign-In Assistant • Can be installed automatically by Office 365 Desktop Setup or manually • Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync) • Not required for web kiosk scenarios (e.g. OWA) • Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)
Single Sign-On | ADFS 2.x Components • AD FS 2.x Server • AD FS 2.x Proxy Server • Default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service • Recommend using at least two federation servers in a load-balanced configuration • Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm • Federation server proxies should be deployed in the DMZ
Single Sign-On | ADFS 2.x Deployment Options • Single server configuration • AD FS 2.x Server Farm and load-balancer • AD FS 2.x Proxy Server or UAG/TMG • (External Users, Active Sync, Down-level Clients with Outlook)
AD FS 2.0 Deployment Options Single server configuration AD FS 2.0 Server Farm and load-balancer AD FS 2.0 Proxy Server or UAG/TMG (External Users, Active Sync, Down-level Clients with Outlook) Active Directory AD FS 2.0 Server Proxy AD FS 2.0 Server AD FS 2.0 Server AD FS 2.0 Server Proxy Internal user External user Perimeter Enterprise
Deployment Architecture AD FS 2.0 Capacity Planning Sizing Spreadsheet http://www.microsoft.com/en-us/download/details.aspx?id=2278
Module 3: DirSync, Single Sign-On & ADFS For Midsize Businesses and Enterprises • Reviewing Identities • Understanding DirSync • DirSync Requirements • Understanding Single Sign-On & ADFS • Windows Azure & ADFS
Windows Azure & ADFS • Virtual Network Support – Site to Site VPN • Computing: 99.95% SLA Uptime for High Available System • 99.9% SLA Uptime for Single System • Storage: 99.9% • Full Control over your Virtual Machines • Pay as you Go, OPEX vs CAPEX
Why Windows Azure for ADFS? VPN Active Directory AD FS 2.0 Server AD FS 2.0 Server Active Directory IaaS Enterprise
Windows Azure: Terminology • Cloud Service: Role which several VM’s take upon themselves to execute. E.G. ADFS. Cloud services need to have two instances or more to quality for the SLA of 99,95%. 1 External Virtual IP Address per Cloud Service • Availability Group
Windows Azure: Terminology • EndPoints: You need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol to endpoints. Resources can connect to an endpoint by using a protocol of TCP or UDP. The TCP protocol includes HTTP and HTTPS communication. • Virtual Network enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.