Mod 3: DirSync, Single Sign-On & ADFS. Version 2.0 for Office 365. Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology. Stephen Hall | CEO & SMB Technologist | District Computers.
Module 3: DirSync, Single Sign-On & ADFS For Midsize Businesses and Enterprises • Reviewing Identities • Understanding DirSync • DirSync Requirements • Understanding Single Sign-On & ADFS • Windows Azure & ADFS
What is identity management? • Identity management deals with identifying individuals in a system and controlling access to the resources in that system • Integral components of identity and access management: • Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be • Authorization: determining which actions an authenticated entity is permitted to perform on the network
Core identity scenarios with Office 365 • Cloud Identity: the identity exists only in Windows Azure Active Directory; a single identity in the cloud, suitable for small organizations with no integration to on-premises directories • Directory & Password Synchronization*: on-premises identity synchronized to Windows Azure Active Directory with DirSync and Password Sync*; a single identity, suitable for medium and large organizations that do not need federation • Federated Identity: on-premises identity synchronized with Directory Sync and authenticated through federation; a single federated identity and set of credentials, suitable for medium and large organizations * Password Synchronization may not be available at GA; the target is to update the service by 1H CY2013
Cloud identity • Rich experience with Office Apps • Ease of deployment, management and support • Lower cost, as no additional on-premises servers are required • High availability and reliability, as all identities and services are managed in the cloud • The identity lives only in Windows Azure Active Directory (cloud identity, e.g. alice@contoso.com)
Directory & Password Synchronization* • Rich experience with Office Apps • Directory synchronization between on-premises and online • Identities are created and managed on-premises and synchronized to the cloud • Single identity and credentials, but no true single sign-on between on-premises and Office 365 services: users are still prompted for their credentials by Office 365 • Password synchronization gives users the same password in both places (a "same sign-on" experience) at lower cost than federation • Reuse the existing directory implementation on-premises (AD, or non-AD LDAP) • The on-premises identity (e.g. Domain\Alice) maps to a cloud identity (e.g. alice@contoso.com) in Windows Azure Active Directory * Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013
Federated identity • Single identity and sign-on for on-premises and Office 365 services • Identities mastered on-premises with a single point of management • Directory synchronization to synchronize directory objects into Office 365 • Secure, token-based authentication: Office 365 trusts a signed token issued by the on-premises federation service instead of holding the user's password • Client access control based on IP address with ADFS • Strong-factor authentication options for additional security with ADFS • The on-premises identity (e.g. Domain\Alice, from AD or non-AD LDAP) is synchronized to Windows Azure Active Directory and authenticated via federation
What is DirSync? • An application that synchronizes on-premises Active Directory objects with Office 365 • Users, contacts and groups • Initially designed as a software-based "appliance" • "Set it and forget it" • Multi-forest support now available • Now called the Windows Azure Active Directory Sync Tool
DirSync | Enables Coexistence • Provisions objects in Office 365 with same email addresses as the objects in the on-premises environment • Provides a unified Global Address List experience between on-premises and Office 365 • Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365 • Enables coexistence for Exchange • Works in both simple and hybrid deployment scenarios • Enabler for mail routing between on-premises and Office 365 with a shared domain namespace • Enables coexistence for Microsoft Lync
DirSync | Enables Single Sign-On • Enables "run-state" administration and management of users, groups and contacts • Synchronizes adds/deletes/modifications of users, groups and contacts from on-premises to Office 365 • Enabler for single sign-on (the cloud object must exist, with a sourceAnchor, before a federated user can sign in) • Not intended as a single-use bulk upload tool
Directory Synchronization Options • DirSync: suitable for organizations using Active Directory (AD); provides the best experience to most customers using AD; supports Exchange coexistence scenarios; coupled with ADFS, provides the best option for federation and synchronization; supports Password Synchronization at no additional cost; does not require any additional software licenses • Office 365 Connector: suitable for large organizations with certain AD and non-AD scenarios, such as complex multi-forest AD and non-AD synchronization through Microsoft Premier deployment support; requires Forefront Identity Manager and additional software licenses • PowerShell & Graph API: suitable for small/medium-size organizations with AD or non-AD directories; performance limitations apply to PowerShell and Graph API provisioning; PowerShell requires scripting experience; the PowerShell option fits where the customer/partner already has wrappers around PowerShell scripts (e.g. self-service provisioning)
Single Forest DirSync • x64 FIM-based appliance (set and forget) • x86 MIIS-based appliance now unsupported; if you call support with it they will require you to upgrade before helping • Scoping of object sync within the forest now supported • AD objectGUID used as sourceAnchor (the link between the AD object and the Office 365 object) • Password Synchronization for DirSync coming 1H CY2013 • Password Sync early on-boarding program underway
DirSync Synchronization • The entire Active Directory forest is scoped for synchronization by default • Ability to modify what gets synced has been added • What is synchronized? • All user objects • All group objects • Mail-enabled contact objects • Synchronization is from on-premises to Office 365 only (unless "write-back" is enabled for the hybrid Exchange attributes) • Synchronization occurs every 3 hours • Use the "Start-OnlineCoexistenceSync" cmdlet from the DirSync PowerShell console to force a sync
DirSync Synchronization | User Objects • Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users) • Visible in the Office 365 GAL (unless explicitly hidden from GAL) • Logon enabled, but not automatically licensed to use services • Target address is synchronized for mail-enabled users • Regular NT users are synchronized as regular NT users • Not automatically provisioned as mail-enabled in Office 365 • Resource mailboxes are synchronized as resource mailboxes • Synchronized users are not automatically assigned a license
DirSync Synchronization • Group Objects • Mail-enabled groups are synchronized as mail-enabled • Group memberships are synchronized • Security groups are synchronized as security groups • Contacts Objects • Only mail-enabled contacts are synchronized • Target address is synchronized to Office 365
DirSync Synchronization • New user, group, and contact objects that are added to on-premises are added to Office 365 • Existing user, group, and contact objects that are deleted from on-premises are deleted from Office 365 • Existing user objects that are disabled on-premises are disabled in Office 365 • Existing user, group, or contact objects attributes (those that are synchronized) that are modified on-premises are modified in Office 365 • Objects are recoverable within 30 days of deletion
DirSync Synchronization • First synchronization cycle after installation is a full synchronization • Time-consuming process relative to number of objects synchronized • ~5000 objects per hour • Subsequent synchronization cycles are deltas only • Much faster • Not all on-premises attributes synchronized for each object type, but 100+ attributes are synchronized
DirSync Synchronization • Once implemented, on-premises AD becomes the “source of authority” for synchronized objects • Modifications to synchronized objects must occur in the on-premises AD • Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant • Scoping/Filtering • Customers can exclude objects from synchronizing to Office 365 • Scoping can be done at the following levels: • AD Domain-based • Organizational Unit-based • User Attribute based
DirSync Synchronization • The value of the on-premises objectGUID attribute is written to the sourceAnchor attribute (exposed in Office 365 as ImmutableId) during the object's initial synchronization • Referred to as a "hard match" • DirSync knows which Office 365 objects it is the "source of authority" for by examining the sourceAnchor attribute • DirSync can also match user objects created via the portal with on-premises objects if the primary SMTP address matches • Referred to as a "soft match"
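The hard match and soft match above can be checked before the first synchronization cycle runs. The following is an added example, not code from the deck or from the DirSync tool: it derives the sourceAnchor DirSync will write for an on-premises user (Office 365 stores the objectGUID as a Base64 string in ImmutableId) and compares it with the cloud object. It assumes the ActiveDirectory and MSOnline modules are installed and that Connect-MsolService has already been run; the account name "alice" is an assumption.

```powershell
# Added example (not part of the original deck or the DirSync product).
Import-Module ActiveDirectory
Import-Module MSOnline   # Connect-MsolService must already have been run (assumed)

function ConvertTo-ImmutableId {
    # DirSync writes the objectGUID as sourceAnchor; Office 365 exposes it as
    # ImmutableId, the Base64 encoding of the GUID's 16 raw bytes.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction, for reading an ImmutableId off a cloud object.
    param([Parameter(Mandatory)][string]$ImmutableId)
    New-Object -TypeName System.Guid -ArgumentList (,[System.Convert]::FromBase64String($ImmutableId))
}

function Get-PrimarySmtp {
    # Primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix.
    param([string[]]$ProxyAddresses, [string]$Fallback)
    $primary = ($ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1) -replace '^SMTP:', ''
    if ($primary) { $primary } else { $Fallback }
}

function Test-DirSyncMatch {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ad = Get-ADUser -Identity $SamAccountName -Properties objectGUID, mail, proxyAddresses
    $expected = ConvertTo-ImmutableId -ObjectGuid $ad.ObjectGUID
    $onPremSmtp = Get-PrimarySmtp -ProxyAddresses $ad.proxyAddresses -Fallback $ad.mail

    $cloud = Get-MsolUser -UserPrincipalName $ad.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) {
        return [pscustomobject]@{ User = $SamAccountName; Result = 'NotInCloud'
            Detail = "no cloud user with UPN $($ad.UserPrincipalName); the first sync creates it, or soft-matches a portal-created user on $onPremSmtp" }
    }
    if ($cloud.ImmutableId -eq $expected) {
        return [pscustomobject]@{ User = $SamAccountName; Result = 'HardMatch'
            Detail = "ImmutableId $expected equals Base64(objectGUID)" }
    }
    if ([string]::IsNullOrEmpty($cloud.ImmutableId)) {
        # Portal-created object: DirSync will soft-match only if the primary SMTP addresses agree.
        $cloudSmtp = Get-PrimarySmtp -ProxyAddresses $cloud.ProxyAddresses -Fallback ''
        $result = if ($cloudSmtp -and ($cloudSmtp -ieq $onPremSmtp)) { 'SoftMatchPossible' } else { 'NoMatch' }
        return [pscustomobject]@{ User = $SamAccountName; Result = $result
            Detail = "cloud object has no ImmutableId; primary SMTP on-premises=$onPremSmtp cloud=$cloudSmtp" }
    }
    # Cloud object already anchored to a different on-premises object (e.g. a re-created AD account).
    [pscustomobject]@{ User = $SamAccountName; Result = 'Conflict'
        Detail = "cloud ImmutableId decodes to $(ConvertFrom-ImmutableId $cloud.ImmutableId), not $($ad.ObjectGUID); sync would error or create a duplicate" }
}

Test-DirSyncMatch -SamAccountName 'alice' | Format-List
```

The "Conflict" case is the one to resolve before enabling DirSync: a user account that was deleted and re-created on-premises gets a new objectGUID, so its old cloud object will never hard-match again, and a mismatched primary SMTP address prevents the soft match as well.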
DirSync Synchronization • Synchronization errors are emailed to the Technical Contact for the subscription • Recommend using distribution group as Technical Contact email address • Example errors include: • Synchronization health status • Sent once a day if a synchronization cycle has not registered 24 hours after last successful synchronization • Objects whose attributes contain invalid characters • Objects with duplicate/conflicting email addresses • Sync quota limit exceeded • List of attributes that are synchronized • http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0
DirSync Prerequisite Remediation • Run the Microsoft Office 365 Deployment Readiness Tool – http://community.office365.com/en-us/forums/183/p/2285/8155.aspx • Analyze the on-premises environment: • Domains • User identity and account provisioning • Exchange Online • Lync Online • SharePoint Online • Client • Network
DirSync Requirements • The DirSync (single forest) server must be joined to a domain in the same forest that will be synchronized • The DirSync server should never be installed on a domain controller • The DirSync server should be Windows Server 2008 (x64) or later • By default SQL Server 2008 R2 Express is installed • 10 GB database limit (approx. 50,000 objects) • Full SQL option available • x64 single/multi-forest appliance available (the Office 365 Connector is also available for complex scenarios)
DirSync | AD Requirements • Only routable domains can be used with a DirSync deployment • Non-routable suffixes include .local, .loc and .internal • If the organization's AD has only an internal namespace, it must: • Add a routable UPN suffix in Active Directory Domains and Trusts • Configure each user with that routable userPrincipalName suffix • user@domain.local must be changed to user@domain.com • If this is not done, once DirSync runs, users will appear in Office 365 as user@domain.onmicrosoft.com instead of user@domain.com
Hardware Recommendations • Recommend a system that exceeds the minimum OS requirements
DirSync | Network Requirements • Synchronization with Office 365 occurs over HTTPS (SSL/TLS on TCP 443) • Internal network communication uses the typical Active Directory related ports • The DirSync server must be able to contact all DCs in the forest
DirSync | Permission Requirements • The account used to install DirSync must have • local machine administrator permissions • if using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the db_owner role • The account used to configure DirSync must reside in the local machine MIISAdmins group • The account used to install DirSync is automatically added • Administrator permission in the Office 365 tenant • DirSync uses an administrator account in the tenant to provision and update/modify objects; its password should be set not to expire (Set-MsolUser -PasswordNeverExpires $true), or synchronization silently stops when the tenant password policy expires it
DirSync | Permission Requirements • Enterprise Administrator permission in the on-premises Active Directory • The credential is not stored/saved by the configuration wizard • Used to create the "MSOL_AD_Sync" domain account in the "CN=Users" container of the root domain of the forest • Used to delegate the following permissions on each domain partition in the forest • Replicating Directory Changes • Replicating Directory Changes All • Replication Synchronization • Note: "Replicating Directory Changes All" lets the holder replicate every attribute in the partition, including password hashes, so the MSOL_AD_Sync account and the DirSync server must be protected like a domain controller
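Because the three replication rights above are what the DirSync wizard delegates, it is worth knowing exactly who holds them on each domain partition. The following is an added example (not from the deck or the DirSync product) that enumerates the ACEs on the domain naming context carrying those extended rights and flags any principal that is neither an Active Directory default nor an MSOL_ sync account. It assumes the ActiveDirectory module is available and is run as a user that can read the domain object's security descriptor.

```powershell
# Added example (not part of the original deck). Audits the replication
# extended rights on the domain partition that DirSync delegates to MSOL_AD_Sync.
Import-Module ActiveDirectory

# Extended-right (control access right) GUIDs defined in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}

# Principals that hold these rights on a default domain partition; anything else is reviewed.
$DefaultHolders = 'Administrators', 'ENTERPRISE DOMAIN CONTROLLERS', 'Domain Controllers',
                  'Enterprise Read-only Domain Controllers', 'SYSTEM'

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DomainDN)
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString().ToLower()
        $isExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-UnexpectedReplicationRights {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    Get-ReplicationRightHolders -DomainDN $DomainDN | Select-Object *, @{
        Name = 'Status'
        Expression = {
            $name = ($_.Principal -split '\\')[-1]          # strip the DOMAIN\ or BUILTIN\ prefix
            if ($DefaultHolders -contains $name)   { 'default' }
            elseif ($name -like 'MSOL_*')          { 'DirSync account: confirm it is the current one' }
            else                                   { 'UNEXPECTED: investigate' }
        }
    }
}

# Run it for every domain in the forest, since the wizard delegates on each domain partition.
foreach ($domain in (Get-ADForest).Domains) {
    $dn = (Get-ADDomain -Identity $domain).DistinguishedName
    Find-UnexpectedReplicationRights -DomainDN $dn | Sort-Object Status, Principal |
        Format-Table -AutoSize -Property @{n='Domain';e={$domain}}, Principal, Right, Status
}
```

Schedule this alongside the DirSync health checks: a new principal appearing with "Replicating Directory Changes All" is equivalent to a new account that can dump every password hash in the domain, whether or not it has anything to do with Office 365.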
Single Sign-On | Purpose • Enables users to access both the on-premises and cloud-based organizations with a single user name and password • Provides users with a familiar sign-on experience • Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools.
Single Sign-On | Benefits • Policy Control • Access Control • Reduced Support Calls • Security
Single Sign-On | Server Requirements • Windows Server 2008 or Windows Server 2008 R2 (Windows Server 2012 not supported by AD FS 2.0 at the time of this deck) • ADFS 2.0 setup installs: Web Server (IIS), .NET 3.5 SP1, Windows Identity Foundation • Publicly registered, routable domain name • SSL certificate(s); wildcard certificates are supported • Microsoft Online Services Module for Windows PowerShell • Microsoft Online Sign In Assistant • High-availability design: dual-site, load balanced • Choice between Windows Internal Database (WID) and SQL Server • WID supports a maximum of 5 federation servers • SQL Server supports SAML replay detection and the artifact store • Note: wildcard SSL certificates are supported with ADFS; however, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com in the wildcard certificate. When adding further ADFS servers to such a farm, use FSConfig.exe from the command line.
Single Sign-On | Client Requirements • Browser • Internet Explorer 8.0 or later, Firefox 10.0, Chrome 17.0 or later, Safari 5.0 or later • Office Client • Microsoft Office 2010/2007 (Latest Service Pack) • Microsoft Office for Mac 2011 (Latest Service Pack) • Note: Support for Microsoft Office 2008 for Mac version 12.2.9 ended 4/9/2013 • Office 365 Desktop Setup (Suggested) • Microsoft Online Sign In Assistant
Single Sign-On | Client Endpoints • Active Federation (MEX) • Applies to rich clients supporting ADFS • Used by Lync and the Office subscription client • Clients negotiate authentication directly with the on-premises ADFS server • Basic Authentication (Active Profile) • Applies to clients authenticating with basic authentication • Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services • Clients send "basic authentication" credentials to Exchange Online over SSL/TLS; Exchange Online then authenticates against the on-premises ADFS server on the client's behalf, so for these clients the user's password does transit the service • Passive Federation (Passive Profile) • Applies to web browsers and documents opened via SharePoint Online • Used by the Microsoft Online Portal, OWA, and the SharePoint portal • Web clients (browsers) authenticate directly with the on-premises ADFS server • Firewall consideration: because of the active profile, the Microsoft Online datacenter IP ranges must be granted access to port 443 on the ADFS proxy server located in the DMZ; this also means the active endpoints are reachable from the internet and must be covered by client access policy and account lockout planning.
Client access control • Limit access to Office 365 based on network connectivity (internet versus intranet) • Block all external access to Office 365 based on the IP address of the external client • Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked • Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online • Use the Client Access Policy Builder! • Test ADFS client access rules extensively; ADFS by default logs all denied authorizations and the values it based the denial upon.
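The policies listed above are implemented as issuance authorization rules on the Office 365 relying party trust, using the request-context claims (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path) that AD FS 2.0 gained with Update Rollup 2. The block below is an added example, not the Client Access Policy Builder's output or code from the deck: it combines the third and fourth bullets (block external access except ActiveSync and passive browser sign-in) and exempts requests whose forwarded client IP is a corporate egress address. The corporate IP regex, which uses RFC 5737 documentation addresses, is an assumption to be replaced with the organization's real egress ranges.

```powershell
# Added example (not part of the original deck or the Client Access Policy Builder).
# Requires AD FS 2.0 Update Rollup 2 or later for the x-ms-* request-context claims,
# and relies on the AD FS proxy being the only path by which external requests reach the farm.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName    = 'Microsoft Office 365 Identity Platform'     # relying party trust created by Convert-MsolDomainToFederated
$ctx       = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$corpEgress = '^(203\.0\.113\.[0-9]+|198\.51\.100\.7)$'  # ASSUMED corporate public IPs; replace with real ranges

# Deny when: the request came through the proxy (external), the forwarded client IP is not a
# corporate address, the client is not Exchange ActiveSync, and the endpoint is not the passive
# browser endpoint (/adfs/ls/). A deny claim always wins over a permit claim in AD FS.
$rules = @"
@RuleName = "Block external access except ActiveSync and passive browser clients"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpEgress"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Keep the current rule set so the change can be rolled back with a single Set-ADFSRelyingPartyTrust.
$backup = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$backup | Out-File -FilePath "$env:TEMP\o365-issuance-auth-rules.backup.txt" -Encoding UTF8

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Show what is now in force.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Before applying this on a production farm, sign in from outside with each client type the rule distinguishes (browser via OWA, ActiveSync, Outlook, Lync) and confirm that only the intended denials appear in the AD FS 2.0/Admin event log. Note that x-ms-forwarded-client-ip is supplied by Exchange Online for the active profile, so the IP exemption does not apply to a browser coming through the proxy; that path is admitted by the /adfs/ls/ condition instead.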
Deployment Considerations for UPN • User objects must have a value for UPN in on-premises Active Directory • The UPN domain suffix must match a verified domain in Office 365 • The default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN does not match a verified domain • Users must switch to using the UPN to log on to Office 365 • Not domain\username • The UPN must contain only valid characters • The Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters • If the customer does not have a valid and routable UPN suffix, one can be added via Active Directory Domains and Trusts: right-click the "Active Directory Domains and Trusts" node at the top of the tree, click Properties, and add the UPN suffix on the UPN Suffixes tab; each user then needs to be switched to that suffix.
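The UPN remediation described here and in the DirSync AD requirements (registering a routable suffix, then moving users off user@domain.local) is the single most common pre-DirSync fix. The following is an added example (not code from the deck): it registers the routable suffix at the forest level, the same change the Domains and Trusts dialog makes, finds enabled users in the sync scope whose UPN suffix is not a domain verified in Office 365, and rewrites them to the routable suffix, running in -WhatIf mode until the change list has been reviewed. It assumes the ActiveDirectory module; contoso.com, fabrikam.com and the OU are assumptions, and the verified-domain list would normally come from Get-MsolDomain.

```powershell
# Added example (not part of the original deck). Finds and fixes non-routable UPNs before DirSync runs.
Import-Module ActiveDirectory

$RoutableSuffix  = 'contoso.com'                       # ASSUMED: the suffix users should sign in with
$VerifiedDomains = @('contoso.com', 'fabrikam.com')    # ASSUMED: domains verified in the Office 365 tenant
$SearchBase      = 'OU=Corp,DC=contoso,DC=local'       # ASSUMED: the OU scope DirSync will synchronize
$Apply           = $false                              # flip to $true after reviewing the proposed changes

function Test-RoutableUpn {
    # True only if the UPN has a suffix and that suffix is verified in the tenant.
    param([string]$UserPrincipalName, [string[]]$Verified)
    if ([string]::IsNullOrEmpty($UserPrincipalName) -or $UserPrincipalName -notmatch '@') { return $false }
    $suffix = $UserPrincipalName.Split('@')[-1].ToLower()
    return ($Verified -contains $suffix)
}

function Get-ProposedUpn {
    # Keep the existing prefix (or fall back to sAMAccountName); null if the prefix is unusable.
    param($User, [string]$Suffix)
    $prefix = if ($User.UserPrincipalName) { $User.UserPrincipalName.Split('@')[0] } else { $User.SamAccountName }
    # Conservative character set, stricter than what Office 365 itself accepts; anything else is fixed by hand.
    if ($prefix -match '[^A-Za-z0-9._\-]') { return $null }
    return "$prefix@$Suffix"
}

# 1. Make sure the routable suffix is registered in the forest (Active Directory Domains and Trusts does the same).
$forest = Get-ADForest
if (($forest.UPNSuffixes -notcontains $RoutableSuffix) -and ($forest.RootDomain -ne $RoutableSuffix)) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $RoutableSuffix}
}

# 2. Enabled user accounts in scope (userAccountControl bit 2 = ACCOUNTDISABLE) with an unverified suffix.
$enabledUsers = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$needsFix = Get-ADUser -LDAPFilter $enabledUsers -SearchBase $SearchBase -Properties userPrincipalName, mail |
    Where-Object { -not (Test-RoutableUpn -UserPrincipalName $_.UserPrincipalName -Verified $VerifiedDomains) }

# 3. Rewrite, reporting each change; users DirSync would otherwise land as user@tenant.onmicrosoft.com.
foreach ($u in $needsFix) {
    $newUpn = Get-ProposedUpn -User $u -Suffix $RoutableSuffix
    if (-not $newUpn) { Write-Warning "$($u.SamAccountName): UPN prefix has characters outside the conservative set; fix manually"; continue }
    Write-Host ("{0,-20} {1,-35} -> {2}" -f $u.SamAccountName, $u.UserPrincipalName, $newUpn)
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:(-not $Apply)
}
```

Changing a UPN is a user-visible change: anyone who already signs in with user@domain.local, and any Outlook or Lync profile that cached the old name, must be told the new value, which is why the rewrite is reviewed in -WhatIf mode first.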
Single Sign-On | Requirements • Office 365 Desktop Setup • Automatically detects necessary updates for a computer • Installs Microsoft Online Sign In Assistant • Installs operating system and client software updates required for connectivity with Office 365 • Automatically configures Internet Explorer and rich clients for use with Office 365 • Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on
Single Sign-On | Requirements • Microsoft Online Sign-In Assistant • Can be installed automatically by Office 365 Desktop Setup or manually • Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync) • Not required for web kiosk scenarios (e.g. OWA) • Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)
Single Sign-On | ADFS 2.x Components • AD FS 2.x Server • AD FS 2.x Proxy Server • Default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service • Recommend using at least two federation servers in a load-balanced configuration • Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm • Federation server proxies should be deployed in the DMZ
Single Sign-On | ADFS 2.x Deployment Options • Single server configuration • AD FS 2.x Server Farm and load-balancer • AD FS 2.x Proxy Server or UAG/TMG • (External Users, Active Sync, Down-level Clients with Outlook)
AD FS 2.0 Deployment Options (diagram): AD FS 2.0 federation servers in the enterprise network, in front of Active Directory, serve internal users; AD FS 2.0 proxy servers in the perimeter network serve external users, Exchange ActiveSync and down-level Outlook clients.
Deployment Architecture AD FS 2.0 Capacity Planning Sizing Spreadsheet http://www.microsoft.com/en-us/download/details.aspx?id=2278
Windows Azure & ADFS • Virtual network support: site-to-site VPN • Compute: 99.95% uptime SLA for a highly available deployment (two or more instances) • 99.9% uptime SLA for a single instance • Storage: 99.9% • Full control over your virtual machines • Pay as you go: OPEX vs CAPEX
Why Windows Azure for ADFS? (diagram): on-premises Active Directory is linked over a site-to-site VPN to a Windows Azure IaaS virtual network hosting AD FS 2.0 servers and a replica Active Directory.
Windows Azure: Terminology • Cloud Service: the role that several VMs take on together, e.g. ADFS. A cloud service needs two or more instances to qualify for the 99.95% SLA. One external virtual IP address per cloud service • Availability Set: the grouping that places the instances of a role on separate fault and update domains so a single host failure or host update does not take them all down
Windows Azure: Terminology • Endpoints: you need to add an endpoint to a machine for other resources on the Internet or on other virtual networks to communicate with it. You associate specific ports and a protocol with an endpoint; resources connect to it using TCP or UDP, and TCP covers HTTP and HTTPS communication. Expose only what the role needs (for ADFS, TCP 443) • Virtual Network: enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.