Identity Synchronization Part 4: Federated Identities
6 hours 59 minutes
Welcome back, Cybrarians. Actually: welcome back, enthusiastic Cybrarians. Welcome back, Cybrarians who are enthusiastic about security administration in MS 365. Very... oh yes, that's it. That's the welcome.

My name is Jim Daniels, and I again welcome you back to the MS 365 Security Administration course. We're still in Module 2, Identity and Access, Lesson 2, Identity Synchronization Part 4.

Objectives. In this lesson, we're going to talk a little bit about AD FS. We'll talk about the differences between AD FS and Azure AD Connect with password hash sync. We're also going to discuss some of the single sign-on options with MS 365.
Claims-based authentication. A claim is a statement that one subject makes about itself or another subject. "My name is Jim." That's a claim. Simple as that. Claims are issued by a provider, are given one or more values, and are then packaged in a token by an issuer that's known as a security token service.

A relying party trust expands your issuer's capabilities to accept tokens from another issuer. So you have this issuer and that issuer, and a trust is set up on one issuer so that it relies on the one below it.

McLovin from Superbad, one of the all-time greatest movies: the false ID. So he gives a false ID, which is a claim that says, "Hey, my name is McLovin." It's a statement. Just because someone gives you a claim doesn't mean you should trust it, right? The claim is just a statement. There's no truth, no authenticity. It's just a statement. Enter AD FS.
So the AD FS workflow is as follows. The user requests access to a service. The service has to request a token, because it's like, "I don't know who you are. You just requested something, and you need something more. All right, I need additional verification of who you are before I give you access to this."

So the user then requests a token from their federation service, AD FS. AD FS says, "Okay, we have this user, these are the claims, this is your information. I'm going to request authentication from the Active Directory server." Active Directory takes all of the information and says, "Oh yes, it checks out. This user is in fact McLovin." It authenticates: "McLovin? Yes. Check." The AD server, after doing that, after passing authentication, tells AD FS, "Hey, yep, it's McLovin. All right, yep, it's him. We verified it." AD FS then issues a token to the user as McLovin. The token says, "Hey, we verified you are McLovin."

The user then sends it back to the service, but this time he has backup instead of just a claim: it's an actual token that's been authenticated by a trusted federation service, AD FS. So now the server says, "Okay, before you were just saying who you are. Now you have proof. You have this token, that authentication that says you are who you say you are. So now we're going to grant you access."
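Added example (an editor's illustration, not part of Jim Daniels' lecture and not Microsoft or AD FS code): a toy issuer and relying party that show why the service trusts a token but not a bare claim. Real AD FS tokens (SAML or JWT) are signed with the STS's private key and checked against its published certificate; here an HMAC secret shared through the relying party trust stands in so the code runs on the standard library alone. The issuer URL, audience, key and claim values are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed setup: the federation service (the issuer, playing AD FS) and the
# service (the relying party) share a signing key via the relying-party trust.
# All names and keys below are hypothetical.
ISSUER = "https://adfs.example.local/adfs/services/trust"
AUDIENCE = "https://app.example.local/"
TRUSTED_ISSUERS = {ISSUER: b"relying-party-trust-secret"}  # constructed key


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, claims: dict, now: int, lifetime: int = 3600) -> str:
    """STS step: after AD has authenticated the user, package the claims in a signed token."""
    body = dict(claims, iss=issuer, aud=AUDIENCE, iat=now, exp=now + lifetime)
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    signature = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(signature)


def validate_token(token: str, now: int):
    """Relying-party step: return the claims only if they come from a trusted issuer,
    the signature verifies, the token is meant for us, and it is within its lifetime."""
    try:
        payload, signature = token.split(".")
        body = json.loads(_unb64(payload))
        if not isinstance(body, dict):
            return None
    except ValueError:  # wrong shape, bad base64 (binascii.Error) or bad JSON
        return None
    key = TRUSTED_ISSUERS.get(body.get("iss"))
    if key is None:
        return None  # no relying-party trust with this issuer: the claim is just a statement
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(signature)):
        return None  # forged or tampered token
    if body.get("aud") != AUDIENCE:
        return None  # token issued for a different relying party
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        return None  # not yet valid, or expired
    return body


def fake_id(name: str) -> str:
    """The McLovin case: a claim asserted by the user himself, with no trusted issuer behind it."""
    payload = _b64(json.dumps({"name": name, "iss": "self"}).encode())
    return payload + "." + _b64(hmac.new(b"whatever", payload.encode(), hashlib.sha256).digest())


def tampered(token: str, **changes) -> str:
    """Re-use a valid signature over an edited payload, as an attacker might try."""
    payload, signature = token.split(".")
    body = json.loads(_unb64(payload))
    body.update(changes)
    return _b64(json.dumps(body, sort_keys=True).encode()) + "." + signature


if __name__ == "__main__":
    now = int(time.time())
    good = issue_token(ISSUER, TRUSTED_ISSUERS[ISSUER], {"name": "McLovin"}, now)
    print("fake ID accepted?     ", validate_token(fake_id("McLovin"), now) is not None)
    print("AD FS token accepted? ", validate_token(good, now) is not None)
    print("edited token accepted?", validate_token(tampered(good, name="Admin"), now) is not None)
```

The relying party never looks at the `name` claim until the issuer, signature, audience and lifetime checks have all passed; that ordering is what turns "a statement" into something the service can act on.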
Authentication with AD FS. Basic authentication: the server requests that the client authenticate, and the credentials are sent in clear text over the Internet. Any time you see the words "in clear text": not good, not recommended. This is when authenticating to MS 365: browsers will still connect to your AD FS infrastructure to request the tokens. That's all in my browser.

Modern authentication allows Office client applications to engage in browser-based authentication with the on-premises server. So modern authentication just goes straight to the source. Modern authentication is an authentication stack used by Office 365 and Office 2016 and above client applications against MS 365. Right now, a lot of authentication methods are being phased out in favour of modern authentication.
All right, let's take a look at Azure AD Connect with password hash sync. Password hash synchronization is one of the sign-in methods used to accomplish a hybrid identity. Azure AD Connect synchronizes a hash of the hash (it's not just the hash, it's a hash of a hash) of a user's password from an on-premises Active Directory to a cloud-based Azure AD instance. Password hash synchronization is an extension to the directory synchronization feature that's implemented within Azure AD Connect. It is an advanced option. You can use this feature to sign in to Azure AD services like Office 365. You sign in to the service by utilizing the same password you use to sign in to your on-premises Active Directory instance.

Every two minutes, the password hash sync agent on the Azure AD Connect server requests stored password hashes from a domain controller. Before sending, the domain controller encrypts the MD4 password hash using a key that is an MD5 hash of the session key and a salt. So not only is it encrypted: it's encrypted with a hash, and then you have another key, and then a salt is added. It then sends the result to the password hash sync agent. The DC also passes the salt to the synchronization agent by using the DC replication protocol, which we talked about earlier, so the agent will be able to decrypt what it received. After the password hash sync agent has received the encrypted envelope, it uses MD5CryptoServiceProvider and the salt to generate a key to decrypt the received data back into its original MD4 format. The password hash sync agent never has access to the clear-text password. The sync agent's use of MD5 is strictly for replication protocol compatibility with the DC. It's only used on-premises, between the DC and the password hash sync agent.

The password hash sync agent expands the 16-byte binary password hash to 64 bytes, first converting the hash to a 32-byte hexadecimal string, then converting this string back into binary with UTF-16 encoding. The password hash sync agent adds a per-user salt, consisting of a 10-byte length salt, to the 64-byte binary to further protect the original hash. The password hash sync agent then combines the MD4 hash plus the per-user salt and inputs it into a function that does 1000 iterations of the keyed hash algorithm (HMAC-SHA256), and that's what's used. The password hash sync agent takes the resulting 32-byte hash and concatenates both the per-user salt and the number of SHA256 iterations to it. This is used by Azure AD, and it transmits the string from Azure AD Connect to Azure AD over TLS.

When a user attempts to sign in to Azure AD and enters the password, the password is run through the same process, and if the resulting hash, after all of that, matches the hash stored in Azure AD, it's the correct password and the user is authenticated.
So the reason why we went down this rabbit hole is to let you know how serious the security is, and the measures in place to protect your passwords. People have the misconception that when you do password hash sync, the hashes are easily decoded, that you can easily decrypt them one day; if you understand the process, you know that's not the case. The key takeaway from this, in general: extra things are done. Know that the password isn't sent in clear text. Know that the same standard replication protocol that the DCs use to replicate to each other is also used here. There's nothing that sticks out about this. There's nothing I can give you that should give you a security headache when you actually look at the process that is done.
All right. Now let's do some comparison of AD FS compared to Azure AD Connect password hash sync. So for an AD FS infrastructure you have to have a small investment. You've got to have a 2016-plus AD FS server, and an AD FS proxy, you know, that proxy server you have to have. You have to have an investment in infrastructure. For password hash sync, all you've got to do is have an Azure AD Connect server.

Single sign-on with AD FS; same sign-on with Azure AD Connect. So a lot of times people say SSO, uh, and don't differentiate between the two. Single sign-on: you sign on one time and you're granted access to everything in this session. Same sign-on: once you're signed on, you will also sign on again. Sometimes that second sign-on... sometimes the token automatically grants it, but most of the time the authentication is the exact same username and password. That's what you get with Azure AD Connect password sync.

Use AD FS if you do not want to sync passwords to Azure AD. Maybe there is a compliance reason, a legal reason, whatever that reason is: use AD FS. In that case, if you want to have a single implementation for onboarding into MS 365, use Azure AD Connect password sync. When you have advanced authentication models like smart card auth for MS 365, guess what: smart card auth requires AD FS, so you have to use it in that case.

Most of the environments that I've deployed MS 365 in, they haven't had AD FS already stood up. So my question is, if you've not had to have AD FS up to this point, what about MS 365 makes you think you need AD FS? What really makes you have to have it as an organization? "I think it's more secure than just..." whatever the reason. I mean, that's a serious question you should ask. So there are only specific circumstances, not typical circumstances, when you go into an environment that does not already have AD FS stood up and they stand up AD FS exclusively because they want to onboard into MS 365. I'm not saying that doesn't happen. I'm saying that for it to happen, there needs to be a specific reason, whether smart card authentication or whatever it may be; you need to make sure that specific reason warrants the actual complexity and the extra investment the organization is going to make in infrastructure for AD FS.
We talked about same sign-on and single sign-on. Here comes another SS... actually, SSSO: seamless single sign-on. All right, it's weird, right? Seamless single sign-on automatically signs users in on corporate devices connected to your network. Users don't need to type passwords to Azure AD and associated apps. So once they... this is single sign-on; they don't need to re-type that. Combined with the password hash sync or pass-through authentication sign-in methods, seamless single sign-on requires Azure AD Connect, password hash sync or pass-through authentication, and the device needs to be domain-joined: Active Directory domain-joined, or hybrid-joined.

Some of the key benefits of seamless single sign-on: it's a great user experience. Users are automatically signed in to both on-premises and cloud applications. Users don't have to enter their passwords repeatedly. It's easy to deploy and administer. No components are needed on-prem to make this work. It works with either method of client authentication, remember, password hash sync or pass-through authentication, and it can be rolled out to some or all of your users using Active Directory Group Policy.

Seamless single sign-on will require devices to be hybrid domain-joined: yes or no? If you said yes, you were wrong. The answer is no. Devices must be domain-joined, not hybrid domain-joined. Seamless single sign-on, remember, SSSO, is on-prem domain.
So, to recap today's lesson: Active Directory Federation Services, also known as AD FS, enables federated identity and access management. MS 365 authentication can be performed with AD FS. Azure AD Connect with password hash sync is a sign-in method that allows on-premises users to sign in to MS 365 with the same password: same password on-prem, same password in Azure AD. Seamless single sign-on automatically signs in users on corporate devices connected to the corporate network, a.k.a. domain-joined devices.

Thank you for joining me for this lesson. Hopefully you learned something about federation services. I hope to see you back for the next one.