Identity Synchronization Part 4: Federated Identities


Time
6 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
Welcome back, Cybrarians.
00:02
Actually, welcome back, enthusiastic Cybrarians.
00:06
Welcome back, Cybrarians that are enthusiastic about security administration in MS 365. Very... Oh, yes, that's it. That's the welcome.
00:16
My name is Jim Daniels, and I again welcome you back
00:20
to the MS 365 Security Administration course.
00:24
We're still in Module 2, Identity and Access, Lesson 2, Identity Synchronization Part 4:
00:30
Federated Identities
00:32
Objectives. In this lesson,
00:35
we're going to talk a little bit about AD FS.
00:38
We'll talk about the differences between AD FS and Azure AD Connect with password hash sync.
00:43
We're also going to discuss some of the single sign-on options with MS 365.
00:49
Claims-based authentication.
00:51
A claim is a statement that one subject makes about itself or another subject.
00:57
My name is Jim. That's a claim.
00:59
Simple as that.
01:00
Claims are issued by a provider,
01:03
are given one or more values, and then packaged in a token by an issuer
01:08
that's known as a security token service.
01:12
A federated trust expands your issuer's capabilities to accept tokens from another issuer.
01:19
So you have this issuer, and trust is this issuer.
01:23
Now, instead of
01:25
relying on one issuer,
01:26
you're gonna rely on two.
01:27
Bringing on
01:30
McLovin from Superbad,
01:33
all-time greatest movies.
01:34
The claim
01:38
is
01:38
the false ID.
01:41
Right.
01:42
So he gives a false ID, which is a claim that says, Hey,
01:47
my name is McLovin.
01:49
It's a statement.
01:49
Just because someone gives you a claim doesn't mean you should trust it, right?
01:56
The claim is just a statement. There's no truth, no authenticity. It's just a statement.
02:01
Enter AD FS.
02:04
So the AD FS workflow
02:07
is as follows.
02:07
First,
02:09
the user requests access to a service.
02:14
The service has to request a token because it's like I don't know who you are.
02:17
You just requested something,
02:20
and he's any something more.
02:22
All right. I need additional verification of who you are before I give you access to this.
02:28
So the user
02:29
then requests a token
02:31
from their federation service, AD FS.
02:36
AD FS is okay.
02:38
We have this user, these claims, here's some information.
02:40
I'm going to request authentication from the Active Directory server.
02:46
Active Directory takes all of the information, says Oh, yes, it checks out.
02:50
This user is in fact McLovin.
02:52
It authenticates. Yes,
02:53
McLovin? Yes. Check.
02:57
The AD server, after doing that,
02:59
after passing authentication, tells AD FS this: Hey, yep, it's McLovin. All right. Yep, it's him. We verified it. AD FS then
03:07
issues a token to the user as McLovin. The token says, Hey,
03:12
we verify you are McLovin.
03:15
The user then sends this token back to the service.
03:19
But this time he has backup instead of just a claim.
03:22
It's an actual token that's been authenticated
03:25
by a trusted federation service, AD FS.
03:30
So now the server says, Okay,
03:31
you were just saying who you are. Now you have proof. You have this token,
03:36
that authentication that says you are who you say you are. So now we're going to grant you access.
03:43
Authentication forms within AD FS.
03:46
Basic authentication: the server requests that the client authenticates, and credentials are sent in clear text over the Internet.
03:53
Not good.
03:53
Any time you see the words "sent in clear text":
03:57
Not good. Not recommended.
04:00
Passive authentication.
04:01
This is when authenticating to Microsoft 365, browsers will still connect to your AD FS infrastructure to request the tokens.
04:09
That's all via the browser.
04:11
Modern authentication allows Office client applications to engage in browser-based authentication with the on-prem server.
04:17
So modern authentication just goes straight to the source.
04:23
Modern authentication is an authentication stack used by Office 365 and 2016 and above client applications against MS 365.
04:33
Right now, a lot of
04:35
authentication methods are being phased out in favour of modern authentication.
04:42
All right, let's take a look at Azure AD Connect with password hash sync.
04:47
Password hash synchronization is one of the sign-in methods used to accomplish a hybrid identity.
04:54
Azure AD Connect synchronizes a hash
04:57
of the hash. It's not just the main hash; it's a hash of a hash
05:00
of a user's password from on-premises Active Directory
05:03
to a cloud-based Azure AD instance.
05:06
Password hash synchronization is an extension to the directory synchronization feature that's implemented within Azure AD Connect. It is an advanced option.
05:15
You can use this feature to sign in to Azure AD services like Office 365.
05:21
You sign into the service by utilizing the same password you used to sign into your on-premises Active Directory instance.
05:28
Every two minutes,
05:30
the password hash sync agent
05:31
on the Azure AD Connect server requests stored password hashes
05:35
from a domain controller.
05:38
Before sending, the domain controller encrypts
05:42
the MD4 password hash using a key that is an MD5 hash of the
05:46
RPC session
05:48
key and a salt. So not only
05:51
is it encrypted
05:55
after it's encrypted,
05:56
it's also
05:57
a hash of a hash, and then you have another key, and then it's added
06:01
and salted.
06:03
It then sends the result to the password hash sync agent
06:06
over RPC.
06:08
The DC also passes the salt to the synchronization agent by using the DC replication protocol, which we talked about earlier, so the agent will be able to decrypt
06:17
what it received.
06:18
After the password hash sync agent has received the encrypted
06:23
envelope, it uses MD5CryptoServiceProvider
06:27
and the salt to generate a key to decrypt the received data back into its original MD4 format.
06:34
The password hash sync agent
06:36
never has access to the clear-text password.
06:40
The sync agent's
06:41
use of MD5 is strictly for replication protocol compatibility with the DC.
06:46
It's only used
06:47
on premises between the DC and the password hash sync agent.
06:53
The password hash sync agent expands the 16-byte binary password hash
06:57
to 64 bytes
06:59
by first converting the hash
07:00
to a 32-byte hexadecimal string.
07:03
Then it converts this string back into binary with UTF-16 encoding.
07:10
The password hash sync agent adds a small
07:13
per-user salt consisting of a 10-byte length
07:16
to the 64-byte binary to further protect the original hash.
07:21
The password hash sync agent then combines the MD4 hash
07:26
plus the per-user salt
07:28
and inputs it into a function that does 1000 iterations of the keyed hash algorithm,
07:34
and that's what's used.
07:36
The password hash sync agent
07:39
takes the resulting 32-byte hash
07:42
and concatenates both the per-user salt and the number of SHA256 iterations to it.
07:46
This is used by Azure AD,
07:48
and it transmits the string from Azure AD Connect to Azure AD over TLS.
07:56
When a user attempts to sign in to Azure AD
07:59
and enters the password, the password is run through the same process, and if the resulting hash after all of that matches the hash stored in Azure AD,
08:09
it's a correct password and the user is authenticated.
08:11
So the reason why we went down this rabbit hole
08:15
is to let you know how serious
08:18
Microsoft is
08:18
with the security and the measures in place to protect your passwords.
08:24
People have the misconception that when you do
08:28
password hash sync, they're easily
08:31
decoded, you can easily decrypt them. If you understand that, you know that's not the case.
08:37
But the key takeaway from this,
08:39
for exams
08:41
and in general,
08:43
is: know
08:45
extra things were done. Know the password isn't sent in clear text.
08:48
Know that the same standard replication protocol that the DCs use to replicate to each other is also used.
08:56
There's nothing that sticks out about this.
09:00
There's nothing there that should give you a security headache
09:03
when you actually look at the process that is done.
09:07
All right. Now, let's do some comparison
09:09
of AD FS
09:11
compared to Azure AD Connect password hash sync.
09:15
So AD FS infrastructure.
09:16
You have to have a small investment.
09:20
You gotta have a 2016-plus AD FS feature, AD FS proxy, you know,
09:24
a web application proxy server you have to have;
09:26
you have to have an investment in infrastructure.
09:30
For password hash sync, all you gotta do is have an Azure AD Connect server.
09:35
It's there.
09:35
Single sign-on with AD FS,
09:39
same sign-on with Azure AD Connect.
09:41
So a lot of times, people say SSO, uh, and don't differentiate between the two. Single sign-on: you sign on one time
09:48
and you're granted access to everything in this session.
09:50
Same sign-on: you sign on once.
09:54
But then you also will sign on again. Sometimes that second sign-on
10:00
is automatic.
10:01
Sometimes the token automatically grants it, but it's another authentication with
10:07
the exact same username and password. That's what you get with Azure AD Connect password sync.
10:13
Use AD FS if you do not want to sync passwords to Azure AD.
10:18
Maybe there is
10:20
a compliance reason, a legal reason. Whatever that reason is,
10:24
use AD FS in that case. If you want to
10:26
have a single implementation for onboarding into MS 365,
10:30
use Azure AD Connect password sync.
10:33
When you have advanced authentication models like smart card auth with MS 365, guess what, smart card auth
10:39
requires
10:41
AD FS, so you have to use it in that case.
10:45
Most of the environments that I've deployed MS 365 in,
10:48
they haven't had AD FS already stood up.
10:52
So my question is, if you've not had to have AD FS up to this point,
10:56
what about MS 365 makes you think you need AD FS?
11:01
What really makes you have to have it as an organization?
11:05
"I think it's more secure," than just,
11:09
whatever the reason.
11:09
I mean, that's a serious question you should ask.
11:13
So there are only very specific circumstances, not typical circumstances, when you go into an environment that does not already have AD FS stood up
11:22
and they stand up AD FS exclusively because they want to onboard into MS 365.
11:28
I'm not saying that doesn't happen.
11:31
I'm saying that for it to happen,
11:33
there needs to be a specific
11:35
reason, whether smart card authentication,
11:39
whatever it may be; you need to make sure that specific reason warrants the actual complexity and the extra investment the organization is going to make in infrastructure for AD FS.
11:50
We talked about same sign-on and single sign-on. Here comes another SSO.
11:56
Actually, SSSO:
11:58
seamless single sign-on.
12:00
All right, that's,
12:01
it's weird, right? Seamless single sign-on
12:05
automatically signs users in on corporate devices connected to your network.
12:09
Users don't need to type passwords to Azure AD and associated apps.
12:13
So once they,
12:13
well again,
12:16
this is single sign-on. They don't need to retype that.
12:20
Combined with password hash sync or pass-through authentication sign-in methods. So seamless single sign-on requires
12:28
Azure AD Connect,
12:30
password hash sync or pass-through authentication.
12:33
The device needs to be domain joined,
12:35
not
12:37
Azure AD joined or hybrid joined.
12:39
Some of the key benefits of seamless single sign-on
12:43
is a great user experience.
12:45
Users are automatically signed into both on-premises and cloud applications.
12:50
Users don't have to enter their passwords repeatedly.
12:52
It's easy to deploy and administer.
12:54
No components are needed on-prem to make this work.
12:58
Works with either method of cloud authentication. Remember, password hash sync or pass-through authentication. Could be rolled out to some or all of your users
13:07
using Active Directory Group Policy.
13:09
Quiz.
13:11
Does seamless single sign-on require devices to be hybrid domain joined?
13:16
yes or no.
13:18
If you said
13:20
yes,
13:20
you were wrong.
13:22
The answer is no.
13:24
Devices must be domain joined, not hybrid domain joined.
13:28
Seamless single sign-on, remember,
13:31
SSSO is on-prem domain.
13:35
So, to recap today's lesson:
13:37
Active Directory Federation Services, also known as AD FS, enables federated identity and access management.
13:46
MS 365 authentication can be performed by AD FS.
13:50
Azure AD Connect with password hash sync is a sign-in method that allows on-premises users
13:56
to just sign in to MS 365 with the same password.
14:00
Same password on-prem, same password in Azure AD.
14:03
Seamless
14:05
single sign-on automatically signs in users on corporate devices connected to the corporate network, AKA domain-joined devices.
14:13
Thank you for joining me for this lesson. Hopefully you learned something about federation.
14:18
Hope to see you back for the next one.
14:20
Thank you.