
Single Sign-On Showdown

ADFS vs Pass-Through Authentication

Max Fritz
Solutions Architect
SADA Systems

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Azure AD Identity Sync & Auth Timeline

2009 • DirSync introduced for identity synchronization
2012 • DirSync becomes Azure AD Sync
2013 • Password Hash Sync added to AAD Sync
2015 • Azure AD Sync becomes Azure AD Connect
     • Introduces Health engine
2017 • msDS-ConsistencyGuid as source anchor
     • Pass Through Authentication introduced
     • Seamless SSO introduced
Azure AD Authentication Methods Today

Method                           Identities             Authentication handled by
Cloud Only                       exist only in AAD      AAD
Password Hash Synchronization    synced to AAD          AAD
Pass-through Authentication      synced to AAD          local AD
Federated (ADFS)                 synced to AAD          local AD
3rd Party Federated              synced to AAD          third-party IdP

This session covers the three methods whose identities are synchronized through Azure AD Connect: Password Hash Synchronization, Pass-through Authentication and Federated (ADFS).

Sidebar: What is Azure AD Connect?
• Application installed on a Windows machine within your environment
• Integrates local Active Directory with Azure Active Directory
• Sync engine based on Microsoft Identity Manager (shared codebase)
• Uses a local SQL Server instance (SQL Server Express LocalDB by default) for the sync database; a separate full SQL Server can be used instead
• Includes a monitoring component: Azure AD Connect Health
• Free for all Azure AD customers (so just free ☺)
• Can manage ADFS installations

Azure AD Connect is required for all authentication methods we will cover today.
We will not demo installation or basic configuration of AADC today; however, AADC will be a part of some demos.

Authentication Methods: How we will rank
• Ease of Implementation
• Security
• Customization Options
• Available Features
• Usability
• Maintenance & Reliability
Scoreboard

                           Password Sync +    PTA +              ADFS (2019)
                           Seamless SSO       Seamless SSO
Ease of Implementation     ☆☆☆☆☆              ☆☆☆☆☆              ☆☆☆☆☆
Security                   ☆☆☆☆☆              ☆☆☆☆☆              ☆☆☆☆☆
Customizations             ☆☆☆☆☆              ☆☆☆☆☆              ☆☆☆☆☆
Features                   ☆☆☆☆☆              ☆☆☆☆☆              ☆☆☆☆☆
Usability                  ☆☆☆☆☆              ☆☆☆☆☆              ☆☆☆☆☆
Maintenance & Reliability  ☆☆☆☆☆              ☆☆☆☆☆              ☆☆☆☆☆
Score                      00                 00                 00
Password Hash Synchronization

• Involves syncing hashed passwords to Azure AD
• Relies on Azure AD Connect
• Passwords synced every 2 minutes
• Authentication is completely cloud based
Password Hash Sync: Synchronization
Identity delta sync every 30 minutes

On premises → Azure AD:
1. AADC requests the MD4 (NT) password hashes from a DC via the MS-DRSR replication protocol (every 2 minutes)
2. The DC encrypts each MD4 hash with a key derived as the MD5 of the RPC session key and a salt, and sends it to AADC
3. AADC decrypts the envelope and expands the 16-byte MD4 hash to 64 bytes (32-character hex string re-encoded as UTF-16)
4. AADC adds a per-user 10-byte salt and derives a SHA-256 based hash with PBKDF2 (HMAC-SHA256, 1000 iterations)
5. The resulting salted hash is sent to Azure AD over TLS (SSL); the MD4 hash itself never leaves the network
Password Hash Sync: Sign-in Flow
Identity delta sync every 30 minutes

1. User attempts to sign in to an app
2. Session is redirected to Azure AD for sign in
3. User provides credentials to Azure AD
4. Azure AD applies the same MD4 + salt + PBKDF2 + SHA-256 process to the supplied password and validates the result against the stored hash
5. Azure AD completes sign in
6. If successful, the user is granted access to the app (no on-premises component is involved)
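The two halves of the flow above (the transform AADC performs at sync time and the check Azure AD performs at sign-in time), reproduced as an added Python example; this is not code from the presentation or from Microsoft. It carries its own MD4 because hashlib's md4 is often disabled under OpenSSL 3, then applies the published pipeline: 16-byte NT hash → 32-character hex → UTF-16 (64 bytes) → PBKDF2-HMAC-SHA256 with 1000 iterations and a 10-byte per-user salt. Lowercase hex and a 32-byte derived value are assumptions; Microsoft does not publish the stored record's exact layout. The sample password is constructed.

```python
"""Azure AD Password Hash Sync transform, reproduced for illustration.

Added example (not from the talk or from Microsoft). Pipeline per Microsoft's
public description: NT (MD4) hash -> 32-char hex -> UTF-16-LE (64 bytes)
-> PBKDF2-HMAC-SHA256, 1000 iterations, 10-byte per-user salt.
Assumptions: lowercase hex and a 32-byte derived value.
"""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
PBKDF2_ITERATIONS = 1000   # documented by Microsoft for PHS
SALT_LEN = 10              # per-user salt length added by AADC
CLOUD_HASH_LEN = 32        # assumption: one SHA-256 output


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; hashlib's md4 is often unavailable)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        (_f, list(range(16)), (3, 7, 11, 19), 0),
        (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, order, shifts, k in rounds:
            for i in range(16):
                t = (a + fn(b, c, d) + X[order[i]] + k) & MASK32
                a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """What the DC stores and AADC pulls over MS-DRSR: MD4 of the UTF-16-LE password."""
    return md4(password.encode("utf-16-le"))


def expand_nt_hash(nt: bytes) -> bytes:
    """Sync step 3: 16 bytes -> 32 hex chars -> UTF-16-LE = 64 bytes."""
    return nt.hex().encode("utf-16-le")


def derive_cloud_hash(nt: bytes, salt: bytes) -> bytes:
    """Sync step 4: salted PBKDF2-HMAC-SHA256 over the expanded NT hash."""
    if len(salt) != SALT_LEN:
        raise ValueError("AADC uses a 10-byte per-user salt")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt), salt,
                               PBKDF2_ITERATIONS, dklen=CLOUD_HASH_LEN)


def sync_record(nt: bytes) -> tuple:
    """What AADC sends to Azure AD: (salt, derived hash). The NT hash itself never leaves."""
    salt = os.urandom(SALT_LEN)
    return salt, derive_cloud_hash(nt, salt)


def verify_sign_in(password: str, salt: bytes, stored: bytes) -> bool:
    """Azure AD side: re-run MD4 + salt + PBKDF2/SHA-256 on the supplied password and compare."""
    candidate = derive_cloud_hash(nt_hash(password), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    salt, stored = sync_record(nt_hash("Passw0rd!"))   # constructed sample credential
    print("synced record :", salt.hex(), stored.hex())
    print("correct pw    :", verify_sign_in("Passw0rd!", salt, stored))
    print("wrong pw      :", verify_sign_in("passw0rd!", salt, stored))
```

The point the code makes concrete: the value Azure AD holds is not the NT hash, and an attacker who obtains a synced record has to pay 1000 PBKDF2 iterations per guess per user, whereas the unsalted NT hash in AD can be attacked at raw MD4 speed.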

Password Hash Sync Considerations
• Local AD account lockouts are not reflected in AAD: the synced hash still validates in the cloud
• Disabled local accounts will not be disabled in AAD until an AADC sync cycle runs (can be manually triggered)
• MD4 (NT) hashes are unsalted and notoriously easy to crack, and MD5 is not much harder
• The extra salted PBKDF2/SHA-256 hashing makes the synced value far more expensive to attack offline (a hash is not "decrypted"; each guess costs 1000 iterations)
• The extra hashing technically makes the synced value more secure than the NT hashes stored in local AD
• Allows for leaked credential reports from MS if AAD P1 licensing is in place
• Remember, Microsoft does not get your passwords. They only receive a salted, triple hashed derivative
• Required for use of Azure AD Domain Services
Pass-through Authentication

Pass-through Authentication (PTA)
• Relies on Azure AD Connect and PTA (AuthN) Agents
• Agents can be installed on multiple servers for high availability
• First agent is on the Azure AD Connect server
• Additional agents can be deployed via script or manually
• Networking: only requires outbound communication on 80 (CRL downloads), 443, and 8080 [agent status reporting to AAD]; no inbound ports to open
• Requires Windows Server 2012 R2 or later
Pass-through Authentication: Sign-in Flow
Identity delta sync every 30 minutes

1. User attempts to sign in to an app
2. Session is redirected to Azure AD for sign in
3. User provides credentials to Azure AD
4. Azure AD encrypts the password once per registered PTA agent (using that agent's public key) and places the validation requests on the tenant's Service Bus queue
5. A PTA agent retrieves the request over its persistent outbound connection and decrypts the password with its private key
6. The PTA agent attempts credential validation against a Domain Controller
7. The DC returns the result to the PTA agent (success / failure / expired)
8. The PTA agent sends the result to Azure AD over a mutually authenticated HTTPS channel
9. Azure AD completes sign in
10. If successful, the user is granted access to the app
Pass-through Authentication Considerations
• Locked and disabled local accounts are respected (validation happens against the DC in real time)
• Supports alternate login IDs
• Fully supports Azure AD Conditional Access, since sign-in requests are still processed through AAD (as opposed to being redirected to a federation server)
• Requires Modern Authentication*
• Supports AAD Smart Lockout (with the cloud threshold set below the AD lockout threshold, brute-force attempts are stopped in the cloud before they lock the on-premises account)
• Does not support leaked credential reports
• Not available in GCC at this time
Pass-through Authentication Demo

Seamless Single Sign-on
Seamless Single Sign-On
• Provides single sign on capabilities to domain joined machines
• Compatible with Password Hash Sync or PTA
• Requirements:
  • OS: Windows 7+ or Mac OS X, domain joined (to local AD)
  • Browsers: IE 10+, Chrome, Safari*, Firefox*
  • Does not support Edge at this time
  • 1 URL (https://autologon.microsoftazuread-sso.com) needs to be added to the Intranet Zone via group policy
• Ability to register non-Windows 10 devices with Azure AD
Seamless SSO Authentication (browser based)

1. User attempts to sign in to an app from a domain joined machine
2. Session is redirected to Azure AD for sign in*
3. User provides username to Azure AD*
4. Azure AD challenges the browser to provide a Kerberos ticket
5. Browser requests a ticket from local AD for the AZUREADSSOACC computer account
6. AD returns a ticket to the browser encrypted with the computer account's secret
7. Browser forwards the Kerberos ticket to Azure AD
8. Azure AD decrypts the ticket, identifies the user, and returns a token
9. If successful, the user is granted access to the app
Seamless Single Sign-On Considerations
• Opportunistic: if Seamless SSO fails, the sign-in experience falls back to regular behavior
• Sign-out supported: allows users to sign in with other credentials if desired
• Requires Modern Authentication
• Creates a computer account in the local AD named AZUREADSSOACC
  • Azure AD holds this account's Kerberos decryption key; if it is compromised, an attacker can forge service tickets for AZUREADSSOACC and sign in to Azure AD as any synced user in the forest without knowing a password
  • Recommendation is to manually roll over the key at least every 30 days (automated method coming soon)
• Only works when devices are on the local network
Seamless Single Sign-on Demo

Active Directory Federation Services
Active Directory Federation Services (2019)
• Requires Azure AD Connect for identity sync
  • AADC can also help manage the ADFS farm
• Requires a minimum of 2 servers (1 Federation server and 1 Web Application Proxy), recommended minimum of 4
• Allows for sign in with more alternative methods
  • samAccountName, certificate, smart card, Windows Hello for Business, 3rd party MFA, etc.
• Supports Extranet Lockout & Extranet Smart Lockout policies
• Supports banned IP lists
• Deep login screen customization
• Supports Windows Integrated Authentication
ADFS Authentication (diagram)

ADFS Recommended Deployment using Azure (diagram)
ADFS Considerations
• Limited support for Azure AD Conditional Access
  • However, additional custom conditional access is possible via ADFS claim rules
• Large investment in on-premises (or cloud) infrastructure, including a DMZ deployment for the proxies
• Requires a valid publicly trusted certificate
• Supports Alternate Login ID
• Does not support Azure AD Identity Protection
  • Unless password hash sync is enabled as a backup*
Active Directory Federation Services Demo

Migrating from ADFS to PTA Demo

Back to the Scoreboard!
Ease of Implementation

Password Sync + Seamless SSO
• Wizard based initial install and configuration
• GPO required for Seamless SSO
★★★★☆

PTA + Seamless SSO
• Wizard based install and configuration
• Agent deployment manual or script
• GPO required for Seamless SSO
★★★☆☆

ADFS 2019
• Minimum of 4 servers required
• Wizard based configuration of basic features
• Manual configuration for many items
★☆☆☆☆
Security

Password Sync + Seamless SSO
• Triple hashed passwords synced to the cloud
★★★★★

PTA + Seamless SSO
• Authentication remains on premises
★★★★★

ADFS 2019
• Authentication remains on premises
★★★★★
Customizations

Password Sync + Seamless SSO
• Limited login screen customization
• Intermediate rule customizations and transformations
★★★☆☆

PTA + Seamless SSO
• Limited login screen customization
• Intermediate rule customizations and transformations
★★★☆☆

ADFS 2019
• Detailed login screen customizations available with CSS
• Advanced rule customizations and transformations
★★★★★
Features

Password Sync + Seamless SSO
• Supports all Azure AD features
• SSO support for most clients
• Lack of support for instant account lockouts and expirations
★★★☆☆

PTA + Seamless SSO
• Supports most Azure AD features
• SSO support for most clients
★★★★☆

ADFS 2019
• Limited support for Azure AD features
• SSO support for more clients
• Support for alternate login methods
★★★★☆
Usability

Password Sync + Seamless SSO
• Simple end user experience, consistent with other Azure AD experiences
★★★★★

PTA + Seamless SSO
• Simple end user experience, consistent with other Azure AD experiences
★★★★★

ADFS 2019
• End user experience depends on customizations
★★★★★
Maintenance & Reliability

Password Sync + Seamless SSO
• AADC can go down with minimal impact (Azure AD keeps authenticating with the last synced hashes)
• Seamless SSO requires manual Kerberos rollover
• No automated failover
★★★☆☆

PTA + Seamless SSO
• At least 1 PTA agent must be available at all times
• Seamless SSO requires manual Kerberos rollover
• Agents can go on existing servers, avoiding additional maintenance
★★★☆☆

ADFS 2019
• At least 1 Federation and 1 Proxy server must be available at all times
• Requires certificate renewal
• More servers required for maintenance
★★☆☆☆
Scoreboard Results

                           Password Sync +    PTA +              ADFS (2019)
                           Seamless SSO       Seamless SSO
Ease of Implementation     ★★★★☆              ★★★☆☆              ★☆☆☆☆
Security                   ★★★★★              ★★★★★              ★★★★★
Customizations             ★★★☆☆              ★★★☆☆              ★★★★★
Features                   ★★★☆☆              ★★★★☆              ★★★★☆
Usability                  ★★★★★              ★★★★★              ★★★★★
Maintenance & Reliability  ★★★☆☆              ★★★☆☆              ★★☆☆☆
Score                      21                 23                 22

(Scores as presented in the deck; the stars shown for Password Sync + Seamless SSO sum to 23.)
WINNER!

Pass-through Authentication!
Taking a closer look…

• Everyone's environment is different, and the "winner" will be different for everyone
• The takeaway is that you should carefully consider your authentication method based on your organization's priorities
• It's not too late to change your method
Thank you!