Agenda
Microsoft Directory Synchronization Tool
Active Directory Federation Server
ADFS Proxy
Hybrid Features – LAB
Microsoft Directory Synchronization
Directory Synchronization – Why to use
Easy to onboard large number of users – small to medium size companies
Identities to be mastered/manage on premises
Free / busy coexistence
Support for identity federation
Synchronization of photos, thumbnails, conference rooms, and security groups
Filtering coexistence
Directory Synchronization – How it works
Deployment steps for the Directory Synchronization tool
Step 1 – System requirements / permissions / performance considerations
Step 2 – Activate directory synchronization via the MS Online portal
Step 3 – Install and configure the DS tool – configuration wizard
Step 4 – Synchronize your directory – write objects to Azure AD from on premises
Step 5 – Activate synced users – individually / in bulk
Step 6 – Verify / upgrade / reinstall
What it will synchronize and what it will not
Will
All users, Mail-Enabled Contacts, Mail-Enabled Groups
Only some attributes
Will not
Built-in administrative user accounts
Passwords
Built-in administrative groups
Default Exchange Administrative groups
Exchange System Mailbox Accounts
Windows Azure Active Directory Sync Tool Update
The tool is downloaded from the Office 365 admin portal.
Only a one-way hash of the password is synchronized to WAAD, so the original password cannot be reconstructed from it.
Synchronizes user passwords from on-premises AD to Azure AD (Office 365).
Respects on-premises password policies.
Can't sync passwords for federated users, but can co-exist.
SAML2 Identity Provider
Directory Sync Tool or Active Directory Federation Services
Password Sync vs. SSO with AD FS
Same password to access resources
Can control password policies on-premises
Support for two-factor authentication
No password re-entry if on premises
Client access filtering
Authentication occurs in the on-premises directory
Active Authentication:
Why Multi-Factor
Active Directory Federation Services
Identity federation is an extremely important feature for many customers
AD FS 2.0 provides users with a single sign-on experience
Users use their corporate credentials to access their Office 365 services
Non federated users – Mailbox
User Experience:
◦ Logs in with a cloud identity
◦ User authentication takes place in the cloud AD
◦ Users have two IDs – one to access on-premises services and one for Online services
◦ Users are prompted for credentials when accessing Online services, even when logged into the domain
Administrator Experience:
◦ Manages password policy in cloud & on premises
◦ Password reset for on premises & MS Online IDs
◦ No 2 Factor Authentication integration
Federated Users – Mailbox
User Experience:
◦ Users sign in with their corporate ID
◦ Authentication happens on premises
◦ Users have a single credential that provides SSO to on-premises and Online services
◦ Users get a true SSO experience
◦ Two-factor authentication can be used if it is deployed on premises
Administrator Experience:
◦ Manages password policy on premises only
◦ Password reset for on-premises IDs only
◦ Two-factor authentication integration options
◦ Requires additional servers to enable identity federation, so there is an additional up-front cost
ADFS Authentication Flow
Authentication for passive / web profile
Authentication for rich client profile
Authentication Exchange Active Sync / MS Outlook
ADFS 2.0 – Deployment Options
Single server configuration
AD FS 2.0 server farm and load-balancer
AD FS 2.0 proxy server or UAG/TMG
(External Users, Active Sync, Down-level Clients with Outlook)
ADFS Certificates / Policy Store
Certificates
Token signing
Token decryption
Secure Communication Certificate
Policy Store
In AD FS 2.0 the policy is stored in a database that uses either Windows Internal Database or Microsoft SQL Server as the dedicated store
AD FS 2.0 makes policy decisions based on identity information that is provided to it in the form of claims and other contextual information
What is ADFS proxy ?
A service that brokers a connection between external users and your internal AD FS 2.0 server
Three primary functions
◦ Assertion provider: The proxy accepts token requests from users and passes the information over SSL (default port 443) to the internal AD FS server. It receives the token from the internal AD FS server and passes it back to the user.
◦ Assertion consumer: The proxy accepts tokens from users and passes them over SSL (default port 443) to the internal AD FS server for processing.
◦ Metadata provider: The proxy also responds to requests for Federation Metadata.
How does the AD FS 2.0 proxy work?
Troubleshooting O365 Issues
Certificates – on all ADFS servers / client browsers (default trusted certs)
ISA/TMG O365 Rules – Domains
Network Firewall – IP white lists
Internet – Backup
ADFS / Proxy server event viewer – correlation ID
DIR Sync server event viewer
https://www.testexchangeconnectivity.com/
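The troubleshooting list above starts with certificates, and the proxy section notes that the proxy answers Federation Metadata requests. The added example below (not from the slides) parses the metadata document an AD FS proxy publishes at /FederationMetadata/2007-06/FederationMetadata.xml and reports the token-signing and token-decryption certificate thumbprints, so they can be compared against what is installed on every AD FS server and what the relying party trusts. The metadata sample is constructed, the host name is a placeholder, and the certificate values are placeholder bytes rather than real DER certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed minimal metadata. The X509Certificate values are placeholder bytes
# ("abc" and "xyz"), not real DER certificates, so the thumbprints are SHA-1 of those bytes.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts.example.invalid/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>eHl6</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sts.example.invalid/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def thumbprint(b64_cert):
    """SHA-1 thumbprint (uppercase hex) of a base64 DER certificate, as the certificate MMC shows it."""
    return hashlib.sha1(base64.b64decode(b64_cert)).hexdigest().upper()

def parse_metadata(xml_text):
    """Return entityID, certificate thumbprints grouped by KeyDescriptor 'use', and SSO endpoints."""
    root = ET.fromstring(xml_text)
    certs = {}
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        use = kd.get("use", "unspecified")
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            # real metadata wraps the base64 over several lines; strip that whitespace first
            certs.setdefault(use, []).append(thumbprint("".join(cert.text.split())))
    endpoints = [e.get("Location") for e in root.iter("{%s}SingleSignOnService" % NS["md"])]
    return {"entity_id": root.get("entityID"), "certs": certs, "sso_endpoints": endpoints}

def check_signing_cert(meta, expected_thumbprint):
    """Findings list; empty means the published token-signing cert is the one you expect."""
    signing = meta["certs"].get("signing", [])
    if not signing:
        return ["no token-signing certificate published"]
    if expected_thumbprint.upper() not in signing:
        return ["published signing thumbprints %s do not include %s" % (signing, expected_thumbprint.upper())]
    return []
```

Against a live proxy, fetch the metadata URL over HTTPS and pass the body to parse_metadata; a thumbprint mismatch after a certificate rollover is a common cause of federated sign-in failures.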
Additional reading…
Select an Office 365 plan for business (Trial)
– http://office.microsoft.com/en-in/business/compare-office-365-for-business-plans-FX102918419.aspx
Explore the Community & Blogs
– http://community.office365.com/en-us/default.aspx
Office 365 for IT pros – Learn / Training / Try / Deploy
– http://technet.microsoft.com/en-us/office365/hh528489.aspx
Questions?