Document

Download Report

Transcript Document 

Agenda
 Microsoft Directory Synchronization Tool
Active Directory Federation Server
ADFS Proxy
Hybrid Features – LAB
Microsoft Directory Synchronization
Directory Synchronization – Why to use
 Easy to onboard large number of users – small to medium size companies
 Identities to be mastered/manage on premises
 Free / busy coexistence
 Support for identity federation
 Synchronization of photos, thumbnails, conference rooms, and security groups
 Filtering coexistence
Directory Synchronization – How it works
Deploying steps for Directory Synchronization tool
Step 1 –> system requirement / permission / performance consideration
Step 2 –> Activate Directory synchronization via MS online portal
Step 3 –> Install and configure DS tool – config wizard
Step 4 –> Synchronize your directory – write objects on Azure AD from on premises
Step 5 – > Activate synced users – individual / bulk
Step 6 –> Verify / Upgrade / Reinstall
What will it synchronizes & what not
Will 
 All users, Mail-Enabled Contacts, Mail-Enabled Groups
 Only some attributes
Will not 
 Built-in administrative user accounts
 Passwords
 Built-in administrative groups
 Default Exchange Administrative groups
 Exchange System Mailbox Accounts
Windows Azure
Active Directory
Sync Tool Update
The tool is downloaded from the Office 365
admin portal.
Only a one way hash of the password will
be synchronized to WAAD such that the
original password cannot be reconstructed
from it.
Synchronizes user passwords from onpremises AD to Azure AD (Office 365).
Respects on-premises password policies.
Can’t sync passwords for Federated Users,
but can co-exist.
SAML2
Identity Provider
Directory Sync
Tool or Active
Directory
Federation
Services
Password Sync
Same password to access
resources
Can control password
policies on-premises
Support for two factor
authentication
No password re-entry if on
premises
Client access filtering
Authentication occurs in
on premises directory
*
SSO with AD FS
Active Authentication:
Why Multi-Factor
Active Directory Federation Services
Active Directory Federation Services
 Extremely important feature for many customers is Identity Federation
 AD FS 2.0 to provide users with a single sign-on experience
 Use corporate credentials to access their Office 365 services
Non federated users – Mailbox
 User Experiences:
◦
◦
◦
◦
Logs in with cloud identity
User authentication takes place on cloud AD
Users have two IDs – one to access on-premise services & one for Online services
Users prompted for credentials even when logged into the domain when accessing Online Services
 Administrator Experience:
◦ Manages password policy in cloud & on premises
◦ Password reset for on premises & MS Online IDs
◦ No 2 Factor Authentication integration
Federated Users – Mailbox
 User Experiences:
◦
◦
◦
◦
◦
Users Sign in with corporate ID
Authentication happens on premises
Users have a single credential to provide SSO to on premises and Online services
Users get true SSO experience
2 factor Authentication can be utilized if it is deployed on-premise
 Administrator Experience:
◦
◦
◦
◦
Manages password policy on premise only
Password reset for on premise IDs only
2 Factor Authentication integration options
Requires additional servers to enable identity federation so there will be an additional up front cost
ADFS Authentication Flow
 Authentication for passive / web profile
 Authentication for rich client profile
Authentication Exchange Active Sync / MS Outlook
ADFS 2.0 – Deployment Options
Single server configuration
AD FS 2.0 server farm and load-balancer
AD FS 2.0 proxy server or UAG/TMG
 (External Users, Active Sync, Down-level Clients with Outlook)
ADFS Certificates / Policy Store
 Certificates
 Token signing
 Token decryption
 Secure Communication Certificate
 Policy Store
 In AD FS 2.0 the policy is stored in a database that uses either Windows Internal Database or Microsoft
SQL Server as the dedicated store
 AD FS 2.0 makes policy decisions based on identity information that is provided to it in the form of
claims and other contextual information
What is ADFS proxy ?
 A service that brokers a connection between external users and your internal AD FS 2.0 server
 Three primary functions
◦ Assertion provider: The proxy accepts token requests from users and passes the information over SSL (default port 443) to the
internal AD FS server. It receives the token from the internal AD FS server and passes it back to the user.
◦ Assertion consumer: The proxy accepts tokens from users and passes them over SSL (default port 443) to the internal AD FS server
for processing.
◦ Metadata provider: The proxy will also respond to requests for Federation Metadata.
How does the AD FS 2.0 Proxy work
Troubleshooting O365 Issues
 Certificates – on all ADFS servers / client browsers(default trusted certs.)
 ISA/TMG O365 Rules – Domains
 Network Firewall – IP white lists
 Internet – Backup
 ADFS / Proxy server event viewer – correlation ID
 DIR Sync server event viewer
https://www.testexchangeconnectivity.com/
Additional reading…
Select an Office 365 plan for business (Trial)
– http://office.microsoft.com/en-in/business/compare-office-365-for-business-plans-FX102918419.aspx
Explore the Community & Blogs
-http://community.office365.com/en-us/default.aspx
-Office 365 for IT pros – Learn / Training / Try / Deploy
-http://technet.microsoft.com/en-us/office365/hh528489.aspx
Questions?