[Architecture diagram: a client (browser, Office client or modern app) on the Internet connects over HTTP/S through a Firewall and Load Balancer to the Web Application Proxy / AD FS Proxy in the DMZ, then through a second Firewall and Load Balancer to the Backend Servers on the Corporate Network. WAP authenticates to the backend using Claims, KCD, OAuth, MSOFBA, or pass-through; the Config. Store is reached over the Config. API over HTTPS; AD FS AuthN is served by the AD FS Web UI; a KCD ticket for IWA AuthN is obtained from the Active Directory Domain Controller. Related slides: Desktop Virtualization, Conditional access, DirectAccess & automatic VPN.]

[Feature list: Network Isolation, Basic DOS, Rich Policy, MFA Options, Multiple Authentication Methods, URL Translation, SSO, Selective Publishing, AD FS Proxy services, Web Protocols Only, security token of AD FS]

Web Application Proxy is a new Windows Server 2012 R2 role service under the RRAS server role, integrated into Windows Server Manager and the RRAS admin experience (PowerShell + UI).

AD FS provides rich authentication and authorization capabilities, including multi-factor authentication and federation.

Published applications: users can register their devices to gain access to corporate data and apps, with single sign-on through device authentication. Conditional access with multi-factor preauthentication is provided on a per-application basis, leveraging user identity, device registration and network location. Any standard Web/HTTP server can be published. Single sign-on uses Kerberos, claims, Office or OAuth.

[Sequence diagrams: client, WAP, LOB backend (https://lob.fabrikam.com published externally, http://lob internally) and AD FS at https://sts.fabrikam.com, showing an unauthenticated request answered with a 302 redirect to the STS.]
[Sequence diagrams, continued: the same client / WAP / LOB / https://sts.fabrikam.com exchange with Edge Policies at WAP and Application Policies at the backend; a Query String variant; a 401 challenge followed by a Kerberos AP_REQ(tckt); device registration against DRS at https://enterpriseenrollment.fabrikam.com; and an Azure Active Directory variant spanning the DMZ and the Corporate Network.]

Azure AD Application Proxy (AAD-AP Connector and AAD-AP Cloud Service):

1. Once started, the connectors open HTTP requests to the WAP service. The requests remain waiting until a user request arrives or a timeout occurs.
2. The user sends a request to the public address of the service, which is unique per tenant and per application, e.g. https://app1-contoso.cwap.net/
3. The WAP service selects one of the pending connector requests and sends the user request as the payload.
4. The connector sends the user request to the backend application and, once there is a response, sends it to the server (the cloud service) as a new request.
5. The cloud service returns the response to the client request.

Preauthentication:

6. The user sends a new unauthenticated request to an application that is configured to require preauthentication.
7. WAP redirects the user to the Azure AD STS address with information on the application that needs preauthentication. Nothing is sent to the backend.
8. The user authenticates to Azure AD STS. This process may involve other systems depending on tenant configuration, e.g. 2FA and federation. Once done, the user is redirected back to the WAP service with a token.
9. The user request arrives again, now with a valid authentication token. Once the token is validated, the request is sent to the backend application.

Resources: http://channel9.msdn.com/Events/TechEd www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn
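As an added example (not part of the presentation and not Microsoft's code), the nine-step exchange above modelled in a single Python process: the connector parks outbound requests with the cloud service, the service uses one of those parked requests as the carrier for each user request, and an application that requires preauthentication is never relayed until the STS token has been validated. The STS, the HMAC token format, the hostnames, the STS_URL and all class names are constructed stand-ins; the real AAD-AP wire protocol is not reproduced.

```python
# Added example, not from the slides: a single-process model of the Azure AD
# Application Proxy flow described above. The STS, hostnames, token format and
# class names are constructed stand-ins, not the real AAD-AP wire protocol.
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

STS_URL = "https://sts.example.invalid/authorize"  # constructed placeholder


@dataclass
class Request:
    host: str                    # public address, unique per tenant and app
    path: str = "/"
    token: Optional[str] = None  # token returned by the STS, if any


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


class ToySts:
    """Stand-in for Azure AD: issues and validates HMAC-bound tokens."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
    def _mac(self, user: str, host: str) -> str:
        return hmac.new(self._secret, f"{user}|{host}".encode(), hashlib.sha256).hexdigest()
    def issue(self, user: str, host: str) -> str:
        return f"{user}|{host}|{self._mac(user, host)}"  # bound to one application
    def validate(self, token: str, host: str) -> bool:
        parts = token.split("|")
        if len(parts) != 3:
            return False
        user, tok_host, mac = parts
        # Audience check plus constant-time MAC comparison.
        return tok_host == host and hmac.compare_digest(mac, self._mac(user, tok_host))


class Connector:
    """Runs inside the corporate network and only makes outbound calls."""
    def __init__(self, backends: Dict[str, Callable[[Request], Response]]) -> None:
        self._backends = backends
        self.backend_calls = 0
    def relay(self, req: Request) -> Response:
        # Step 4: hand the user request to the backend and carry back its answer.
        self.backend_calls += 1
        handler = self._backends.get(req.host)
        return handler(req) if handler else Response(502, "no backend for host")


class CloudService:
    """Stand-in for the AAD-AP cloud service."""
    def __init__(self, sts: ToySts, preauth_hosts: set) -> None:
        self._sts = sts
        self._preauth = preauth_hosts
        self._pending = deque()  # connectors whose outbound request is waiting
    def connector_poll(self, connector: Connector) -> None:
        self._pending.append(connector)  # Step 1: park the open request
    def handle(self, req: Request) -> Response:
        # Steps 6-7 and 9: preauthentication is enforced before any relay.
        if req.host in self._preauth and not (
            req.token and self._sts.validate(req.token, req.host)
        ):
            return Response(302, headers={"Location": f"{STS_URL}?app={req.host}"})
        if not self._pending:
            return Response(503, "no connector available")
        connector = self._pending.popleft()  # Step 3: pick a waiting request
        resp = connector.relay(req)
        self.connector_poll(connector)  # connector re-opens a fresh request
        return resp  # Step 5: answer the client


def run_scenario() -> Dict[str, object]:
    """Drive the model through the flows on the slides and report the outcomes."""
    sts = ToySts(b"constructed-demo-secret")
    backends = {
        "app1-contoso.cwap.net": lambda r: Response(200, f"app1 served {r.path}"),
        "intranet-contoso.cwap.net": lambda r: Response(200, "open intranet page"),
    }
    connector = Connector(backends)
    service = CloudService(sts, preauth_hosts={"app1-contoso.cwap.net"})
    service.connector_poll(connector)
    out: Dict[str, object] = {}
    out["passthrough"] = service.handle(Request("intranet-contoso.cwap.net")).status
    anon = service.handle(Request("app1-contoso.cwap.net", "/reports"))
    out["anon_status"], out["anon_location"] = anon.status, anon.headers.get("Location")
    out["calls_after_anon"] = connector.backend_calls  # the redirect touched no backend
    token = sts.issue("alice", "app1-contoso.cwap.net")
    ok = service.handle(Request("app1-contoso.cwap.net", "/reports", token))
    out["auth_status"], out["auth_body"] = ok.status, ok.body
    other = sts.issue("alice", "intranet-contoso.cwap.net")  # token for another app
    out["wrong_audience"] = service.handle(Request("app1-contoso.cwap.net", "/", other)).status
    out["calls_total"] = connector.backend_calls
    return out
```

Call run_scenario() to exercise the flows: the pass-through application is relayed immediately, the unauthenticated request to the preauthenticated application returns a 302 to the STS while the connector's backend_calls counter stays unchanged, and a token issued for a different published application is rejected by the audience check, so a token for one application cannot be reused against another. Because the connector only ever dials out, the relay works without any inbound port on the corporate firewall, which is the property the slides' DMZ-free Azure AD variant relies on.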