Azure AD Seamless SSO

Seamless SSO, something I once found really, really hard. But with the experience gained from configuring Kerberos two or three years ago and from starting to work with SAML, Seamless SSO is no longer so out of reach.

First, credit to our great Microsoft. Around September last year Azure AD shipped an update: Pass-Through Authentication. Microsoft describes the benefit as authentication being handed back to the on-premises AD, so Password Hash Sync does not need to be enabled.

On the other hand, although we already have an ADFS WAP, it sits in the DMZ and is therefore not joined to AD, so Azure pre-authentication cannot be used with it. The Application Proxy Connector does not have that limitation: it can be installed on any domain-joined server. Given that, having the connector's machine account do Kerberos is no trouble at all.

The steps can be followed straight from Microsoft. Only one step caught my attention, because it differs from how I have configured KCD before. Normally, under Delegation – "Trust this computer for delegation to specified services only", the option selected is "Use Kerberos only", but for the Application Proxy delegation the configuration uses "Use any authentication protocol". That setting is protocol transition: the connector has already authenticated the user against Azure AD rather than with a Kerberos ticket, so it must be allowed to obtain a ticket on the user's behalf (S4U2Self). The flip side is that the connector host can then request tickets for any user to the listed SPNs, so treat that server as a sensitive host and keep the allowed-to-delegate-to list as short as possible.

  • Reconfirm that the connector host has been granted the rights to delegate to the designated target account’s SPN, and that Use any authentication protocol is selected. For more information about this topic, see SSO configuration article

https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-back-end-kerberos-constrained-delegation-how-to
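As an added example (not from the original post or from Microsoft's documentation), the delegation step above done from PowerShell instead of the AD Users and Computers GUI. The connector computer name APPPROXY01, the backend service account CONTOSO\svc_intranet and the SPN HTTP/intranet.contoso.local are assumptions:

```powershell
# Added example (not the original post's own commands). Configures Kerberos
# constrained delegation with protocol transition for an Azure AD Application
# Proxy connector. All names below are assumptions for illustration.
Import-Module ActiveDirectory

$ConnectorHost  = 'APPPROXY01'                    # assumed connector computer name
$BackendAccount = 'svc_intranet'                  # assumed backend app pool account
$BackendSpn     = 'HTTP/intranet.contoso.local'   # assumed backend SPN

# 1. The backend SPN must exist on exactly one account. A missing or duplicated
#    SPN makes the backend hop silently fall back to NTLM, and KCD then fails.
setspn -Q $BackendSpn
setspn -X                                         # forest-wide duplicate report
$current = (Get-ADUser -Identity $BackendAccount -Properties servicePrincipalName).servicePrincipalName
if ($current -notcontains $BackendSpn) {
    setspn -S $BackendSpn "CONTOSO\$BackendAccount"   # -S refuses to create a duplicate
}

# 2. "Trust this computer for delegation to specified services only":
#    the connector's computer account may delegate only to the backend SPN.
Set-ADComputer -Identity $ConnectorHost -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }

# 3. "Use any authentication protocol" (protocol transition). The connector
#    pre-authenticates the user with Azure AD, not Kerberos, so it needs
#    S4U2Self to get a ticket on the user's behalf. "Use Kerberos only" would
#    break the backend hop.
Set-ADAccountControl -Identity (Get-ADComputer -Identity $ConnectorHost) -TrustedToAuthForDelegation $true

# 4. Verify before going back to the Azure portal: both values must be set.
Get-ADComputer -Identity $ConnectorHost -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
```

Run this as a domain admin on a host with RSAT; the `setspn -X` line is the quickest way to catch the duplicate-SPN problem that otherwise shows up only as a generic 401 from the backend.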

The two YouTube videos below explain this clearly and are worth watching.

Reference

https://www.youtube.com/watch?v=PyeAC85Gm7w

https://www.youtube.com/watch?v=vt2R4P4xLQA

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-sso-using-kcd

My ADFS Claims Rules Journey – Part 3 – Final

Finally have the time and the mood to write this last part.

Continuing from Part 2, after endless trial and error with claims rules.
The vendor article below is what made me give up on using claims rules for the restriction. For ActiveSync, Modern Auth seems to defeat claims rules outright.

The following approaches can be used instead to restrict unauthorized ActiveSync device access:

First: use the MDM vendor's identity management software. This is relatively the hardest, because it mostly relies on SAML and needs hands-on SAML deployment experience, and the infrastructure configuration involved is not something an ordinary company invests in.

Second: deploy certificate authentication. The difficulty is on a par with the first option; deploying and maintaining an internal CA / NDES / PKI infrastructure is not easy either.

Third: in Azure AD, under Enterprise Applications, disable iOS Accounts, or disable the other email clients (e.g. Outlook Mobile), which stops unauthorized end users from adding an Exchange Online account. This method is very easy; the only thing to worry about is which email client you give end users once iOS native Mail is no longer an option.

Fourth: finally, configure the default to Block/Quarantine.
This is the easiest to configure, but the cost is manual device control.
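As an added example (not from the original post), here is what the fourth option looks like in Exchange Online PowerShell, including the manual device-control work it leaves behind. It assumes an existing Exchange Online session; the admin mailbox, user and device IDs are placeholders:

```powershell
# Added example (not the original post's own commands). Default Quarantine for
# ActiveSync plus the per-device approval loop it implies. Mailbox, device ID
# and recipient values are placeholders.

# 1. Organization-wide default: unknown devices land in quarantine, admins get
#    a mail, and the user sees a message in their mailbox.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@contoso.com' `
    -UserMailInsert 'Your device is waiting for approval by IT.'

# 2. Optional: pre-approve a device family so only genuinely unknown clients
#    are quarantined. Characteristic can be DeviceModel, DeviceType, DeviceOS,
#    UserAgent or XMSWLHeader.
New-ActiveSyncDeviceAccessRule -QueryString 'Outlook for iOS and Android' `
    -Characteristic DeviceModel -AccessLevel Allow

# 3. The "manual device control" cost: someone has to review this list.
Get-MobileDevice -Filter "DeviceAccessState -eq 'Quarantined'" |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime

# 4. Approve one specific device for one mailbox (placeholder values) ...
Set-CASMailbox -Identity 'alice@contoso.com' -ActiveSyncAllowedDeviceIDs @{ Add = 'ABCDEF0123456789' }

# ... or block a device ID outright for that mailbox.
Set-CASMailbox -Identity 'alice@contoso.com' -ActiveSyncBlockedDeviceIDs @{ Add = 'FEDCBA9876543210' }
```

The access rule in step 2 is the lever that decides how much of step 3 you end up doing by hand; a permissive rule lowers the workload but also widens what counts as an approved client.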

Reference Article

https://www.mobileiron.com/en/smartwork-blog/lets-get-technical-ios-11-oauth-20-office-365

Mysterious Config Change Incidents I & II, Continued ……. Kerberos Auth

Two weeks ago the Exchange Server CBA virtual directory had its appHost setting abnormally disabled, flipped from True to False.

The day before yesterday another mysterious incident followed. This time two OKTA Connectors disconnected at the same time; besides making login completely impossible, the SPN used for Kerberos by the OKTA IWA (Integrated Windows Authentication) Agent website suddenly vanished.
So this post is a refresher on configuring Kerberos authentication on IIS.

The reference website below is worth reading, but the points I want to call out specifically are these:

  • Run the IIS website under a service account rather than the default Application Pool Identity; it makes the SPNs you create later much easier to control, because they are registered on that account rather than on the machine account.
  • In the IIS Configuration Editor, under "system.webServer > security > authentication > windowsAuthentication", set "useAppPoolCredentials" to True, so tickets are decrypted with the app pool account that holds the SPN.
  • Finally, if the newly configured IIS website's hostname differs from the server's own machine name
    (sample: the machine is "ServerA.domain.local" but the new IIS website is "ServerA.domain.com"), create the new SPN "HTTP/ServerA.domain.com" as usual; adding further SPNs such as "HTTP/Web.domain.com" is allowed as well. The only requirement is that "Web.domain.com" resolves on the network, and that each SPN exists on exactly one account, since a duplicate SPN makes clients fall back to NTLM.
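As an added example (not from the original post or the referenced site), the three points above carried out in PowerShell on the IIS host: the SPNs for a site whose hostnames differ from the machine name, the app pool running as a service account, and the windowsAuthentication switches. The site name "Default Web Site", the account DOMAIN\svc_iis and the hostnames are assumptions:

```powershell
# Added example (not the original post's own commands). Registers HTTP SPNs
# for an IIS site reachable under names that differ from the machine name,
# runs the app pool as a service account and enables Kerberos with
# useAppPoolCredentials. Site, account and hostnames are assumptions.
Import-Module WebAdministration

$Site      = 'Default Web Site'
$Pool      = 'DefaultAppPool'
$SvcAcct   = 'DOMAIN\svc_iis'
$SiteHosts = @('ServerA.domain.com', 'web.domain.com')   # machine itself is ServerA.domain.local

# 1. App pool identity: the account that will hold the SPNs. identitytype 3 = SpecificUser.
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel -Value @{
    identitytype = 3; userName = $SvcAcct; password = '<service-account-password>' }

# 2. One SPN per hostname, on the service account, never on the machine account.
#    setspn -Q shows who (if anyone) already holds the name; -S refuses duplicates.
foreach ($h in $SiteHosts) {
    setspn -Q "HTTP/$h"
    setspn -S "HTTP/$h" $SvcAcct
}
setspn -L $SvcAcct      # what the account now holds
setspn -X               # forest-wide duplicate check; any hit here means NTLM fallback

# 3. Windows authentication on, tickets decrypted with the app pool credentials.
$Filter = 'system.webServer/security/authentication/windowsAuthentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter $Filter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter $Filter -Name useAppPoolCredentials -Value $true

# 4. Read back the effective value. Then, from a domain-joined client, browse the
#    site and run klist: a "Server: HTTP/web.domain.com @ DOMAIN.LOCAL" ticket
#    confirms Kerberos was used rather than NTLM.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter $Filter -Name useAppPoolCredentials
```

The `setspn -X` check is also the fastest way to confirm the failure mode described in this post: if the SPN disappears from the account, `setspn -L` shows nothing for it and the client-side klist shows no HTTP ticket for the site.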

Reference:

http://woshub.com/configuring-kerberos-authentication-on-iis-website/

Client Certificate Mapping in IIS Configuration Editor

appcmd parameter form (as generated by Configuration Editor): -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True"