Well folks, it’s time to wrap up this series on Azure Active Directory Domain Services (AAD DS). In my first post I covered the basic configurations of the managed domain and in my second post took a look at how well Microsoft did in applying security best practices and complying with NIST standards. In this post I’m going to briefly cover the LDAPS over the Internet capability, summarize some key findings, and list out some improvements I’d like to see made to the service.
One of the odd features Microsoft provides with the AAD DS service is the ability to expose the managed domain over LDAPS to the Internet. I really am lost as to the use case that drove the feature. LDAP is very much a legacy on-premises protocol that has no place being exposed to risks of the public Internet. It’s the last thing that should the industry should be encouraging. Just because you can, doesn’t mean you should. Now let me step off the soap box and let’s take a look at the feature.
As I covered in my last post LDAPS is not natively enabled in the managed domain. The feature must be configured and enabled through the Azure Portal. The configuration consists of uploading the private key and certificate the service will use in the form of a PKCS12 file (*.PFX). The certificate has a few requirements that are outlined in the instructions above. After the certificate is validated, it takes about 10-15 minutes for the service to become available. Beyond enabling the service within the VNet, you additionally have the option to expose the LDAPS endpoint to the Internet.
Microsoft provides instructions on how to restrict access to the endpoint to trusted IPs via a network security group (NSG) because yeah, exposing an LDAP endpoint to the Internet is just a tad risky. To lock it down you simply associate an NSG with the subnet AAD DS is serving. Once that is done enable the service via the option in the image above and wait about 10 minutes. After the service is up, register a external DNS record for the service that points to the IP address noted under the properties section of the AADS blade and you’re good to go.
For my testing purposes, I locked the external LDAPS endpoint down to the public IP address my Azure VM was SNATed to. After that I created an entry in the host file of the VM that matched the external DNS name I gave the service (whyldap.geekintheweeds.com) to the public IP address of the LDAPS endpoint in order to bypass the split-brain DNS challenge. Initiating a connection from LDP.EXE was a success.
Now that we know the service is running, let’s check out what the protocol support and cipher suite looks like.
Again we see the use of deprecated cipher suites. Here the risk is that much greater since a small mistake with an NSG could expose this endpoint directly to the Internet. If you’re going to use this feature, please just don’t. If you’re really determined to, don’t screw up your NSGs.
This series was probably one of the more enjoyable series I’ve done since I knew very little about the AAD DS offering. There were a few key takeaways that are worth sharing:
- The more objects in the directory, the more expensive the service.
- Users and groups can be created directly in managed domain after a new organizational unit is created.
- Password and lockout policy is insanely loose to the point where I can create an account with a three character password (just need to meet complexity requirements) and accounts never lockout. The policy cannot be changed.
- RC4 encryption ciphers are enabled and cannot be disabled.
- NTLMv1 is enabled and cannot be disabled.
- The service does not support smart-card enforced users. Yes, that includes both the users synchronized from Azure AD as well as any users you create directly in the managed domain. If I had to guess, it’s probably due to the fact that you’re not a Domain Admin so hence you can’t add to the NTAuth certificate store.
- LDAPS is not enabled by default.
- Schema extensions are not supported.
- Account-Based Kerberos Delegation is not supported.
- If you are syncing identities to Azure AD, you’ll also need to synchronize your passwords.
- The managed domain is very much “out of the box” defaults.
- Microsoft creates a “god” account which is a permanent member of every privileged group in the forest
- Recovery of deleted objects created directly in the managed domain is not possible. The rights have not been delegated to the AADC Administrator.
- The service does not allow for Active Directory trusts
- SIDHistory attribute of users and groups sourced from Azure AD is populated with Primary Group from on-premises domain
My verdict on AAD DS is it’s not a very useful service in its current state. Beyond small organizations, organizations that have very little to no requirements on legacy infrastructure, organizations that don’t have strong security requirements, and dev/qa purposes I don’t see much of a use for it right now. It comes off as a service in its infancy that has a lot of room to grow and mature. Microsoft has gone a bit too far in the standardization/simplicity direction and needs to shift a bit in the opposite direction by allowing for more customization, especially in regards to security.
I’d really like to see Microsoft introduce the capabilities below. All of them should exposed via the resource blade in the Azure Portal if at all possible. It would provide a singular administration point (which seems to be the strategy given the move of Azure AD and Intune to the Azure Portal) and would allow Microsoft to control how the options are enabled in the managed domain. This means no more administrators blowing up their Active Directory forest because they accidentally shut off all the supported cipher suites for Kerberos.
- Expose Domain Controller Event Logs to Azure Portal/Graph API and add support for AAD DS Power BI Dashboards
- Support for Active Directory trusts
- Out of the box provide a Red Forest model (get rid of that “god” account)
- Option to disable risky cipher suites for both Kerberos and LDAPS
- Option to harden the password and lockout policy
- Option to disable NTLMv1
- Option to turn on LDAP Debug Logging
- Option to direct Domain Controller event logs to a SIEM
- Option to restore deleted users and groups that were created directly in the managed domain. If you’re allow creation, you need to allow for restoration.
- Removal of Internet-accessible LDAPS endpoint feature or at least somehow incorporate the NSG lockdown feature directly into the AAD DS blade.
While the service has a lot of room for improvement the direction of a managed Windows AD offering is spot on. In the year 2018, there is no reason Windows AD shouldn’t be offered as a managed service. The direction Microsoft has gone by sourcing the identities and credentials from Azure AD is especially creative. It’s a solid step in the direction of creating a singular centralized identity service that provides both legacy and modern protocols. I’ll be watching this service closely as Microsoft builds upon it for the next few months.
Thanks and see you next post!
Hi I set this up and can LDAPS and LDAP from a vm within the Azure network but can’t LDAPS from outside it. Is this possible? I have added my IP to the network security group but still can’t connect.
Also if LDAPS over the internet is a bad practice what is the alternative option? Our application uses LDAPS to see if users are members of a group to allow them to use a specific database. Trying to get this functionality to work over the internet. Would it still be ok if the network security group only allowed our specific IP addresses?
It was possible when I labbed it out earlier this year. If the Microsoft documentation states the feature is still there, I’d double-check your security group settings.
Your second question is a great one and it’s one I’ve been asked over and over since the cloud became a thing. My first recommendation on legacy applications (any app still dependent on LDAPS is a legacy app IMO) is keep them on-premises. LDAPS has no business flowing over the public Internet. Modern applications should either be capable of accepting user data through a logical token (such as a SAML assertion or OAuth bearer token) or preferably querying for that data via a web based call to an API (such as AWS Congnito API or Azure AD Graph API).
Now if you absolutely require it for some crazy reason I would recommend one of two approaches below.
1) Synchronize only the data required by the application to a product that can provide that data over LDAP and limit network access to only trusted hosts. This will limit the impact vs exposing a data store with all your user data. This product could be OpenLDAP, AD LDS, Radiant Logic, etc.
2) Setup a dedicated connection between the endpoints such as AWS Direct Connect or MS Express Route and top it off with a VPN connection. This will ensure your data is protected in transit and doesn’t flow over the public Internet. You could even combine this recommendation with the first for added layers of security.