If you’ve followed my blog at all, you will notice I spend a fair amount of my time writing about the products and technologies powering the integration of on-premises and cloud solutions. The industry refers to that integration using a variety of buzzwords from hybrid cloud to software defined data center/storage/networking/etc. I prefer a more simple definition of legacy solutions versus modern solutions.
So what do I mean by a modern solution? I’m speaking of solutions with the following most if not all of these characteristics:
- Customer maintains only the layers of the technology that directly present business value
- Short time to market for new features and features are introduced in a “toggle on and toggle off” manner
- Supports modern authentication, authorization, and identity management standards and specifications such as Open ID Connect, OAuth, SAML, and SCIM
- On-demand scaling
- Provides a robust web-based API
- Customer data can exist on-premises or off-premises
Since I love the identity realm, I’m going to focus on the bullet regarding modern authentication, authorization, and identity management. For this series of posts I’m going to look at how Microsoft’s Active Directory Federation Service (AD FS) and Microsoft’s Web Application Proxy (WAP) can be used to help facilitate the use of modern authentication and authorization.
So where does AD FS and the WAP come in? AD FS provides us with a security token service producing the logical security tokens used in SAML, OAuth, and Open ID Connect. Why do we care about the MS WAP? The WAP acts a reverse proxy giving us the ability to securely expose AD FS to untrusted networks (like the Internet) so that devices outside our traditional firewalled security boundary can leverage our modern authentication and authorization solution.
Some real life business cases that can be solved with this solution are:
- Single sign-on (SSO) experience to a SaaS application such as SharePoint online from both an Active Directory domain-joined endpoint or a non-domain joined endpoint such as a mobile phone.
- Limit the number of passwords a user needs to remember to access both internal and cloud applications.
- Provide authentication or authorization for modernized internal applications for endpoints outside the traditional firewalled security boundary.
- Authentication and authorization of devices prior to accessing an internal or cloud application.
As we can see from the above, there are some great benefits around SSO, limiting user credentials to improve security and user experience, and taking our authorization to the next step by doing contextual-based authorization (device information, user location, etc) versus relying upon just Active Directory group.
Microsoft does a relatively decent job describing how to design and implement your AD FS and WAP rollout, so I’m not going to cover much of that in this series. Instead I’m going to focus on the “behind the scenes” conversations that occur with endpoints, WAP, AD FS, AD DS, and Azure AD. Before I begin delving into the weeds of the product, I’m going to spend this post giving an overview of what my lab looks like.
I recently put together a more permanent lab consisting of a mixture of on-premise VMs running on HyperV and Azure resources. I manage to stay well within my $150.00 MSDN balance by keeping a majority of the VMs deallocated. The layout of the lab is diagramed below.
On-premises I am running a small collection of Windows Server 2016 machines within HyperV running on top of Windows Server 2016. I’m using a standard setup of an AD DS, AD CS, AADC, AD FS, and IIS/MS SQL server. Running in Azure I have a single VNet with three subnets each separated by a network security group. My core infrastructure of an AD DS, IIS/MS SQL, and AD FS server exist in my Intranet subnet with my DMZ subnet containing a single WAP.
The Active Directory configuration consists of a single Active Directory forest with an FQDN of journeyofthegeek.local. The domain has been configured with an explicit UPN of journeyofthegeek.com which is assigned as the UPN suffix for all users synchronized to Azure Active Directory. The domain is running in Windows Server 2016 domain and forest functional level. The on-premises domain controller holds all FSMO roles and acts as the DC for the Active Directory site representing the on-premises physical location. The domain controller in Azure acts as the sole DC for the Active Directory site representing Azure. Both DCs host the split-brain DNS zone for journeyofthegeek.com.
The on-premises domain controller also runs Active Directory Certificate Services. The CA is an enterprise CA that is used to distribute certificates to security principals in the environment. I’ve removed the CDP from the certificate templates issued by the CA to eliminate complications with the CRL revocation checking.
The AD FS servers are members of an AD FS farm named sts.journeyofthegeek.com and use a MS SQL Server 2016 backend for storage of configuration information. The SQL Server on-premises hosts the SQL instance that the AD FS users are using to store configuration information.
Azure Active Directory Connect is co-located on the AD FS server and uses the same SQL server as the AD FS uses. It has been integrated with a lab Azure Active Directory tenant I use which has a few licenses of Office 365 Business Essentials. The objectGUID attribute is used as the immutable ID and the Azure Active Directory tenant has the DNS namespaces of journeyofthegeek.onmicrosoft.com and journeyofthegeek.com associated with it.
The IIS server running in Azure runs a simple .NET application (https://blogs.technet.microsoft.com/tangent_thoughts/2015/02/20/install-and-configure-a-simple-net-4-5-sample-federated-application-samapp/) that is used for claims-based authentication. I’ll be using that application for demonstrations with the Web Application Proxy and have used it in the past to demonstrate functionality of the Azure Application Proxy.
For the demonstrations throughout these series I’ll be using the following tools:
- Fiddler (http://www.telerik.com/fiddler)
- PSTools (https://docs.microsoft.com/en-us/sysinternals/downloads/pstools)
- ProcMon (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)
- Process Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer)
- API Monitor (http://www.rohitab.com/apimonitor)
- WireShark (https://www.wireshark.org/)
- Microsoft Network Monitor (https://www.microsoft.com/en-us/download/details.aspx?id=4865)
In my next post I’ll do a deep dive into what happens behind the scenes during the registration of the Web Application Proxy with an AD FS farm. See you then!