Te kuptojme “Active Directory”

Slides:



Advertisements
Similar presentations
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Advertisements

Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM
Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Agenda AD to Windows Azure AD Sync Options Federation Architecture
Implementing and Administering AD FS
Understanding Active Directory
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Understanding Active Directory
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Nassau Community College
(ITI310) SESSIONS : Active Directory By Eng. BASSEM ALSAID.
Chapter 12: Additional Active Directory Server Roles
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Overview of Access and Information Protection
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Implementing Secure Shared File Access
Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Module 8 Configuring and Securing SharePoint Services and Service Applications.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Designing Active Directory for Security
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 5: Active Directory Logical Design.
Developing Applications for SSO Justen Stepka Authentisoft, LLC
1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue.
Configuring Active Directory Objects and Trusts
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.
Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.
Module 11: Securing a Microsoft ASP.NET Web Application.
Office 365: Identity and Access Solutions Suresh Menon Technology Specialist – Office 365 Microsoft Corporation India.
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Module 9 User Profiles and Social Networking. Module Overview Configuring User Profiles Implementing SharePoint 2010 Social Networking Features.
Web Services Security Patterns Alex Mackman CM Group Ltd
Module 11: Designing an Active Directory Federation Services Implementation in Windows Server 2008.
Module 3 Planning for Active Directory®
Introduction to Active Directory
1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.
Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.
Module 10: Identity and Access Services in Windows Server 2008 Active Directory.
1 Active Directory Service in Windows 2000 Li Yang SID: November 2000.
Linus Joyeux Valerie Alonso Managing consultantLead consultant blue-infinity (Switzerland) Active Directory Federation Services v2.
Slavko Kukrika MVP Connect Windows 10 to the Cloud – Cloud Join.
Agenda  Microsoft Directory Synchronization Tool  Active Directory Federation Server  ADFS Proxy  Hybrid Features – LAB.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Managing Office 365 Identities and Requirements.
Enabling the Modern Workstyle with Windows 10 & Azure Active Directory Venkatesh Gopalakrishnan 2016 Redmond Summit | Identity Without Boundaries May 25,
Stop Those Prying Eyes Getting to Your Data
Overview of Active Directory Domain Services
Data and Applications Security Developments and Directions
Exam : Identity with Windows Server 2016
Understanding Active Directory
Module 8: Securing Network Traffic by Using IPSec and Certificates
(ITI310) SESSIONS 6-7-8: Active Directory.
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
NAAS 2.0 Features and Enhancements
Access and Information Protection Product Overview October 2013
SharePoint Online Hybrid – Configure Outbound Search
SharePoint Online Authentication Patterns
AD FS Installation Active Directory Federation Services (AD FS) 7.1
Module 8: Securing Network Traffic by Using IPSec and Certificates
Te kuptojme “Active Directory”
System Center Marketing
Designing IIS Security (IIS – Internet Information Service)
Microsoft Virtual Academy
Presentation transcript:

Te kuptojme “Active Directory” 1 minute Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning , Microsoft

Sherbimet federate “Active Directory” (AD FS)

Cesthje: Pamje e pergjithshme e sherbimeve federate AD FS Course 6424A Cesthje: Module 6: Introduction to Active Directory® Federation Services Pamje e pergjithshme e sherbimeve federate AD FS Skenaret e shperndarjes AD FS Konfigurimi i komponenteve AD FS

Ceshtja 1 Cfare eshte identiteti i federates? Course 6424A Ceshtja 1 Module 6: Introduction to Active Directory® Federation Services Cfare eshte identiteti i federates? Si ndodh implementimi i tyre? Benefite te shperndarjes se sherbimeve federate AD FS

Cfare eshte identiteti federate? Course 6424A Cfare eshte identiteti federate? Module 6: Introduction to Active Directory® Federation Services Eshte nje proces qe aktivizon idnetifikimin e shperndare, autentifikimin, dhe autorizimin ne te gjithe hapesiren e organizates dhe platformes. Identity Federation allows for separate authentication domains or realms to be able to share resources without having to provide complete access to each of the authentication domains. So what does this REALLY mean? In the real world everyone has a number of username and passwords that they must remember, even in the same organizations or within partner organizations. Identity federation allows for different authentication domains/realms to provide single sign-on (SSO) services. This can be done without creating a full Active Directory trust between the organizations. Identiteti i federates: Kerkon lidhje besimi ndermjet dy organizatave apo entiteteve Lejon organizaten te fitoje kontroll tek: Aksesi i burimeve Perdoruesit e tyre dhe llogarite e perdoruesit te grupeve

Cfare jane skenaret e identitetit te federates? Course 6424A Cfare jane skenaret e identitetit te federates? Module 6: Introduction to Active Directory® Federation Services Federate per business-to-business (B2B) Federate per business-to-consumer ose business-to-employee ne nje skenar web ku behet nje logim i vetem Federate ne nje organizate te vetme ne aplikacione te shumefishta Web Federation for B2B Enables businesses to provide SSO for a business partner or other business unit that has a separate domain. Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario This design allows a business that had a perimeter network domain to provide authentication for internal user accounts. Federation within an organization across multiple Web applications This provides SSO across multiple Web applications. No trusts exist in this scenario.

Benefite te shperndarjes se sherbimeve federate AD FS Course 6424A Benefite te shperndarjes se sherbimeve federate AD FS Module 6: Introduction to Active Directory® Federation Services Benefite te meposhtme: Ofron permiresime: Siguri dhe kontroll mbi autentifikimin Rregullator perputhshmerie Aktivitet me sistemet heterogjene AD FS provides the benefits that the following section details: Enables improved: Security and control over authentication. You establish rules to control which users are allowed to authenticate across the federated trust. Regulatory compliance. Because of controlled authentication, and not providing business partners or Internet users direct authentication with your corporate domains, this enables scenarios that would allow you to maintain regulatory compliance. Interoperability with heterogeneous systems. AD FS leverages Web services, so it can interoperate with many heterogeneous systems. Whitepapers have been created to set up this interoperation. AD FS works with AD DS or AD LDS, which allows for flexibility and INSERT use with other third-party applications. Extends Active Directory to the Internet, as it allows for users on the Internet to authenticate against AD DS for use in Web applications. Funskionon me sherbimet direktori (AD DS) por edhe sherbimet Lightweight Directory Services (AD LDS) I ben aktive sherbimet direktori AD DS ne Internet

Ceshtja 2 Cfare eshte lidhja e besimit federate? Course 6424A Ceshtja 2 Module 6: Introduction to Active Directory® Federation Services Cfare eshte lidhja e besimit federate? Cilet jane komponentet ne sherbimin AD FS? Si ofrohet sherbimi i identitetit te federates ne nje skenar B2B Si shkon trafiku ne sherbimin federate AD FS ne nje skenar B2B Si e ofron sherbimi federate AD FS Web nje logim te vetem Integrimi AD FS dhr AD RMS

Cfare eshte lidhja e besimit federate? Course 6424A Cfare eshte lidhja e besimit federate? Module 6: Introduction to Active Directory® Federation Services AD DS Web Server This trust is one way and the arrow pointer is always where the accounts come from. The side of the trust where the accounts are managed is the “account partner”, while the side of the trust that has the resources that will be accessed is the “resource partner”. However, federation trusts are not like Windows trusts. In a federation trust, the federation servers in the account partner and the resource partner do not need to communicate directly with each other. Serveri federate i burimeve Serveri federate i llogarive Federation Trust Account Partner Organization Resource Partner Organization

Cfare jane komponentet e sherbimit federate AD FS ? Course 6424A Cfare jane komponentet e sherbimit federate AD FS ? Module 6: Introduction to Active Directory® Federation Services Komponentet AD FS : Domain Controllerat AD DS AD DS domain controllers Domain controllers store directory data and manage user and domain interactions, including user logon processes, authentication, and directory searches. Federation servers A federation server is a computer that runs a specialized Web service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of identity claims, such as a user's name or role. In addition, a federation server can protect the contents of security tokens in transit with an X.509 certificate, which makes it possible to validate trusted issuers. Federation Service Proxies You can use a federation server proxy to enhance the security and performance of your Active Directory Federation Services (AD FS) 2.0 deployment. When you install the AD FS 2.0 software on a computer and configure it for the federation server proxy role, that computer functions as proxy server in a perimeter network (also known as a screened subnet) for a protected Federation Service on an internal network. AD FS Web Agent Active Directory Federation Service (AD FS) Web Agents are Internet Server Application Programming Interface (ISAPI) extensions. They run on Internet Information Services (IIS) and Windows Server, and they manage security tokens and authentication cookies for the Web server. An AD FS Web Agent intercepts incoming client URL requests for a protected resource and ensures that a valid authentication token is presented. Account federation server/Serveri federate i llogarive Account Federation Service Proxy/Sherbimi PROXY per llogarite federate Resource Federation Server/Serveri i burimeve federate Resource Federation Server Proxy/Proxyy Server per sherbimet federate AD FS Web Agent/Agjenti Web AD FS

Si ofron AD FS Identitet Federate ne nje skenar B2B Course 6424A Si ofron AD FS Identitet Federate ne nje skenar B2B Module 6: Introduction to Active Directory® Federation Services INTRANET FOREST PERIMETER NETWORK Resource Federation Server Proxy AD DS Account Federation Server Proxy Resource FederationServer Account Federation Server AD FS-enabled Web Server Federation Trust Contoso Online Retailer

Si kalontrafiku AD FS ne nje skenar Business to Business Course 6424A Si kalontrafiku AD FS ne nje skenar Business to Business Module 6: Introduction to Active Directory® Federation Services 5 AD DS In this design, external users, such as customers, can access the Web application by authenticating to the external account federation server, which is located in the perimeter network. External users have user accounts in the perimeter-network Active Directory forest. Internal users, such as employees, also can access the Web application by authenticating to the internal account federation server, which is located in the internal network. Internal users have accounts in the internal Active Directory forest. If the Web-based application is a Windows NT token-based application, the AD FS Web Agent that is running on the Web application server intercepts requests and creates Windows NT security tokens, which are required by the Web application to make authorization decisions. For external users, this is possible because the AD FS-enabled Web server that hosts the Windows NT token-based application is joined to the domain in the external forest. For internal users, this is enabled through the forest trust relationship that exists between the perimeter forest and the internal forest. If the Web-based application is a claims-aware application, the AD FS Web Agent that is running on the Web application server does not have to create Windows NT security tokens for the user. The AD FS Web agent can expose the claims that come across, which makes it possible for the application to make authorization decisions based on the contents of the security token that is provided by the account federation server. As a result, when it deploys claims-aware applications, the AD FS-enabled Web server does not have to be joined to the domain, and the external-forest-to-internal-forest trust is not required. Web Server 4 1 3 2 Resource Federation Server Account Federation Server Federation Trust Contoso Online Retailer

Ceshtja 3 Opsionet e konfigurimit te sherbimit federate Course 6424A Ceshtja 3 Module 6: Introduction to Active Directory® Federation Services Opsionet e konfigurimit te sherbimit federate Cilat jane politikat ne lidhjet e besimit AD FS? Opsionet e konfigurimit te agjentit proxy web AD FS Cfare jane ankesat AD FS?

Opsionet e konfigurimit te sherbimit federate Course 6424A Opsionet e konfigurimit te sherbimit federate Module 6: Introduction to Active Directory® Federation Services Per te implementuar sherbimet federate: Krijo nje politike besimit per burimet dhe llogarite partnere Briefly talk about the main settings that will need to be configured before AD FS is functional: Create organizational claims Create account stores Create applications Create a trust Krijo ankesat ne nivel organizate Krijo hapesirat e magazinimit per llogarite Krijo dhe konfiguro aplikacionet

Cfare jane politikat e besimit ne sherbimet federate? Course 6424A Cfare jane politikat e besimit ne sherbimet federate? Module 6: Introduction to Active Directory® Federation Services Politikat e besimit jane specifiakat e konfigurimit qe percaktojne si te konfigurojme nje lidhje besimi federate dhe si funksionon lidhja e besimit federate Politikat e besimit per burime tek partneret perfshijne: Discuss how the trust policies really are the definition of the trust functions,. Then describe each of the configuration options for the resource and account partners trust policies. Token Lifetime Federation Service URI/Sherbimi federate URI Federation Service endpoint URL/Pika fundore per sherbimin federate URL Opsioni per te perdorur nje lidhje besimi Windows per kete partner Politikat e besimit per llogarite partnere perfshijne: Vendndodhja per nje certifikate per te verifikuar partnerin burim Opsione per te konfiguruar sesi burimet e llogarive krijohen

Opsionet e konfigurimit per agjentitn web Proxy ne sherbimet federte Course 6424A Opsionet e konfigurimit per agjentitn web Proxy ne sherbimet federte Module 6: Introduction to Active Directory® Federation Services Perfshijne: Install the AD FS Web Agent on the IIS server Windows Token-based authentication requires ISAPI extensions Claims-aware authorization can authenticate natively with ASP.NET 1 Determine how to collect user credential information from browser clients and Web applications 2

Cfare jane ankesat per sherbimet federate AD FS ? Course 6424A Cfare jane ankesat per sherbimet federate AD FS ? Module 6: Introduction to Active Directory® Federation Services Lloji i ankeses Pershkrimi Identiteti UPN: indicates a Kerberos version 5 protocol-style user principal name (UPN), for example: user@realm E-mail: indicates Request for Comments (RFC) 2822–style e- mail names of the form user@domain Common name: indicates an arbitrary string that is used for personalization Grupi Indicates membership in a group or role Custom Indicates a claim that contains custom information about a user, for example, an employee ID number Define an AD FS claim, and then talk about each type: identity, group, and custom. Be sure to talk about how they differ and, if possible, give an example of each. The table below shows more information than the slide table: Claim Type Description Identity UPN, e-mail, and common name are referred to in AD FS as identity claim types: UPN: Indicates a Kerberos-style user principal name (UPN), for example, user@realm. Only one claim may be the UPN type. Even if multiple UPN values must be communicated, only one may be of the UPN type. Additional UPNs may be configured as custom claim types. E-mail: Indicates Request for Comments (RFC) 2822–style e-mail names of the form user@domain. Only one claim may be the e-mail type. Even if multiple e- mail values must be communicated, only one may be of e-mail type. Additional e- mails may be configured as custom claim types. Common name: Indicates an arbitrary string that is used for personalization. Examples include John Smith or Tailspin Toys Employee. Only one claim may have the common name type. It is important to note that there is no mechanism for guaranteeing the uniqueness of the common name claim. Therefore, use caution when you use this claim type for authorization decisions. Group Indicates membership in a group or role. Administrators define individual claims that have the group type “Group claims.” For example, you might define the following set of group claims: [Developer, Tester, Program Manager]. Each group claim is a separate unit of administration for claim population and mapping. It is useful to think of the value of a group claim as a Boolean value indicating membership.