Conditional access DirectAccess & automatic VPN Desktop Virtualization.

Architecture diagram (Web Application Proxy): Client (browser, Office client or modern app) on the Internet, then Firewall / Load Balancer, then Web Application Proxy and AD FS Proxy in the DMZ, then Firewall, then the Corporate Network with AD FS, Config. Store, Backend Servers and the Active Directory Domain Controller. Labelled flows: HTTP/S AuthN; Config. API over HTTPS; AuthN Web UI; Claims, KCD, OAuth, MSOFBA, or pass-through; Obtain KCD ticket for IWA AuthN.

Users can register their devices to gain access to corporate data and apps, and single sign-on through device authentication.
Conditional access with multi-factor pre-authentication is provided on a per-application basis, leveraging user identity, device registration and network location.
Published applications: AD FS provides rich authentication and authorization capabilities, including multi-factor and federation.
Publish any standard Web/HTTP server. Single sign-on using Kerberos, claims, Office or OAuth.
New Windows Server 2012 R2 role service under the RRAS server role, integrated into Windows Server Manager and the RRAS admin experience (PSH + UI).

Animated diagram (WAP to LOB application request flow); slide labels: 302, Edge Policies, Application Policies, Query String, 401, Kerberos Constrained Delegation, AP_REQ(tckt).

Diagram: fabrikam.com DRS (Device Registration Service), WAP, fabrikam.com LOB.

Diagram: Azure Active Directory, DMZ, Corporate Network.

Once started, the connectors open HTTP requests to the WAP service. The requests remain waiting until a user request arrives or the request times out.

The user sends a request to the public address of the service, which is unique per tenant and per application. E.g.

The WAP service selects one of the pending connector requests and sends the user request as its payload.

The connector sends the user request to the backend application and, once there is a response, sends it back to the service as a new request.

The cloud service returns the response to the client request.

The user sends a new unauthenticated request to an application that is configured to require pre-authentication.

WAP redirects the user to the Azure AD STS address with information on the application that needs pre-authentication. Nothing is sent to the backend.

The user authenticates to the Azure AD STS. This process may involve other systems depending on tenant configuration, e.g. 2FA and federation. Once done, the user is redirected back to the WAP service with a token.

The user request arrives again, but now with a valid authentication token. Once the token is validated, the request is sent to the backend application.
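The connector relay and pre-authentication sequence from the slides above, as an added simulation (not Microsoft's code): an in-memory cloud service queues pending connector polls, dispatches a user request to one of them, and sends unauthenticated requests for a pre-auth-required app to the STS without touching the backend. The STS address, the secret, the hostnames and the HMAC-based token check are constructed stand-ins for Azure AD, chosen only to make the flow runnable offline.

```python
import hmac, hashlib
from collections import deque

STS_URL = "https://sts.example/authorize"  # constructed placeholder for the Azure AD STS
SECRET = b"constructed-demo-secret"        # constructed; stands in for STS signing keys

def issue_token(app_host):  # stand-in for the token the STS returns after sign-in
    return hmac.new(SECRET, app_host.encode(), hashlib.sha256).hexdigest()

def valid_token(token, app_host):
    return token is not None and hmac.compare_digest(token, issue_token(app_host))

class Connector:  # on-premises connector: relays a dispatched request to the backend
    def __init__(self, backends):
        self.backends = backends  # constructed in-memory apps: backend -> {path: body}

    def forward(self, backend, path):
        body = self.backends.get(backend, {}).get(path)
        return (200, body) if body is not None else (404, "not found")

class CloudService:  # cloud relay: queues connector long-polls, enforces pre-auth
    def __init__(self):
        self.pending = deque()  # connector requests waiting for a user request
        self.apps = {}          # external host -> (backend, preauth_required)

    def publish(self, external_host, backend, preauth=True):
        self.apps[external_host] = (backend, preauth)

    def connector_poll(self, connector):
        self.pending.append(connector)  # stays open until a user request arrives

    def handle_user_request(self, external_host, path, token=None):
        backend, preauth = self.apps[external_host]
        if preauth and not valid_token(token, external_host):
            # Redirect to the STS carrying the app identity; nothing reaches the backend.
            return 302, f"{STS_URL}?app={external_host}"
        if not self.pending:
            return 503, "no connector available"
        connector = self.pending.popleft()  # pick one waiting long-poll request
        status, body = connector.forward(backend, path)
        self.pending.append(connector)      # the connector re-opens its poll
        return status, body

def run_flow():  # slide sequence: unauthenticated request, STS round trip, retry
    svc, host = CloudService(), "lob.fabrikam.example"
    svc.publish(host, "lob-internal", preauth=True)
    svc.connector_poll(Connector({"lob-internal": {"/": "hello from LOB"}}))
    first = svc.handle_user_request(host, "/")
    second = svc.handle_user_request(host, "/", token=issue_token(host))
    return first, second
```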