Modern Authentication for Exchange Server On-Premises


1 Modern Authentication for Exchange Server On-Premises
BRK3249
Greg Taylor, Principal Program Manager
9/6/2018 3:35 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Session objectives and takeaways
Tech Ready 15 9/6/2018
At the end of this session, you should be better able to:
- Explain why Modern Auth is a good thing to adopt
- Understand Microsoft’s plans for Modern Auth and on-prem Exchange
- Explain how Modern Auth on-prem works
- Understand good scenarios for its use, and some that are less so
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Related content
Breakout Sessions
- BRK4001: Best-in-class authentication in Skype for Business and Microsoft Teams. Natasha Desai. Date/Time: Weds Sept 27, 9:45 AM-10:30 AM. Venue / Room: OCCC W314
- BRK3053: Troubleshooting Office 365 identity: How modern authentication works and what to do when it doesn’t. Jonas Gunnemo. Date/Time: Thursday, Sept 28, 1:00 PM-2:15 PM. Venue / Room: OCCC West Hall F2

4 Why Should I Care About MA? What is it?
- For the purposes of this discussion, MA provides the ability for desktop Outlook to authenticate to Exchange using a token, as opposed to using Basic, NTLM, Kerberos, magic beans, etc.
- Why is it ‘Modern’? Great question.
- Why is it ‘better’? Strong AuthN is good, and MA lets you perform Multi-Factor AuthN with Outlook and Exchange much more easily.
- Who is it good for? Anyone with a security team that insists on MFA from outside the company firewall, or anyone who wants to improve the authentication of users to Exchange.
- Who is it not good for? It relies on good network connectivity for token acquisition and renewal, so poor networks might rule you out.
- But these scenarios are not yet supported: this is an insider look at futures.

5 Some terminology
- ADAL: Azure AD Authentication Library, the API used by developers to implement Modern Authentication. It is the ADAL stack in Exchange and Outlook that adds the ability to use OAuth.
- OAuth: standards-based protocol used for authentication
- AD FS: on-prem token issuing service providing Single Sign-On services for external services/applications
- EvoSTS: the token issuer for Azure AD
- CA: Conditional Access, which allows the IT admin to only allow access based on certain conditions, usually location-based or device-based
- Outlook: the Exchange client
- Exchange: Outlook server

6 Overview of How It Works
In short, this is how it works:
1. Outlook indicates to Exchange that it can do Modern Auth during the initial unauthenticated connection conversation
2. Exchange responds with a redirect URL to the Security Token Service (STS)
3. The user heads over there and authenticates; this could be simple creds, certificate, MFA, whatever the STS is configured to require
4. Once the user is authenticated, an OAuth token is passed to the client (two actually: an Access token, specific to the URL, and a Refresh token)
5. The client hands the Access token to Exchange and is authorized to access the resource, and uses the Refresh token to renew the Access token as needed
Notes:
- MAPI-HTTP only, no Outlook Anywhere
- Exchange does this for ALL connections, internal and external
- Exchange no longer does the auth, so it is up to the STS to auth the user and enforce MFA

7 Outlook Asks for OAuth
    POST HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml
    Authorization: Bearer
    Cookie: OutlookSession="{3C3FF6EF-033E-49C8-A881-FFE1263C8B9E}"
    User-Agent: Microsoft Office/16.0 (Windows NT 6.3; Microsoft Outlook ; Pro)
    X-MS-CookieUri-Requested: t
    X-FeatureVersion: 1
    Client-Request-Id: { D-51C4-49E0-94C5-9D441648F286}
    X-User-Identity:
    X-MapiHttpCapability: 1
    Depth: 0
    X-AnchorMailbox:
    Content-Length: 348
    Host: autodiscover.contoso.com
Note the empty Authorization: Bearer header: that is how Outlook tells Exchange it can do Modern Auth on the very first, unauthenticated request.

8 And the Response…
    HTTP/1.1 401 Unauthorized
    Content-Length: 0
    Server: Microsoft-IIS/8.5 Microsoft-HTTPAPI/2.0
    request-id: 2a6e4e41-38fc-468d-a599-5c444979bb2e
    Www-Authenticate: Negotiate
    Www-Authenticate: NTLM
    Www-Authenticate: Basic realm="autodiscover.contoso.com"
    X-FEServer: CONTOSOEX16
    X-Powered-By: ASP.NET
    WWW-Authenticate: Bearer client_id=" ff1-ce ", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="
    Date: Thu, 13 Jul :00:59 GMT
    Proxy-Support: Session-Based-Authentication
Exchange still advertises Negotiate, NTLM and Basic, but the Bearer challenge with its authorization_uri is what tells Outlook where to go for a token.

9 Initial Connection Without Token
Participants: User, Outlook, Exchange, STS (Exchange has a trust with the STS).
1. User: open Outlook
2. Outlook -> Exchange: Request access (no token)
3. Exchange -> Outlook: 401: need token from [authURL]
4. Outlook -> STS: GET [authURL]
5. STS -> Outlook: 200: (show login page)
6. User: enter username/password
7. STS: verify username/password
8. STS -> Outlook: 200: (return access/refresh token); Outlook caches the refresh token
9. Outlook -> Exchange: Request access (access token)
10. Exchange -> Outlook: 200: allow access

10 Access With Expired Token
Participants: User, Outlook, Exchange, STS (Exchange has a trust with the STS).
1. User: use Outlook
2. Outlook -> Exchange: Request access (with expired token)
3. Exchange -> Outlook: 401: Access token invalid [authURL]
4. Outlook -> STS: request new Access Token with Refresh Token
5. STS -> Outlook: 200: return new access token
6. Outlook -> Exchange: Request access (access token)
7. Exchange -> Outlook: 200: allow access

11 Token Lifetime
- Access Tokens are valid for 1 hour by default
- Refresh Tokens are valid for 14 days by default (up to 90 days)
- These can be adjusted, but lower token lifetimes mean more authN requests
- Password changes invalidate Refresh Tokens, but Access Token validity isn’t immediately affected, so up to 1 hour of access with default settings
- The link on the slide has some guidance on disabling access

12 Two Flavours (I spell it like that)
- Pure On-Prem: Exchange Server 2019 feature
- Hybrid with Azure AD (HMA): coming in a future CU for Exchange 2013/16
- Both require you to remove all Exchange 2010 from the org. Exchange 2013/16 won’t proxy connections to 2010 if the client used OAuth. Because the MA dance is done before we know where the user’s mailbox is, a client with a mailbox on 2010 could authenticate to 2013/16 using MA, only to then fail once we proxy.

13 Pure On-Prem: Coming in Exchange 2019
- Entry bar is higher: requires AD FS 2016 and Outlook 2016
- AD FS does both AuthN and issuing of tokens
- Outlook 2016 only
- Exchange 2013/16 (no 2010 in org)
- Configuration at AD FS is a few custom rules; Outlook requires a secret reg key
- Device registration is required for device trust decisions
- Client sends an empty Bearer header, Exchange responds with the URL for AD FS, client goes to AD FS, gets a token, presents it to Exchange

14 Modern Auth: Pure On-Prem
Outlook login (no cached tokens or Integrated Auth):
1. Client attempts to connect to Exchange
2. Exchange responds with “get token from AD FS”
3. Client connects to the URI provided by Exchange
4. User provides username and password to AD FS
5. AD FS returns Access and Refresh tokens to Outlook
6. Client gives the Access token to Exchange on-prem
Diagram: on-premises AD FS, AD and Exchange 2013/2016, showing the trust flow and the transaction flow between them.

15 Hybrid Modern Auth (Coming in a future CU)
- Exchange 2013/16 must be Hybrid with O365 with identity sync (federation is not a requirement, password sync is fine)
- OAuth tokens come from AAD; AuthN can be done at AD FS
- Works with all MA-capable clients supported with O365 and all 3rd-party IdPs supported by O365
- Exchange HCW must be used to enable OAuth
- On-prem SPNs need to be registered in AAD
- Same auth flow whether the mailbox is on-prem or in the cloud

16 Hybrid Modern Auth: Federated Domain
Outlook login (no cached tokens or Integrated Auth):
1. Outlook attempts to connect to Exchange
2. Exchange responds with “get token from AAD”
3. Outlook connects to the URI provided by Exchange
4. User provides username to AAD
5. AAD redirects to on-prem AD FS
6. User enters password/certificate/drop of blood
7. AD FS redirects back to AAD
8. AAD returns Access and Refresh tokens to Outlook
9. Outlook gives the Access token to Exchange
Diagram: O365 with AAD and evoSTS; on-premises AAD Connect (Directory Sync), AD FS, AD and Exchange 2013/2016, showing the trust flow and the transaction flow between them.

17 OAuth Tokens
- The Exchange implementation of OAuth for server-to-server auth is referred to as S2S OAuth 2.0, and we have documented it in detail (link on slide)
- OAuth tokens are not encrypted, so they rely on TLS to be protected
- How we use OAuth in Hybrid is detailed (link on slide)
- To inspect, grab tokens using Fiddler and decode using From Base64 or one of the decoders linked on the slide

18 Exchange Replies: I can do OAuth But Not For You
    HTTP/1.1 401 Unauthorized
    Content-Length: 0
    Server: Microsoft-IIS/8.5 Microsoft-HTTPAPI/2.0
    request-id: a8e9dfb4-cb06-4b18-80a0-b e1
    Www-Authenticate: Negotiate
    Www-Authenticate: NTLM
    Www-Authenticate: Basic realm="autodiscover.contoso.com"
    X-FEServer: CONTOSOEX16
    x-ms-diagnostics: ;reason="Flighting is not enabled for domain
    X-Powered-By: ASP.NET
    WWW-Authenticate: Bearer client_id=" ff1-ce ", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="
    Date: Thu, 13 Jul :22:13 GMT
    Proxy-Support: Session-Based-Authentication
The same challenge set as before, but the x-ms-diagnostics header carries the reason OAuth is not available to this user: flighting is not enabled for the domain.
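As an added example (not code from the deck), a small Python parser that handles the two 401 responses above the way a Modern Auth client must: it collects every WWW-Authenticate challenge regardless of header casing, pulls client_id, token_types and authorization_uri out of the Bearer challenge, reads the x-ms-diagnostics reason when Exchange declines OAuth for this user, and decides between an interactive login (slide 9), redeeming a cached refresh token (slide 10) and falling back. The sample responses are constructed from slides 8 and 18; the client_id, STS host and authorization_uri are placeholders, not values from the deck.

```python
import re

# Constructed samples modelled on the two 401 responses in the slides; the
# client_id, authorization_uri and STS host are placeholders, not deck values.
BEARER = ('WWW-Authenticate: Bearer client_id="<app-id-placeholder>", '
          'token_types="app_asserted_user_v1 service_asserted_app_v1", '
          'authorization_uri="https://sts.example.test/oauth2/authorize"')
COMMON = ["HTTP/1.1 401 Unauthorized", "Content-Length: 0",
          "Www-Authenticate: Negotiate", "Www-Authenticate: NTLM",
          'Www-Authenticate: Basic realm="autodiscover.contoso.com"',
          "X-FEServer: CONTOSOEX16"]
# Slide 8: Exchange offers OAuth to this client.
OAUTH_OFFERED = "\n".join(COMMON + [BEARER])
# Slide 18: Bearer is still advertised, but x-ms-diagnostics says "not for you".
OAUTH_DECLINED = "\n".join(COMMON + [
    'x-ms-diagnostics: <code-placeholder>;reason="Flighting is not enabled for domain"',
    BEARER])

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def headers(raw):
    """(lower-cased name, value) pairs after the status line; repeats are kept."""
    out = []
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            out.append((name.strip().lower(), value.strip()))
    return out

def challenges(raw):
    """{scheme: params} for every WWW-Authenticate header, whatever its casing."""
    found = {}
    for name, value in headers(raw):
        if name == "www-authenticate":
            scheme, _, params = value.partition(" ")
            found[scheme] = dict(_PARAM_RE.findall(params))
    return found

def declined_reason(raw):
    """Reason text from x-ms-diagnostics, or None when Exchange sent none."""
    for name, value in headers(raw):
        if name == "x-ms-diagnostics":
            match = re.search(r'reason="([^"]*)', value)
            return match.group(1) if match else value
    return None

def next_step(raw, have_refresh_token=False):
    """What a Modern Auth client should do with a 401 from Exchange."""
    uri = challenges(raw).get("Bearer", {}).get("authorization_uri")
    if not uri:
        return "no Bearer challenge: Modern Auth not offered, legacy auth only"
    reason = declined_reason(raw)
    if reason:
        return "oauth declined: " + reason
    if have_refresh_token:
        return "redeem refresh token at " + uri   # slide 10 path
    return "interactive login at " + uri          # slide 9 path
```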

19 Token Issued by AAD for On-Prem Mailbox
    {
      "aud": "
      "iss": "
      "acr": "1",
      "aio": "ASQA2/8DAAAAn27t2aiyI+heHYucfj0pMmQhcEEYkgRP6+2ox9akUsM=",
      "amr": [ "pwd" ],
      "appid": "d3590ed6-52b aeff-aad2292ab01c",
      "appidacr": "0",
      "e_exp": ,
      "enfpolids": [],
      "family_name": "Taylor",
      "given_name": "Greg",
      "ipaddr": " ",
      "name": "Greg Taylor (sounds like a cool guy)",
      "oid": "7f199a96-50b db0-57b362c5d564",
      "onprem_sid": "S ",
      "platf": "3",
      "puid": "1003BFFD9ACA40EE",
      "scp": "Calendars.ReadWrite Contacts.ReadWrite Files.ReadWrite.All Group.ReadWrite.All Mail.ReadWrite Mail.Send Privilege.ELT Signals-Internal.Read Signals-Internal.ReadWrite Tags.ReadWrite user_impersonation",
      "sub": "32Q7MW8A7kNX5dPed4_XkHP4YwuC6rA8yBwnoROnSlU",
      "tid": "f31f3647-5d87-4b69-a0b6-73f62aeab14c",
      "unique_name":
      "upn":
      "ver": "1.0"
    }
Note the amr claim: "pwd" records that this token was issued after password-only authentication.

20 Adding On-Prem URLs to Azure AD
    $x = Get-MsolServicePrincipal -AppPrincipalId ff1-ce
    $x.ServicePrincipalNames.Add("
    Set-MsolServicePrincipal -AppPrincipalId ff1-ce -ServicePrincipalNames $x.ServicePrincipalNames

    PS C:\windows\system32> $formatenumerationlimit = -1
    PS C:\windows\system32> Get-MsolServicePrincipal -AppPrincipalId ff1-ce
    ExtensionData         : System.Runtime.Serialization.ExtensionDataObject
    AccountEnabled        : True
    Addresses             : {}
    AppPrincipalId        : ff1-ce
    DisplayName           : Office 365 Exchange Online
    ObjectId              : 2ab0a94e-ef5d-4701-aea8-60ee06ea872f
    ServicePrincipalNames : {ff1-ce /mail.contoso.com, ff1-ce /autodiscover.contoso.com, ff1-ce /contoso.com, ff1-ce /outlook.office365.com, ff1-ce /mail.office365.com, ff1-ce /outlook.com, ff1-ce /*.outlook.com, ff1-ce }
    TrustedForDelegation  : True
The AppPrincipalId is truncated to "ff1-ce" in this transcript, and the SPN passed to Add() was lost; the output shows the on-prem mail and autodiscover host names registered alongside the Office 365 ones.
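As an added example, not from the deck: decoding a token the way slide 17 describes (base64url, no decryption needed) and running the local checks a relying party would make on claims like those on slide 19, including that aud is one of the SPNs registered on slide 20, that exp has not passed (the one-hour window of slide 11), and optionally that amr records MFA. The token, claim values, SPN list and the assumption that amr contains "mfa" when multi-factor authentication was used are constructed placeholders; signature verification against the issuer's keys is not modelled.

```python
import base64
import json
import time

def b64url_decode(segment):
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_jwt(token):
    """Return (header, claims) by decoding only; the signature is NOT checked here."""
    header, claims, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(claims))

def check_claims(token, registered_spns, now=None, require_mfa=False):
    """Local policy checks on a decoded access token. The relying party must
    still verify the signature against the issuer's keys (not modelled here)."""
    now = int(time.time()) if now is None else now
    _, c = inspect_jwt(token)
    problems = []
    if c.get("aud") not in registered_spns:
        problems.append(f"aud not a registered SPN: {c.get('aud')}")
    if now >= c.get("exp", 0):      # exp alone bounds validity: a password
        problems.append("access token expired")  # change does not shorten it
    if require_mfa and "mfa" not in c.get("amr", []):   # assumed amr value
        problems.append(f"amr shows no MFA: {c.get('amr')}")
    return problems

# Constructed sample modelled on slide 19; ids, names and URLs are placeholders.
ISSUED_AT = 1_500_000_000
SAMPLE_CLAIMS = {
    "aud": "<app-id-placeholder>/mail.contoso.com",
    "iss": "https://sts.example.test/<tenant-id-placeholder>/",
    "amr": ["pwd"],                      # password only, as on the slide
    "appid": "<outlook-app-id-placeholder>",
    "exp": ISSUED_AT + 3600,             # one-hour default access token lifetime
    "name": "Greg Taylor",
    "scp": "Mail.ReadWrite Mail.Send user_impersonation",
    "upn": "user@contoso.com",
    "ver": "1.0",
}
# SPNs as registered in Azure AD on slide 20 (app id placeholder).
REGISTERED_SPNS = {"<app-id-placeholder>/mail.contoso.com",
                   "<app-id-placeholder>/autodiscover.contoso.com"}

def make_sample_token(claims=SAMPLE_CLAIMS):
    """Assemble a JWT-shaped string with a dummy signature for offline inspection."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return ".".join([header, body, b64url_encode(b"not-a-real-signature")])
```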

21 Random Wrap-Up Slide
- Don’t try this with 2010 in the org; proxy will fail
- Clients can have ADALEnabled set to turn off Outlook MA if you must control deployment, but that doesn’t cover all clients
- Make sure you are on the latest CUs on Exchange, and keep Outlook up to date too
- OWA doesn’t support this flow, but it natively supports AD FS anyway
- Conditional Access works for HMA just as it does for cloud
- Remember this affects all auth flows, so auth takes a trip to the cloud for internal as well as external users

22 Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!


