Published by Phillip Walsh. Modified over 9 years ago.
5
Conditional access; DirectAccess & automatic VPN; Desktop Virtualization
7
[Architecture diagram] Corporate Network: Backend Server, AD FS with its Config. Store, Active Directory Domain Controller. DMZ: Web Application Proxy (AD FS Proxy), placed between a Firewall, a Load Balancer and a second Firewall. Internet: Client (browser, Office client or modern app). Flows shown: client to WAP over HTTP/S; WAP to AD FS for AuthN (Web UI) and for the Config. API over HTTPS; WAP to backend server using Claims, KCD, OAuth, MSOFBA, or pass-through; WAP obtains a KCD ticket from the domain controller for IWA AuthN.
10
Users can register their devices to gain access to corporate data and apps, and single sign-on through device authentication.
Conditional access with multi-factor pre-authentication is provided on a per-application basis, leveraging user identity, device registration and network location.
Published applications: AD FS provides rich authentication and authorization capabilities, including multi-factor and federation. Publish any standard Web/HTTP server. Single Sign On using Kerberos, claims, Office or OAuth.
New Windows Server 2012 R2 role service under the RRAS server role, integrated into Windows Server Manager and the RRAS admin experience (PSH + UI).
11
[Diagram: WAP publishing flow. Participants: a client requesting http://lob, the Web Application Proxy (WAP), and AD FS at https://sts.fabrikam.com.]
12
[Diagram: the published LOB application at https://lob.fabrikam.com is added behind WAP.]
13
[Diagram: same participants; the client request for http://lob reaches WAP, which fronts LOB at https://lob.fabrikam.com.]
14
[Diagram: WAP answers the unauthenticated request with a 302 redirect to https://sts.fabrikam.com.]
15
[Diagram: the client follows the redirect to AD FS; the two steps are marked "?" on the slide.]
16
[Diagram: policies shown at this step: Edge Policies and Application Policies.]
17
[Diagram: same participants, no additional labels.]
18
[Diagram: same participants, no additional labels.]
19
[Diagram: same participants, no additional labels.]
20
[Diagram: the result of authentication at https://sts.fabrikam.com is carried back to WAP in the Query String (label appears twice on the slide).]
21
[Diagram: Query String carried to WAP.]
22
[Diagram: Query String; the step marked "?" on the slide.]
23
[Diagram: Query String.]
24
[Diagram: Query String; WAP forwards the request on to LOB.]
25
[Diagram: LOB at https://lob.fabrikam.com answers with 401 (marked "?" on the slide).]
26
[Diagram: Kerberos Constrained Delegation: WAP obtains a ticket on the user's behalf.]
27
[Diagram: WAP presents the ticket to LOB as AP_REQ(tckt).]
28
[Diagram: same participants, no additional labels.]
29
[Diagram: same participants, no additional labels.]
30
[Diagram: device registration path. DRS is published through WAP at https://enterpriseenrollment.fabrikam.com alongside LOB at https://lob.fabrikam.com and AD FS at https://sts.fabrikam.com.]
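The slide sequence above shows the WAP pre-authentication flow as a diagram only: an unauthenticated request is redirected (302) to AD FS, policies are evaluated, the result comes back in the query string, WAP validates it and forwards to LOB, LOB answers 401, and WAP completes the request with a Kerberos ticket obtained through constrained delegation. The following Python model is an added example written for this page, not code from the presentation or from Microsoft; the token format (HMAC-signed JSON), the `app` query parameter on the redirect, the policy names, the SPN allow-list and the `AP_REQ` header are all constructed stand-ins for what AD FS, WAP and Kerberos actually exchange.

```python
"""Model of the WAP pre-authentication flow from the slides (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

STS = "https://sts.fabrikam.com"          # AD FS, as on the slides
LOB = "https://lob.fabrikam.com"          # published application, as on the slides
STS_KEY = b"constructed-shared-secret"    # constructed stand-in for the STS signing key
ALLOWED_DELEGATION = {"http/lob.fabrikam.com"}   # SPNs WAP may delegate to (constructed)

# Edge policies (slide 16), kept per published application (constructed names)
EDGE_POLICIES = {LOB: {"require_mfa_external": True, "require_registered_device": True}}


def issue_token(user, app, mfa_done, device_registered, ttl=300, now=None):
    """Stand-in for AD FS: a signed token naming the user, the target app and edge claims."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": app, "exp": now + ttl, "mfa": mfa_done, "dev": device_registered}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token, app, now=None):
    """What WAP checks before forwarding: signature, expiry and audience. Returns claims or None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now or claims["aud"] != app:
        return None
    return claims


def edge_policy_allows(claims, app, network):
    """Conditional access per application: MFA when external, registered device always."""
    pol = EDGE_POLICIES.get(app, {})
    if pol.get("require_mfa_external") and network == "external" and not claims["mfa"]:
        return False
    if pol.get("require_registered_device") and not claims["dev"]:
        return False
    return True


def backend(request):
    """LOB backend: 401 Negotiate until it sees a Kerberos AP_REQ (slides 25 and 27)."""
    if "AP_REQ" not in request["headers"]:
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}}
    return {"status": 200, "body": f"hello {request['headers']['AP_REQ']['for']}"}


def kcd_ticket(user, spn):
    """Stand-in for Kerberos Constrained Delegation (slide 26): constrained means the
    proxy account can only obtain tickets for the SPNs it was explicitly allowed."""
    if spn not in ALLOWED_DELEGATION:
        raise PermissionError(f"delegation to {spn} not permitted")
    return {"for": user, "svc": spn}


def wap_handle(request, network="external", now=None):
    """The proxy: redirect, validate, apply edge policy, then forward with delegated auth."""
    app = LOB
    token = request.get("query", {}).get("token")
    if token is None:
        # slide 14: unauthenticated request gets a 302 to AD FS
        return {"status": 302, "location": f"{STS}/?app={app}"}
    claims = validate_token(token, app, now)
    if claims is None or not edge_policy_allows(claims, app, network):
        return {"status": 403}
    fwd = {"path": request["path"], "headers": {}}
    resp = backend(fwd)                                   # slide 24: forward to LOB
    if resp["status"] == 401 and resp["headers"].get("WWW-Authenticate") == "Negotiate":
        fwd["headers"]["AP_REQ"] = kcd_ticket(claims["sub"], "http/lob.fabrikam.com")
        resp = backend(fwd)                               # slide 27: retry with AP_REQ
    return resp
```

The point to take from the model is ordering: nothing reaches LOB until the token's signature, expiry and audience have been checked and the edge policy has passed, and the only credential the backend ever sees is a Kerberos ticket that the proxy could obtain solely for an SPN on its delegation list.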
39
[Diagram: Azure Active Directory, Corporate Network, DMZ]
40
Once started, the connectors open HTTP requests to the WAP service. The requests remain waiting until a user request arrives or the request times out.
41
The user sends a request to the public address of the service, which is unique per tenant and per application, e.g. https://app1-contoso.cwap.net/
42
The WAP service selects one of the pending connector requests and sends the user request as its payload.
43
The connector sends the user request to the backend application and, once there is a response, sends it to the server as a new request.
44
The cloud service returns the response to the client request.
45
The user sends a new, unauthenticated request to an application that is configured to require preauthentication.
46
WAP redirects the user to the Azure AD STS address with information on the application that needs preauthentication. Nothing is sent to the backend.
47
The user authenticates to Azure AD STS. This process may involve other systems depending on tenant configuration, e.g. 2FA and federation. Once done, the user is redirected back to the WAP service with a token.
48
The user request arrives again, now with a valid authentication token. Once the token is validated, the request is sent to the backend application.
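Slides 40 to 48 describe a relay protocol: connectors make only outbound HTTP requests to the cloud service and wait, the cloud service hands each user request to one waiting connector as payload, the connector calls the backend and posts the response back, and an application with preauthentication gets a redirect to the STS without anything being sent to the backend. The following Python model is an added example written for this page, not Microsoft's code; the class names, the queue of pending connector requests, the STS address, the `app` query parameter and the `valid_token` stand-in (a real service verifies signature, issuer, audience and expiry) are all constructed assumptions.

```python
"""Model of the Azure AD Application Proxy relay from slides 40-48 (constructed example)."""
from collections import deque

STS = "https://login.example-tenant.invalid"  # constructed stand-in for the Azure AD STS address
VALID_TOKEN = "constructed-valid-token"        # stand-in for a token Azure AD would have issued


class Backend:
    """Internal application; records every request so the test can check what reached it."""

    def __init__(self):
        self.seen = []

    def handle(self, req):
        self.seen.append(req)
        return {"status": 200, "body": f"backend served {req['path']}"}


class Connector:
    """Runs inside the corporate network next to the backend (slide 40)."""

    def __init__(self, name, backend):
        self.name = name
        self.backend = backend

    def relay(self, user_req):
        # slide 43: forward to the backend, then hand the response back as a new request
        resp = self.backend.handle(user_req)
        return {**resp, "via": self.name}   # 'via' is constructed, to show which connector answered


class CloudService:
    """Public endpoint per tenant and application, e.g. https://app1-contoso.cwap.net/ (slide 41)."""

    def __init__(self, apps):
        self.apps = apps            # host -> {"preauth": bool}
        self.pending = deque()      # connector requests waiting for work (slide 40)

    def connector_poll(self, connector):
        """A connector's outbound request parks here until a user request arrives."""
        self.pending.append(connector)

    def user_request(self, host, path, token=None):
        app = self.apps[host]
        if app["preauth"]:
            if token is None:
                # slide 46: redirect to the STS; no connector is used, nothing reaches the backend
                return {"status": 302, "location": f"{STS}/?app={host}"}
            if not valid_token(token):
                return {"status": 401}
        if not self.pending:
            return {"status": 503, "body": "no connector waiting"}
        connector = self.pending.popleft()                       # slide 42
        resp = connector.relay({"host": host, "path": path})     # slides 43-44
        self.connector_poll(connector)                           # connector reopens its request
        return resp


def valid_token(token):
    """Constructed stand-in for Azure AD token validation (slide 48)."""
    return token == VALID_TOKEN
```

Two properties of the design are worth checking rather than assuming: the corporate network never accepts an inbound connection (every backend call starts from a connector request that the connector itself opened), and a request to a preauthenticated application that carries no token or a bad token is answered at the cloud service and is never dispatched to a connector.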
51
www.microsoft.com/learning
http://microsoft.com/msdn
http://microsoft.com/technet
http://channel9.msdn.com/Events/TechEd