ADFS - Multi Factor Authentication using Azure MFA and Certificate Authentication

Captions
Hi guys, hope you all are doing well and welcome back to our series on Active Directory Federation Services. In this video we are going to talk about multi-factor authentication. So if you're watching the series from the beginning, we already know what a relying party trust is, I've also discussed the Claims X-Ray tool, and in the last video we covered claims provider trust. In this video our scope will be knowing how multi-factor authentication works with AD FS and what the different set of options are that you can choose to configure MFA.

So if we talk about multi-factor authentication and the set of options that are available with AD FS: you can configure Azure MFA, you can have Azure MFA Server set up on-premises, you can use the certificate authentication method, and you can integrate third-party MFA providers. But now let's understand which operating system offers you what kind of capability by default and what the different custom methods are that are available. So if we talk about both the operating systems which we are discussing from the beginning, 2012 R2 and 2016, the default method on both these OS versions is certificate authentication, whereas 2016 gives you the capability to add Azure MFA, or to use Azure MFA, as a second factor authentication method, and this is something which is available by default. If we talk about custom methods, you can have Azure MFA Server set up for both the operating systems, and you can integrate third-party MFA providers. Now, Azure MFA Server is something which I have already covered in a different playlist and I will be sharing the link of that playlist in the description; if you guys want you can go ahead and review that as well and get back to me if you have any questions. Now the scope for this particular video will be knowing how certificate authentication works and how to configure Azure MFA to complete second factor authentication.

Now let's start off with Azure MFA itself and know some more details about Azure MFA. So this is a default option which is available with 2016 and you don't have to go ahead and install or, you know, add any service; it is available by default the moment you set up AD FS. You can get the option of Azure MFA and I'll show you where you can find it. All you have to do is configure Azure MFA as an authentication provider, and for that all you have to do is run these three commands. I will be sharing these three commands in the description section as well; just copy them from the description and try running them in your lab, get yourself familiar first, and then try it in your production environment if you are planning to go ahead and use Azure MFA as a second factor authentication. But make sure that you replace the tenant ID, as I've shown here, in the first and the second, sorry, and the third command, wherein this part has to be replaced with your tenant name; in our case it will be mcasts.onmicrosoft.com, just put it in directly.

Now let's move on and understand how Azure MFA is going to work with AD FS. Now, since we know that the application has to send the authentication request to AD FS first to initiate primary authentication, and for that what AD FS does is it actually contacts your Active Directory to present the credential that you are giving on the AD FS page. That means if the application is requesting forms-based authentication, AD FS will respond back with this page, and on this page the user has to enter username and password. Once it is verified from your AD, the next step which AD FS has to do is to go ahead and check access control policies. So this is something which happens by default; in fact if you don't have any policy that should go ahead and trigger MFA, AD FS will directly issue a token to your application, but if you have any policy that is configured to trigger MFA, AD FS will trigger MFA. Now in our case, since we will implement this with Azure MFA, what will happen is an MFA request will be triggered by AD FS before providing a token to an application.

Now there is something which is very important and which you guys have to make sure is done for all the users, and that is, since it is Azure which is initiating MFA, you have to make sure that the users for which you are enabling MFA are synced to Azure Active Directory and the proof-up process is completed. That means all the users have registered themselves from the MFA setup page, and the link is aka.ms/mfasetup. Now the reason why I'm telling you all this is because if you have configured Azure MFA on your AD FS but the user has not submitted the details where the Azure MFA service should contact them, likewise if he has given a contact number or if he wants to receive a phone call, the Azure MFA service should be able to trigger a phone call; if this set of information is not available, the MFA will not get completed and AD FS will not send a token to the application. So there are two things which you have to keep in mind, and that is, apart from configuring MFA settings on your AD FS server, make sure for all the users the MFA proof-up process is also completed. Now once Azure MFA is configured, what could be the behavior is that as per the preference of the user, a user might receive a phone call, a text message, or a notification on the Authenticator app. Now once the second factor authentication for the user is completed, what AD FS will do is a token will be sent to your application, and there will be a set of different information in terms of authentication method providers as well as authentication method references. Now what do I mean by this? The first prompt which AD FS has given to a user, wherein the user is typing username and password, that's something called forms-based authentication, and now since it's AD FS which is also triggering MFA, Azure MFA authentication will also be mentioned in the set of claims that are being sent by AD FS to your application. The same goes with the part which is called authentication method references; this is something which contains the claim type value of the claim description. If you remember guys, schemas.microsoft.com is something which we use while we create a claim description, so as you can see there is one more additional value which is coming in the response and that is multipleauthn. So these are the two sets of information which will be included in the token which AD FS has given to an application after completing MFA.

So now let's switch to my AD FS machine and see how everything works. So this is my AD FS machine and as you can see I'm in the section which says Authentication Methods and I'm getting the option of Multi-factor Authentication. Now all I have to do is click on Edit and then I'll get the option of Multi-factor, and here I will be selecting the option of Azure MFA, click on Apply, OK, that's it, that's all you have to do. And now if you guys remember I've shown you three commands which you have to run, and I will be running these three commands, but before you run these three commands make sure you are connected to the MSOL module, and that is something which you can do by running the command Get - MSOL Service, Enter, and here you have to sign in with your global admin credential. Now there is a reason behind this, because there is a credential that you will add in one of your service principals; if you closely observe the second command, it says New-MsolServicePrincipalCredential, and this is something which requires global admin credential, and anyway you are using MSOL so you have to sign in with your global admin credentials. So I'll use my first command to generate a certificate; let's not copy it, I'll copy it again, Enter. So I'm getting this warning because this command I have run before as well on my tenant, but if you guys will be running it for the first time in your lab or in your production environment you'll not get this warning. I'll go back and I'll copy the second command and I'll run it in PowerShell, OK, copy, paste, OK, and now the third command: make sure that you replace the tenant ID value with your directory name and then everything will be configured. So as you can see that I'm getting the message "The authentication provider configuration data was successfully updated. Before the changes take effect, restart your AD FS service." So I'll go to services.msc and I'll just restart my service. Once the service is restarted, all I have to do is go to the Claims X-Ray tool and then I will try signing in with my username and password, and the expected behavior is the MFA should get triggered. But there is one more change which we have to do, and that is we have to let AD FS know that for this relying party you have to do MFA now. So for that what I'll do is I'll go to Edit Access Control Policy, and here I will select this option which says "Permit everyone and require MFA". Now the moment I click on OK, this relying party will start getting prompted, or the users who are trying to sign in to this relying party will start getting prompted to complete MFA. So I'll go to the browser now and I'll go to a link of AD FS Help; from here we'll go to Claims X-Ray, and here I will type my federation service name, forms-based authentication, WS-Fed, force fresh authentication, and now I will sign in with my username and password. Now the expected behavior is that it will show me "we are trying to send you a text message on your contact number", because when I tried signing in with a test user account I had chosen my preference as a verification code, so that's exactly what has happened. And now I'll go ahead and I'll type the six-digit code that I have received and I'll click on Sign in. Now I'm signed in to my application, and if you guys remember I was talking about two different claims, and as you can see that in authentication method providers I'm getting Azure multi-factor authentication listed here, and here what you see is a different claim which will be issued if you are doing multi-factor authentication. So this is how Azure MFA works with AD FS.

Now if I talk about certificate authentication, the process is the same; you have to go to the same set of options and make slight changes, and what are those? In the authentication method you'll get the option of Azure MFA because we have selected it before; click here on Edit and change it to Certificate Authentication, remove this Azure MFA, click on Apply and then click on OK. Now there is no change that you have to do here, because in the access control policy you are saying that AD FS has to complete MFA, OK, but what option AD FS should choose to complete MFA is something which has been defined here. So now the change that we have done is we are saying that instead of going with Azure MFA, do a certificate authentication. But there is a couple of other pieces of information as well which are required to get the certificate authentication done, and that is a certificate. So for that what I'll do is I'll switch to one of my machines which is joined to this domain; it's a client machine, a Windows 10 OS, and here I am logged in with one of my AD accounts, and this is the account that I'm using, its name is Enter, and in order to sign in, or in order to get the second factor authentication completed with a certificate, what I have to do is I must have a certificate, and then only it will be completed. So make sure that, for the user for whom you are enabling certificate authentication, in the user certificate store on their laptops or on their machines, the Personal folder has a user certificate present; then only the certificate authentication will get completed, otherwise it will fail. Right now I don't have a certificate, I don't have in fact a user certificate, and let's see what will be the behavior if I try to access an application that requires MFA. So Claims X-Ray is an application that's been added to my AD FS and that requires MFA; it's fairly simple now, and I'm trying to access the same application now from my client machine which doesn't have a user certificate. Let's see what happens. I'll sign in with my username and password, and see, I'm getting an option here which is saying "select a certificate that you want to use for authentication; if you cancel this operation please close your browser", but the fact is that I'm not getting any prompt to select the certificate. Now the reason behind this is the user certificate is not available on this particular machine. So this covers one of the use cases: in the scenarios when the users are getting back to you and saying "I'm not getting any prompt to select the certificate", you can think of this, or this could be one of the reasons, that the user certificate is not even present on that particular machine. So what I'll do now is I'll close this browser, I'll go back to my certificate pane, I'll right-click here and I'll click on All Tasks and I'll click on Request New Certificate. Now this is something which the user can do, or if you want you can actually push the certificates as well. I'll click on Next, I'll again click on Next, and then I'll select the option of User, I'll click on Enroll, and now I'm enrolled for a user certificate, and as you can see I have a user certificate on my machine that's been issued to Enter by my enterprise CA. That means, what if now I try to sign in to the application which requires certificate authentication to be completed? I should be prompted to select a particular certificate. So what I'll do is I'll go back to the browser and I'll sign in to that application with my username and password, and then let's see whether this browser gives any prompt to select the certificate or not. Same set of options: forms-based authentication, WS-Fed, force fresh authentication, test authentication, and now I'll try to sign in with my username and password. I'm getting the option to choose the certificate, and if you click on Certificate Information, this is the same certificate which we have just requested; so if you see, if I go here to the thumbprint, you see it's 6C21, and if we go back to the browser, 6C21. Now the moment I click on the certificate and I click on OK, I'm signed in and back to my application, and as I said to you before, in fact what I've shown you before, that in authentication method providers we were getting some options, if you guys remember, and now you can see that I'm getting an option which says multiple authentication done, but you have selected a certificate, you see X.509, and it's pretty much highlighted here that apart from forms-based authentication a certificate authentication has been done by a user.

So now if we talk about the flow of what exactly happens when you choose certificate authentication: for certificate authentication all a user has to do is he/she will be presented to choose a certificate on port 49443. Now once the user is prompted to select a certificate, the user has to just select the certificate that's been intended for him or her, and make sure that certificate is stored on that particular machine which the user is using. This could be an internal certificate, or if you have a different PKI environment; there must be a user certificate, that should be, you know, the primary objective to check if certificate authentication is failing.

So now let's talk about a quick summary of what all we have covered in this particular video. We have talked about multi-factor authentication, we have talked about Azure MFA, we have also discussed certificate authentication. In the next video I'm going to talk about AD FS proxy. If you guys have any questions, feedback or suggestions please feel free to reach me at learnconceptswork@gmail.com, and if you guys have learned something new please feel free to subscribe. Thank you so much guys, thanks for your time, bye.
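The configuration walked through in the video (the three Azure MFA registration commands, selecting the additional authentication provider, requiring MFA on the relying party, then switching to certificate authentication), as an added PowerShell example that is not the video's own script. The tenant name, relying party name and the client-side store check are assumptions; the Azure MFA client ID is the well-known value from Microsoft's AD FS documentation.

```powershell
# Added example (not from the video): configure Azure MFA as the AD FS 2016 additional
# authentication provider, require MFA on one relying party, then swap the provider to
# certificate authentication. Run on the AD FS server; the MSOnline steps need a global admin.
$TenantId = "contoso.onmicrosoft.com"   # placeholder: your tenant name or tenant ID
$RpName   = "ClaimsXray"                # placeholder: display name of your relying party trust
# Well-known application ID of the Azure MFA client used by AD FS (from Microsoft's docs).
$AzureMfaClientId = "981f26a1-7f43-403b-a875-f8b09b8cd720"

# 1. Sign in to the MSOnline module as a global admin: the credential registered in step 3
#    is attached to a service principal, which lesser roles cannot modify.
Connect-MsolService

# 2. Generate the certificate AD FS uses to authenticate to the Azure MFA service.
#    The cmdlet returns the base64-encoded public key of the new certificate.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId

# 3. Register that public key as a "verify" credential on the Azure MFA service principal.
New-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId `
    -Type asymmetric -Usage verify -Value $certBase64

# 4. Point AD FS at the tenant and client ID, then restart so the change takes effect
#    (this is the "restart your AD FS service" message shown in the video).
Set-AdfsAzureMfaTenant -TenantId $TenantId -ClientId $AzureMfaClientId
Restart-Service adfssrv

# 5. Make Azure MFA the additional (second-factor) provider; equivalent of
#    Authentication Methods > Multi-factor > Azure MFA in the AD FS console.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider AzureMfaAuthentication

# 6. Require MFA for the relying party using the built-in access control policy from the video.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -AccessControlPolicyName "Permit everyone and require MFA"

# 7. Verify: provider list should contain AzureMfaAuthentication, RP should carry the policy.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
(Get-AdfsRelyingPartyTrust -Name $RpName).AccessControlPolicyName

# To use certificate authentication instead, only the provider changes; the access control
# policy stays, because it says "require MFA" without naming the method.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider CertificateAuthentication

# Client-side check for the "no certificate prompt" case from the video: run on the user's
# machine. The Personal store (Cert:\CurrentUser\My) must hold a certificate with the
# Client Authentication EKU, otherwise the browser has nothing to offer on port 49443.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains "Client Authentication" } |
    Select-Object Subject, Thumbprint, NotAfter
```

In a farm, run the Set-AdfsAzureMfaTenant and restart steps on every AD FS server; the Azure AD steps are done once per tenant.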
Info
Channel: Concepts Work
Views: 21,158
Rating: 4.8965516 out of 5
Keywords: ADFS, Active Directory Federation Service, Azure MFA, Azure MFA server, Authentication, ADFS Authentication, adfs token, claim based Identity, adfs sso, Multi Factor Authentication, MFA, Certificate Based Authentication, ADFS Certificate Based Authentication
Id: IUo4aCWG_4I
Length: 20min 44sec (1244 seconds)
Published: Sun Mar 31 2019