Azure AD Joined SSO Access to AD Joined Resources!

Captions
Hey everyone, in this video I want to look at accessing Active Directory Domain Services resources from an Azure AD joined machine without having to mess around with hybrid join or entering extra sets of credentials. Something that's actually super, super useful as we move into this more cloud-first world, but hey, sometimes I still want to be able to access those on-premises, or at least AD joined, resources: maybe a server share, a printer, some Windows Integrated Authentication application. As always, if this is useful, a like and subscribe is appreciated.

So if we think about today's modern management for desktops, I can think, well, I have my machine, and instead of joining it to that old Active Directory Domain Services, what we really think about is modern management. So at the top of this we have our Azure Active Directory instance and we join our machine to that Azure AD. So I am actually joined to the Azure AD instance, so now I have an object in the Azure AD. Now to complete that management picture we add things like an MDM solution, so this could be Microsoft Endpoint Management that uses Intune in the cloud. For patching it might be things like Windows Update for Business or the new Windows Autopatch solution. We have things like Enterprise State Roaming for a consistent experience. So we're not using Group Policy Objects or any of those things, we're using these all cloud-first technologies, and this is fantastic.

And what this gives me is, when my machine, when I actually now go and join that to the Azure AD, when I go and authenticate, when I go through the authentication process, what actually happens is, hey, we send that authentication to our Azure AD and what we get back is a primary refresh token that is stored securely on our machine, and I can then use it to go and get access tokens for other services, and also we get an identity token. So these are sent back as part of that authentication with Azure AD. Now that primary refresh token is leveraged by that CloudAP plugin on our machine and it gives us single sign-on to any resource that trusts our instance of Azure AD. So if I think about for a second all those other software as a service, could be Azure itself, Office 365, etc., but I have all of these software as a service or maybe PaaS services, they trust our Azure AD, and through this primary refresh token when I want to go and talk to those I get single sign-on. I don't have to re-enter credentials, I'm leveraging this to go and talk to anything that trusts my instance of Azure AD. Fantastic seamless experience, so that's, that's awesome.

However, what about if I do still have some on-premises resources? There's some file server. Maybe I have a point-to-site VPN connection. Sometimes I take my Azure AD joined machine, my laptop, and I take it to a corporate office, so I have connectivity through the network, through a point-to-site or a site-to-site VPN, to these corporate resources. Well, these corporate resources, they're not Azure AD joined. I have my Active Directory Domain Services and they're joined to that, they trust this. Well, I want to be able to access it when I have a line of sight to these AD joined resources. How do I access those? Do I have to do now a hybrid join, really taking a step back from that cloud-first world? Well, no, I don't.

The reality is I have, for example, my user account typically comes from my Active Directory. What is actually happening behind the scenes is we have this idea of Azure AD Connect, and it could also be the cloud sync version where the engine runs in the cloud and I have these lightweight little components that run on the domain controllers, and this is responsible for replicating objects from our Active Directory Domain Services, our on-prem Active Directory. And I say on-prem, it doesn't actually have to be on-prem, these could be virtual machines sitting in a virtual network in Azure or another cloud, but it's this more traditional Active Directory Domain Services, and it's synchronizing those accounts into my Azure AD. Now it creates me a cloud version of the account and that's what I'm authenticating as, but it's synchronized from its on-premises equivalent.

Now as part of this synchronization, this Azure AD Connect is actually sending some other attributes about my Active Directory Domain Services. So some of the key things it's actually sending is this idea of a SAM account name, it's sending the NetBIOS domain name and it's sending the DNS domain name. It's giving information to Azure AD, well, actually about my Active Directory Domain Services environment. And this collection of information, if I kind of make it available as this, this is actually sent back as part of this identity token. So those values, that same data that Azure AD Connect told, sorry, AD told Azure AD via Azure AD Connect, those attributes are part of the identity token that gets sent back to me, they get back to my local machine.

Well, this local machine, with that knowledge, what I have on here is I have my Local Security Authority, the LSA. Now that LSA, when I do that authentication to Azure AD and I get the primary refresh token back and then I get this identity token, that Local Security Authority on the device, along with the Kerberos authentication provider, says, oh, I've got these interesting bits of information. I've got this SAM account name, the NetBIOS domain name and the DNS domain name. Can I find a domain controller for this information? Because remember, I have the user's credentials. If I was using Windows Hello for Business, I can use the PKINIT that I had as part of that. So what actually happened here as part of this, the LSA will be like, can I find a DC? So it's going to go along and it's going to do a few things. Well, I need to find a DC via DNS. I know the DNS domain name, and it's going to go and query DNS for the various service locator records. So the first thing I need for this to work is, we talked about, hey, maybe I'm taking my machine, I've put it on my work network, or I have a point-to-site VPN or a site-to-site VPN; I need DNS resolution to my domain records. So whatever network I'm on, it has to be able to have that resolution. So that's kind of point one that I require for that. Again, it could be I've moved it into the corp network, I have a point-to-site VPN connection, whatever that is, I have to be able to have DNS resolution.

And then if you can find the domain controller, it's going to go and do the auth, it's going to go and do that authentication, and then what this will generate for me, assuming that authentication is successful, so assuming I can find a domain controller and then assuming I have line of sight to a domain controller. So two things: I have to get the DNS resolution and I have to have line of sight, i.e. a communication path. Again, I'm on the network, I've got a point-to-site, I've got a site-to-site, I have some way to communicate to a DC that I found through the DNS service record lookup. If I then have that successful authentication, it's going to generate me a Kerberos ticket-granting ticket and send that back.

Well, at this point that's huge. So even though my machine is not AD joined, my user was synchronized from on-premises to my Azure AD, because as part of the identity token Azure AD sent me back I can now know the details of what the on-premises Active Directory Domain Services environment is. I'll try and find somewhere I can authenticate to and perform the authentication. Now, an important point: it's the user that is authenticating to Active Directory Domain Services, not the machine. The machine is not joined to AD, the machine has no account in AD. So this is going to work fantastic for services like an SMB file share, a printer, it's using Windows Integrated Authentication that authenticates the user. If it requires the machine to be known and the machine to authenticate, this is not going to work, so it's only for the user. But what this is now going to get me is anything that is trusting and using Windows Integrated Authentication to my AD, I'm going to get single sign-on to that as well without doing anything.

All I did was authenticate to Azure AD. That gives me the primary refresh token, gets me single sign-on to any cloud apps that trust my Azure AD. In parallel, because I have line of sight for this particular instance in time, hey, I'm on the corp network, I'm site-to-site or point-to-site VPN, because I have line of sight it's also going to take that same credential, or PKINIT if it's Hello for Business, and try and find a domain controller and authenticate and get me a Kerberos ticket-granting ticket as well, which I can then exchange. So once I've got that ticket-granting ticket I can use that for ongoing communication to my domain controllers to exchange it for Kerberos service tickets to go and talk to an SMB file share, to go and talk to some website that integrates with AD, to talk to some client app that uses Windows Integrated Authentication. I'm not doing anything special, it's just gonna work, and that's it. I didn't actually have to do anything. It's the Azure AD Connect is synchronizing those, it's synchronizing these values. And again, if I'm not connected to the work network obviously I can't do the authentication, but I probably couldn't access these resources anyway.

So let's see this, let's actually look at what this looks like. So what I have over here, so this is my Azure AD joined machine, and what we can see very clearly is if I go to my Settings, Accounts, Access work or school, we can see I am connected to Azure AD. I am not connected to a regular Active Directory Domain Services. This is not hybrid joined, this is just Azure AD joined. And to prove this, if I do a dsregcmd /status and if we go all the way up, we can see, keep scrolling, here we go. So Azure AD joined: yes. This machine, is it domain joined? No, it is not. So all I have here is an Azure AD joined machine, bringing the details of my Azure AD, my user state, my single sign-on state. So yes, I have an Azure AD primary refresh token. That's fantastic, that's exactly what I want. And so this machine has no visibility to Active Directory, it's not joined. So no visibility, it is not joined to my Active Directory, and I can see that as well. So if I just open up Active Directory Users and Computers, if I was to now go and look at, hey, any computers I have, notice it is not there. If I look at my hostname, it's demo vm; there's no demo vm there. I'm not hiding it. This is my Windows 365 boxes, it's not in Cloudy, that's a user. I'm not hiding it in anything else. It has no user object. But this machine does have a line of sight to my domain controller.

And what I can do here is if I do a klist, this is going to look at my Kerberos tickets, we'll see a few interesting things. Now you're going to see some extra tickets because I also have the Azure AD Kerberos enabled, which is currently in preview, completely nothing to do with this whatsoever, but that's why you might see some kind of extra tickets. But the one I want you to pay attention to is the fact that, hey look, I have this Kerberos ticket-granting ticket and the KDC it spoke to was my on-premises domain controller. So I've gone ahead and got a ticket from my Active Directory, and that's different from, you can see this other one which was this Azure AD Kerberos service. But without doing anything special I got a ticket-granting ticket from my regular AD, and from that you can then see, oh hey look, CIFS for SMB, I got that as well from my on-premises. I also got an LDAP ticket. So for different purposes I've got a number of different tickets, and so I can now go and access things that trust AD. And in fact I've already demoed it, because notice I fired up Active Directory Users and Computers for my on-premises domain. It just worked. Didn't have to enter a credential, it just worked. I could go and change domain controller to a different domain controller, it just works. I'm not doing anything special, but because it's part of that authentication I'm getting that ticket-granting ticket. You notice now I've got some extra ones because I went and changed domain controller; it went and did some additional communication with some other services, so I actually got two more tickets. So now you can see, no, it's my server, I've got a new LDAP session ticket, for LDAP here, so I could go and talk to this domain controller, also talk to its SMB. So I'm just going ahead and getting tickets as needed, completely seamlessly, as I'm looking at different types of resource. I can also really do anything else, there's no limitations on this Kerberos flow.

So if I did, let's say, over here, Run, and I'm just going to access an SMB file share. Now the important thing to notice about this: this machine does not have the default DNS suffix of sampletech.net, so I can't just type the name, I have to add in the .sampletech.net. But if you were doing a point-to-site VPN, normally those things will kind of get handled for you. I'm going to go and access a file share and it just worked. That's a different server, and then I can go and look at the things. So there's the animated John, there's no prizes for seeing the mini John in this video, it's pretty blatant, it's right there. But we can see I have access to those various things. Again, it's just working behind the scenes to access those services, and that's it, there's really nothing special that I have to do. But it's important to realize this is going to happen behind the scenes: map shares using SMB, connect to printers, access web servers, again, as long as it's using that Windows Integrated Authentication, which is a requirement. I can do things, I can manage the domain, you saw me doing that.

Now if I'm using passwordless there are a few special considerations. If we actually jump over for a second, and I've got a link in the description below, there are some extra resources to pay attention to to making this work if I'm using kind of FIDO2, hybrid key trust, certificate trust. So there are a few extra little steps, and again that's in the description to go and look at those. But that's it, this thing is just going to work for you.

So the key point: Azure AD Connect is synchronizing. It has to be a user account synchronized from Azure, from Active Directory Domain Services. It cannot be a cloud user account because, well, there's no user in the Active Directory Domain Services database, so how can I get a ticket for it? There's no way it's going to work. So I have to be authenticating against the user that was synchronized from AD, and at the point in time I'm trying to access that AD-trusting resource I have to be connected to a network that's going to let me have that DNS resolution, and I have to have a line of sight to a domain controller. And then what it's going to let me do is, well, then, yeah, great, hey, I want to talk to this SMB file share, I've got that Kerberos ticket-granting ticket, I'll go and talk to AD and say, hey, I need a service ticket to talk to this SMB file server. It will give me the service ticket and then absolutely I'll be able to go and talk to that, and I'll be a very happy user, with no hair obviously. But that's it. Remember, your machine is not authenticating, so if you do have services that require the machine to be known, the machine to authenticate, it's not going to work. This is based around the user. But that was it. Again, it means I don't have to do things like hybrid join, I can still get a fantastic seamless experience for my users if I do have that requirement to talk to on-premises resources. So as always, I really hope this was useful. Until next video, take care.
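As an added example (not from the video and not John's own script), the following read-only PowerShell check walks the prerequisites the video lists in order: the device is Azure AD joined but not domain joined and holds a PRT, the DC locator SRV records for the synchronized DNS domain name resolve on the current network, a domain controller is reachable on the Kerberos port, and klist holds a krbtgt ticket for the on-premises realm rather than only the Azure AD Kerberos one. The `$Domain` value is an assumed placeholder for your own AD DNS domain name.

```powershell
# Added diagnostic (not from the video). Checks, in order, the conditions the video
# names for an Azure AD joined device to obtain an on-premises Kerberos TGT.
# $Domain is an assumed placeholder: set it to the DNS domain name Azure AD Connect synchronizes.
param([string]$Domain = "corp.example.com")

function Get-DsregValue([string[]]$Lines, [string]$Key) {
    # dsregcmd /status prints "Key : VALUE" lines; return VALUE or UNKNOWN if the key is absent
    $m = $Lines | Select-String -Pattern "^\s*$Key\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

# 1. Join state: expect AzureAdJoined=YES, DomainJoined=NO (no hybrid join), AzureAdPrt=YES
$dsreg = dsregcmd /status
foreach ($k in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') { "$k = $(Get-DsregValue $dsreg $k)" }

# 2. DNS resolution: the DC locator SRV record the LSA looks up for the synced DNS domain name
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $dcs) { "DNS: no DC locator SRV records for $Domain on this network" }

# 3. Line of sight: can each advertised DC be reached on the Kerberos port (TCP 88)?
foreach ($dc in $dcs) {
    $reach = Test-NetConnection -ComputerName $dc.NameTarget -Port 88 -WarningAction SilentlyContinue
    "DC $($dc.NameTarget): Kerberos TCP/88 reachable = $($reach.TcpTestSucceeded)"
}

# 4. Result: a krbtgt ticket for the on-prem realm in klist (the Azure AD Kerberos realm is ignored)
$realm   = $Domain.ToUpper()
$tickets = klist
$tgt = $tickets |
       Select-String -Pattern "Server:\s*krbtgt/$([regex]::Escape($realm))" -Context 0, 9 |
       Select-Object -First 1
if ($tgt) {
    # The "Kdc Called" line a few lines below the Server line names the DC that issued the TGT
    $kdcLine = $tgt.Context.PostContext | Where-Object { $_ -match 'Kdc Called:\s*(\S+)' } | Select-Object -First 1
    $kdc = if ($kdcLine -and $kdcLine -match 'Kdc Called:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    "TGT for $realm present; KDC called: $kdc"
} else {
    "No TGT for $realm: the signed-in user must be synced from AD, and steps 1-3 must all pass"
}
```

Run it as the signed-in (AD-synchronized) user, since the tickets klist reports belong to that user's logon session, not to the machine.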
Info
Channel: John Savill's Technical Training
Views: 18,136
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad
Id: 4Ip3h4kJxmw
Length: 20min 40sec (1240 seconds)
Published: Tue Jul 19 2022