NEW Native Azure AD KERBEROS!!!

Captions
Hey everyone, in this video I want to talk about native Kerberos with Azure Active Directory. Now, this isn't the Kerberos we've had in the past, where Azure AD could understand a Kerberos token given by something else as part of single sign-on. This is Azure AD acting as a Kerberos realm and actually giving out tickets. As always, if this is useful please go ahead and like, subscribe, comment and share, and hit that bell icon to get notified of new content.

When I think about Azure AD, it's a cloud-based identity provider, so it speaks cloud: we speak things like OpenID Connect, we speak things like OAuth 2, we speak SAML, we speak WS-Fed, because they all work very much around the cloud. Now, on premises we're used to the idea of regular Active Directory, and regular Active Directory, well, that speaks Kerberos, that speaks NTLM, and that's great when you have those various ports open, where I have some shared secret between the service I want to talk to and their identity provider. But if I want Kerberos today in Azure, well, either I extend my Active Directory into my virtual network, maybe it's a site-to-site VPN or ExpressRoute private peering, maybe I actually put DCs up in my virtual network, or I could use things like Azure AD Domain Services and get that managed set of domain controllers to give me an Active Directory Domain Services environment, which lets me have things like Kerberos. There are some services, for example Azure Files, that if I want to do that data plane role-based access control, it integrates with Active Directory, so either I have to tie my storage account into an AD Domain Services or I use that Azure AD Domain Services. So that's very much what we've had in the past.

But now what's happening is Azure AD, so this is our AAD tenant up here, is going to support Kerberos, and it's doing this by being its own Kerberos realm. It's actually going to be KERBEROS.MICROSOFTONLINE.COM, so it will actually give out things like that ticket granting ticket, it will give out tickets to access various services. There's no extra configuration I have to perform on my Azure AD tenant, there is no line of sight required to domain controllers to actually leverage this. It's just Azure AD: hey, it's now a Kerberos realm. Now, this is in preview, I really want to stress that, so the things I'm going to talk about right now, the implementation details, are likely to change over time, more services will get added over time, but I want to go through the experience as it is right now.

Now, we always think about there being different elements involved in Kerberos, so I'm going to come back to that, but the first part is obviously the device that I am on. So the device I am on, well, that device must be Azure AD joined. So I have to have this Azure AD join; it can be hybrid, so it could be AD joined as well, but that is not required at all. I don't need line of sight to domain controllers; all I have to be is Azure AD joined. In terms of the operating system, this can be Windows 10, now it needs the latest. I've seen different actual answers for is it the 21H1 or 20H1, but think of it as the new version of Windows 10 with the latest cumulative update. It can be the latest kind of Windows 11, or even Server 2022 if I'm focusing on that interactive authentication. Now, also on the device, to use this there is a policy that I have to turn on to basically say, hey, I want to go and get my cloud tokens. If you actually go and look at a machine for a second, so let's jump over here and actually see that, if it's going to wake up. So this is my Windows 11 box, running actually up in the cloud, and I've got this navigated over to my Local Computer Policy, Administrative Templates under Computer Configuration, System, Kerberos, and we have this policy, "Allow retrieving the cloud Kerberos ticket during the logon", that you have to have enabled. So that's really the only key change I require on the client that's going to let it actually go and get these tokens from that Azure AD Kerberos realm. I have to be logged on as an Azure AD user as well.

Now, once again, I do not need to be AD joined in the environment; there is no requirement for the AD. Now, what you're going to see in my environment is I am not AD joined, but I do have line of sight to domain controllers. So what that means is, because of the seamless sign-on experience you get if you're Azure AD joined and have line of sight to domain controllers, well, what's actually going on behind the scenes is, hey, well, I have my account. Remember we have Azure AD Connect, and that actually sends information about the AD as well. So what happens is when I go and get my primary refresh token, when I authenticate to Azure AD, it sends me information about the on-prem AD, so if I have line of sight to domain controllers I actually go and talk to the LSA on my AD and I will get Kerberos tickets as well. So you might see that when I demo this: I am not AD joined, I do not require that ticket, it's simply a side effect because I do have line of sight to domain controllers. But I don't need line of sight, I'm not AD joined, this is all utilizing Azure AD.

Now what that's going to mean is that for the services that support this, when they need Kerberos I can just use the Azure AD Kerberos service for that. In my demonstration, for example, I'm going to use Azure Files. So what you'll see me actually do here is, hey, I'm going to have a storage account, so I'm using Azure Files. Let's say this is storage account one, and I'm going to use that as my demonstration. Now, today in the preview this is really designed around, hey, Azure Files hosting FSLogix profiles from Azure Virtual Desktop. There were also, in private preview, using kind of SQL Managed Instance Windows authentication, and Azure AD Application Proxy using Kerberos. Expect this to grow. Today I cannot bring my own application to integrate with this Kerberos, so it's a very distinct set of scenarios today, but again, it's in preview, it's just come out, expect this to grow over time.

What I'm going to demo this with is, I'm not actually using Azure Virtual Desktop or FSLogix, I am just going to use regular Azure Files but show how I've joined that to the Kerberos realm of Azure AD, and I'm going to be able to do kind of a net use without passing any credentials. The only requirement here is the account I'm using has been synchronized from my on-prem AD to the Azure AD, so that I've got that account now sitting up in the Azure Active Directory.

Now, when we think about Kerberos, remember there's three heads; the reason it's called Kerberos is you have that three-headed dog guarding the gates of Hades. Well, there's three heads when I think about Kerberos: we have the client that's actually going to go and access some service, we have the service I want to access, in this case a storage account, and then we actually have the secure token service, the STS, which Azure AD is playing in this. For this to work they have to be known to the service. So my account, we already talked about, that's been replicated via Azure AD Connect; the machine has to be joined to Azure AD; but the storage account in this instance, or the SQL MI or whatever else, has to have a representation in the Azure AD as well. Now, what this means today for Azure Files is a set of steps you go through, but if this is storage account one, for example, what will happen is I do an app registration. So I will create an app registration for storage account one that represents the storage account; that's going to enable this to actually work. And we can see this if I jump over for a second. So I created a storage account just called kerb one, and what you'll notice straight away is when I go to file shares it's telling you, hey look, you've configured Azure AD Kerberos authentication (preview), and it tells you, hey, this is really just designed for Azure Virtual Desktop's FSLogix profiles today. But I'm not going to do that, I'm just going to do a regular net use of that. But what we then do is we actually create a new access token, I'll show this, but the key point is, in Azure AD I actually go in and I create an app registration for that storage account, so that becomes the representation in Azure AD of the storage account, because remember we need all three parts to work: we need the STS, we need the client, we need the service. So that app registration is the representation of the storage account, because when we actually do Kerberos there isn't a direct conversation between the service and the STS, i.e. Azure AD. What happens is me as the client says, hey, I want to go and talk to this service, give me a token, a ticket that I can use. Well, for this to trust it there has to be a shared secret between them. So the way this actually works is you create an access key. So let's say I create an access key called kerb key one; on the app registration I set that as the secret, so now there is a shared secret between that and Azure AD, so when it gets a token, hey, only me and the STS know that, I'm going to trust it. And that's going to make this actually work. In terms of the ports used for the communications, well, it's actually using the Kerberos proxies. This is over HTTPS, so 443, so it's gonna work over the internet; there's no security or port problems you're gonna see actually with this happening.

So let's look at a little bit more detail around this. Again, this is a scenario, there are many others, this is just the one I'm kind of using in this example. So for the storage account example there's a set of steps you go through, there's quite a few of them, but what it really boils down to is I'm going to end up creating that app registration to represent the storage account. I create a new access key on the storage account that I'm going to configure as kind of a password on the app registration, so now I have that shared secret between them. Once again, today there's quite a lot of steps; I would expect as this moves to GA for the various services you'll see that actual experience change. So I showed that storage account already. There are some additional things you have to do, for example on the app registration itself there are some API permissions you have to go and consent to, things like the OpenID sign users in, view users' basic profile, sign in and read the user profile. On the storage account itself there's a whole set of steps, so this is all the various steps I've performed, and this is all outlined in the Microsoft docs. If you follow the Microsoft doc exactly, step by step, it works; if you deviate, it doesn't work. But if I go and look, this is the details of the Active Directory properties from my storage account, and you can see it's configured: hey, these domain names, forest names, domain GUIDs, Azure storage SID, it has all of these properties. So it is configured for Active Directory-based authentication, but as we saw in that portal it's using Azure AD for this. So that's the configuration that we're actually going to do. Now, don't forget also you still need the permissions on the storage account. So at the data plane level, to actually go there, remember in the access control I still need the role assignment to actually be allowed to connect, so here you can see I've got that Storage File Data SMB Share Elevated Contributor and I've given it to my user. Once again, I'm showing the storage account; for SQL MI, for proxy, the exact details will vary.

But let's see this in action. So what I have over here is I just have a regular terminal up and running, and if I dump out my tickets you can see I've got a bunch of different tickets right now. Now, you will notice when we look at this I have that ticket I talked about: this machine is not AD joined, but you'll see I do have a ticket from my regular Active Directory, because it's Azure AD joined, Azure AD Connect sent information to Azure AD about my AD, so I get the primary refresh token from Azure AD when I authenticate, it gives me the detail about the on-prem AD as well, and then I go and talk to the LSA and I get a regular Kerberos token. So that lets me access AD-trusting resources. That's just a benefit, but I'm not AD joined in any way and I do not require this; I'm just explaining why I have this token. What we also see is, hmm, interesting, over here I have KERBEROS.MICROSOFTONLINE.COM, and that's the one we care about, and I get that because I set that policy. Now what I'm going to do is I'm going to kill all of these off, so let's just do a purge, and if we do a klist we see I don't have any right now. So now all I'm going to do is a net use of my storage account; I'm not going to give it a credential, and I'm connected. If I go to Z: I can see the files. If we go back and now look at our klist, well, yep, once again as part of the authentication it went and got a token from my regular on-prem, but I don't need that. Once again I got that ticket granting ticket from KERBEROS.MICROSOFTONLINE.COM, and because I tried to access the resource I actually now got a ticket for cifs/SMB for the file share, and it was given to me by KERBEROS.MICROSOFTONLINE.COM. So there's no interaction; yes, I have that AD ticket, I don't need it at all, it's just a side effect because I have line of sight. We can see, hey, yeah, the KDC proxy login.microsoftonline.com, that's how I got that connection. Completely seamless for me, it just works, and that's really, really cool. So you can see all of those different elements in action. And what's actually really nice about this: the ticket granting ticket that I get, based on the primary refresh token when I authenticate, is actually pinned to the TPM of the client, so it actually helps secure it, it can't be moved or used anywhere else. So that's kind of the key points.

And just to prove it, if I look at my dsregcmd /status, oh, if I type it correctly, don't type too many d's, what you can see up here is we can see, sure, yeah, I'm Azure AD joined, I am not domain joined, and what we'll also see if we keep looking down, we see that tenant information, but we can see here, yeah, I have an Azure AD primary refresh token, we can see the various top-level names, we can see the Azure AD PRT, um, the refresh token authority, but that kind of proves that, hey, I'm not AD joined, I'm not doing any of that stuff, but I am part of Azure AD, and it's Azure AD that makes this work.

Now, if you're kind of stuck and you're having problems, one of the things you can do is you can kind of force it to go and get the Kerberos ticket granting tickets. So if I did that klist purge again, so I don't have any, if you do a klist get krbtgt it will go out and get the various ticket granting tickets it can get, and you can see, hey, yeah, I've got that key important one from the Azure AD Kerberos realm. Once again, you can ignore the ones from my domain; that's just a benefit Azure AD does if you have line of sight to domain controllers, but it is nothing I actually need at all for this to actually function, it's just kind of a side effect. So that was kind of a demo of what it does, and you saw, if the setup is correct, it's actually super, super easy to do.

I showed the storage account, so remember what's happening here is, the way this is functioning is, I authenticate, I'm getting that ticket granting ticket, and then when I want to talk to a service that needs Kerberos and is trusting this realm, because it has that identity in here as well, I go to Azure AD and say, hey, I want to speak to SA1. What it then does is it gives me the token that I can give, so it gives me that ticket. So I can think about, hey, here's your SA1 ticket that I can give, and it signs that with that Kerberos key that only they know, so it knows, hey, the client is giving it to me, it's signed with something only we know, encrypted, oh yeah, it's legitimate, I will trust and use this. That's a key tenet, and this is nothing special about Azure AD, that's just how Kerberos works, but that's why you need the service you're talking to to have a representation in the identity provider, in the STS. So for the storage account it's an app registration; other services may vary, hey, some might use the managed identity if it's a compute service, it can leverage that. So the details will vary. Today, again, it's a set amount of services that can use this; it's very limited. This is the initial private preview of this, some are in private preview; again, the storage account just works, but again, today it's only public preview officially for Azure Virtual Desktop and FSLogix, but as you saw it does work just for regular Azure Files. But expect it to grow; I cannot bring my own apps today, down the path I'm sure that will be an option.

So that's it, this is the native Kerberos using Azure AD. I think fantastic; it's certainly going to start helping with a lot of scenarios. If you want to start playing with it, it's just available; again, there's no config on your tenant, you just need to have a policy on the client, make sure you're running a supported client and a service that works as part of the preview. Until next time, take care.
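The demo above checks four things by hand: the client policy, the dsregcmd join state, the KERBEROS.MICROSOFTONLINE.COM ticket granting ticket in klist, and the cifs ticket that appears after a credential-less net use. The script below is an added example that automates that readiness check on a Windows client; it is my own code, not from the video, from John Savill, or from Microsoft. It assumes klist.exe, dsregcmd.exe and net.exe are on the path, that it runs as the Azure AD user being inspected, and it uses the CloudKerberosTicketRetrievalEnabled registry value under the LSA Kerberos Parameters key, which is the value the "Allow retrieving the cloud Kerberos ticket during logon" policy sets. The dsregcmd field names (AzureAdJoined, DomainJoined, AzureAdPrt), the klist "Server:" and "Kdc Called:" fields, the Z: drive letter and the share UNC are all assumptions; the share path is a placeholder you replace with your own storage account.

```powershell
# Added example, not from the video: client-side readiness check for Azure AD Kerberos.
# Assumes klist.exe / dsregcmd.exe / net.exe on the path, run as the Azure AD user.
$CloudRealm  = 'KERBEROS.MICROSOFTONLINE.COM'
$PolicyKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$PolicyValue = 'CloudKerberosTicketRetrievalEnabled'   # value behind the group policy

function Get-CloudKerberosPolicy {
    # $true when the "allow retrieving the cloud Kerberos ticket" policy is on (value 1).
    $v = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$PolicyValue -eq 1)
}

function Get-DeviceJoinState {
    # Parses the "Key : Value" lines of dsregcmd /status into a hashtable
    # (AzureAdJoined, DomainJoined, AzureAdPrt, TenantName, ...).
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    return $state
}

function Get-CloudTickets {
    # Parses klist output and keeps only tickets issued in the Azure AD realm,
    # so the on-prem AD tickets that showed up in the demo are filtered out.
    $text    = (& klist.exe) -join "`n"
    $tickets = @()
    foreach ($block in ($text -split '#\d+>')) {          # klist numbers tickets "#0>", "#1>", ...
        if ($block -match 'Server:\s*(.+)') {
            $server = $matches[1].Trim()
            $kdc    = if ($block -match 'Kdc Called:\s*(\S+)') { $matches[1] } else { '' }
            if ($server -like "*$CloudRealm*") {
                $tickets += [pscustomobject]@{ Server = $server; Kdc = $kdc }
            }
        }
    }
    return $tickets
}

function Test-AzureAdKerberosReadiness {
    param([string]$ShareUnc)   # optional, e.g. \\<account>.file.core.windows.net\<share> (placeholder)
    $join   = Get-DeviceJoinState
    $result = [ordered]@{
        PolicyEnabled       = Get-CloudKerberosPolicy
        AzureAdJoined       = ($join['AzureAdJoined'] -eq 'YES')   # required
        DomainJoined        = ($join['DomainJoined']  -eq 'YES')   # informational only, not required
        HasPrt              = ($join['AzureAdPrt']    -eq 'YES')   # the TGT is derived from the PRT
        CloudTgt            = $null
        CloudServiceTickets = @()
        ShareMapped         = $null
    }
    $tgt = { Get-CloudTickets | Where-Object { $_.Server -like "krbtgt/$CloudRealm*" } | Select-Object -First 1 }
    $result.CloudTgt = & $tgt
    if (-not $result.CloudTgt -and $result.PolicyEnabled) {
        & klist.exe get krbtgt | Out-Null          # same recovery step as in the demo
        $result.CloudTgt = & $tgt
    }
    if ($ShareUnc) {
        & net.exe use Z: $ShareUnc | Out-Null      # no explicit credential, as in the demo
        $result.ShareMapped = ($LASTEXITCODE -eq 0)
    }
    # Service tickets (e.g. cifs/...) from the cloud realm prove the share auth used Azure AD Kerberos.
    $result.CloudServiceTickets = @(Get-CloudTickets | Where-Object { $_.Server -notlike 'krbtgt/*' })
    return [pscustomobject]$result
}

Test-AzureAdKerberosReadiness | Format-List
```

Run it once before mapping the share to see whether the policy, join state and cloud TGT are in place, then again with `-ShareUnc` to confirm the cifs ticket for the share was issued by the cloud realm rather than by an on-prem DC; a DomainJoined of $false alongside a populated CloudTgt is the state the demo shows.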
Info
Channel: John Savill's Technical Training
Views: 8,984
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, kerberos
Id: fevwz8O954A
Length: 22min 9sec (1329 seconds)
Published: Tue Dec 14 2021