Welcome to this course on Identity Federation and Access Control in Windows Server 2019. The focus of this course is on Active Directory Federation Services, which is a role in Windows Server 2019 and a technology that's existed for several versions of Windows Server. AD FS allows you to authenticate and authorise users to access applications that you host, and also allows users to access applications hosted by other organisations that you've federated with, and they can do that using their credentials within your organisation. AD FS allows you to set up trust relationships to allow users to authenticate across security boundaries. Think of an application hosted on a server as a trust boundary. It could have its own authentication mechanism, like storing user information in a database and verifying a user's identity when they log in with the username and password stored in that database. For applications hosted within the corporate network, you can leverage Kerberos authentication to pick up the user's identity from the network. But you still need to make authorization decisions based on attributes of the user, typically roles that are either stored in Active Directory or within the application itself and linked to your user identities.
Even though Windows integrated authentication brings convenience when it comes to the authentication mechanism, it's obviously limited to intranet applications, and your application is coupled to that specific authentication method. What AD FS does is decouple authentication mechanisms from applications, so you can change the authentication method from Windows integrated to more robust authentication mechanisms like certificates or Azure MFA or Windows Hello for Business, and the application itself isn't affected. You can also require a second factor of authentication in order for users to access applications, and no changes to the application itself are required. And using a special feature of AD FS called Web Application Proxy, you can publish applications to the extranet or Internet and specify a different set of authentication credentials for users coming from outside your network. AD FS also allows for authorising who can access the applications. It lets you make those authorisation decisions based on granular attributes about the user called claims, rather than relying solely on roles. And you can send those claims back to the application to make further decisions. All this serves to speed up development time because applications don't need to have their own individual authentication and authorization subsystems, because those services are decoupled from the application.
You have more flexibility in how you implement them and in the authentication methods that you choose. Centralizing identity management and access control reduces the pain related to provisioning and deprovisioning users. And AD FS uses open standards, so it can provide authentication and authorisation not only for custom-built applications but for any commercial off-the-shelf solution that supports those standards. Now, I've mentioned that you can use a component of AD FS to publish applications to the Internet. That technology is called Web Application Proxy. It allows you to pre-authenticate users coming from the Internet before they access internal applications. And you can specify that those users provide one set of authentication credentials and users on your intranet provide a different set. Maybe you want users on the Internet to use multifactor authentication, for example. Typically, AD FS is used with claims-based applications, and we'll be going into a lot of detail later in the course on claims and how they're used. But AD FS can also be used with Web Application Proxy to authenticate users to applications that use Windows integrated authentication, so you can publish those applications outside your corporate network. AD FS will require the user to log in with forms-based authentication, and then it will return a Kerberos ticket to authenticate the user to the application.
I'll be showing you that later in the course. So just for applications hosted within your network, there's a pretty good value proposition for using AD FS, especially since it's already part of Windows Server. But where it really shines is by federating a user's identity across organisational boundaries using standard protocols. You can set up a trust relationship with another organisation. So when your users try to access applications hosted by that organisation, they can get redirected to the partner's identity server, which redirects them to your AD FS server to log in with their own credentials. Then standard claims can be returned to the other organisation to be used to identify the user and to make further authorisation decisions. I'll be showing you how to set this up later in the course. This opens up a lot of possibilities, not only for federating with other organisations, but for allowing users to access web-based applications like Salesforce or ArcGIS Online or Office 365. When you set up trust relationships with those software-as-a-service solutions, users don't need to have a separate set of credentials, which makes life a lot easier for end users. For organizations moving to the cloud, there's often a concern about identity management and security.
Organizations may not want to store user passwords in the cloud for security or compliance reasons. AD FS isn't the only solution for integrating with Microsoft Azure, but it is a very flexible one that allows you to leverage on-premises authentication. So user accounts are synced to the cloud, but user passwords are stored on premises in Active Directory. And you can leverage all of the benefits of AD FS in terms of the authentication methods, features and the control that it offers. When users access resources in Azure, they get redirected to your AD FS server that's exposed to the Internet using Web Application Proxy, and they authenticate with AD FS before being allowed access to your resources in the cloud. I'll be showing you how to set this up later in the course too. AD FS has really evolved through the different versions. And it's part of Microsoft's overall strategy to protect a user's password and even eliminate the need for passwords altogether. Passwords have issues. They can be obtained by nefarious actors through hacking and social engineering, and users tend to use the same password across many different applications. So not only does that increase the risk of a password being stolen, it also increases the damage that can be done when it is stolen.
Later in the course, you're going to see all the different authentication methods that AD FS can provide, from Windows authentication and forms-based authentication to certificate authentication, device authentication and Windows Hello for Business, which lets the user authenticate using their device and a gesture like a fingerprint or facial recognition. You'll see how Azure Multi-Factor Authentication can be used as a second factor of authentication after one of the other methods, and the user can be sent a text message to enter into the browser. Or they could receive a phone call or a push notification to an app on their phone to complete authentication. Azure MFA can also be used as the primary authentication method, so users don't need to enter a password at all, and you can integrate other non-Microsoft MFA providers with AD FS. Also, user identity information is typically stored in Active Directory, but you can configure AD FS to authenticate users against any LDAP-compliant directory. You typically retrieve the user attributes from the identity store, but it's possible to configure additional attribute stores also. Even when using Active Directory as the identity store, user attributes can be retrieved from other sources like an LDAP directory or Microsoft SQL Server. You'll see that later in the course too.
So we've talked about the benefits of using Active Directory Federation Services and the value that it can bring for users and for IT. In the rest of the module, you'll learn about some of the new features in AD FS 2019. We'll discuss the lab environment for the VMs I'll be using in the demos so you can set up your own. Then I'll explain the certificates used by AD FS, and we'll create an SSL certificate that the AD FS service will use. Then we'll install and configure AD FS in a Windows Server 2019 environment. After that, you'll learn about upgrading AD FS from AD FS 2016, and it's also supported to upgrade directly from AD FS in Windows Server 2012 R2. Then I'll show you the new AD FS Help website, which is a resource Microsoft provides for troubleshooting AD FS problems. And finally, you'll see a couple of the tools that you can get from that website: the AD FS Diagnostics Analyzer and the AD FS Rapid Restore Tool for backing up and restoring a single-server AD FS, for instance. So next, let's talk about some of the new features in AD FS 2019.