First published on TechNet on Nov 21, 2017
Hi, Michele Ferrari here from the Premier Field Engineer-Identity Team in San Francisco here today to do some mix and match about multiple technologies we have within the Azure space.
This is the question we're going to answer today:
How can We use an Azure AD cloud Only Identity to access an OnPrem non-cloud resource?
First of all, we need a resource. We enable remote access to "Work Folders" using Azure Active Directory (great Kudo to our PM Jeff Patterson from the Product Group), secondly I'll show you how you can use a cloud only identity (it only exist in AzureAD) to actually impersonate an OnPrem User Account to access Work Folder. This is made possible by Azure AD Application Proxy which enables Kerberos Constrained Delegation.
Ready? Follow me…
Prerequisites
I'm not going to cover how to Enable remote access to Work Folders using Azure Active Directory Application Proxy as this is already available here:
I'm only providing a high-level overview to get you in the mood (Thanks Jeff):
What you achieved so far is the possibility to use Work Folders from everywhere using an OnPrem User Account.
Now, let's see how we can use a cloud only identity to do the same. This identity is not synchronized from Onprem to AAD, I'm talking about impersonate an AD account using an Azure AD user identity
You should now have 2 Apps in AAD:
Now, to use a cloud only identity to impersonate an OnPrem User Account we use Kerberos Constrained Delegation with the Work Folder Proxy Web App.
Before diving into the nuts and bolts, let briefly summarize what must fundamentally happen for KCD to be successful:
Follow me in this further step, in step 4 I'm saying that the Application Proxy retrieves the Username part of the UPN .
Azure AD Cloud Only User: misterMik@ADAL.mistermik.com
OnPrem Account: mistermik@IDENTITY.LOCAL
The user part of the UPN for my cloud only account is: MisterMik @ADAL.mistermik.com
Since we've configured the App Proxy to retrieve only the Username, as long as an account exists in my OnPrem AD with the same Username and it's not disabled, the Connector Server Computer Object will impersonate the user and request a token for it to access the work folders resource.
This is Constrained delegation: client send the Service Ticket to the Server, and server requests the service ticket via S4U2Proxy for the user.
This is the Azure AD user we are going to use to impersonate the OnPrem AD account: MisterMik@ADAL.mistermik.com
This is the OnPrem Active Directory Account which we'll impersonate to access our files on the Work Folders Server. IDENTITY\Mistermik. These accounts have only the "SAMID" which is the same.
We configure the Delegate Login Identity to deconstructs and craft the username part of the user principal account. ( MisterMik@ADAL.mistermik.com ).
AAD-Application Proxy has a few of options regarding which identity should be used when we attempt the KCD. • On prem UPN (e.g. when customers used the alternate login ID) option in Sync and so the on prem UPN is different than the cloud one
• UPN User part only
• samAccountName
We also have an option to request a SPNego Kerberos ticket if needed.
We need to allow the cloud only user to sign-on with our Work Folders Application for the AzureAD Pre-authentication.
We're now ready for the final test. We use a Windows client (in my example a Win 10 1703 in workgroup). We start the configuration for Work Folders.
Here we use the External URL provided by the Work Folders Proxy App:
https://workfolders-mod507542.msappproxy.net/
The Application Proxy, using its Connector will reach out to the internal address:
https://workfolders.identity.local/
We enter the Application Proxy External URL into the Work Folders URL:
User Consent and Application Management. When you registered the Native App, you defined which permissions the app needs access to, and which resources.
Because native clients (Work Folders Native) are not authenticated, an app defined as a native client app can only request delegated permissions. This means that there must always be an actual user involved when obtaining a token.
Web apps and web APIs (Work Folders Proxy) must always authenticate with Azure AD when getting an access token.
As shown in the following snapshot, an OAuth2 authorization request is the first step for your application to get an access token. As part of the authorization process, user consent is involved. User consent is the act of displaying a dialog that clearly lists the permissions that your application is requesting. The user can decide if the permissions your application is requesting should be granted. The permissions that appear in this consent dialog are the same permissions you configured for the Native App.
We must accept the security policies for my client device, which were specified earlier on my Work Folders server. Click I accept these policies on my PC.
Configuration is completed in a few seconds. Data from the server location will get synchronized to the specified folder on my client. Again, this data will be stored in an encrypted way (hence the green color in file explorer when viewing the folder).
Looking at what happened on the Application Proxy Connector Server, it used a delegation normally referred to as S4U, specifically It used the Service-for-User-to-Proxy (S4U2Proxy) flavor of delegation which it is an extension that allows a service to obtain a service ticket on behalf of a user to a different service.
Much about Kerberos has been well documented on TechNet. The two links below can expand your knowledge as far as you would like to take it beyond the scope of this post.
Obviously if the OnPrem Account is disabled or it doesn't exist, the impersonation will fail and the user won't have access to the data. Same result if I restrict access from the AzureAD endpoint prospective, I can block the user before calling the Application Proxy Connector.
This was only an example of the great capabilities of Azure AD Application Proxy and what you can do integrating app in AAD.
That's all! Enjoy having your corporate users' data folders synchronized to your end-user's client device, wherever you are and using only an Azure AD cloud only identity.
Michele Ferrari ( MisterMik )
Premier Field Engineer
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.