OPS108: Windows authentication internals in a hybrid world

Published Feb 02 2021 08:30 AM
Microsoft

Have you ever wondered what happens when you type your password into Windows? With the cloud becoming a major part of our world, we find ourselves having to talk to both on-premises and cloud-native resources, which dramatically affects what happens when you do type your password into Windows. Follow along as Steve Syfuhs gives a guided tour of how Windows handles logons internally and secures your authentication in a hybrid world.

 

Speaker:

Steve Syfuhs, Senior Developer

 

 

This session includes:

02:11 Logging on to Windows
03:36 Types of logins
06:33 The Logon UI
09:39 Local Security Authority
21:53 Logon UI Part II
23:42 Local Security Authority Part II
25:14 Kerberos in Windows
35:35 Logon Sessions including Azure Active Directory
38:09 Local Security Authority Part III
43:53 OAuth in Windows - Types of credentials
45:55 Windows Hello Logon
53:34 FIDO Logon
56:32 Local Security Authority Part IV
1:01:08 Azure AD Join
1:05:14 Community Q&A - How long do we need to keep on-premises AD around?
1:09:39 How can we enable MFA/FIDO keys for normal AD Login and not only for Apps that support Modern Auth?
1:12:44 When will we get rid of passwords once and for all?

 

Community chat

Want to chat about this session? Come join us on Discord! https://aka.ms/ops108-chat

 

Learn more

IT Ops Talks Hybrid Event: https://aka.ms/ITOpsTalks
IT Ops Talks Community Chat: https://aka.ms/OPS108-chat
Steve on Security: https://syfuhs.net/
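Detailed look at Windows Credentials: https://docs.microsoft.com/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
Windows Hello for Business: https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification
Passwordless FIDO: https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows
FIDO Hybrid to on-prem: https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
Windows Hello Enhanced Sign-in Security: https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security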

 

Was this perfect or how could we improve this? Please take a moment to submit your feedback at https://aka.ms/ops108-feedback 

To watch more sessions from the IT Ops Talks: All Things Hybrid event check out https://aka.ms/ITOpsTalks

 



 
Last update: May 14 2021 11:14 AM