(biz303) active directory in the aws cloud | aws re:invent 2014

AWS CloudOn Premise Datacenter

VPN Connection1

Authenticate User and Request

Kerberos Ticket

Active Directory Forest

2Get Kerberos

Tocket

4Use Information

in Ticket

EC2 Instances

User

3Submit Ticket

AWS CloudRemote Office

VPN Connection1

Authenticate User and Request

Kerberos Ticket

Active Directory Forest

2Get Kerberos

Tocket

4Use Information

in Ticket

EC2 InstancesUser

3Submit Ticket

AWS CloudOn-Premise Datacenter

User

ADFS 2.0 Server

EC2 Instance

Windows Identity Foundation

Active Directory Domain Services

Application

VPN Connection

1,2Login and

receive Kerberos Ticket

3,4Query For Token

Requirements

5Request Token, Send Kerberos

Ticket8

Return Token

9Forward Token to

Application

10,11, 12Resolve Token and Evaluate

Claim

13Get the Data

6,7Find and Return

Claim

AWS CloudOn-Premise Datacenter

User

8.User is

authenticated to app

ADFS 2.0 Server

EC2 Instance

Active Directory Domain Services

Application

Security Token Service

1: Log into AD/Get Kerberos TGT

2. Establish Session with

App

3. App needs token

redirect to STS

4. STS sends token

request to Identity Provider

5. ADFS gets authuser info from AD createsSAML Tioken

6. ADFS redirects user to STS with SAML token

7. Redirect user back to app with

token

Characteristic RODC Writeable DC

AD Database Access RODC is Read-Only.

Certain write operations

are forwarded and

referrals can be given

All operations supported

Data Replication Only replicated data

FROM a writable DC

Replicate all changes

Data Stored in DB Contains copy of all data

except for credentials and

like attributes

Complete copy of the

entire database

Administration Administration can be

delegated to non-Domain

Admins

Only a Domain Admin

can administer

Active Directory

SharePoint 2013

Remote Desktop Gateways

PowerShell DSC

http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/

http://aws.amazon.com/microsoft/whitepapers/sharepoint-2013/

http://aws.amazon.com/microsoft/whitepapers/rdgateway-reference-architecture/

http://aws.amazon.com/microsoft/whitepapers/powershell/

Microsoft Pages on AWS

Securing Windows Based Application on AWS

Windows Details Page

Microsoft License Mobility Program

http://aws.amazon.com/microsoft

aws.amazon.com/whitepapers/secure-microsoft-applications-on-aws

http://aws.amazon.com/windows

http://aws.amazon.com/windows/mslicensemobility/

Capacity planning for ADDS

Active Directory Replication Over Firewalls

Active Directory Replication Concepts

Active Directory Federation Services

Troubleshooting AD Replication

http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx

http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx

http://technet.microsoft.com/en-us/library/cc731537(v=ws.10).aspx

http://awsmedia.s3.amazonaws.com/EC2_ADFS_howto_2.0.pdf

http://technet.microsoft.com/en-us/library/cc949120(v=ws.10).aspx#BKMK_Intro

Please give us your feedback on this session.

Complete session evaluations and earn re:Invent swag.

http://bit.ly/awsevals

http://bit.ly/awsevals

(biz303) active directory in the aws cloud | aws re:invent 2014

Technology

kerberos ticket3

adget kerberos tgt2

resolve token

redirect user

adfs redirects user

nondomain adminsonly

complete session evaluations

replicated data