Directory Sync Update: Deploying Password Sync
Lucas Costa, Senior Service [email protected]

Agenda
What is password sync?
How does it work?
Deploying DirSync with password sync
Password sync scenarios
March 2013: Understanding DirSync
June 2013: Office 365 Identity
June 2013: Overview of Microsoft Office 365 Identity Management
Office 365 Directory and Access Management with Windows Azure AD
Password Sync: What it is
Feature of DirSync: synchronizes user password hashes from on-premises AD to Windows Azure AD
Enables users to log on to Windows Azure AD services using the same username/password as on-prem AD
Part of DirSync. No additional software. No changes to domain controllers, no reboots.

Password Sync: What it is
Easier, less-expensive alternative to AD FS Single Sign-On, but not the same thing
No redirection to on-prem authentication
No token exchange between the on-premises environment and the cloud
Authentication takes place in the cloud
Only for single-forest scenarios
Password Sync: How it works
Security considerations
Synchronizes hashes from on-premises AD to Azure AD
Never sees or stores plaintext passwords
Password policy considerations
Defers to on-premises password policies
On-premises complexity policies override cloud policies for synchronized users
Passwords of synchronized users “never expire” in the cloud

Password Sync: How it works
Checks for password updates every 2 minutes
DirSync of other attributes still runs every 3 hours
Only syncs passwords for users scoped for DirSync
Won’t sync the password hash if “User must change password at next logon” is set
Retries failed password syncs every hour for up to 1 day
Full password sync available via PowerShell (Set-FullPasswordSync)
Deploying Directory Synchronization
Step 1: Prepare for DirSync
Step 2: Activate DirSync
Step 3: Set up DirSync
Step 4: Synchronize directories
Step 5: Activate synced users
Step 6: Manage DirSync
http://technet.microsoft.com/en-us/library/hh967642.aspx

Enable password sync
Initial sync
Password during activation
Force a full sync
Monitor events
Deploying Directory Synchronization: Prepare for DirSync > Activate DirSync > Setup DirSync > Sync Directories > Activate Users > Manage DirSync
Prepare: Decide on Identity Scenario
Cloud Identity: no integration with on-premises directories
Directory & Password Synchronization: integration without federation
Federated Identity: single federated identity and credentials
Prepare: Decide on Identity Scenario
Features compared between Password Sync and SSO with AD FS:
Use same username + password
Control password policy on-premises
Support for two-factor authentication *
No password re-entry if on-premises
Client access filtering
Authentication occurs on-premises (no credentials in the cloud)
Change password available from the web
Support for multi-forest configurations (FIM)
* Azure AD offers basic 2FA features with Azure Active Authentication; AD FS can support a larger set of 2FA/Strong Authentication options
Prepare: Review Requirements
Requirements for the DirSync computer: Windows Server 2008 R2 SP1 or higher
Requirements for Domain Controllers
Requirements for Admin Permissions
Understand Performance Considerations
Review UPN requirements
New object quota: 300K with verified domains
http://technet.microsoft.com/en-us/library/jj151831.aspx
Prepare: Leverage Tools
OnRamp: guidance tool that includes readiness checks for DirSync. Helps identify issues to be fixed that will minimize DirSync errors. http://onramp.office365.com
IdFix: AD remediation tool that includes statistics on top DirSync errors requiring remediation. http://www.microsoft.com/en-us/download/details.aspx?id=36832
Setup: Version Requirement
Use the current version of DirSync
Version 6382.0000 or greater is required to enable the Password Sync feature
Download the current version here. Check information about version updates here.

Setup: Install
No difference as far as password sync is concerned
Current version installs SQL Express 2012 SP1
Synchronize: Initial Password Sync
After the configuration wizard, DirSync does the initial password sync (full password sync)
Only passwords for users in the DirSync scope
Passwords for federated users are not synchronized
Activate Users: Password Handling
When activating users, those with synchronized passwords won’t have their passwords overwritten.
Manage: Operational Tasks
Password sync can be disabled by running the Configuration Wizard and unchecking “Enable Password Sync”
Look out for updated versions of DirSync. Check information about version updates here.
Monitor Application event logs to troubleshoot and detect password sync errors: http://support.microsoft.com/kb/2855271
Manage: Monitor App Log Events
Application Log, Event Source = Directory Synchronization

Event ID  Result   Meaning
650                Password synchronization starts retrieving updated passwords from the on-premises AD DS
651       success  Finished retrieving updated passwords from on-premises AD DS
652       error    Failed to retrieve updated passwords from on-premises AD DS
653                Password synchronization starts informing Windows Azure AD that there are no passwords to be synced
654       success  Finished informing Windows Azure AD that there are no passwords to be synced
655       error    Failed to inform Windows Azure AD that there are no passwords to be synced
656                Password synchronization detects password changes and tries to sync them to Windows Azure AD
657       success  User(s) whose password was successfully synced (Result : Success)
657       error    User(s) whose password was not synced (Result : Failed)

** Events 653-655 occur every 30 minutes if no passwords have been updated on-premises
** Event 657 lists at least 1 user, at most 50 users
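An added monitoring script (not from the deck) that turns the event table above into a check: it counts the password sync events of the last day by ID and reports 652, 655 and any 657 whose message reads Result : Failed. It assumes it runs on the DirSync computer with read access to the Application log.

```powershell
# Added example, not from the deck: summarize DirSync password sync events from
# the Application log using the event IDs listed on the slides. Assumes it runs
# on the DirSync computer (PowerShell 2.0 or later) with read access to the log.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$ids   = 650, 651, 652, 653, 654, 655, 656, 657

# Meaning of each ID, as listed on the slides
$meaning = @{
    650 = 'Start retrieving updated passwords from on-premises AD DS'
    651 = 'Finished retrieving updated passwords from on-premises AD DS'
    652 = 'FAILED to retrieve updated passwords from on-premises AD DS'
    653 = 'Start informing Windows Azure AD that there are no passwords to sync'
    654 = 'Finished informing Windows Azure AD (nothing to sync)'
    655 = 'FAILED to inform Windows Azure AD (nothing to sync)'
    656 = 'Password change detected, syncing to Windows Azure AD'
    657 = 'Per-user sync result (Result : Success / Result : Failed)'
}

$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'
        Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    # With no on-prem changes, 653/654 should still appear every 30 minutes,
    # so a whole day of silence means the sync is not running at all.
    Write-Warning "No password sync events since $since; check that password sync is enabled and the service is running"
    return
}

# Count events per ID
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    '{0}  {1,4}  {2}' -f $_.Name, $_.Count, $meaning[[int]$_.Name]
}

# Failures: 652 and 655 are always errors; 657 is an error only when its
# message reports Result : Failed (the slides use the same ID for both outcomes)
$failures = $events | Where-Object {
    (@(652, 655) -contains $_.Id) -or
    ($_.Id -eq 657 -and $_.Message -match 'Result\s*:\s*Failed')
}

if ($failures) {
    Write-Warning ("{0} password sync failure(s) since {1}" -f @($failures).Count, $since)
    $failures | Select-Object TimeCreated, Id, Message | Format-List
}
```

Schedule it hourly; a run that reports no events at all is as important as one that reports failures, since the 653/654 heartbeat should never stop while password sync is enabled.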
Password Sync and SSO Together
Configuration of password sync and SSO is based on a given domain/namespace
DirSync skips password sync for users configured for SSO (i.e. federated domains)
DirSync syncs passwords for all users not configured for SSO (i.e. users in managed domains)
Users within the same namespace cannot be configured for both password sync and SSO
A specific user cannot be configured for both password sync and SSO

Convert from SSO to Password Sync
Two approaches:
Convert individual users from federated to managed by changing the user’s identity domain (user’s UPN suffix)
Convert a domain (and all associated users) from a federated domain to a managed domain
Must sync passwords after conversion
http://social.technet.microsoft.com/wiki/contents/articles/17857.how-to-switch-from-single-sign-on-to-password-sync.aspx
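An added example (not from the deck or the linked TechNet article) of the second approach, the domain conversion, followed by the full password sync that the "How it works" slide exposes as Set-FullPasswordSync. It assumes the MSOnline module is installed, that the DirSync cmdlets come from the Coexistence-Configuration snap-in, and that the sync service is named FIMSynchronizationService; the domain name and file path are placeholders.

```powershell
# Added example, not from the deck. Assumptions: the MSOnline module
# (Connect-MsolService, Convert-MsolDomainToStandard, Get-MsolDomain) is
# installed, the DirSync cmdlets are exposed by the Coexistence-Configuration
# snap-in, and the DirSync service name is FIMSynchronizationService.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,         # federated domain to convert
    [string]$PasswordFile = 'C:\DirSync\temp-passwords.txt'   # placeholder path
)

Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 administrator credentials

# Refuse to run against a domain that is not federated
$before = Get-MsolDomain -DomainName $DomainName
if ($before.Authentication -ne 'Federated') {
    throw "$DomainName is $($before.Authentication), not Federated; nothing to convert"
}

# Convert the domain and all of its users from federated to managed. The cmdlet
# assigns temporary cloud passwords and writes them to $PasswordFile; the full
# password sync below replaces them with the on-premises hashes.
Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile

$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "$DomainName is still $($after.Authentication); not starting password sync"
}

# Users in the now-managed domain are in scope for password sync, so request
# the full password sync the slides mention and restart the sync service so
# the request is picked up.
Add-PSSnapin Coexistence-Configuration -ErrorAction Stop
Set-FullPasswordSync
Restart-Service FIMSynchronizationService -Force

# The temporary password file is sensitive: delete it once the full sync has
# finished (event ID 651 in the Application log; 652 means it failed).
Write-Host "Full password sync requested. Watch for event 651/652, then delete $PasswordFile"
```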
Override a Synchronized Password?
It is possible to use PowerShell to reset a user’s password
In this case, the new password manually set via PowerShell overrides the user’s synchronized password
Password policies defined in the cloud apply to the new password
If the user changes the on-premises password, this new password gets synchronized to the cloud and overwrites the manually updated password
Resources
Implement Password Synchronization
Password synchronization troubleshooting guide for Office 365
DirSync Content Map
DirSync Version History
Best Practices for Deploying and Managing DirSync
DirSync FAQ
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.