Active Directory Domain Services is one of the most widely installed enterprise software applications in the world. (I’ve never used the official “Domain Services” name in the past, as everyone in Microsoft-centric IT knows what Active Directory is. But now there’s an Active Directory in the cloud, too.) According to corporate vice president Takeshi Numoto, 93% of Fortune 1000 companies run it. And I can’t get anyone on the directory services team to admit to a number, but several years ago I remember seeing that 70-something% of all organizations in the world over 500 seats use Active Directory. (Oops. Active Directory Domain Services.)
But AD can't handle all the new identity requirements of our rapidly growing world of web services and multiple identity providers by itself. It’s not the product’s fault; AD is a highly-scalable and flexible design that’s endured the test of time. But the cloud computing world we’re experiencing now just didn’t exist when the product was being designed in the late 90’s. Back then, Amazon was just a bookstore.
This gap between what AD Domain Services can support and what the cloud computing world needs is where Active Directory Federation Services (AD FS) has stepped to the fore. AD FS is the identity bridge between the Active Directory forest and the wild world of web services. Sam Devasahayam, principle lead program manager on the directory services team, succinctly describes AD FS as "an authentication service head on top of AD Domain Services that provides modern protocol support beyond RPC and LDAP."
In Windows Server 2012 R2, AD FS and Active Directory Domain Services have been extended to comprehend the most popular mobile devices and provide conditional access to enterprise resources based on user+device combinations and access policies. With these policies in place, you can control access based on users, devices, locations, and access times.
The main scenarios the directory services team has targeted are:
- Single sign on to access corporate resources with Workplace Joined devices (see below)
- Enable users to work from anywhere, with a variety of devices, while still adhering to IT risk management strategy
- IT can conditionally grant access to company apps across all these devices
The key enabling concept to these new BYOD capabilities is the AD Workplace Join. This join is similar to the traditional Windows domain join, but it’s more lightweight. Group Program Manager Uday Hegde describes Workplace join as the middle ground in a spectrum of AD connection options, from a full join for supported Windows devices to Workplace Join to an unjoined state. When a mobile device is registered with Workplace Join, a device object is created in AD with an association to the AD user object that owns the device. On the client side, a user@device certificate is installed on the mobile device and is associated with that device's object in AD.
Figure 1: An iPad joined to a domain with AD Workplace Join
Once the user’s device has been validated as a trustworthy object, IT will then be able to grant some kind of conditional access to the user / device combination. Because the device is trusted, this means it can be used for multifactor authentication without requiring smart cards or hardware tokens. At the same time, AD FS has also been enhanced to provide a framework that any third-party multifactor provider can integrate into. It's all designed to look seamless to the end user.
To accomplish all this, two major components have been either enhanced or built new. AD FS appears to be the component that’s had the most work done on it to support these new scenarios. AD FS has become the Swiss Army Knife of Microsoft authentication, growing the range of identity standards the Microsoft world supports while not disturbing the enormous installed base of Active Directory Domain Services. AD FS in R2 is easier to deploy than its predecessors. It also doesn’t require IIS be installed on the AD FS server. This allows you to install AD FS directly on a domain controller, and that is in fact Microsoft’s recommended configuration. Figure n below shows the major AD FS enhancements:
Figure 2: AD FS enhancements in Windows Server 2012 R2
The other component is brand new. The Web Application Proxy, a new feature under the Remote Access role in Windows Server 2012 R2, is an HTTP reverse proxy that provides the access point to perform the Workplace Join operation, and where BYOD users gain access to corporate resources.
Accomplishing this doesn’t require that you upgrade all your domain controllers to Windows Server 2012 R2, just that you upgrade the schema to support new device object and attribute classes. What does need to be running the latest code, however, is the server running AD FS, and the Web Application Proxy.
Device support is more or less prioritized by market share. IOS devices – e.g. iPad and iPhone – and Windows devices are supported. Android is “being worked on”, and Windows Phone appears to be farther down the road, possibly with a future OS upgrade.
To summarize, Active Directory's new identity related BYOD capabilities are
- AD workplace join
- Single Sign On
- Work from anywhere
- Multifactor Authentication
- Multifactor Access Control
- AD Authentication Library
If this BYOD management works the way other Windows enhancements have been introduced, it won't have all the capabilities of the more complete mobile device management solutions from third parties. But the architecture will be sound and provide a framework to build upon. I'll look forward to the beta bits.
Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.
