
Active Directory and Authentication in Windows Server 2016

We’ve been hearing about Windows Server 2016 for a while now. It’s time to see what Microsoft is doing with respect to Active Directory Domain Services (AD DS) and authentication enhancements.

It’s obvious that Microsoft is more focused on web- and cloud-based environments than on intranet environments. No surprise there.

It’s a bit of a good news/bad news story.

The good news is that if you are currently using only AD DS – which includes the vast majority of the organizations with which I come into contact – then there doesn’t appear to be a whole lot of change. So you won’t have to learn a bunch of new stuff.

The bad news is that if you would like to improve your IT shop’s identity management and authentication support for web- and/or cloud-based applications, you’ll have to buy more Microsoft products. Of course, that also means you’ll need to buy more hardware to run those additional products.

With that as an introduction, let’s take a high-level look at the new identity management and authentication function coming in Windows Server 2016.

Active Directory Domain Services (AD DS)

The majority of the new function falls into the following categories:

  • Privileged Access Management (PAM)
    Privileged access management – not to be confused with Pluggable Authentication Modules, a concept that originated in UNIX – adds some interesting security controls for isolating privileged accounts from non-privileged ones. When a user requests additional privileges, PAM can require the requestor to supply an additional authentication factor (e.g. a PIN sent to the person’s cell phone). PAM also includes a minor Kerberos enhancement: group memberships can now carry a time-to-live (TTL), and a user who holds memberships in several groups with different TTLs is issued Kerberos tickets whose lifetime is capped at the smallest remaining TTL, so the elevated rights expire with the membership instead of lingering in a long-lived ticket. PAM also includes new monitoring support to identify who requested access, what access was granted, and what activities were performed. Unfortunately, you need a license for Microsoft Identity Manager, and your AD forest must be at a functional level of Windows Server 2012 R2 or higher, in order to take advantage of it.
  • Azure AD Join
    Azure AD is Microsoft’s cloud-based analog to on-premises Active Directory. The AD DS enhancements allow tighter integration between Azure AD and AD DS. As far as I can tell, none of this function is available without an Azure AD license.
    The new function allows you to:

      • Access organizational resources from mobile devices (phones, phablets) that can’t be joined to a Windows domain, whether they are corporate-owned or BYOD
      • Single sign-on to Office 365 and other organizational apps, websites and resources.
      • Add a work account (from an on-premises domain or Azure AD) to a personally-owned device, providing SSO to work resources via apps and on the web, in a way that helps ensure compliance with new capabilities such as Conditional Access Control and Device Health Attestation.
      • Mobile Device Management (MDM) integration lets you automatically enroll devices in your MDM (Intune or third-party).
      • Set up “kiosk” mode and shared devices for use by multiple users in your organization
      • Option to “image” corporate-owned devices or allow end users to configure those devices during the first-run experience.
  • Microsoft Passport
    A digital certificate is a mechanism for taking advantage of the security inherent in asymmetric keys (i.e. public/private key pairs). Digital certificate management is what you do in order to use and manage those key pairs and the identities to which they are bound. Passport (later renamed Windows Hello for Business) is an attempt to give the enterprise the benefits of key-pair authentication without the cost of running a certificate management infrastructure: the device generates a key pair, the private key stays on the device (unlocked by a PIN or biometric gesture, and held in a TPM where one is present) and only the public key is registered with AD DS or Azure AD. Like digital certificates, Passport is primarily intended for accessing web- and cloud-based applications from mobile devices or from Windows 10 workstations. If you aren’t already an Azure AD customer, or your primary applications aren’t cloud-based, then Passport probably doesn’t buy you much. If you are, AD DS now has more integrated support for Passport. As with the other areas of enhancement for AD DS, this appears to be mainly focused on mobile devices and on accessing external resources from your internal network.
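The Kerberos TTL behaviour described under PAM is easiest to see with the time-bound group memberships that Windows Server 2016 AD DS supports natively. The following is an added example, not code from the original post, and it uses the built-in "Privileged Access Management Feature" optional feature rather than the full Microsoft Identity Manager deployment the post refers to. It assumes a forest named corp.example.com at the Windows Server 2016 forest functional level, a user named alice, and the RSAT ActiveDirectory module on the administrator's workstation; all of those names are assumptions.

```powershell
# Added example: time-bound group membership and its effect on Kerberos ticket lifetime.
# Assumed environment: forest corp.example.com at the 2016 forest functional level,
# user 'alice', RSAT ActiveDirectory module installed. Run as an Enterprise Admin.
Import-Module ActiveDirectory

# One-time, irreversible step: enable the optional feature for the whole forest.
# Without it, -MemberTimeToLive below is rejected.
Enable-ADOptionalFeature 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example.com' -Confirm:$false

# Grant alice two privileged memberships with different TTLs.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'alice' `
    -MemberTimeToLive (New-TimeSpan -Minutes 30)
Add-ADGroupMember -Identity 'Schema Admins' -Members 'alice' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# Read the memberships back with their remaining TTLs. Time-bound entries are
# returned as '<TTL=1799>,CN=alice,CN=Users,DC=corp,DC=example,DC=com'.
$groups = 'Domain Admins', 'Schema Admins'
$ttls = foreach ($g in $groups) {
    (Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*>,CN=alice,*' } |
        ForEach-Object {
            [pscustomobject]@{
                Group      = $g
                TtlSeconds = [int]($_ -replace '^<TTL=(\d+)>.*$', '$1')
            }
        }
}
$ttls | Format-Table -AutoSize

# The KDC caps the lifetime of alice's TGT at the smallest remaining TTL, so the
# ticket (and the Domain Admins SID inside it) expires with the 30-minute grant,
# not at the domain's default 10-hour ticket lifetime.
$cap = ($ttls | Measure-Object -Property TtlSeconds -Minimum).Minimum
"Kerberos will cap alice's next TGT at $cap seconds"

# On alice's own session, confirm it: 'klist' shows an End Time on the krbtgt
# ticket that is at most $cap seconds after the Start Time.
```

Two cautions a practitioner will want: the optional feature cannot be disabled once enabled, so test it in a lab forest first; and the cap applies when the ticket is issued, so a ticket alice already holds keeps its original lifetime until it is renewed or she logs on again.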

Active Directory Federation Services (AD FS)

AD FS is a Windows Server role that extends AD. It provides sign-on with a common set of credentials for applications like Office 365 and other cloud-based applications, and for applications on the corporate network. In a way, AD FS provides the ability to integrate AD, Azure AD, third-party LDAP v3 directories and Passport authentication for enterprise users so they can log in anywhere with only their AD credentials.

Here are a few of the more interesting enhancements in AD FS.

  • Authenticating to AD FS-protected resources with identities from any LDAP v3 directory, not just AD, and from untrusted or partially trusted AD domains and forests.
  • Federate third-party LDAP v3 directories with Azure AD (cloud-based AD) and Office 365
  • Conditional Access Control for restricting access to resources based not only on identity but also by the device that identity is using.
  • Delegated Service Management – previously an AD FS administrator had to be a local administrator on the AD FS server, but in 2016 you will be able to designate a standard AD security group instead.
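The first bullet, authenticating AD FS users from a third-party LDAP v3 directory, is configured with a "local claims provider trust". The block below is an added example written for this page, not Microsoft's or the post author's code. The directory host name, port, bind account, user container, account suffix and attribute names are assumed values for illustration; the cmdlets and parameters are the AD FS 2016 ones.

```powershell
# Added example: register a third-party LDAP v3 directory as a local claims
# provider trust in AD FS 2016. Hostname, port, container, account suffix,
# attribute names and the bind account are assumptions; substitute your own.
Import-Module ADFS

# Credential of a read-only bind account in the vendor directory (prompted).
$DirectoryCred = Get-Credential -Message 'LDAP bind account'

# Connection to the directory. Use LDAPS (-SslMode Ssl, port 636): with
# -SslMode None and Basic authentication the bind password crosses the wire in clear text.
$vendorDirectory = New-AdfsLdapServerConnection -HostName 'ldap.vendor.example' `
    -Port 636 -SslMode Ssl -AuthenticationMethod Basic -Credential $DirectoryCred

# Map LDAP attributes to the claim types that relying parties will consume.
$VendorEmailClaim = New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'mail' `
    -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$VendorIdClaim = New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'employeeID' `
    -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/employeeid'

# Register the directory. Users sign in as <name>@vendor.example; AD FS resolves
# the account under -UserContainer and binds to the LDAP server with the
# user's own password. The anchor claim is the attribute that uniquely
# identifies the user across sign-ins.
Add-AdfsLocalClaimsProviderTrust -Name 'Vendors' -Identifier 'urn:vendors' -Type Ldap `
    -LdapServerConnection $vendorDirectory `
    -UserObjectClass 'inetOrgPerson' `
    -UserContainer 'ou=people,dc=vendor,dc=example' `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute 'mail' `
    -AnchorClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -OrganizationalAccountSuffix 'vendor.example' `
    -AcceptanceTransformRules 'c:[] => issue(claim = c);' `
    -LdapAttributeToClaimMapping @($VendorIdClaim, $VendorEmailClaim) `
    -Enabled $true

# Confirm what was registered.
Get-AdfsLocalClaimsProviderTrust -Name 'Vendors' |
    Format-List Name, Identifier, OrganizationalAccountSuffix, Enabled
```

The acceptance rule shown passes every claim the directory supplies straight through; in production, narrow it to the claim types your relying parties actually need, and keep the set of mapped attributes small, since anything you map becomes visible to every application federated with this trust.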

Summary

Microsoft is adding a lot of new, interesting function in Windows Server 2016. However, if your shop isn’t already up to its nose in migration planning, or won’t be going to Windows Server 2016 in the near future, then most of that function doesn’t apply to you.

If your shop is already using AD FS and/or Azure AD with Office 365, for example, this function does apply to you. You have already embarked on the learning-curve road. Depending on where you are on that journey, I suspect it will get a lot steeper if you need to take advantage of these enhancements. For more details, check out this URL: https://technet.microsoft.com/en-us/library/mt126143.aspx
