WINDOWS SERVER 2012 R2: Bring Your Own Device Using AD Federation Services
Transcript of WINDOWS SERVER 2012 R2: Bring Your Own Device Using AD Federation Services
Page 1
Windows Server 2012 R2 Live Meeting
Bring your own device using AD FS
Wednesday 2 April 2014, 19:00 – 20:00
Chris Spanougakis MCT, MVP Directory [email protected]
Page 2
Who am I
• Microsoft Certified Trainer since 2000
• Microsoft Most Valuable Professional in Directory Services since 2008
• IT Consultant, teaching, travelling
• Twitter @spanougakis
• Blog http://www.spanougakis.com
Page 3
Agenda
• What is Work Folders?
• Implementation of Work Folders using ADFS
• Work Folders with File Server Roles
• Workplace Join using ADFS
• Demos
• Links
• Questions
Page 4
Page 5
Enabling work from anywhere
• IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.
• IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
• Users can work from anywhere on their device with access to their corporate resources.
• Users can register devices for single sign-on and access to corporate data with Workplace Join.
• Users can enroll devices for access to the Company Portal for easy access to corporate applications.
• IT can publish Desktop Virtualization (VDI) for access to centralized resources.
Page 6
BYOD
http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-8-1/compare/default.aspx
Page 7
File Sync Solutions
Data types covered on personal devices: consumer / personal data, individual work data, team / group work data.

| Solution | Data location |
|---|---|
| SkyDrive | Public cloud |
| SkyDrive Pro | SharePoint / Office 365 |
| Work Folders | File server |
| Folder Redirection / Client-Side Caching | File server |
Page 8
Work Folders Prerequisites
• New File Server Role in Windows Server 2012 R2
• New file sync protocol over HTTPS
• Non-Work Folder clients can connect via SMB
• Works with other File Server Roles
• Requires Locally Attached Disk
• Work Folder Share
• Requires Public or Private PKI
• User must be a member of a Sync Group
Page 9
Work Folders Clients
• Windows 8.1 Domain Joined
• Windows 8.1 Non-Domain Joined
• Windows 8.1 RT
• Windows 7 (with agent software, coming soon)
• iPad (coming soon)
Page 10
Options to connect
• Auto-Discovery: the user types his e-mail address
• By using a URL: the user types the URL
• Opt-in (GPO, SCCM, Intune): the user decides when to connect
• Mandatory (GPO, SCCM, Intune): forced, automatic
Page 11
Where to start
• Install the File Server role on Windows Server 2012 R2 and enable Work Folders
• Create a DNS entry for workfolders.yourdomain.com
• Open port 443 on your firewall and publish the file server
• Create or use the server certificate and verify that it is used by the HTTPS web application
• Create users, groups, GPOs
• Configure the Windows 8.1 client
Page 12
GPOs & Certificates
• netsh http show sslcert
• netsh http delete sslcert hostnameport=dc.testlab.com:443
• netsh http add sslcert hostnameport=dc.testlab.com:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY
• Use a GPO to force automatic setup, so the user does not have to type his e-mail address or the Work Folders URL
• It's a good idea to use HTTPS instead of HTTP
• It's also a good idea to use a public PKI certificate...
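An added example, not part of the slides: a PowerShell script that picks the server certificate for the Work Folders host name, checks it is usable before binding, and then applies the same netsh binding shown above. It assumes the host name dc.testlab.com and the appid from the slide, and that it runs elevated on the file server.

```powershell
# Added example (not from the slides). Assumptions: run elevated on the Work Folders
# file server; host name and appid are the values used on the slide.
$HostName = 'dc.testlab.com'
$AppId    = '{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}'

# Candidate certificates: machine store, private key present, currently valid,
# and the SAN DNS names cover the name clients will type or auto-discover.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (@($_.DnsNameList.Unicode) -contains $HostName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid certificate for $HostName in Cert:\LocalMachine\My" }

# The slide recommends a public PKI certificate; flag a self-signed one (subject == issuer).
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed; clients will not trust it by default."
}

# Replace any existing binding for host:443, then bind (delete fails harmlessly if none exists).
$binding = "${HostName}:443"
netsh http delete sslcert hostnameport=$binding 2>$null | Out-Null
netsh http add sslcert hostnameport=$binding certhash=$($cert.Thumbprint) appid=$AppId certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $binding" }

# Show the result so the thumbprint can be compared with the chosen certificate.
netsh http show sslcert hostnameport=$binding
```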
Page 13
Work Folders Links
• TechNet - http://blogs.technet.com/b/in_the_cloud/archive/2013/07/10/what-s-new-in-2012-r2-making-device-users-productive-and-protecting-corporate-information.aspx
• How to deploy Test Lab - http://blogs.technet.com/b/filecab/archive/2013/07/10/work-folders-test-lab-deployment.aspx
• Work Folders - http://technet.microsoft.com/en-us/library/dn296644(v=wps.630).aspx
• PowerShell - http://technet.microsoft.com/en-us/library/dn296644(v=wps.630).aspx
• Selective Wipe - http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/protecting-corporate-data-on-mobile-devices.aspx
Page 14
Work Folders Demo using ADFS
Page 15
Workplace Join
• Associates the device with a user
• Provides a seamless second factor authentication
• Enables IT to conditionally restrict access only to workplace joined devices
• Enables a better end user experience with SSO
• Avoids risks involved in saving passwords with each application
• Avoids users having to repeatedly enter their credentials
• Enabled by the device registration service in AD FS
Page 16
Expanding device support
Relationship with Active Directory, from least to most managed:
• Not Joined to AD: limited access, no IT control
• Workplace Joined: device at work with IT governance & controlled access to apps
• Domain Joined: company owned device with full IT control & full access
Page 17
Workplace Join Prerequisites
• Active Directory Domain
• Active Directory Federation Server Role
• Managed Service Account for the ADFS Service:
  • Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
  • New-ADServiceAccount FsGmsa -DNSHostName adfs.contoso.com -ServicePrincipalNames http/adfs.contoso.com
• Certificate for the ADFS Server:
  • Subject Name (CN): adfs.contoso.com
  • Subject Alternative Name (DNS): adfs.contoso.com
  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com
See all the detailed steps here: http://technet.microsoft.com/en-us/library/dn280939.aspx
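An added example, not part of the slides: a PowerShell check that walks the prerequisites above on the AD FS server, creating the KDS root key and the gMSA only if they are missing and verifying that the service certificate carries both required SAN entries. It assumes the names from the slide (FsGmsa, adfs.contoso.com, enterpriseregistration.contoso.com), the ActiveDirectory module (RSAT) installed, and an elevated domain-admin session.

```powershell
# Added example (not from the slides). Assumptions: names as on the slide,
# ActiveDirectory module available, run elevated as a domain admin on the AD FS server.
Import-Module ActiveDirectory

$FederationName = 'adfs.contoso.com'
$RequiredDns    = @($FederationName, 'enterpriseregistration.contoso.com')
$GmsaName       = 'FsGmsa'

# 1. A KDS root key must exist before any gMSA can be created. The -10 hour
#    EffectiveTime is the lab shortcut from the slide; in production create the
#    key with the default time and let it replicate for 10 hours first.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# 2. The gMSA for the AD FS service, with the HTTP SPN for the federation name.
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'"
if (-not $gmsa) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $FederationName `
        -ServicePrincipalNames "http/$FederationName"
}

# 3. The service certificate: CN = federation name, private key present, and the
#    SAN must list both the federation name and enterpriseregistration.<domain>,
#    otherwise device registration (Workplace Join) fails TLS name matching.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$FederationName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$FederationName in Cert:\LocalMachine\My" }

$sans    = @($cert.DnsNameList.Unicode)
$missing = @($RequiredDns | Where-Object { $sans -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) is missing SAN entries: $($missing -join ', ')"
}

"Prerequisites OK: gMSA $GmsaName, certificate $($cert.Thumbprint) covers $($RequiredDns -join ', ')"
```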
Page 18
Multi-Factor Authentication
• Authenticate users using one more... factor
• Microsoft Azure can help with PhoneFactor
• Phone calls or SMS can be used for additional authentication
Page 19
Workplace Join Demo using ADFS
Page 20
Do you have Windows 8? Download the free app!
Page 21
Q&A: Questions and Answers
Page 23
Windows Server 2012 R2 Live Meeting
Thank you!
Chris Spanougakis MCT, MVP Directory [email protected]