Introduction

This document provides instructions on how to configure Hybrid Azure AD join by using IBM® Security Verify as the Identity Provider.
The following Prerequisites must be met before configuration:

Azure AD with administrator access.
Windows AD server e.g. Windows Server 2019 Datacenter edition, installed with Azure AD Connect.
Windows 10 device domain joined to Windows AD domain.
Windows device with Powershell and Microsoft Online Services Module installed.
IBM Security Verify domain with administrator access.

Complete the following tasks:

Azure Active Directory
- Configure a federated Azure AD Domain.
On-premise Microsoft® Active Directory
- Setup the On-premise Active Directory.
- Setup Azure AD Connect.
- Enable Kerberos Authentication.
IBM Security Verify
- Configure Microsoft 365 application (WS-Federation).

Configure a federated Azure AD domain

Refer to the Microsoft 365 WS-Federation single sign-on (SSO) configure guide with the following steps:

Open IBM Security Verify Admin portal.
Click Applications.
Create a new Microsoft 365 application or select an existing Microsoft 365 application.
Click the Sign-on tab, and select WS-Federation as the Sign-on method.
The guide is displayed on the right panel.

Configure On-premise Active Directory

Note: The following instructions are based on a fresh installed Windows Server 2019 Datacenter edition with the latest updates installed.

Add Active Directory Role to Windows Server

From the Server Manager, click Manage and select Add Roles and Features from dropdown to launch Add Roles and Features Wizard.

In the Add Roles and Features Wizard, click Next.
In the Select server Roles window, select the Active Directory Domain Services checkbox and click Add Features in the pop-up window.

In the Select features window, click Next.
In the Confirmation page, click Install.

After the installation is complete, close the Add Roles and Features Wizard.

Configure Active Directory

From the Server Manager, click the notification icon and select Promote this server to a domain controller.

In the Active Directory Domain Services Configuration Wizard, under Deployment Configuration, select Add a new forest and specify the domain name.

The domain name is the one that is used in Configure a federated Azure AD domain.
3. In the Domain Controller Options window, use the default options and specify a Directory Service Restore Mode (DSRM) password. Click Next to proceed.

In the Additional Options window, change the NetBIOS domain name if necessary.

Click Next for the rest of the windows.
In the Installation window, click Install. The Windows Server restarts automatically after the installation is completed. If it does not restart automatically, restart it manually.

Test join to the On-premise Active Directory from a Windows 10 device (Optional)

Creating a new domain user for domain join

From Administrative Tools, open Active Directory Users and Computers and expand your domain.
Right-click Users and select New > User.

Specify the required information to create the user.

Join the Windows Domain

Note:

Windows 10 Home Edition does not support domain join, use Windows 10 Professional or Enterprise or Educational edition.
The Windows AD configured in Configure On-premise Active Directory must be used as a DNS of Windows 10 device. Change the Windows 10 device network configure accordingly.

Sign in to the Windows 10 device.
Open Settings, select Accounts> Access work or school.
Click Connect.
Select Join this device to a local Active Directory domain.
1. Enter the Domain name you have configured in Configure AD.
2. Enter the credentials from Create a new domain user for domain join and click OK.
3. Click Next or Skip
4. Click Restart now.
Verify that the Windows 10 device is part of the domain after restarting.
1. The following screen appears after restarting. The domain name is the NetBIOS domain name.
2. Ensure that the sign in to Windows with the domain user is successful.

Installing and Configuring Azure AD Connect on the On-premise Active Directory

Installing Azure AD Connect

Download the Azure AD Connect installer from https://www.microsoft.com/en-us/download/details.aspx?id=47594.
Double-click the installer to start the installation.
In the Welcome window, agree to the license terms and privacy notice.
Click Continue.

In the Express Settings window, click Customize.

In the Required Components window, click Install without selecting any options.

Wait for the installation of the optional components to complete.
Configure Azure AD Connect:
1. In the User Sign-in window, select Do not configure.
2. In the Connect to Azure AD window, specify your AAD Admin login credential.
3. Click Sync > Connect Directories, select the On-premise Active Directory domain name for the FOREST, and click Add Directory.
4. Select Create new AD account and specify the On-premise Active Directory domain Admin (The Windows AD Server administrator user) credential at the popup windows.
Do not change the remaining options and click Next for the rest of the pages.
Click Install.

Configuring Azure AD Connect for hybrid Azure AD join

Launch Azure AD Connect by double-clicking the desktop icon.
In the Welcome window, click Configure.

In the Tasks window, select Configure device options and click Next.

In the Overview window, click Next.
In the Connect to Azure AD page, enter the AzureAD Admin credential.
In the Device options window, select Configure Hybrid Azure AD join and click Next.

In the Device systems window, select both options and click Next.

In the SCP window, select the checkbox next to the domain name.
Select the IBM Security Verify tenant name for Authentication Service and click Add.
Specify the On-premise Active Directory domain Admin (The Windows AD Server administrator user) credential and click Next.

Click Next for the rest of the pages and click Configure.
Click Exit after the configuration is completed.

Configuring Controlled validation of hybrid Azure AD join

Refer to this Microsoft document Controlled validation of hybrid Azure AD join.

Clearing the SCP from AD

See Clear the SCP from AD.

Configuring client-side registry setting for SCP

See Configure client-side registry setting for SCP.

Skip the remaining part of this Microsoft document Controlled validation of hybrid Azure AD join.

Validating Hybrid Azure AD Join on an On-premise Active Directory domain joined Windows 10 device (Optional)

Join to the On-premise Active Directory Domain

Refer to Test join to the On-premise Active Directory from a Windows 10 device (Optional) section to join a Windows 10 device to local AD domain.

Wait for the Windows 10 device status become Hybrid Azure AD Joined

It can take up to 30 minutes to synchronize the newly On-premise Active Directory Domain joined Windows 10 device to Azure AD.
It might take another 30 minutes or more for the device to complete Hybrid Azure AD join after it is synchronized to Azure AD.

Note: Try rebooting the Windows 10 device and sign-in again if Hybrid Azure AD join is not fully completed after a long time.

Check Windows 10 device Hybrid AAD join status by using command line dsregcmd /status on the Windows 10 device:
- After On-premise Active Directory Domain join, before Hybrid Azure AD join is fully completed, the device state is:
  AzureADJoined: NO
  DomainJoined: YES
- After Hybrid Azure AD join is fully completed, the device state is:
  AzureADJoined: YES
  DomainJoined: YES
Check Windows 10 device Hybrid Azure AD join status in the Azure portal:
After the On-premise Active Directory Domain joined device is synchronized to AAD, the device appears in Azure portal - Azure Active Directory - Devices.
- Before Hybrid Azure AD join is fully completed, the device state Registered column is Pending.
- After Hybrid Azure AD join is fully completed, the device state Registered column is date and time on which Hybrid AAD join is fully completed.

Configuring Service Principal Name (SPN) and Keytab file to enable Kerberos Authentication

Creating a Service Account User on Windows AD Server

Refer to Create a new domain user for domain join section on how to create a new domain user.

When you are creating a password for the service account, uncheck User must change password at next logon and check Password never expires.

Enabling Kerberos AES encryption for the Service Account User (Optional)

Right-click the newly created Service Account User and select Properties.
On the Account tab, in Account options select This account supports Kerberos AES 128 bit encryption. and/or This account supports Kerberos AES 256 bit encryption.

Click OK to save the change.

Finding out the DNS A record of the IBM Security Verify tenant hostname

The DNS A record of the IBM Security Verify tenant hostname must be used to configure the Service Principal Name (SPN) and create the Kerberos keytab file.

Refer to Linux / MacOS or Windows to find out the DNS A record.

Linux / MacOS

Open terminal and execute the following command:
dig <ISVTenentHostName>
From the output, under the ;; ANSWER SECTION: section, there are lines in this format <FQDN>. 4 IN A <IP>, where the <FQDN> is the DNS A record for the IBM Security Verify tenant hostname.
Note: Remove the '.' (dot) at the end of the DNS A record.

Windows

Open PowerShell and execute the following command:
nslookup <ISVTenentHostName>.
Note: In the command line, a '.' (dot) must be appended after the IBM Security Verify Tenant Hostname without space.
From the output, under Non-authoritative answer:, there is a line starts with Name:, the value after Name: is the DNS A record for the IBM Security Verify tenant hostname.

Configuring Service Principal Name (SPN)

Open PowerShell and execute the following command to configure an SPN for the service account.
The SPN must be set to ISV WSFed app configure.

setspn -S HTTP/<ISVTenantHostName_DNS_A_RECORD> <ServiceAccountName>

(Optional) Verify the Service Account has the required servicePrincipalName attribute with a valid value. Enter the following command:

setspn -L <ServiceAccountName>

6.4 Configuring the Keytab file

Open a PowerShell console, and run the following command to configure the Keytab file.
The Keytab file is the must be uploaded to ISV WSFed app configure.

NOTE: Use uppercase for DOMAINNAME.

ktpass /out <FullPathToKeytabFile> /princ HTTP/<ISVTenantHostName_DNS_A_RECORD@DOMAINNAME> /mapuser <ServiceAccountName> /pass <ServiceAccountNamePassword> /pType KRB5_NT_PRINCIPAL

If encryption is needed, additional parameters can be appended to the end of the command:

For AES128: append /crypto AES128-SHA1.
For AES256: append /crypto AES256-SHA1.
Refer to Microsoft document ktpass for ktpass command details.

Optional Step: Configure keytab file to contain multiple SPNs.

Pre-condition: an existing keytab file contains one or more SPNs.
To add a SPN for the ServiceAccount into the existing keytab file, run the following command:

ktpass /in <FullPathToOriginalKeytabFile> /out <FullPathToNewKeytabFile> /princ HTTP/<ISVTenantHostName_DNS_A_RECORD@DOMAINNAME> /mapuser <ServiceAccountName> /pass <ServiceAccountNamePassword> /pType KRB5_NT_PRINCIPAL

If /in and /out are the same file, the existing keytab file is overwritten.

Configuring IBM Security Verify tenant URL to Intranet zone using Group Policy Object

Open the Group Policy Management.
Edit the Client Side SCP group policy object that is created in Configure client-side registry setting for SCP.
Select Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
Edit Site to Zone Assignment List.

Enable the policy and click Show under Options.

Enter the IBM Security Verify tenant URL to Value name (the URL shall start with https://), enter 1 to Value.

Save and close. Ensure that the Client Side SCP group policy object is linked to the domain.
This should have already been completed in Configure client-side registry setting for SCP.

Enabling Kerberos authentication for IBM Security Verify Microsoft 365 application (WS-Federation)

Kerberos authentication can be enabled by using either IBM Security Verify WebUI or API.

Refer to Using WebUI to enable Kerberos authentication using WebUI.
Refer to Using API (curl) to enable Kerberos authentication using API.

Using WebUI

If there is an existing Microsoft 365 application (WS-Federation), refer to Update an existing Microsoft 365 application (WS-Federation).
Otherwise, refer to Create new Microsoft 365 application (WS-Federation).

Update an existing Microsoft 365 application (WS-Federation)

Login to the IBM Security Verify Admin portal.
Click Applications.
Find the Microsoft 365 application to update from the list and click the gear icon on the right of the row to change the application settings.
Click the Sign-on tab. Ensure that the Sign-on method is WS-Federation.
At the Upload keytab file section, click Select keytab file and select the keytab file to use.
At the Service principal names section, enter the SPN to use.
If the Federate multiple domains for Microsoft 365 is checked, multiple SPNs can be added.
Note: Ensure that the keytab file contains all the SPNs.
Click Save. The sha256 checksum of the uploaded keytab file is displayed after saving.

Create new Microsoft 365 application (WS-Federation)

Login to the IBM Security Verify Admin portal.
Click Applications.
Click Add application.
Select Microsoft 365 from the Select Application Type list and click Add application.
Fill in the information on General tab.
Click the Sign-on tab and select WS-Federation for Sign-on method. Provider ID and WS-Federation end point of the application are not changed. Ensure that the correct certificate is selected for Signature Certificate.
Select the attribute to be used for Name identifier under SAML subject.
Select the attributes to be used for UPN and ImmutableID under Attribute mappings. Additional attribute mappings can be added here if needed.
Click Select keytab file and select the keytab file to use.
In the Service principal names section, enter the SPN to use.
If Federate multiple domains for Microsoft 365 is checked, multiple SPNs can be added.
Note: make sure the keytab file contains all the SPNs.
Click Save button at the bottom right of the page.
Configure the Access Type at Entitlements tab.
Click Save.

Provisioning on-premises Microsoft Active Directory users into IBM Security Verify

Refer to Active Directory provisioning.

Validating Kerberos authentication by enabling OneDrive Silent Configuration (Optional)

OneDrive silent configure can be used to verify if Kerberos authentication is correctly configured.

For more information, see:

Obtaining the OneDrive Administrative Template and install it to the Windows AD server

Refer to https://docs.microsoft.com/en-us/onedrive/use-group-policy to obtain the OneDrive Administrator Template files, and copy them to the Windows AD server.

Open File Explorer, specify \\<domainName>\SYSVOL\<domainName>\Policies in the address bar.
Right-click and create a folder PolicyDefinitions.

Open PolicyDefinitions folder and copy the OneDrive Administrator Template files into PolicyDefinitions.

Create a en folder under PolicyDefinitions.
Copy OneDrive.adml into the en folder.

Configuring Group Policy Object to Enable OneDrive Silent Configuration

Open the Group Policy Management.
Right-click Group Policy Object and select New.

Name it OneDrive Silent Config.

Edit the OneDrive Silent Config group policy object.

Select Policies > Administrative Templates > OneDrive, change policy Silently sign in users to the OneDrive sync app with their Windows credentials to Enabled.

Save and close.
Link the OneDrive Silent Config group policy object to the domain.

Validating OneDrive Silent Configuration is enabled on a Windows 10 device

Ensure that the Windows 10 device is On-premise Active Directory Domain joined.
A reboot of the Windows 10 device might be required in order to obtain the latest Group Policy from the Windows AD server.
Login the Windows 10 device as a domain user. There is a notification from OneDrive if the Kerberos authentication configure is correct.

The name displayed on the OneDrive notification is the AzureAD tenant name.