Hybrid Azure AD Join
Introduction
This document provides instructions on how to configure Hybrid Azure AD join by using IBM® Security Verify as the Identity Provider.
The following Prerequisites must be met before configuration:
- Azure AD with administrator access.
- Windows AD server e.g. Windows Server 2019 Datacenter edition, installed with Azure AD Connect.
- Windows 10 device domain joined to Windows AD domain.
- Windows device with Powershell and Microsoft Online Services Module installed.
- IBM Security Verify domain with administrator access.
Complete the following tasks:
- Azure Active Directory
- Configure a federated Azure AD Domain.
- On-premise Microsoft® Active Directory
- Setup the On-premise Active Directory.
- Setup Azure AD Connect.
- Enable Kerberos Authentication.
- IBM Security Verify
- Configure Microsoft 365 application (WS-Federation).
Configure a federated Azure AD domain
Refer to the Microsoft 365 WS-Federation single sign-on (SSO) configure
guide with the following steps:
- Open IBM Security Verify Admin portal.
- Click
Applications
. - Create a new Microsoft 365 application or select an existing Microsoft 365 application.
- Click the
Sign-on
tab, and selectWS-Federation
as the Sign-on method.
The guide is displayed on the right panel.
Configure On-premise Active Directory
Note: The following instructions are based on a fresh installed Windows Server 2019 Datacenter edition with the latest updates installed.
Add Active Directory Role to Windows Server
- From the
Server Manager
, clickManage
and selectAdd Roles and Features
from dropdown to launchAdd Roles and Features Wizard
.
- In the
Add Roles and Features Wizard
, clickNext
. - In the
Select server Roles
window, select theActive Directory Domain Services
checkbox and clickAdd Features
in the pop-up window.
- In the
Select features
window, clickNext
. - In the
Confirmation
page, clickInstall
.
- After the installation is complete, close the
Add Roles and Features Wizard
.
Configure Active Directory
- From the
Server Manager
, click the notification icon and selectPromote this server to a domain controller
.
- In the
Active Directory Domain Services Configuration Wizard
, underDeployment Configuration
, selectAdd a new forest
and specify the domain name.
The domain name is the one that is used in Configure a federated Azure AD domain.
3. In the Domain Controller Options
window, use the default options and specify a Directory Service Restore Mode (DSRM)
password. Click Next to proceed.
- In the
Additional Options
window, change the NetBIOS domain name if necessary.
- Click
Next
for the rest of the windows. - In the
Installation
window, clickInstall
. The Windows Server restarts automatically after the installation is completed. If it does not restart automatically, restart it manually.
Test join to the On-premise Active Directory from a Windows 10 device (Optional)
Creating a new domain user for domain join
- From
Administrative Tools
, openActive Directory Users and Computers
and expand your domain. - Right-click
Users
and selectNew
>User
.
- Specify the required information to create the user.
Join the Windows Domain
Note:
- Windows 10 Home Edition does not support domain join, use Windows 10 Professional or Enterprise or Educational edition.
- The Windows AD configured in Configure On-premise Active Directory must be used as a DNS of Windows 10 device. Change the Windows 10 device network configure accordingly.
-
Sign in to the Windows 10 device.
-
Open
Settings
, selectAccounts
>Access work or school
. -
Click
Connect
. -
Select
Join this device to a local Active Directory domain
.-
Enter the Domain name you have configured in Configure AD.
-
Enter the credentials from Create a new domain user for domain join and click
OK
. -
Click
Next
orSkip
-
Click
Restart now
.
-
-
Verify that the Windows 10 device is part of the domain after restarting.
-
The following screen appears after restarting. The domain name is the NetBIOS domain name.
-
Ensure that the sign in to Windows with the domain user is successful.
-
Installing and Configuring Azure AD Connect on the On-premise Active Directory
Installing Azure AD Connect
- Download the Azure AD Connect installer from https://www.microsoft.com/en-us/download/details.aspx?id=47594.
- Double-click the installer to start the installation.
- In the Welcome window, agree to the license terms and privacy notice.
- Click
Continue
.
- In the
Express Settings
window, clickCustomize
.
- In the
Required Components
window, clickInstall
without selecting any options.
-
Wait for the installation of the optional components to complete.
-
Configure Azure AD Connect:
-
In the
User Sign-in
window, selectDo not configure
. -
In the
Connect to Azure AD
window, specify your AAD Admin login credential. -
Click
Sync
>Connect Directories
, select the On-premise Active Directory domain name for the FOREST, and clickAdd Directory
. -
Select
Create new AD account
and specify the On-premise Active Directory domain Admin (The Windows AD Server administrator user) credential at the popup windows.
-
-
Do not change the remaining options and click
Next
for the rest of the pages. -
Click
Install
.
Configuring Azure AD Connect for hybrid Azure AD join
- Launch Azure AD Connect by double-clicking the desktop icon.
- In the
Welcome
window, clickConfigure
.
- In the
Tasks
window, selectConfigure device options
and clickNext
.
- In the
Overview
window, clickNext
. - In the
Connect to Azure AD
page, enter the AzureAD Admin credential. - In the
Device options
window, selectConfigure Hybrid Azure AD join
and clickNext
.
- In the
Device systems
window, select both options and clickNext
.
- In the
SCP
window, select the checkbox next to the domain name. - Select the IBM Security Verify tenant name for
Authentication Service
and clickAdd
. - Specify the On-premise Active Directory domain Admin (The Windows AD Server administrator user) credential and click
Next
.
- Click
Next
for the rest of the pages and clickConfigure
. - Click
Exit
after the configuration is completed.
Configuring Controlled validation of hybrid Azure AD join
Refer to this Microsoft document Controlled validation of hybrid Azure AD join.
Clearing the SCP from AD
Configuring client-side registry setting for SCP
See Configure client-side registry setting for SCP.
Skip the remaining part of this Microsoft document Controlled validation of hybrid Azure AD join.
Validating Hybrid Azure AD Join on an On-premise Active Directory domain joined Windows 10 device (Optional)
Join to the On-premise Active Directory Domain
Refer to Test join to the On-premise Active Directory from a Windows 10 device (Optional) section to join a Windows 10 device to local AD domain.
Wait for the Windows 10 device status become Hybrid Azure AD Joined
It can take up to 30 minutes to synchronize the newly On-premise Active Directory Domain joined Windows 10 device to Azure AD.
It might take another 30 minutes or more for the device to complete Hybrid Azure AD join after it is synchronized to Azure AD.
Note: Try rebooting the Windows 10 device and sign-in again if Hybrid Azure AD join is not fully completed after a long time.
-
Check Windows 10 device Hybrid AAD join status by using command line
dsregcmd /status
on the Windows 10 device:-
After On-premise Active Directory Domain join, before Hybrid Azure AD join is fully completed, the device state is:
AzureADJoined: NO
DomainJoined: YES -
After Hybrid Azure AD join is fully completed, the device state is:
AzureADJoined: YES
DomainJoined: YES
-
-
Check Windows 10 device Hybrid Azure AD join status in the Azure portal:
After the On-premise Active Directory Domain joined device is synchronized to AAD, the device appears inAzure portal
-Azure Active Directory
-Devices
.-
Before Hybrid Azure AD join is fully completed, the device state
Registered
column isPending
. -
After Hybrid Azure AD join is fully completed, the device state
Registered
column is date and time on which Hybrid AAD join is fully completed.
-
Configuring Service Principal Name (SPN) and Keytab file to enable Kerberos Authentication
Creating a Service Account User on Windows AD Server
Refer to Create a new domain user for domain join section on how to create a new domain user.
When you are creating a password for the service account, uncheck User must change password at next logon
and check Password never expires
.
Enabling Kerberos AES encryption for the Service Account User (Optional)
- Right-click the newly created Service Account User and select
Properties
. - On the
Account
tab, inAccount options
selectThis account supports Kerberos AES 128 bit encryption.
and/orThis account supports Kerberos AES 256 bit encryption.
- Click
OK
to save the change.
Finding out the DNS A record of the IBM Security Verify tenant hostname
The DNS A record of the IBM Security Verify tenant hostname must be used to configure the Service Principal Name (SPN) and create the Kerberos keytab file.
Refer to Linux / MacOS or Windows to find out the DNS A record.
Linux / MacOS
- Open terminal and execute the following command:
dig <ISVTenentHostName>
- From the output, under the
;; ANSWER SECTION:
section, there are lines in this format<FQDN>. 4 IN A <IP>
, where the<FQDN>
is the DNS A record for the IBM Security Verify tenant hostname.
Note: Remove the '.' (dot) at the end of the DNS A record.
Windows
- Open PowerShell and execute the following command:
nslookup <ISVTenentHostName>.
Note: In the command line, a '.' (dot) must be appended after the IBM Security Verify Tenant Hostname without space. - From the output, under
Non-authoritative answer:
, there is a line starts withName:
, the value afterName:
is the DNS A record for the IBM Security Verify tenant hostname.
Configuring Service Principal Name (SPN)
Open PowerShell and execute the following command to configure an SPN for the service account.
The SPN must be set to ISV WSFed app configure.
setspn -S HTTP/<ISVTenantHostName_DNS_A_RECORD> <ServiceAccountName>
(Optional) Verify the Service Account has the required servicePrincipalName attribute with a valid value. Enter the following command:
setspn -L <ServiceAccountName>
6.4 Configuring the Keytab file
Open a PowerShell console, and run the following command to configure the Keytab file.
The Keytab file is the must be uploaded to ISV WSFed app configure.
NOTE: Use uppercase for DOMAINNAME
.
ktpass /out <FullPathToKeytabFile> /princ HTTP/<ISVTenantHostName_DNS_A_RECORD@DOMAINNAME> /mapuser <ServiceAccountName> /pass <ServiceAccountNamePassword> /pType KRB5_NT_PRINCIPAL
If encryption is needed, additional parameters can be appended to the end of the command:
- For AES128: append
/crypto AES128-SHA1
. - For AES256: append
/crypto AES256-SHA1
.
Refer to Microsoft document ktpass forktpass
command details.
Optional Step: Configure keytab file to contain multiple SPNs.
Pre-condition: an existing keytab file contains one or more SPNs.
To add a SPN for the ServiceAccount into the existing keytab file, run the following command:
ktpass /in <FullPathToOriginalKeytabFile> /out <FullPathToNewKeytabFile> /princ HTTP/<ISVTenantHostName_DNS_A_RECORD@DOMAINNAME> /mapuser <ServiceAccountName> /pass <ServiceAccountNamePassword> /pType KRB5_NT_PRINCIPAL
If /in and /out are the same file, the existing keytab file is overwritten.
Configuring IBM Security Verify tenant URL to Intranet zone using Group Policy Object
-
Open the
Group Policy Management
. -
Edit the
Client Side SCP
group policy object that is created in Configure client-side registry setting for SCP. -
Select
Policies
>Administrative Templates
>Windows Components
>Internet Explorer
>Internet Control Panel
>Security Page
. -
Edit
Site to Zone Assignment List
.
- Enable the policy and click
Show
underOptions
.
- Enter the IBM Security Verify tenant URL to
Value name
(the URL shall start withhttps://
), enter 1 toValue
.
- Save and close. Ensure that the
Client Side SCP
group policy object is linked to the domain.
This should have already been completed in Configure client-side registry setting for SCP.
Enabling Kerberos authentication for IBM Security Verify Microsoft 365 application (WS-Federation)
Kerberos authentication can be enabled by using either IBM Security Verify WebUI or API.
- Refer to Using WebUI to enable Kerberos authentication using WebUI.
- Refer to Using API (curl) to enable Kerberos authentication using API.
Using WebUI
If there is an existing Microsoft 365 application (WS-Federation), refer to Update an existing Microsoft 365 application (WS-Federation).
Otherwise, refer to Create new Microsoft 365 application (WS-Federation).
Update an existing Microsoft 365 application (WS-Federation)
- Login to the IBM Security Verify Admin portal.
- Click
Applications
. - Find the Microsoft 365 application to update from the list and click the gear icon on the right of the row to change the application settings.
- Click the
Sign-on
tab. Ensure that theSign-on method
isWS-Federation
. - At the
Upload keytab file
section, clickSelect keytab file
and select the keytab file to use. - At the
Service principal names
section, enter the SPN to use. - If the
Federate multiple domains for Microsoft 365
is checked, multiple SPNs can be added.
Note: Ensure that the keytab file contains all the SPNs. - Click
Save
. The sha256 checksum of the uploaded keytab file is displayed after saving.
Create new Microsoft 365 application (WS-Federation)
- Login to the IBM Security Verify Admin portal.
- Click
Applications
. - Click
Add application
. - Select
Microsoft 365
from theSelect Application Type
list and clickAdd application
. - Fill in the information on
General
tab. - Click the
Sign-on
tab and selectWS-Federation
forSign-on method
.Provider ID
andWS-Federation end point of the application
are not changed. Ensure that the correct certificate is selected forSignature Certificate
. - Select the attribute to be used for
Name identifier
underSAML subject
. - Select the attributes to be used for
UPN
andImmutableID
underAttribute mappings
. Additional attribute mappings can be added here if needed. - Click
Select keytab file
and select the keytab file to use. - In the
Service principal names
section, enter the SPN to use. - If
Federate multiple domains for Microsoft 365
is checked, multiple SPNs can be added.
Note: make sure the keytab file contains all the SPNs. - Click
Save
button at the bottom right of the page. - Configure the
Access Type
atEntitlements
tab. - Click
Save
.
Provisioning on-premises Microsoft Active Directory users into IBM Security Verify
Refer to Active Directory provisioning.
Validating Kerberos authentication by enabling OneDrive Silent Configuration (Optional)
OneDrive silent configure can be used to verify if Kerberos authentication is correctly configured.
For more information, see:
- https://docs.microsoft.com/en-us/onedrive/use-group-policy
- https://docs.microsoft.com/en-us/onedrive/use-group-policy#silently-sign-in-users-to-the-onedrive-sync-app-with-their-windows-credentials
Obtaining the OneDrive Administrative Template and install it to the Windows AD server
Refer to https://docs.microsoft.com/en-us/onedrive/use-group-policy to obtain the OneDrive Administrator Template files, and copy them to the Windows AD server.
- Open File Explorer, specify
\\<domainName>\SYSVOL\<domainName>\Policies
in the address bar. - Right-click and create a folder
PolicyDefinitions
.
- Open
PolicyDefinitions
folder and copy the OneDrive Administrator Template files intoPolicyDefinitions
.
- Create a
en
folder underPolicyDefinitions
. - Copy
OneDrive.adml
into theen
folder.
Configuring Group Policy Object to Enable OneDrive Silent Configuration
- Open the
Group Policy Management
. - Right-click
Group Policy Object
and selectNew
.
- Name it
OneDrive Silent Config
.
- Edit the
OneDrive Silent Config
group policy object.
- Select
Policies
>Administrative Templates
>OneDrive
, change policySilently sign in users to the OneDrive sync app with their Windows credentials
toEnabled
.
- Save and close.
- Link the
OneDrive Silent Config
group policy object to the domain.
Validating OneDrive Silent Configuration is enabled on a Windows 10 device
Ensure that the Windows 10 device is On-premise Active Directory Domain joined.
A reboot of the Windows 10 device might be required in order to obtain the latest Group Policy from the Windows AD server.
Login the Windows 10 device as a domain user. There is a notification from OneDrive if the Kerberos authentication configure is correct.
The name displayed on the OneDrive notification is the AzureAD tenant name.
Updated 7 months ago