Kevin Remde's IT Pro Weblog

What’s New for Active Directory in Server 2012 R2?

What’s New for Active Directory in Server 2012 R2?

  • Comments 10
  • Likes

Active Directory.  You know it.  You love it.  You’ve loved it since it made its introduction back in Windows 2000 Server.  Over 90 percent of the world’s business IT relies on Active Directory for local user and machine management, authentication, policy application, and directory services. 

Contoso.com's ADAnd with every new version of a Windows Server product, we make improvements and add new functionality that either directly impacts Active Directory, or indirectly impacts (read: enables) other new functionality on behalf of your users, applications, and managed resources.  So naturally we couldn’t do a series of “Why Windows Server 2012 R2” articles without discussing it.

If there were an overall theme on top of the updates in Active Directory in Windows Server 2012 R2, I would have to say it’s the new capabilities to support the “Consumerization of IT” and “BYOD”. 

From this TechNet Document:

“One of the most prevalent IT industry trends at the moment is the proliferation of consumer devices in the workplace.  Employees and partners want to access protected corporate data from their personal devices, from checking email to the consumption of advanced business applications.  IT administrators in organizations, while wanting to enable this level of productivity, would like to continue to ensure that they can manage risk and govern the use of corporate resources.”

To support this notion of giving our employees the ability to get their work done from their personal devices, of course there has been new functionality added to Active Directory to support it.  But before I get ahead of myself, why don’t I list out the 4 key value propositions – the main things you get that are new, and enabled by new capabilities in Active Directory:

  1. Workplace Join – Allow a user to associate their personal device with the company directory
  2. Single Sign-On from those devices now associated with the directory, granting them access to corporate data and applications
  3. Securely authenticate for and connect to company applications and data from anywhere (with an Internet connection), and
  4. Manage the risk of those users who work from and access data from anywhere.

NOTE: These each are very big topics in their own right.  So, rather than doing an exhaustive write-up on each one, I’ll summarize the capabilities and benefits here, point out what specifically has changed in Active Directory to support it, and then point you to more complete documentation and user guides for further study if you wish.

Join the Workplace

What is it?

clip_image002As a company employee who has his/her own device, and with the blessing of the company I work for (who is really interested in allowing me to be mobile and productive on whatever device I have), I want to be able to get stuff done.  So I will “join” my device to the “workplace”.

“Isn’t that like joining the domain?”

Yes.  Well, sort of.  But more correctly, NO.  It’s not going to be a domain-joined device in the way that we’ve been managing devices since Windows NT.  In this case, we’re registering the device with the domain so that it (and its owner) will be trusted when requesting and running company-secured applications, accessing company-secured data, or otherwise accessing company-secured resources.  When you join a device to the workplace, it becomes “a known device and will provide seamless second factor authentication and single-sign-on to workplace resources and applications.”  And once the device is “known”, IT can leverage that knowledge to also apply additional configurations (example: pushing company VPN connection settings to the device).

What changed in AD to support it?

The main change here was the addition of the Device Registration Service.  The DRS, which is a new part of the Active Directory Federation (ADFS) role, creates a device object in Active Directory, and tracks the associated device’s certificate in order to represent the device’s identity.  

For more information:

The SSO (Single Sign-On)

What is it?

Here’s a simple scenario: You have a device that you’re using to connect to a company SharePoint server.  You’ve registered your device with the company (“workplace join”), so your device has a certificate that is known to the directory as being yours; an employee in good standing.  Without SSO, you would be prompted for a login with every application or company SharePoint server you try to access.  But with SSO, you will only be asked one time. 

What changed in AD to support it?

In addition to the Device Registration Service, the Active Directory Federation (ADFS) role allows claims-based authentication to occur based on trusted certificates.  Once the user is authenticated (username + password + trusted device + other factors as needed), the claim then is trusted and, while valid, can be used to launch company applications or access company data. 

For more information:

Authentication of users “Anywhere-and-on-Any-Device”

What is it?

Well.. it’s not just enough to be able to sign in once on my non-domain-joined, personal device.  I also want to be able to use it from anywhere.  With nothing more than an internet connection, I should be able to have authenticated, secured access to my company applications data; whether they’re hosted in public cloud locations or on the private corporate network.

What changed in AD to support it?

Web Application Proxy Topology

The Web Application Proxy is a new role service; a new part of the Remote Access role.   Web Application Proxy “provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network. Web Application Proxy preauthenticates access to web applications using Active Directory Federation Services (AD FS), and also functions as an AD FS proxy.“

So, now armed with SSO (facilitated through ADFS), the authenticated user + device can access applications on the corporate network without having to use a VPN connection

For more information:

Trusting your “Anywhere-and-on-Any-Device” Users

What is it?

In the end, who are we really trusting?  We have users who have user accounts with passwords in Active Directory.  They also registered their device in Active Directory so that we know we can trust it, and the user.  Hmm.. that’s two things that we’re trusting.  Is this what we might call “second factor authentication”?

Yep.

What changed in AD to support it?

ADFS in Windows Server 2012 R2 supports more than just the permitted (or denied) user in ADFS claims.  We’ve added “multiple factors”, including user, device, location, and authentication data.  Authorization claim rules have a greater variety of claim types. 

”in AD FS in Windows Server® 2012 R2, you can enforce multi-factor access control based on user identity or group membership, network location, and device (whether it is workplace joined)”

For more information:

Summary

The idea here is that Microsoft has expanded Active Directory in Windows Server 2012 R2 to support tracking devices that are “registered” (not joined) to the domain.  With those trusted devices we have further technology to grant authenticated access to our trusted users; even using multiple forms of information (multifactor authentication) to grant secured access to applications and data.  We allow users to sign-in one time and continue to have access to multiple apps and resources, from wherever they are (thank you ADFS).  And we even have a Web Application Proxy to allow that trusted access directly to internal resources as well.

---

Here are some other topics relating to “What’s New” in Windows Server 2012 R2 and Active Directory:

And of course, if you haven’t had a chance to try it out, you can download the evaluation of Windows Server 2012 R2 HERE.

---

What do you think?  Is Microsoft doing the right thing to add support in Active Directory and supporting technologies to allow any user, any device, from anywhere to be able to get work done?  Please add to the comments if you have an opinion, a question, or any sort of off-the-wall comment.

  • Good to see your valuable post here, I would like to cross check how the user's device is going to connect to Web Application Proxy ..? Is the Web Application Proxy is the separate role and need to deploy on a separate box either in DMZ or at gateway of any organization which serve the functionality to connect the BYOD devices with multifactor auth..is it acting like other reverse proxy ISA/TMG for any webmail application..

  • Yea am loving it :)

  • Rajeev - Yes, the Web Application Proxy is acting as a reverse proxy which can also serve as your ADFS proxy.  For more information, check read this overview: technet.microsoft.com/.../dn280944.aspx

  • I have to admit I am very impressed with what Microsoft has done witn Windows Server 2012. All the management apps are great!

  • Awesome sauce!

  • You have no idea how much I wish the consumerization of IT would go the way of Blackberry. I work in healthcare and this makes management a nightmare. Nothing we run would support using the proxy solution, but the idea of registering devices is interesting.

  • Great overview Kevin.  The one question that comes to mind is how do we manage and mitigate the risk associated with the personal devices that are connecting to corporate applications and data?   If a personal device is infected with Malware and other viruses, what is being done to protect the corporate environment to ensure the corporate credentials are not being compromised.

  • Hey Charles!  :)

    That's a great question. (read: "I don't know the answer or how that's addressed"). I'm going to ask around; but I have to imagine there is protection there. I'll get back to you.

  • Seems overly complicated, 3rd party solutions seem to solve this much more elegantly. Why build a full-blown ADFS solution just to manage a couple of mobile phones. Also exchange and sharepoint can support 3rd party devices out of the box. And there a a ton of dependencies to take care of before you can implement this.

Blog - Post Feedback Form(CAPTCHA)
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment