What’s New for Active Directory in Server 2012 R2?

Active Directory.  You know it.  You love it.  You’ve loved it since it made its introduction back in Windows 2000 Server.  Over 90 percent of the world’s business IT relies on Active Directory for local user and machine management, authentication, policy application, and directory services.

And with every new version of a Windows Server product, we make improvements and add new functionality that either directly impacts Active Directory, or indirectly impacts (read: enables) other new functionality on behalf of your users, applications, and managed resources.  So naturally we couldn’t do a series of “Why Windows Server 2012 R2” articles without discussing it.

If there were an overall theme on top of the updates in Active Directory in Windows Server 2012 R2, I would have to say it’s the new capabilities to support the “Consumerization of IT” and “BYOD”. 

From this TechNet Document:

“One of the most prevalent IT industry trends at the moment is the proliferation of consumer devices in the workplace.  Employees and partners want to access protected corporate data from their personal devices, from checking email to the consumption of advanced business applications.  IT administrators in organizations, while wanting to enable this level of productivity, would like to continue to ensure that they can manage risk and govern the use of corporate resources.”

To support this notion of giving our employees the ability to get their work done from their personal devices, of course there has been new functionality added to Active Directory to support it.  But before I get ahead of myself, why don’t I list out the 4 key value propositions – the main things you get that are new, and enabled by new capabilities in Active Directory:

  1. Workplace Join – Allow a user to associate their personal device with the company directory
  2. Single Sign-On from those devices now associated with the directory, granting them access to corporate data and applications
  3. Securely authenticate for and connect to company applications and data from anywhere (with an Internet connection), and
  4. Manage the risk of those users who work from and access data from anywhere.

NOTE: These each are very big topics in their own right.  So, rather than doing an exhaustive write-up on each one, I’ll summarize the capabilities and benefits here, point out what specifically has changed in Active Directory to support it, and then point you to more complete documentation and user guides for further study if you wish.

Join the Workplace

What is it?

As a company employee who has his/her own device, and with the blessing of the company I work for (who is really interested in allowing me to be mobile and productive on whatever device I have), I want to be able to get stuff done.  So I will “join” my device to the “workplace”.

“Isn’t that like joining the domain?”

Yes.  Well, sort of.  But more correctly, NO.  It’s not going to be a domain-joined device in the way that we’ve been managing devices since Windows NT.  In this case, we’re registering the device with the domain so that it (and its owner) will be trusted when requesting and running company-secured applications, accessing company-secured data, or otherwise accessing company-secured resources.  When you join a device to the workplace, it becomes “a known device and will provide seamless second factor authentication and single-sign-on to workplace resources and applications.”  And once the device is “known”, IT can leverage that knowledge to also apply additional configurations (example: pushing company VPN connection settings to the device).

What changed in AD to support it?

The main change here was the addition of the Device Registration Service (DRS).  The DRS, which is a new part of the Active Directory Federation Services (AD FS) role, creates a device object in Active Directory and tracks the associated device’s certificate in order to represent the device’s identity.
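As an added example (not from the original post or from Microsoft’s documentation), here is the check an administrator would run once DRS is in place: list the device objects it has created in AD and flag registrations that have gone quiet. It assumes DRS stores the objects under CN=RegisteredDevices with objectClass msDS-Device and stamps msDS-IsEnabled and msDS-ApproximateLastLogonTimeStamp on them; adjust the attribute names if your schema differs.

```powershell
# Added example: inventory the device objects created by the Device Registration Service.
# Assumption: objects live under CN=RegisteredDevices as objectClass msDS-Device and carry
# msDS-IsEnabled plus msDS-ApproximateLastLogonTimeStamp (a FILETIME large integer).
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
$searchBase = "CN=RegisteredDevices,$domainDn"
$staleDays  = 90                                   # registrations unused this long deserve review
$cutoff     = (Get-Date).ToUniversalTime().AddDays(-$staleDays)

$devices = Get-ADObject -SearchBase $searchBase -Filter 'objectClass -eq "msDS-Device"' `
    -Properties displayName, whenCreated, msDS-IsEnabled, msDS-ApproximateLastLogonTimeStamp

$report = foreach ($d in $devices) {
    $lastLogon = $null
    if ($d.'msDS-ApproximateLastLogonTimeStamp') {
        $lastLogon = [DateTime]::FromFileTimeUtc([int64]$d.'msDS-ApproximateLastLogonTimeStamp')
    }
    # Stale = never used and registered before the cutoff, or last used before the cutoff.
    $stale = if ($lastLogon) { $lastLogon -lt $cutoff } else { $d.whenCreated.ToUniversalTime() -lt $cutoff }

    [pscustomobject]@{
        Device     = $d.displayName
        Enabled    = $d.'msDS-IsEnabled'
        Registered = $d.whenCreated
        LastLogon  = $lastLogon
        Stale      = $stale
    }
}

# Stale or disabled registrations still represent a "known device" to AD FS; review and remove them.
$report | Sort-Object LastLogon | Format-Table -AutoSize
```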

For more information:

The SSO (Single Sign-On)

What is it?

Here’s a simple scenario: You have a device that you’re using to connect to a company SharePoint server.  You’ve registered your device with the company (“workplace join”), so your device has a certificate that is known to the directory as being yours, an employee in good standing.  Without SSO, you would be prompted for a login with every application or company SharePoint server you try to access.  But with SSO, you will only be asked one time.

What changed in AD to support it?

In addition to the Device Registration Service, the Active Directory Federation Services (AD FS) role allows claims-based authentication to occur based on trusted certificates.  Once the user is authenticated (username + password + trusted device + other factors as needed), the resulting claim is trusted and, while valid, can be used to launch company applications or access company data.

For more information:

Authentication of users “Anywhere-and-on-Any-Device”

What is it?

Well.. it’s not enough just to be able to sign in once on my non-domain-joined, personal device.  I also want to be able to use it from anywhere.  With nothing more than an internet connection, I should be able to have authenticated, secured access to my company applications and data, whether they’re hosted in public cloud locations or on the private corporate network.

What changed in AD to support it?

Web Application Proxy Topology

The Web Application Proxy is a new role service; a new part of the Remote Access role.  Web Application Proxy “provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network. Web Application Proxy preauthenticates access to web applications using Active Directory Federation Services (AD FS), and also functions as an AD FS proxy.”

So, now armed with SSO (facilitated through AD FS), the authenticated user + device can access applications on the corporate network without having to use a VPN connection.

For more information:

Trusting your “Anywhere-and-on-Any-Device” Users

What is it?

In the end, who are we really trusting?  We have users who have user accounts with passwords in Active Directory.  They also registered their device in Active Directory so that we know we can trust it, and the user.  Hmm.. that’s two things that we’re trusting.  Is this what we might call “second factor authentication”?

Yep.

What changed in AD to support it?

ADFS in Windows Server 2012 R2 supports more than just the permitted (or denied) user in ADFS claims.  We’ve added “multiple factors”, including user, device, location, and authentication data.  Authorization claim rules have a greater variety of claim types. 

“In AD FS in Windows Server® 2012 R2, you can enforce multi-factor access control based on user identity or group membership, network location, and device (whether it is workplace joined).”
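As an added example (not from the original post or from Microsoft’s documentation), this is what the quotation looks like in practice: the AD FS claim rule language and the AD FS PowerShell cmdlets in Windows Server 2012 R2 used to require a second factor for requests from outside the network on a device that is not workplace joined, and to restrict token issuance to one group. The relying party name and the group SID are placeholders.

```powershell
# Added example: multi-factor access control for one relying party in AD FS (Windows Server 2012 R2).
# "Contoso Claims App" and the group SID are placeholders; replace with your own values.
$rpName = "Contoso Claims App"

# Additional-authentication rule: if the device is NOT workplace joined (isregistereduser != true)
# AND the request comes from outside the corporate network, demand a second factor (multipleauthn)
# before a token is issued. Workplace-joined devices inside the network pass through with SSO.
$additionalAuthRules = @'
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 && EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Issuance-authorization rule: only members of one AD group get a token for this application.
# With no matching permit rule, AD FS denies, so every other user is refused regardless of device.
$issuanceAuthRules = @'
@RuleName = "Permit Finance group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AdditionalAuthenticationRules $additionalAuthRules `
    -IssuanceAuthorizationRules $issuanceAuthRules

# Verify what AD FS stored: an empty AdditionalAuthenticationRules means no second factor is enforced.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```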

For more information:

Summary

The idea here is that Microsoft has expanded Active Directory in Windows Server 2012 R2 to support tracking devices that are “registered” (not joined) to the domain.  With those trusted devices we have further technology to grant authenticated access to our trusted users, even using multiple forms of information (multifactor authentication) to grant secured access to applications and data.  We allow users to sign in one time and continue to have access to multiple apps and resources, from wherever they are (thank you AD FS).  And we even have a Web Application Proxy to allow that trusted access directly to internal resources as well.

Here are some other topics relating to “What’s New” in Windows Server 2012 R2 and Active Directory:

And of course, if you haven’t had a chance to try it out, you can download the evaluation of Windows Server 2012 R2 HERE.

What do you think?  Is Microsoft doing the right thing to add support in Active Directory and supporting technologies to allow any user, any device, from anywhere to be able to get work done?  Please add to the comments if you have an opinion, a question, or any sort of off-the-wall comment.

10 thoughts on “What’s New for Active Directory in Server 2012 R2?”

  1. Good to see your valuable post here. I would like to cross check how the user's device is going to connect to Web Application Proxy. Is the Web Application Proxy a separate role that needs to be deployed on a separate box, either in the DMZ or at the gateway of an organization, which serves the functionality to connect the BYOD devices with multifactor auth? Is it acting like other reverse proxies, ISA/TMG, for any webmail application?


  2. I have to admit I am very impressed with what Microsoft has done with Windows Server 2012. All the management apps are great!


  3. You have no idea how much I wish the consumerization of IT would go the way of Blackberry. I work in healthcare and this makes management a nightmare. Nothing we run would support using the proxy solution, but the idea of registering devices is interesting.


  4. Great overview Kevin.  The one question that comes to mind is how do we manage and mitigate the risk associated with the personal devices that are connecting to corporate applications and data?  If a personal device is infected with malware and other viruses, what is being done to protect the corporate environment to ensure the corporate credentials are not being compromised?


  5. Hey Charles!  🙂
    That's a great question. (read: "I don't know the answer or how that's addressed"). I'm going to ask around; but I have to imagine there is protection there. I'll get back to you.


  6. Seems overly complicated; 3rd party solutions seem to solve this much more elegantly. Why build a full-blown ADFS solution just to manage a couple of mobile phones? Also, Exchange and SharePoint can support 3rd party devices out of the box. And there are a ton of dependencies to take care of before you can implement this.

