To continue my series about Windows Azure Pack, we will take a look today to WAP and Azure Active Directory Authentication. Out of the box, the WAP user management feature is not linked to Active Directory and is using his own user directory/repository. Then you have to manually create and manage your WAP accounts, there is no sync with your Active Directory.
Now the main goal of WAP is to be multitenant and the way to make it possible is to use Microsoft Active Directory Federation Services (ADFS). WAP and ADFS have been covered by Marc Van Eijk:
If you don’t want to install and maintain ADFS, there is an another solution… Azure Active Directory. It’s this topic that I’ll cover in the following series. In my lab, I don’t want to setup an ADFS infrastructure right now, but I want to be able to use my on premise Active Directory Credentials to authenticate to my Windows Azure Pack Portal. The idea is the following:
- Part 1 – Setup a synchronisation between my on premise Active Directory and Windows Microsoft Azure Directory
- Part 2 – Configure Azure Directory as an Identity Provider
- Part 3 – Configure Windows Azure Pack to use Azure Directory
Sync between AD and Azure AD
To use Azure Active Directory, we will need to have an Internet Domain Name available that our users will use to authenticate. Ideally, this Internet Domain Name should match with your Active Directory Domain Name, but this is not mandatory. (See at the end of the post) In my lab, my Active Directory domain name is VNEXTLAB.BE and I’m also owning the VNEXTLAB.BE Internet Domain Name. Thanks to that, I’ll use the same user id ( firstname.lastname@example.org) and password to authentication to Active Directory Domain and my WAP portal.
Now, we need to configure the Internet Domain Name to Azure Active Directory. For that, go to https://manage.windowsazure.com, select Active Director in the service list and finally click on the Directory Name.
Click on the DOMAINS item in the top menu.
Finally, click on the ADD button at the bottom of the page.
We have now to fill in the Internet Domain Name that we will use, in my case VNEXTLAB.BE and click on ADD.
Then Microsoft will ask for a Domain Verification to ensure that we are really owning the domain name that we want to use. This will simply ask us to create a custom DNS record that Azure will check
After a few hours, our domain will be validated and ready to use.
Now, We need to go enable the integration between this new configured domain and Active Directory. For that, simply click on DIRECTORY INTEGRATION at the top of the page, and select ACTIVATED and finally click on the SAVE button at the bottom of the page.
It’s now time to Sync our AD users and passwords (hash) to Windows Azure Directory. For that, we will use the application Windows Azure Active Directory Sync Tool available at the following address: http://go.microsoft.com/fwlink/?LinkID=278924
In my lab, I decided to install this application directly on my domain controller, but you could install it to any computer on your domain.
When download, we start the installation as Administrator.
Simply click on Next.
Accept the Terms.
Specify the installation path.
My recommendation is now to do a sign out/in, when done, we could start the configuration Wizard (A shortcut is available directly on the Desktop). Click on Next.
We need to provide our Microsoft Azure Credentials.
And also our Windows Active Directory Credentials.
Ensure that the box is not check as we don’t need this feature.
There we need to check the box ENABLE PASSWORD SYNC. (FYI, I will not cover the security question in this blog, there is enough subject about it on internet)
The installation is now complete.
We could directly start the Synchronization process.
In the EventLog, we could see that the Sync started.
We could now sign in again to Azure to ensure that our on premise Active Directory account has been well synced.
Now, if you Internet Domain Name is not the same than the one that you are using to your Active Directory, there is 2 solutions:
- Add a new user domain name suffix to all your users. (I don’t think that’s the best idea)
- Change the domain name used by default by Azure Directory to the one we just added. For that, go to DOMAINS, select the domain and click on the CHANGE PRIMARY button.
We now have a sync in place between our on premise Active Directory and Microsoft Azure Active Directory. J
This is ending the first part on this blog series on Windows Azure Pack and Active Directory Authentication.