Tuesday, June 4, 2013

DirSync Password Synchronization

The latest version of the Windows Azure Active Directory (WAAD) Sync Tool, also known as DirSync, has just been released.

Besides supporting Windows Server 2012, this new version provides the much anticipated Password Sync feature, which enables users to log into their Azure Active Directory services (such as Office 365, InTune, CRM Online, etc.) using the same password as they use to log into their on-premises network.

However, this should not be seen as a replacement for ADFS. Rather, it is an alternative for organizations that find it sufficient to have users using the same password in Office 365 as in the on-premises Active Directory. ADFS provides many other features that this tool does not, one of them being Single-Sign On (SSO) where users only need to authenticate once when they are logged on to a domain-joined client machine. With this new tool, and without ADFS, users will get prompted for credentials when accessing Office 365 resources even if they are on a domain-joined machine. The advantage is that the username and passwords are the same, and when users update their credentials on Active Directory, the password will get synchronized to WAAD. This tool does not provide SSO because there is no token sharing/exchange in the Password Sync based process.

How Password Sync Works
The Active Directory Domain Service stores passwords in form of a hash value representation of the actual user password. The Password hash cannot be used to login to an on-premises network and it is also designed so that it cannot be reversed in order to gain access to the user’s plaintext password. To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to the Azure Active Directory Authentication service. The actual data flow of the password synchronization process is similar to the synchronization of user data such as DisplayName or Email Addresses.

Passwords are synchronized more frequently than the standard Directory Sync window for other attributes. Passwords are synchronized on a per-user basis and are generally synchronized in chronological order. When a user’s password is synchronized from the on-premises AD to the cloud, the existing cloud password will be overwritten.

When the Password Sync feature is first enables in DirSync, it will perform an initial synchronization of the passwords of all in-scope users from the on-premises Active Directory to Azure Active Directory. You cannot explicitly define the set of users that will have their passwords synchronized to the cloud. Subsequently, when an on-premises user changes their password, the Password Sync feature will detect and synchronize the changed password, most often in a matter of minutes. The Password Sync feature will automatically retry failed user password syncs. If an error occurs during an attempt to synchronize a password the error is logged in event viewer.

The synchronization of a password has no impact on currently logged on users. If a user that is logged into a cloud service also changes their on-premise password, the cloud service session will continue uninterrupted. As soon as the cloud service session expires, the user has to re-authenticate using the new password.

Security Considerations
When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services. Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer's on-premises environment.

Password Policy Considerations
There are 2 types of password policies that are affected by enabling password sync:

  • Password Complexity Policy: when you enable password sync, the password complexity policies configured in the on-premises Active Directory override any complexity policies that may be defined in the cloud for synchronized users;
  • Password Expiration Policy: if a user is in the scope of the password sync feature, the cloud account password is set to "Never Expire". This means that it is possible for a user's password to expire in the on-premises environment, but they can continue to log into cloud services using this expired password. The cloud password will be updated the next time the user changes the password in the on-premises environment.

Enabling Password Sync
Password Sync is enabled when running the Directory Sync tool Configuration Wizard. When prompted by the Wizard, select the “Enable Password Sync” checkbox. This process will trigger a full synchronization which generally takes longer than other sync cycles to complete.

NOTE: DirSync is supported on Windows Server 2008 SP1 and higher. However, the Password Sync feature will not function correctly if DirSync is installed on an OS older than Windows Server 2008 R2 SP1 (Windows Server 2008 R2 SP1 itself is supported).
The new version of DirSync (v1.0.6385.0012) can be downloaded from your respective Office 365 Admin portal or from here.

No comments:

Post a Comment