Mastering Identity and Access Management with Microsoft Azure

Test and verify your new Azure AD Domain Services

To test the Domain Services, we complete the following tasks:

  1. Install a virtual Windows Server in your Azure IaaS environment and join it to the managed domain by using the deployment template (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-join-windows-vm-template):
     [Figure: VM deployment configuration]
  2. Install the administrative tools for Active Directory and DNS on the newly joined server:
     Install-WindowsFeature RSAT-ADDS,DNS-Server-Tools
  3. Connect to Active Directory Users and Computers (dsa.msc) and the Group Policy Management console to verify your configuration:
     [Figure: Azure AD Domain Services structure including synchronized objects]
  4. Next, we need to create a DNS HOST (A) record for our test application.
  5. Now, we can install a basic IIS configuration that handles the Kerberos part. For this, you need to install the IIS components, choose the Windows Authentication feature, and activate it on the default website. Only Windows Authentication needs to be activated:
     [Figure: IIS Authentication configuration for Kerberos example application]
  6. Next, we will install and configure the Azure AD App Proxy connector to publish the application to your users. We use the following cmdlets to configure the required resource-based Kerberos constrained delegation (KCD):
     # inovitcloudlabs is the computer name of the lab server; it hosts both the
     # connector and the IIS application, so the same computer account is the
     # delegating principal and the delegation target
     $ConnectorComputerAccount = Get-ADComputer -Identity inovitcloudlabs
     # resource-based KCD is set on the target (the web server account): allow the
     # connector computer account to delegate to it
     Set-ADComputer inovitcloudlabs -PrincipalsAllowedToDelegateToAccount $ConnectorComputerAccount
     # register the HTTP SPN of the application host name on the web server's computer account
     setspn -S HTTP/kerb.inovitlabs.ch inovitlabs\inovitcloudlabs
  7. Next, we will activate and configure the Azure AD App Proxy. To keep the lab simple, we disable the IE Enhanced Security Configuration so that we do not need to add any IE Security Zone settings; this is done for the lab only:
     [Figure: Server Manager IE Enhanced Security Configuration]
  8. Next, we need to download the connector and install it on the server:
     [Figure: Application Proxy agent download and configuration]

     To configure the connector on the server, you need to provide a user with global administrator rights.

  9. After installing and configuring the connector, we will add our example app:
     [Figure: Azure AD App Proxy Connector group configuration options]
  10. Next, we configure our example app as shown:
     [Figure: Kerberos example configuration]
  11. Next, we configure the Integrated Windows Authentication (IWA) option:
     [Figure: Application IWA configuration]

Finally, we assign some users or groups and test the application at https://myapps.microsoft.com. As a result, you should see the IIS test page. We have published a sample Kerberos-based application running in Azure AD Domain Services to our users through the Azure AD App Proxy functionality.
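The steps above leave several things that must all be right before the IIS test page appears: the A record, the HTTP SPN (present on the web server account and unique in the directory, since a duplicate SPN silently breaks Kerberos), the resource-based delegation entry, the IIS authentication settings, and the connector service. The following script is an added verification example, not code from the book or from Microsoft; it checks each prerequisite on the joined lab server and prints a PASS/FAIL table. It assumes the lab values from this section (host name kerb.inovitlabs.ch, computer account inovitcloudlabs, the Default Web Site) plus two assumptions of its own: the DNS zone is inovitlabs.ch, and the connector's Windows service name is WAPCSvc.

```powershell
# Added verification script (not the book's code). Run on the domain-joined lab
# server as a domain user with local administrator rights (needed for IIS config).
# Assumed values: app host kerb.inovitlabs.ch, web server and connector computer
# account inovitcloudlabs, IIS site "Default Web Site", connector service WAPCSvc.
param(
    [string]$AppHost   = 'kerb.inovitlabs.ch',
    [string]$WebServer = 'inovitcloudlabs',
    [string]$Connector = 'inovitcloudlabs',   # same machine as the web server in this lab
    [string]$SiteName  = 'Default Web Site'
)

Import-Module ActiveDirectory  -ErrorAction Stop
Import-Module WebAdministration -ErrorAction Stop

$spn     = "HTTP/$AppHost"
$results = @()

function Add-Check {
    param([string]$Name, [bool]$Ok, [string]$Detail = '')
    $state = if ($Ok) { 'PASS' } else { 'FAIL' }
    $script:results += [pscustomobject]@{ Check = $Name; Result = $state; Detail = $Detail }
}

# 1. DNS: the application host name must resolve to an A record
try {
    $a = Resolve-DnsName -Name $AppHost -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    Add-Check "DNS A record for $AppHost" ($null -ne $a) ('resolves to ' + ($a.IPAddress -join ', '))
} catch {
    Add-Check "DNS A record for $AppHost" $false $_.Exception.Message
}

# 2. SPN: registered on the web server account and unique across the directory
$web    = Get-ADComputer -Identity $WebServer -Properties ServicePrincipalNames, PrincipalsAllowedToDelegateToAccount
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
Add-Check "SPN $spn registered on $WebServer" ($web.ServicePrincipalNames -contains $spn)
Add-Check "SPN $spn is unique in the directory" ($owners.Count -eq 1) ('owners: ' + ($owners.DistinguishedName -join '; '))

# 3. Resource-based KCD: the connector account must be listed on the web server account
$conn    = Get-ADComputer -Identity $Connector
$allowed = @($web.PrincipalsAllowedToDelegateToAccount)
Add-Check "RBKCD: $Connector may delegate to $WebServer" ($allowed -contains $conn.DistinguishedName) ('allowed: ' + ($allowed -join '; '))

# 4. IIS: Windows Authentication on, Anonymous off, Negotiate (Kerberos) offered first
$site = "IIS:\Sites\$SiteName"
$win  = (Get-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/authentication/windowsAuthentication'   -Name enabled).Value
$anon = (Get-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled).Value
$providers = @(Get-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/authentication/windowsAuthentication/providers' -Name Collection | ForEach-Object { $_.value })
Add-Check "IIS Windows Authentication enabled on $SiteName"  ([bool]$win)
Add-Check "IIS Anonymous Authentication disabled on $SiteName" (-not [bool]$anon)
Add-Check 'Negotiate provider listed first' (($providers | Select-Object -First 1) -eq 'Negotiate') ('providers: ' + ($providers -join ', '))

# 5. Connector: the App Proxy connector service must be running (service name assumed: WAPCSvc)
$svc = Get-Service -Name WAPCSvc -ErrorAction SilentlyContinue
Add-Check 'App Proxy connector service running' ([bool]($svc -and $svc.Status -eq 'Running')) ("status: $($svc.Status)")

$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') { exit 1 } else { exit 0 }
```

The SPN uniqueness check uses an LDAP query rather than `setspn -X` so the script can name the conflicting objects; if a second object owns the SPN, the KDC cannot issue a usable service ticket and the App Proxy will fall back to an authentication error even though every other step looks correct. The delegation check reads `PrincipalsAllowedToDelegateToAccount` from the target account, which is where resource-based KCD is stored, so it still works when the connector is later moved to a separate server and the two computer names differ.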