Originally posted on Lucian's blog at lucian.blog.


The final installment in a long series that has taken me a lot longer to get around to writing than I initially thought. I hope it is worth the wait and that the solution, which has been proven in a real deployment, works well for you. Before I get into the technical aspects of the final piece of this MFA implementation puzzle, I'd like to give a quick shout-out to all the awesome consultants at Kloud Solutions who helped both with the technical implementation and with the initial design and work required to see this solution through. A big thank you!

In the previous blog post I went through what an internal configuration of MFA looks like, with everything ready for the ADAL component. That component was previously under NDA and available only in preview; it is now generally available for testing. So let me quickly cover the ADAL (modern authentication) component in Office 2013 and Office 365 before moving on to an in-depth guide on using Microsoft Intune and System Centre Configuration Manager to deliver user certificates to devices and use those certificates as the second factor of authentication. It has been a long build-up to get to this point, with several moments where I questioned whether this would work in the real world. Let's start.

Active Directory Authentication Library (ADAL): modern authentication

As mentioned in part 3 of this series, MFA with X.509 user certificates (what this series calls SSL certificates) can be configured quite quickly in ADFS and is an effective second factor; the main use of ADFS here is for Office 365 hybrid implementations. What was missing was the ability to use ADAL in Office 365 for MFA with mainstream rich clients like Office 2013, specifically Outlook 2013 connecting to Exchange Online. Without ADAL those clients use legacy (basic) authentication, which never presents the interactive ADFS sign-in page where the certificate prompt happens. The in-preview service required a lengthy registration process through connect.microsoft.com that took me 4-5 weeks to get through before we were able to gain access to the preview. However, as of March 23, Microsoft has made the preview available to all tenants. Great news for anyone wanting to test this out, not so great for me having had to wait that long.

So what's involved and how do you leverage ADAL in your Office 365 tenant? You still need to register your Office 365 tenant to enable the public preview, again through the Connect site, and follow the process described in the March 23 post on the official Office 365 blog.

After you've registered for the preview and your tenant has been activated, only the simplest of changes is required on the user side. From November 2014, ADAL started to be enabled across multiple clients on multiple platforms through general updates from Microsoft, usually via Patch Tuesday or an update to the client through the relevant app store.

Enabling the client

For the purposes of this blog series I'm concentrating on Office 2013, as this is the main client through which users access Office 365 services like Exchange Online. We now have the Office 365 tenant enabled through the preview, so let's make three registry changes on our Office 2013 client workstations to utilise modern authentication: two values that turn it on and an optional third that turns on identity tracing for troubleshooting. How are we going to do this? You guessed right: changes to the registry!

To enable modern authentication (all values are per-user, under HKCU, so roll them out with Group Policy preferences or Configuration Manager rather than relying on users to set them):

Registry value                                                   Type       Data
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL   REG_DWORD  1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version      REG_DWORD  1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Debug\TCOTrace        REG_DWORD  3   (optional: verbose identity tracing for troubleshooting; remove when done)

To disable modern authentication:

Registry value                                                   Type       Data
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL   REG_DWORD  0
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version      REG_DWORD  1

That's it! Seems simple, huh? However, simply enabling this on the client won't enable the tenant, so don't expect any magic to happen without signing up for the preview. Restart Outlook after changing the values. The reverse also matters: because these are HKCU values, anyone who can write to the user's hive can set EnableADAL back to 0, and the client then silently falls back to legacy authentication, which bypasses the interactive ADFS sign-in and therefore the certificate prompt. The client setting is a convenience, not an enforcement point; MFA has to be enforced on the tenant and ADFS side.
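The following PowerShell is an added example, not code from the original post: it applies the registry values listed above for the current user and reads them back so the state can be verified before and after a change (or used as a compliance check across a fleet). The value names, types and data are the ones from the tables; the function names and parameters are my own.

```powershell
# Added example: toggle and verify Office 2013 modern authentication (ADAL) for the current user.
# Registry paths and values are those documented in the post; function names are assumptions.

$IdentityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$DebugKey    = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Debug'

function Set-Office2013ModernAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$State,
        # TCOTrace = 3 is a troubleshooting aid only; it is not needed for modern auth to work.
        [switch]$EnableTrace
    )

    foreach ($key in $IdentityKey, $DebugKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    $enable = if ($State -eq 'Enable') { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess($IdentityKey, "Set EnableADAL=$enable, Version=1")) {
        New-ItemProperty -Path $IdentityKey -Name EnableADAL -PropertyType DWord -Value $enable -Force | Out-Null
        New-ItemProperty -Path $IdentityKey -Name Version    -PropertyType DWord -Value 1       -Force | Out-Null
    }

    if ($EnableTrace) {
        New-ItemProperty -Path $DebugKey -Name TCOTrace -PropertyType DWord -Value 3 -Force | Out-Null
    } else {
        # Leave verbose tracing off unless it is actually being used.
        Remove-ItemProperty -Path $DebugKey -Name TCOTrace -ErrorAction SilentlyContinue
    }
}

function Get-Office2013ModernAuth {
    # Reads the effective state. ModernAuthOn is true only when both required values are present
    # and correct; a missing or zero EnableADAL means the client will use legacy authentication.
    $identity = Get-ItemProperty -Path $IdentityKey -ErrorAction SilentlyContinue
    $debug    = Get-ItemProperty -Path $DebugKey    -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EnableADAL   = $identity.EnableADAL
        Version      = $identity.Version
        TCOTrace     = $debug.TCOTrace
        ModernAuthOn = ($identity.EnableADAL -eq 1 -and $identity.Version -eq 1)
    }
}

# Usage: enable modern authentication with tracing on, then confirm.
Set-Office2013ModernAuth -State Enable -EnableTrace
Get-Office2013ModernAuth

# Roll back (client returns to legacy authentication, so MFA must be enforced server-side):
# Set-Office2013ModernAuth -State Disable
```

Run it in the user's own session, since the values live under HKCU; for a fleet, deploy the same values with Group Policy preferences or Configuration Manager and use Get-Office2013ModernAuth as a detection script rather than relying on users to set them. Restart Outlook after changing the values.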

Epilogue

From the outset I thought I'd put together a nice series of reads about multi-factor authentication: what it means in relation to the Microsoft Cloud, and ways to leverage the different Microsoft platforms for a great MFA solution. During the journey I've delved into a lot more information than I thought was necessary, and all in all it was way too much to compress into four blog posts without causing some people's noses to bleed.

What I also wanted to achieve with this series was to outline a solution that leverages Microsoft System Centre Configuration Manager and Intune to deploy certificates to your external and mobile devices for use as the second factor in the MFA process. Unfortunately this is in and of itself the most technical piece of the puzzle, and to make it more difficult there isn't much documented process available online.

To keep this post relatively concise and to finalise the core of this series, I've added a final 'MFA Epilogue' in a new post available here: Multi-Factor Authentication, Office 365, ADFS v3.0 and SSLs via InTune.

I hope this has been a worthwhile read. With time and practice I'll get my head around this blogging thing and maybe get the content out quicker and more concisely.

Cheers,

Lucian

Category:
ADFS, Identity and Access Management, Office 365

2 Comments

  1. […] Earlier this year, Office 2013 Modern Authentication using the Active Directory Authentication Library (ADAL) moved to public preview. The steps to take part in the preview and to prepare the Office 2013 software are well documented, particularly by one of my fellow Kloudies (see Lucian’s blog here). […]

  2. Hi Lucian,

    I was able to configure MFA but am running into some issues. When I use the app internally, which is when the traffic is going straight to the ADFS HLB, the cert auth works fine. IE automatically picks up the user cert and I do not see any prompt, and Chrome prompts to choose one. However, on the internet, when traffic is coming from the internet to my F5 load balancer and then to the ADFS WAP, nothing loads up after selection of the cert. Wireshark shows that the client keeps on retrying and ultimately the server gives it a connection reset. Can you suggest?
