topic Re: User-ID with Azure AD in General Topics

User-ID with Azure AD

jharlow — Tue, 23 Jan 2018 21:50:24 GMT

We currently use User-ID with an on-premise Active Directory server. We are planning on moving to Azure AD (not to be confused with AD services in Azure). Are there any plan on getting User-ID to work with AzureAD (web Auth)? What other options can I use to continue to use User-ID if we do not have Active Directory on premise? Thanks.

Re: User-ID with Azure AD

reaper — Wed, 24 Jan 2018 10:01:40 GMT

There are several options:

-captive portal with ntlm,

-forwarding authentication logs to an on-prem UserID agent running as syslog collector,

-API

-GlobalProtect (inside the network it will not set up vpn but will simply function as a userID client)

Re: User-ID with Azure AD

jharlow — Wed, 24 Jan 2018 18:39:43 GMT

If we were to pull all of our domain controllers from on-premise, wouldnt that kill the first two options? GlobalProtect might be the only option but frown on as it is something that we will have to install. What APIs are you referring to?

Re: User-ID with Azure AD

Brandon_Wertz — Wed, 24 Jan 2018 19:14:21 GMT

@jharlow When @reaper talks about NTLM auth via CP he's referring to the firewall utilizing the NTLM protocol to to query a user's web browser for the credentials. When the browser provides credentials back those credentials are then checked against which ever directory you specify and then retained in cache also based on your specified duration.

If that "behind the screens" negotiation isn't successful users will get a browser pop-up asking the user for creds.

One thing to keep in mind you'll need to ensure the firewall's IP is in IE's local Intranet configuration so IE will pass creds to the FW via the automated NTLM process.

Re: User-ID with Azure AD

reaper — Thu, 25 Jan 2018 10:10:51 GMT

NTLM would simply ensure transparent authentication for the users if available/possible (pretty exclusive to windows) but in the backend 'normal' authentication methods can be used for which the AD does not to be on-prem

Syslogs can be sent out of the AD for succesfull authentication events and an on-prem User-ID agent can capture these and create user-IP mappings

XML API would require a lot of scripting, but it's doable : Send User Mappings to User-ID Using the XML API

Re: User-ID with Azure AD

jharlow — Thu, 25 Jan 2018 14:39:19 GMT

I see the option under User-ID for NTLM (currently unchecked). Simply checking this is all that is needed? You mentioned it grabs the credentials from the browser, but if the user's machine is no longer on a local premise AD (simply connected via AzureAD through Windows 10), will there be credentials to grab? Let's assume the individual is prompted, however often will this take place (session cookie, restart of browser, PC restart, etc.) And lastly, since yes, NTLM is a Windows thing, how will Mac's and iOS devices handle this process? Will they simply get prompted to login and if so, the same last question applies (length of time).

I sent a request to support about AzureAD. This really needs to be added as there are more of us looking to move to Azure and less on-premise. Maybe PA version 11. 🙂

Re: User-ID with Azure AD

reaper — Thu, 25 Jan 2018 14:57:21 GMT

you'll also need to create a captive portal (aythentication) policy that is set to 'browser challenge'

it sends the browser a challenge, the browser will provide these (logged in user creds) if it trusts the firewall (needs to trust the certificate or via a pac file)

the browser or user is prompted when the configurable timeout occurs, so if ntlm works nicely you could have the browser re-queried every hour, if you need to resort to a webform, you could set the timeout to 4 hours or more, as not to bug users too much

you can have captive portal give the user a cookie, in case their IP changes that cookie can be presented instead of needing to authenticate

I wrote a bunch of stuff in this article: Getting Started: User-ID which you may find helpful

let me know if there's anything missing 🙂

Re: User-ID with Azure AD

Brandon_Wertz — Thu, 25 Jan 2018 17:21:54 GMT

I will re-itterate a Windows OS will not pass NTLM credentials to the firewall without modifiation to the client.

https://support.microsoft.com/en-us/kb/943280

"WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a website is in a zone that allows credentials to be sent automatically.

If no proxy is configured, WinHTTP sends credentials only to local intranet sites.

Note If the URL contains no period in the servers name, such as in the following example, the server is assumed to be on a local intranet site:

http://sharepoint/davshare

If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.

Note A server can be indicated for proxy bypass through either the bypass list or the proxy configuration script.

In this situation, you are either denied access or prompted to enter your credentials when the website asks for credentials. Even when this occurs, the security zone settings are ignored."

The NTLM challenges will be coming from the firewall. An IP address. This is going to be assumed to be an "Internet" based NTLM challenge request and as such the Windows client will not pass creds to the IP which is coming from the firewall.

The Windows KB indicates the proper registry setting to modify to bypass this security setting.

Re: User-ID with Azure AD

Brandon_Wertz — Thu, 25 Jan 2018 17:27:00 GMT

Looks like the KB points out a Win7 registry setting.

Win10 is in this directory:

browse to...
Computer
Admin Templates
windows components
internet explorer
Internet control panel
security page
on the right - open
Site to Zone Assignment List
Enable it and click SHOW
enter the IP address as the Value Name
the Value should be 1 for Intranet zone