Deciding between AD FS and AADSync with Password Sync for Office 365 authentication can be a confusing topic for customers moving to the Cloud. Often one of the greatest challenges is to provide as little disruption to the end users as possible by not requiring them to create and maintain a new password. When moving to Office 365, one of the simplest ways to extend the user directory to the Cloud is through the Windows Azure Active Directory Sync Tool (DirSync).
The DirSync tool runs on Windows Server on the organization’s network, and synchronizes objects from the local directory to the Cloud. DirSync provides a starting point for authentication to the Cloud using either Federated Single Sign-In (AD FS) or Password Hash sync for Same Sign-In. The DirSync tool is common to both of these services.
Using DirSync with Password Hash sync provides a simplified architecture to allow end users to authenticate to Cloud resources using their local Active Directory passwords. The DirSync tool can run on an existing Windows Server or on a dedicated server. However, organizations may be concerned that passwords are flowing across these connections. The password sync does NOT sync passwords. It actually syncs the hash of the password, so no passwords travel across the connections and there are no notable security risks involved with password sync.
Another concern exists about password expiration policies and passwords getting out of sync. In fact, if you enable password sync with the DirSync connector, the Windows Azure Active Directory instance then disables password expiration policies in the Cloud and leaves all password expiration up to the settings in the customer’s local instance of Active Directory Domain Services (AD DS). So the only time an individual may receive a password expiration warning is when their local AD DS password is about to expire or already has expired.
This provides the organization with a Same Sign On experience, which means that when a user attempts to access a resource in Office 365, they will be prompted for authentication: a username and password. However, the username and password are the same as their normal, everyday Active Directory Domain Services (AD DS) username and password.
If the customer wants a true Single Sign On (SSO) experience, they will need to deploy a federated solution: Active Directory Federation Services (AD FS) in combination with Windows Azure AD sync. Then, after a user logs on to the PC, there are no subsequent authentication prompts to access Office 365 resources.
When deploying AD FS, it is recommended to place two AD FS Proxy servers in the organization’s DMZ in a load-balanced configuration, and two AD FS servers within the local network—also in a load-balanced configuration. Providing redundancy to the AD FS infrastructure is highly recommended for AD FS implementations: because access to cloud resources depends on authentication against the local AD FS infrastructure, an outage of that infrastructure blocks access to Office 365 resources.
Here are some points to consider when deciding between Password Sync and AD FS:
Using Same Sign On, customers can avoid the additional server hardware costs, configuration and network complexity that are required for Single Sign On. Customers should consider their requirements for authentication to the Cloud carefully and remember that AADSync (DirSync) will be required for both scenarios. AD FS can still be implemented at a later time should the customer determine that their organization's requirements have changed.
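Whichever option is chosen, an administrator should be able to confirm which one the tenant is actually running and whether the password hash sync described above is still flowing (the "passwords getting out of sync" concern). The script below is an added example, not part of the original article: it uses the MSOnline PowerShell module (Get-MsolCompanyInformation and Get-MsolDomain) and assumes Connect-MsolService has already been run as a tenant administrator; the staleness threshold and the Get-CloudAuthPosture function name are assumptions made for this example.

```powershell
Import-Module MSOnline
# Connect-MsolService   # run first; prompts for tenant administrator credentials

function Get-CloudAuthPosture {
    param(
        # Hours since the last password hash sync before it is flagged as stale
        # (threshold is an assumption for this example, not a Microsoft value)
        [int]$StaleHours = 6
    )
    $info = Get-MsolCompanyInformation
    $now  = (Get-Date).ToUniversalTime()   # MSOnline timestamps are assumed to be UTC

    # 'Managed' domains authenticate in the Cloud (password hash sync / Same Sign On);
    # 'Federated' domains redirect every logon to the on-premises AD FS infrastructure.
    $domains = Get-MsolDomain | ForEach-Object {
        [pscustomobject]@{ Domain = $_.Name; Authentication = $_.Authentication }
    }

    $pwdSyncAge = $null
    if ($info.LastPasswordSyncTime) { $pwdSyncAge = $now - $info.LastPasswordSyncTime }

    [pscustomobject]@{
        DirSyncEnabled       = $info.DirectorySynchronizationEnabled
        LastDirSyncTime      = $info.LastDirSyncTime
        PasswordSyncEnabled  = $info.PasswordSynchronizationEnabled
        LastPasswordSyncTime = $info.LastPasswordSyncTime
        # Stale if password sync is on but has never run or has not run recently
        PasswordSyncStale    = ($info.PasswordSynchronizationEnabled -and
                                ($null -eq $pwdSyncAge -or $pwdSyncAge.TotalHours -gt $StaleHours))
        FederatedDomains     = @($domains | Where-Object Authentication -eq 'Federated').Domain
        ManagedDomains       = @($domains | Where-Object Authentication -eq 'Managed').Domain
    }
}

$posture = Get-CloudAuthPosture
$posture | Format-List

if ($posture.PasswordSyncStale) {
    Write-Warning "Password hash sync has not run within $($posture.StaleHours) hours; on-premises password changes may not be reaching Office 365."
}
if ($posture.FederatedDomains.Count -gt 0) {
    Write-Host "Federated domains: $($posture.FederatedDomains -join ', ') depend on the local AD FS infrastructure being reachable."
}
```

Run it on a schedule and alert on PasswordSyncStale to catch a stalled DirSync before users start reporting that their new on-premises password is rejected by Office 365.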
Written by Pedro Hijar, Senior Project Engineer.