You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Windows authentication - Kerberos constrained delegation with Azure Active Directory
20
18
21
-
Kerberos Constrained Delegation (KCD) provides constrained delegation between resources and is based on Service Principle Names. It requires domain administrators to create the delegations and is limited to a single domain. Resource-based KCD is often used as a way of providing Kerberos authentication for a web application that has users in multiple domains within an Active Directory forest.
19
+
Based on Service Principle Names, Kerberos Constrained Delegation (KCD) provides constrained delegation between resources. It requires domain administrators to create the delegations and is limited to a single domain. You can use resource-based KCD to provide Kerberos authentication for a web application that has users in multiple domains within an Active Directory forest.
22
20
23
21
Azure Active Directory Application Proxy can provide single sign-on (SSO) and remote access to KCD-based applications that require a Kerberos ticket for access and Kerberos Constrained Delegation (KCD).
24
22
25
-
You enable SSO to your on-premises KCD applications that use integrated Windows authentication (IWA) by giving Application Proxy connectors permission to impersonate users in Active Directory. The Application Proxy connector uses this permission to send and receive tokens on the users' behalf.
23
+
To enable SSO to your on-premises KCD applications that use integrated Windows authentication (IWA), give Application Proxy connectors permission to impersonate users in Active Directory. The Application Proxy connector uses this permission to send and receive tokens on the users' behalf.
26
24
27
-
## Use when
25
+
## When to use KCD
28
26
29
-
There is a need to provide remote access, protect with pre-authentication, and provide SSO to on-premises IWA applications.
27
+
Use KCD when there's a need to provide remote access, protect with pre-authentication, and provide SSO to on-premises IWA applications.
30
28
31
29
32
30
33
31
## Components of system
34
32
35
-
***User**: Accesses legacy application served by Application Proxy.
36
-
33
+
***User**: Accesses legacy application that Application Proxy serves.
37
34
***Web browser**: The component that the user interacts with to access the external URL of the application.
38
-
39
35
***Azure AD**: Authenticates the user.
40
-
41
-
***Application Proxy service**: Acts as reverse proxy to send request from the user to the on-premises application. It sits in Azure AD. Application Proxy can also enforce any conditional access policies.
42
-
43
-
***Application Proxy connector**: Installed on-premises on Windows servers to provide connectivity to the application. Returns the response to Azure AD. Performs KCD negotiation with Active Directory, impersonating the user to get a Kerberos token to the application.
44
-
36
+
***Application Proxy service**: Acts as reverse proxy to send requests from the user to the on-premises application. It sits in Azure AD. Application Proxy can enforce conditional access policies.
37
+
***Application Proxy connector**: Installed on Windows on premises servers to provide connectivity to the application. Returns the response to Azure AD. Performs KCD negotiation with Active Directory, impersonating the user to get a Kerberos token to the application.
45
38
***Active Directory**: Sends the Kerberos token for the application to the Application Proxy connector.
46
-
47
39
***Legacy applications**: Applications that receive user requests from Application Proxy. The legacy applications return the response to the Application Proxy connector.
48
40
49
41
## Implement Windows authentication (KCD) with Azure AD
50
42
51
-
*[Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md)
43
+
Explore the following resources to learn more about implementing Windows authentication (KCD) with Azure AD.
44
+
45
+
*[Kerberos-based single sign-on (SSO) in Azure Active Directory with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md) describes prerequisites and configuration steps.
46
+
* The [Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md) helps you to prepare your environment for use with Application Proxy.
47
+
48
+
## Next steps
52
49
53
-
*[Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md)
50
+
*[Azure Active Directory authentication and synchronization protocol overview](auth-sync-overview.md) describes integration with authentication and synchronization protocols. Authentication integrations enable you to use Azure AD and its security and management features with little or no changes to your applications that use legacy authentication methods. Synchronization integrations enable you to sync user and group data to Azure AD and then user Azure AD management capabilities. Some sync patterns enable automated provisioning.
51
+
*[Understand single sign-on with an on-premises app using Application Proxy](../app-proxy/application-proxy-config-sso-how-to.md) describes how SSO allows your users to access an application without authenticating multiple times. SSO occurs in the cloud against Azure AD and allows the service or Connector to impersonate the user to complete authentication challenges from the application.
52
+
*[SAML single sign-on for on-premises apps with Azure Active Directory Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md) describes how you can provide remote access to on-premises applications that are secured with SAML authentication through Application Proxy.
title: Passwordless authentication with Azure Active Directory
3
+
description: Microsoft Azure Active Directory (Azure AD) enables integration with passwordless authentication protocols that include certificate-based authentication, passwordless security key sign-in, Windows Hello for Business, and passwordless sign-in with Microsoft Authenticator.
4
+
services: active-directory
5
+
author: janicericketts
6
+
manager: martinco
7
+
ms.service: active-directory
8
+
ms.workload: identity
9
+
ms.subservice: fundamentals
10
+
ms.topic: conceptual
11
+
ms.date: 03/01/2023
12
+
ms.author: jricketts
13
+
ms.custom: template-concept
14
+
---
15
+
# Passwordless authentication with Azure Active Directory
16
+
17
+
Microsoft Azure Active Directory (Azure AD) enables integration with the following passwordless authentication protocols.
18
+
19
+
-[Overview of Azure AD certificate-based authentication](../authentication/concept-certificate-based-authentication.md): Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate directly with X.509 certificates against their Azure AD for applications and browser sign-in. This feature enables customers to adopt phishing resistant authentication and authenticate with an X.509 certificate against their Public Key Infrastructure (PKI).
20
+
-[Enable passwordless security key sign-in](../authentication/howto-authentication-passwordless-security-key.md): For enterprises that use passwords and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys provide improved productivity for workers, and have better security. This article explains how to sign in to web-based applications with your Azure AD account using a FIDO2 security key.
21
+
-[Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview.md): Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.
22
+
-[Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md): Microsoft Authenticator can be used to sign in to any Azure AD account without using a password. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric. Windows Hello for Business uses a similar technology. Microsoft Authenticator can be used on any device platform, including mobile. Microsoft Authenticator can be used with any app or website that integrates with Microsoft Authentication Libraries.
A standard Remote Desktop Services (RDS) deployment includes various [Remote Desktop role services](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture) running on Windows Server. The RDS deployment with Azure Active Directory (Azure AD) Application Proxy has a permanent outbound connection from the server running the connector service. Other deployments leave open inbound connections through a load balancer. This authentication pattern allows you to offer more types of applications by publishing on-premises applications through Remote Desktop Services. It also reduces the attack surface of their deployment by using Azure AD Application Proxy.
19
+
A standard Remote Desktop Services (RDS) deployment includes various [Remote Desktop role services](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture) running on Windows Server. The RDS deployment with Azure Active Directory (Azure AD) Application Proxy has a permanent outbound connection from the server that is running the connector service. Other deployments leave open inbound connections through a load balancer.
22
20
23
-
## Use when
21
+
This authentication pattern allows you to offer more types of applications by publishing on premises applications through Remote Desktop Services. It reduces the attack surface of their deployment by using Azure AD Application Proxy.
24
22
25
-
You need to provide remote access and protect your Remote Desktop Services deployment with pre-authentication.
23
+
## When to use Remote Desktop Gateway Services
24
+
25
+
Use Remote Desktop Gateway Services when you need to provide remote access and protect your Remote Desktop Services deployment with pre-authentication.
***User**: Accesses RDS served by Application Proxy.
32
-
33
32
***Web browser**: The component that the user interacts with to access the external URL of the application.
34
-
35
33
***Azure AD**: Authenticates the user.
34
+
***Application Proxy service**: Acts as reverse proxy to forward request from the user to RDS. Application Proxy can also enforce any Conditional Access policies.
35
+
***Remote Desktop Services**: Acts as a platform for individual virtualized applications, providing secure mobile and remote desktop access. It provides end users with the ability to run their applications and desktops from the cloud.
36
36
37
-
***Application Proxy service**: Acts as reverse proxy to forward request from the user to RDS. Application Proxy can also enforce any Conditional Access policies.
37
+
## Implement Remote Desktop Gateway services with Azure AD
38
38
39
-
***Remote Desktop Services**: Acts as a platform for individual virtualized applications, providing secure mobile and remote desktop access, and providing end users the ability to run their applications and desktops from the cloud.
39
+
Explore the following resources to learn more about implementing Remote Desktop Gateway services with Azure AD.
40
40
41
-
## Implement Remote Desktop Gateway services with Azure AD
41
+
*[Publish Remote Desktop with Azure Active Directory Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md) describes how Remote Desktop Service and Azure AD Application Proxy work together to improve productivity of workers who are away from the corporate network.
42
+
* The [Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md) helps you to prepare your environment for use with Application Proxy.
42
43
43
-
*[Publish remote desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md)
44
+
## Next steps
44
45
45
-
*[Add an on-premises application for remote access through Application Proxy in Azure AD](../app-proxy/application-proxy-add-on-premises-application.md)
46
+
*[Azure Active Directory authentication and synchronization protocol overview](auth-sync-overview.md) describes integration with authentication and synchronization protocols. Authentication integrations enable you to use Azure AD and its security and management features with little or no changes to your applications that use legacy authentication methods. Synchronization integrations enable you to sync user and group data to Azure AD and then user Azure AD management capabilities. Some sync patterns enable automated provisioning.
47
+
*[Remote Desktop Services architecture](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture.md) describes configurations for deploying Remote Desktop Services to host Windows apps and desktops for end-users.
0 commit comments