To understand what Federation can do for your organization, you must first understand trusts. Federation services (including Active Directory Federation Services [AD FS]) are just trusts on steroids. Understanding what a trust can do for your organization will help you understand why we use Federation.
Understanding Trusts
Trust relationships make it easier to share security information and network resources between domains. Standard transitive two-way trusts are automatically created between the domains in a tree and between each of the trees in a forest. When configuring trusts, you need to consider two main characteristics:
Transitive Trusts By default, Active Directory trusts are transitive trusts. The simplest way to understand transitive relationships is through this example: If Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. If you need to apply a tighter level of security, trusts can be configured as intransitive.
One-Way vs. Two-Way Trusts can be configured as one-way or two-way relationships. The default operation is to create two-way trusts or bidirectional trusts. This makes it easier to manage trust relationships by reducing the trusts you must create. In some cases, however, you might decide against two-way trusts. In one-way relationships, the trusting domain allows resources to be shared with the trusted domain but not the other way around.
When domains are added together to form trees and forests, an automatic transitive two-way trust is created between them. Although the default trust relationships work well for most organizations, there are some reasons you might want to manage trusts manually:
■ You may want to remove trusts between domains if you are absolutely sure you do not want resources to be shared between domains.
■ Because of security concerns, you may need to keep resources isolated.
In addition to the default trust types, you can configure the following types of special trusts:
External Trusts You use external trusts to provide access to resources that cannot use a forest trust. In some cases, external trusts could be your only option. External trusts are always nontransitive, but they can be established in a one-way or a two-way configuration.
Default SID Filtering on External Trusts When you set up an external trust, remember that it is possible for hackers to compromise a domain controller in a trusted domain. If this trust is compromised, a hacker can use the security identifier (SID) history attribute to associate SIDs with new user accounts, granting themselves unauthorized rights (this is called an elevation-of-privileges attack). To help prevent this type of attack, Windows Server 2022 automatically enables SID filter quarantining on all external trusts. SID filtering allows the domain controllers in the trusting domain (the domain with the resources) to discard any SID in a user's SID history that does not belong to the trusted domain.
Realm Trusts Realm trusts are similar to external trusts. You use them to connect to a non-Windows domain that uses Kerberos authentication. Realm trusts can be transitive or nontransitive, one-way or two-way.
Cross-Forest Trusts Cross-forest trusts are used to share resources between forests. They have been used since Windows Server 2000 domains and are always transitive, but you can establish them in a one-way or a two-way configuration. Authentication requests in either forest can reach the other forest in a two-way cross-forest trust. If you want one forest to trust another forest, you must set it (at a minimum) to at least the forest functional level of Windows Server 2003.
Selective Authentication vs. Forest-wide Authentication Forest-wide authentication on a forest trust means that users of the trusted forest can access all the resources of the trusting forest as long as they have the appropriate permissions. Selective authentication means that users cannot authenticate to a domain controller or resource server in the trusting forest unless they are explicitly allowed to do so.
Shortcut Trusts In some cases, you may actually want to create direct trusts between two domains that implicitly trust each other. Such a trust is sometimes referred to as a shortcut trust, and it can improve the speed at which resources are accessed across many different domains. Let’s say you have a forest, as shown in Figure 10.11.
FIGURE 10.11 Example of a forest
Users in the NY.us.WillPanek.com domain can access resources in the London.uk.WillPanek.com domain, but the users must authenticate using the parent domains to gain access (NY.us.WillPanek.com to us.WillPanek.com to WillPanek.com to uk.WillPanek.com to finally reach London.uk.WillPanek.com). This process can be slow. You can set up a one-way trust from London.uk.WillPanek.com (trusting domain) to NY.us.WillPanek.com (trusted domain) so that the users can access the resources directly.
Perhaps the most important aspect to remember regarding trusts is that creating them only allows you to share resources between domains. The trust does not grant any permissions between domains by itself. Once a trust has been established, however, system administrators can easily assign the necessary permissions.
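As an added illustration (not code from the book), the following PowerShell script audits the trusts of the current domain against the characteristics covered above: direction, transitivity, SID filter quarantining on external trusts, and selective versus forest-wide authentication. It assumes the ActiveDirectory (RSAT) module is installed and the caller can read trust objects; the Get-TrustAuditReport function, its classification rules and its findings text are my own.

```powershell
# Added example, not the book's code: audit the current domain's trusts against
# the characteristics covered above. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-TrustAuditReport {
    param([string]$Server)  # optional: a specific domain controller to query
    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    foreach ($t in Get-ADTrust @query) {
        $findings = @()
        # Classify the trust: inside the forest, cross-forest, realm, or external
        if ($t.IntraForest)                  { $kind = 'Intra-forest' }
        elseif ($t.ForestTransitive)         { $kind = 'Forest' }
        elseif ($t.TrustType -eq 'Kerberos') { $kind = 'Realm' }
        else                                 { $kind = 'External' }

        # External trusts are always nontransitive; the others are transitive
        # unless the nontransitive flag is set (the AD module property really
        # is spelled DisallowTransivity).
        $transitive = ($kind -ne 'External') -and (-not $t.DisallowTransivity)

        # SID filter quarantining is on by default for external trusts; False
        # here reopens the SID history elevation path described above.
        if ($kind -eq 'External' -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filter quarantining disabled on external trust'
        }
        # Forest-wide authentication is the default on a forest trust;
        # selective authentication is the tighter option.
        if ($kind -eq 'Forest' -and -not $t.SelectiveAuthentication) {
            $findings += 'Forest-wide authentication (consider selective auth)'
        }
        # Two-way trusts expose both sides; make sure each one is deliberate.
        if ($kind -ne 'Intra-forest' -and $t.Direction -eq 'BiDirectional') {
            $findings += 'Two-way trust; confirm both directions are required'
        }

        [pscustomobject]@{
            Trust         = $t.Name
            Kind          = $kind
            Direction     = $t.Direction
            Transitive    = $transitive
            SIDFiltering  = $t.SIDFilteringQuarantined
            SelectiveAuth = $t.SelectiveAuthentication
            Findings      = ($findings -join '; ')
        }
    }
}

Get-TrustAuditReport | Format-Table -AutoSize
```

Run it from a domain-joined machine in each domain you administer; an empty Findings column for every row means the trusts match the defaults this section describes.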
Understanding Federation
So now that you understand trusts, it’s easier to understand Federation because Federation is just a group of domains that have an established trust. These domains can be between sites or between separate organizations.
Remember, even though it’s your company on Azure, Azure is owned by Microsoft. So, you are technically setting up a trust between your company and Microsoft’s network (onmicrosoft.com).
When you set up Federation, you can set the trust level to whatever your organization needs for its users. You do not need to just give open access to everyone. Also, Federation is just the mechanism to allow access across the trust. You still need to set up users’ permissions to your resources.
When you use Federation to set up authentication and authorization between your onsite network and Azure AD, all user authentications happen onsite. This gives your organization better levels of access control.