Directory Sync and Password Sync Cookbook – part 1 – Overview and SSO Decisions

Hi, Andrzej (KAZM) here with some stuff about Directory Sync and Password Sync – enjoy 😉

  1. Directory Sync and Password Sync Cookbook – part 1 – Overview and SSO Decisions
  2. Directory Sync and Password Sync Cookbook – part 2 – Preparation
  3. Directory Sync and Password Sync Cookbook – part 3 – UPN Sync Scenarios
  4. Directory Sync and Password Sync Cookbook – part 4 – Installation
  5. Directory Sync and Password Sync Cookbook – part 5 – Configuration and Operations
  6. Directory Sync and Password Sync Cookbook – part 6 – Troubleshooting
  7. Directory Sync and Password Sync Cookbook – part 7 – Important FAQ

Password Sync is an alternative to ADFS SSO (Active Directory Federation Services single sign-on). With ADFS SSO, the Windows Azure Active Directory (WAAD) synchronization tool, Directory Synchronization (DirSync), is used only to synchronize user accounts (not their passwords) to Microsoft Office 365 (O365). Because the domain is federated in the cloud, users authenticate through the ADFS servers against the on-premises Active Directory, where their accounts and passwords are kept; O365 only receives the security token that ADFS issues.

Password Sync is a feature of the DirSync tool and does not need an ADFS infrastructure to be running: it synchronizes user accounts together with their password hashes to O365. That means authentication takes place in the cloud (not in AD) and users are not redirected to Active Directory (as they are when ADFS is in place). For a better understanding, take a quick look at the Microsoft Directory Sync with Password Sync Scenario TechNet page.

So in short, Password Sync synchronizes passwords. Well, not exactly passwords: a hash of each user's on-premises password hash is synced, so passwords are never sent in plain text or in any reversible form, and they are not known to Microsoft. You can read more in How Secure is DirSync with Password Synchronization? by Alan Byrne.
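Before deciding between the two models it helps to see which one each domain in the tenant is already using. The following PowerShell script is an added example (not code from the original post); it assumes the MSOnline (Azure AD v1) module is installed and that you have a tenant global administrator account. It reports the tenant's DirSync and Password Sync status and, for every verified domain, whether authentication is Managed (password verified in the cloud, which is what Password Sync uses) or Federated (login redirected to ADFS), including the ADFS endpoints and the expiry of the token-signing certificate that O365 trusts.

```powershell
# Added example, not from the original post.
# Inventory of an Office 365 tenant: sync state plus per-domain authentication model.
# Assumes: MSOnline module installed, global admin credentials available. Read-only.

Import-Module MSOnline
Connect-MsolService   # prompts for the tenant admin account

# Tenant-wide sync status: is DirSync on, is Password Sync on, and when did each last run?
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled      = $company.DirectorySynchronizationEnabled
    LastDirSync         = $company.LastDirSyncTime
    PasswordSyncEnabled = $company.PasswordSynchronizationEnabled
    LastPasswordSync    = $company.LastPasswordSyncTime
} | Format-List

# Per-domain authentication model.
# "Managed"   = O365 verifies the password itself (cloud-only users or Password Sync).
# "Federated" = O365 accepts security tokens issued by the ADFS farm for that domain.
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
foreach ($d in $domains) {
    $row = [ordered]@{
        Domain              = $d.Name
        Authentication      = $d.Authentication
        IsDefault           = $d.IsDefault
        IssuerUri           = $null
        PassiveLogOnUri     = $null
        SigningCertNotAfter = $null
    }
    if ($d.Authentication -eq 'Federated') {
        # For federated domains, pull the ADFS endpoints O365 redirects to and the
        # token-signing certificate it trusts. If that certificate expires without a
        # rollover being pushed to O365, every federated user is locked out.
        $fed   = Get-MsolDomainFederationSettings -DomainName $d.Name
        $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $row.IssuerUri           = $fed.IssuerUri
        $row.PassiveLogOnUri     = $fed.PassiveLogOnUri
        $row.SigningCertNotAfter = $cert.NotAfter
    }
    [pscustomobject]$row
}
```

Two things to read off the output: a domain that shows Federated while DirSync reports password sync enabled means users are still being sent to ADFS and the synced hashes are not used for login; and a PassiveLogOnUri must resolve to the internet-facing ADFS proxy, otherwise users outside the corporate network cannot sign in at all.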

There are pros and cons to having ADFS rather than Password Sync. Here are quick bullets on the questions you should ask yourself or your client:

  1. Review your requirements and business plans for the next year (are you going to migrate entirely to Office 365?, etc.).
  2. Compare DirSync with Password Sync against ADFS in the light of those requirements. Some advantages and disadvantages of ADFS and Password Sync are presented below.
    1. ADFS
      1. Requires additional infrastructure, implementation effort and preparation, e.g.:
        1. Load-balanced ADFS servers (with a single ADFS server, its failure means nobody can sign in to any federated asset, O365 mail included, so they had better be load-balanced),
        2. Load-balanced ADFS Proxy servers (in Windows Server 2012 R2 called Web Application Proxy); these must stand in the DMZ and proxy authentication traffic to and from the ADFS servers for users outside the corporate network,
        3. A public SSL certificate (Thawte, GoDaddy, VeriSign, Entrust, etc.) has to be bought as the ADFS service communication certificate. A SAN certificate is needed if you want to use the Device Registration Service in Windows Server 2012 R2; a wildcard certificate is also fine.
      2. The infrastructure is another point of failure and needs to be managed (administrative overhead, including certificate renewals),
      3. Gives a better SSO experience (users logged on to the on-premises domain from the corporate network are not asked to re-enter their passwords). Visit the ADFS/SSO versus Password Sync End User Experience for Office 365 page for more information,
      4. Can be used to implement more federation-dependent tools and features, e.g.:
        1. The Workplace Join feature,
        2. Federation with Microsoft Access Control Service (a free Microsoft service), allowing login with Facebook, Windows Live ID (sorry, Microsoft account: your Windows Live ID is your Microsoft account), Google or Yahoo accounts.
      5. Can filter client access with ADFS claim rules based on Active Directory attributes carried in the security tokens,
      6. Has better support for Multi-Factor Authentication (MFA).
    2. Password Sync
      1. A good option when the plan is to migrate entirely to the cloud: once users and data are in O365 there are no ADFS servers left on premises to keep running, and DirSync itself can be switched off once AD is no longer the source of the accounts,
      2. Authentication takes place in O365; users are not redirected to log in to AD through ADFS servers,
      3. Costs less effort to implement,
      4. Once set up, it should not cause big problems in the future (no federation servers to keep up and no federation certificates to roll over),
      5. Users have to change their passwords in Active Directory and cannot change them online in O365 (there is no password write-back from the cloud to AD),
      6. Supports single-forest scenarios only (as of December 2013).
Category: Knowledge Base