Many organizations have started to adopt Cloud services such as Exchange Online and Azure AD, and as the use of Cloud services increases, security procedures are also improving.
Not having to worry about on-premises Exchange storage and redundancy is often reason enough for companies to make the leap. However, the shift to the cloud also introduces security concerns, as any integrated applications must now connect to Exchange Online over the internet, rather than directly to the on-premises Exchange environment.
Exchange Online Basic Authentication is Shutting Down – Cengiz YILMAZ
This means that even on-premises applications and scripts will need to reach out to the cloud to connect to a user’s mailbox. For years, Microsoft allowed Basic Authentication in Exchange Online, meaning all that was required was a username and password. However, to increase security, Microsoft announced plans to discontinue connecting to Exchange Online with Basic Authentication and instead require OAuth 2.0 (also known as Modern Authentication). OAuth is an open standard used by many applications and websites that lets an application be granted access to information in another system without being given the user’s password.
Starting September 1, 2022, Microsoft finally started to phase out Basic Authentication and invited all tenant admins to turn on Modern Authentication for their users.
What is Basic Authentication?
For years, Windows (and other systems) have relied on protocols such as CHAP, NTLM, and Kerberos, which do not work particularly well over the Internet. Authentication for Internet resources typically uses Basic Authentication, which has the advantage of being very simple. The username and password are carried in a single header field, in plain text, base64 encoded. Therefore, Basic Authentication had to be combined with SSL to encrypt the headers (remember the proverb: NEVER authenticate on a website that is not SSL-protected :)) and protect the user’s credentials. However, even when HTTPS is used, Basic Authentication still has a number of security weaknesses. First, the authentication header is sent with every request, so the opportunities to capture credentials are almost unlimited. Second, the password will be cached in the browser (and probably stored permanently), creating another surface for compromise. In addition, the entire foundation of basic authentication rests on the very simple and archaic username-password architecture that Microsoft is trying to eliminate.
Additionally, basic authentication doesn’t support multiple permission levels. In other words, if someone gets access to your username and password, they have the keys to the kingdom. In today’s world, the best security practice is to allow an app access only to the data and resources it needs to function.
What is Modern Authentication?
Modern Authentication is not a single authentication method but rather a category of several different protocols that aim to improve the security posture of cloud-based resources. Examples of Modern Authentication protocols include SAML, WS-Federation and OAuth. While each differs in its execution, they all aim to move away from the classic username-password method and instead rely on token-based claims.
So while the user can still provide a username and password, it is used to authenticate with an identity provider to generate a token for access. This token carries more specific information (in the form of claims) that specifies what the requester does and does not have access to. Tokens also expire and can be revoked, so there is more ability to manage access.
A good analogy is to compare access to one’s home to a hotel room. When you unlock the front door of your house, you walk in and have access to everything; all the bedrooms, the kitchen, the bathrooms, and the little-used exercise room. When you’re given a keycard at a hotel, it will let you into the front door, your room, perhaps the VIP lounge, and the little-used exercise room. However, because of the way the keycard is coded, you won’t be able to access other guests’ rooms, the linen closet, or employee-only areas. The hotel keycard may also have other features, such as time-based access to certain areas (for example, the swimming pool is off-limits after 9 p.m.). Most importantly, the keycard can be permanently disabled by the hotel if you inevitably forget to return it at checkout.
In the cloud, these tokens help manage access to individual resources. These can include Microsoft resources or third-party applications tied to the user’s Office 365 identity. This extensibility is perhaps the most compelling part of this architecture. If you’ve ever used your Facebook or Google account to access other websites or applications, you’ve already experienced the concept.
These tokens can contain information about more than just your user account, including details like the current computer or current location, enabling one of Microsoft’s best security tools, Conditional Access, which allows an organization to create rules that restrict access based on location or device. For example, an organization can choose not to allow access from certain countries or from personal devices.
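As an added example (not code from the original post), the following Python contrasts the two schemes described above: a Basic header decodes straight back to the password, while a bearer token’s claims expose the audience, scope and expiry that make access manageable. The sample header, tokens and audience URL are constructed, and the bearer inspector only reads claims without verifying the signature, which is enough for an inventory of legacy-auth clients but never for accepting a token.

```python
import base64
import json

# Fixed "current time" so the expiry check is deterministic (constructed value).
NOW = 1_700_000_000

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_basic(value: str) -> dict:
    """Basic is just base64(user:password): whoever captures the header holds the password."""
    user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
    return {"scheme": "Basic", "user": user, "password_exposed": bool(password), "legacy": True}

def inspect_bearer(value: str, now: int = NOW) -> dict:
    """Read a bearer token's (JWT) claims without verifying the signature: enough to
    inventory who uses which scope and whether the token is stale, not to accept it."""
    _header, payload, _signature = value.split(".")
    claims = json.loads(b64url_decode(payload))
    return {"scheme": "Bearer", "user": claims.get("upn"), "aud": claims.get("aud"),
            "scp": claims.get("scp"), "expired": claims.get("exp", 0) <= now, "legacy": False}

def classify(header: str, now: int = NOW) -> dict:
    """Route an Authorization header value to the matching inspector."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        return inspect_basic(value)
    if scheme.lower() == "bearer":
        return inspect_bearer(value, now)
    return {"scheme": scheme, "legacy": None}  # e.g. NTLM/Negotiate: not classified here

def make_demo_jwt(claims: dict) -> str:
    """Build a constructed token with a placeholder signature, for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"

# Constructed samples: a legacy Basic login, a live token and an expired one (audience is a placeholder).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice@contoso.example:hunter2").decode()
SAMPLE_LIVE = "Bearer " + make_demo_jwt({"upn": "alice@contoso.example", "aud": "https://mail.example",
                                         "scp": "Mail.Read", "exp": NOW + 3600})
SAMPLE_EXPIRED = "Bearer " + make_demo_jwt({"upn": "bob@contoso.example", "aud": "https://mail.example",
                                            "scp": "Mail.Read", "exp": NOW - 60})

if __name__ == "__main__":
    for header in (SAMPLE_BASIC, SAMPLE_LIVE, SAMPLE_EXPIRED):
        print(classify(header))
```

Running this over captured proxy or gateway headers gives a quick count of clients still sending Basic credentials before the cutoff.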
You might be thinking, “Yeah, but I still have to enter a username and password,” but that requirement may be disappearing. With technologies like Seamless Single Sign-On, Windows Hello, and passwordless authentication with the Microsoft Authenticator app, the number of instances where you actually need to enter your password has been greatly reduced. Personally, I can count on one hand the number of times I’ve had to type in my password over the last month.
What changes when I use modern authentication?
While modern authentication concerns communication between client and server, the steps taken when configuring MA cause evoSTS (the Security Token Service used by Azure AD) to be set as the authentication server for the on-premises Skype for Business and Exchange servers.
The change to evoSTS allows your on-premises servers to leverage OAuth (token issuance) to authorize your clients, and also lets them use security methods commonly used in the cloud (such as Multi-Factor Authentication). Additionally, evoSTS issues tokens that allow users to request access to resources without providing their password as part of the request. No matter where your users are hosted (online or on-premises) and no matter which location hosts the required resource, once modern authentication is configured, evoSTS becomes the core of authorizing users and clients.
What doesn't change?
Whether you are in a split-domain hybrid structure or using Skype for Business and Exchange Server on-premises, in a hybrid implementation of modern authentication the Lyncdiscover and Autodiscover records for all users within the company still both point to your on-premises server.
All scenarios for on-premises servers involve setting up modern authentication on-premises (there is actually a list of supported topologies for Skype for Business) so that the server responsible for authentication and authorization is in the Microsoft Cloud (Azure AD’s security token service, evoSTS), and updating Azure AD about the URLs or namespaces used by your on-premises Skype for Business or Exchange installation. Therefore, on-premises servers take on a dependency on the Microsoft Cloud. Carrying out this action can be thought of as configuring hybrid authentication.