MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Windows login for external user using Smartcard #14468

Closed minhaj-dell closed 6 years ago

minhaj-dell commented 6 years ago

The federation-related document above shows that for a user external to the domain to log in using a smart card, the admin has to expose a web proxy. The way I understand this is that the user would need to log in to Windows locally (with SC) and then log in to this web proxy using the smart card again to gain access to AAD. Is this correct? Is there a way to configure Windows login to authenticate through the web proxy either always or at least while external to the network? Are there more articles regarding this available? The relevant information from the article is documented below:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-user-signin, the "Federation that uses a new or existing farm with AD FS in Windows Server 2012 R2" section. Below I've copied what it says in case you have difficulty finding it!

With federated sign-in, your users can sign in to Azure AD-based services with their on-premises passwords. While they're on the corporate network, they don't even have to enter their passwords. By using the federation option with AD FS, you can deploy a new or existing farm with AD FS in Windows Server 2012 R2. If you choose to specify an existing farm, Azure AD Connect configures the trust between your farm and Azure AD so that your users can sign in.

If you're deploying a new farm, you need:

• A Windows Server 2012 R2 server for the federation server.
• A Windows Server 2012 R2 server for the Web Application Proxy.
• A .pfx file with one SSL certificate for your intended federation service name. For example: fs.contoso.com.

If you're deploying a new farm or using an existing farm, you need:

• Local administrator credentials on your federation servers.
• Local administrator credentials on any workgroup servers (not domain-joined) that you intend to deploy the Web Application Proxy role on.
• The machine that you run the wizard on to be able to connect to any other machines that you want to install AD FS or Web Application Proxy on by using Windows Remote Management.

YutongTie-MSFT commented 6 years ago

@minhaj-dell Thanks for the feedback! We are currently investigating and will update you shortly.

SaurabhSharma-MSFT commented 6 years ago

@minhaj-dell That is not correct, and you don't have to do that. The purpose of federated sign-in is to get you authenticated through the on-premises ADFS server, and the application proxy resides on the on-premises network, which allows ADFS to be accessible to external users. Please refer to the other documentation:

minhaj-dell commented 6 years ago

@SaurabhSharma-MSFT thanks, I did review these links but don't have full clarification. So I understand AD FS being important; with the web proxy I envision the following:

  1. User loads WAP page.
  2. Enters PIN for smart card.
  3. WAP redirects to AD FS.
  4. ADFS authenticates with AD and gets TGT.
  5. ADFS redirects to AAD with TGT.
  6. AAD returns access token.
  7. ADFS generates another token in response to the token received from AAD and sends it to the end user for access to AAD.

Is above correct?

If this is the case, then to load the WAP page (1st step above) the user has to be already logged into Windows. And that's what I was asking. So step one for outside-the-domain login is to 1) locally log in to Windows, 2) load the WAP page, and so on.

Unless I can configure Winlogon to directly access the WAP or expose AD FS to the outside world, I don't see how else this would work.

SaurabhSharma-MSFT commented 6 years ago

@minhaj-dell I am not able to understand what exactly you mean by WAP page? Web Application Proxy is used to provide access to applications outside of the corporate network. It works like this:

  1. User tries to access the application using the web-browser.
  2. The application delegates authentication to Azure Active Directory (AAD)
  3. AAD redirects the client to the identity provider (In this case ADFS) that is authoritative for the account via Web Application Proxy Server,
  4. Once the user has been authenticated, ADFS issues a Security Token to the user or device which is presented to AAD in Azure.
  5. AAD accepts the security token received as proof that the user has been authenticated and sends a security token to applications allowing the user to access the application.

Hope this helps to clarify your doubts.

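The five-step sequence above, modelled as an added example that is not from the thread or from Microsoft: each relying party (Azure AD for the AD FS token, the application for the Azure AD token) checks only the signature, issuer, audience and validity window of the token it receives, so the smart card is seen by AD FS alone. Issuer URLs, keys and the app id are constructed placeholders, and HMAC stands in for the real token-signing certificates.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders: these are not real tenant or farm values.
ADFS_ISSUER = "https://fs.contoso.com/adfs/services/trust"
AAD_ISSUER = "https://sts.windows.net/contoso-tenant/"
# Symmetric keys stand in for the AD FS and Azure AD token-signing certificates.
ADFS_KEY = b"constructed-adfs-signing-key"
AAD_KEY = b"constructed-aad-signing-key"


def _sign(claims, key):
    """Serialise the claims and attach a MAC; stands in for a signed token."""
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()


def verify(token, key, issuer, audience, now):
    """Relying-party checks: signature, issuer, audience, validity window."""
    body_b64, sig_b64 = token.split(".")
    body = base64.b64decode(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["iss"] != issuer or claims["aud"] != audience:
        raise ValueError("wrong issuer or audience")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token outside validity window")
    return claims


def adfs_issue(upn, auth_method, now, lifetime=600):
    """Step 4: AD FS issues a token for Azure AD after authenticating the user."""
    return _sign({"iss": ADFS_ISSUER, "aud": AAD_ISSUER, "upn": upn,
                  "amr": auth_method, "nbf": now, "exp": now + lifetime}, ADFS_KEY)


def aad_issue(adfs_token, app_id, now, lifetime=3600):
    """Step 5: Azure AD accepts the AD FS token as proof and issues its own token."""
    c = verify(adfs_token, ADFS_KEY, ADFS_ISSUER, AAD_ISSUER, now)
    return _sign({"iss": AAD_ISSUER, "aud": app_id, "upn": c["upn"],
                  "amr": c["amr"], "nbf": now, "exp": now + lifetime}, AAD_KEY)


def app_accept(aad_token, app_id, now):
    """The application only ever validates Azure AD's token, never AD FS's."""
    return verify(aad_token, AAD_KEY, AAD_ISSUER, app_id, now)["upn"]
```

The last two checks in the test matter in practice: an AD FS token presented straight to the application is rejected, and an expired AD FS token is rejected by Azure AD.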
minhaj-dell commented 6 years ago

@SaurabhSharma-MSFT Thanks, that was useful. However, I am trying to understand how an organization can support smart cards for logging into Windows. The scenario you described clarifies my misconception, which was actually based on captured traffic that someone on the internet had shared. However, what about logging into Windows? When the user is off-prem, how does this work with a smart card? It seems Windows would log the user into Windows on cached credentials without being able to access AD. The user would then access WAP and your sequence would continue from there, correct?

So if I were to write a credential provider for Windows, it would work very differently between password and SC. In the case of a password I can be in a pure Azure setup and directly send credentials to AAD and receive a token. In the SC case I guess I'd need to always access WAP, which would eventually return an access token?

SaurabhSharma-MSFT commented 6 years ago

@minhaj-dell Logging into Windows is different from the current concept of AD. It is based on the local user account available on the computer, which can include a domain-joined user if your computer is joined to a domain. A smart card is used to authenticate your identity when you need to join your corporate network from outside the premises.

minhaj-dell commented 6 years ago

@SaurabhSharma-MSFT OK, thanks, I understand.