microsoft / service-fabric

Service Fabric is a distributed systems platform for packaging, deploying, and managing stateless and stateful distributed applications and containers at large scale.
https://docs.microsoft.com/en-us/azure/service-fabric/
MIT License

Question-Service fabric securing with onprem active directory group #164

Open nareshkhatri81 opened 6 years ago

nareshkhatri81 commented 6 years ago

Is there a way to secure SFx with an on-prem Active Directory group?

Thanks Naresh

rishirsinha commented 6 years ago

@Rajeet (rajeetn@microsoft.com) please respond.


From: Naresh Khatri <notifications@github.com>
Sent: Wednesday, June 27, 2018 3:53:35 PM
To: Microsoft/service-fabric
Cc: Subscribed
Subject: [Microsoft/service-fabric] Question-Service fabric securing with onprem active directory (#164)

How does Service Fabric connect with on-prem Active Directory? Does it use the LDAP protocol or OAuth? Is there a way to secure SFx with an Active Directory group?

Thanks Naresh


nareshkhatri81 commented 6 years ago

@rishirsinha @rajeet I was able to set up individual client identities, and it worked with Windows integrated authentication with SFx. My next question is: does it support AD groups for authentication/authorization? So instead of putting a list of users in the configuration file during cluster creation, we would specify an AD group containing the list of users and machine accounts/service accounts/gMSAs etc.

Thanks, Naresh Khatri

rishirsinha commented 6 years ago

Client identities can be any AD object. The auth is handled by Windows security providers.

nareshkhatri81 commented 6 years ago

@rishirsinha when doing a lookup for AD groups, SF seems to look at the domain the SF servers are in, for example (1) worker1.domain1.com (2) worker2.domain1.com (3) worker3.domain1.com

So in this case SF will look up the group at domain1.com in AD. Is it possible to specify that the lookup be done at a different domain, like domain2.com? Correct me if my understanding of SF is wrong.

In the SF cluster, inside one of the VMs, I can look up groups inside domain2.com if I change the location to domain2.com; by default it searches in domain1.com.

Thanks, Naresh Khatri
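The following PowerShell is an added example, not code from the service-fabric project or from anyone in this thread. It ties together rishirsinha's point that a client identity can be any AD object resolved by the Windows security providers, and Naresh's question about groups that live in a second domain: before listing an identity in a standalone cluster's ClusterConfig.json, it checks that the node can translate that name to a SID (the same name-to-SID lookup Windows performs), then emits the "security" section with the group as a client identity. The layout of the "security" section follows the documented standalone-cluster Windows-security format; the domain names, group names, machine group and the existence of a trust between DOMAIN1 and DOMAIN2 are placeholders and assumptions. A name resolving on the node is a prerequisite, not proof that the cluster will accept it.

```powershell
# Added example (not from the service-fabric repo). Assumes this runs on a
# domain-joined cluster node and that any second domain is reachable via a trust.
# DOMAIN1, DOMAIN2 and all group names below are placeholders.

function Resolve-ClientIdentity {
    # Translate a Windows account name to its SID using the node's own
    # security providers. An unresolvable name will not authorize anyone.
    param([Parameter(Mandatory)][string]$Identity)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
            [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Identity = $Identity; Sid = $sid.Value; Resolved = $true }
    } catch {
        [pscustomobject]@{ Identity = $Identity; Sid = $null; Resolved = $false }
    }
}

function New-WindowsSecuritySection {
    # Build the "security" section of ClusterConfig.json for Windows security,
    # refusing to emit any identity that does not resolve from this node.
    param(
        [Parameter(Mandatory)][string]$ClusterIdentity,  # machine group the nodes belong to (assumption: 'DOMAIN\Group$')
        [Parameter(Mandatory)][string[]]$AdminIdentities,
        [string[]]$UserIdentities = @()
    )
    $all = @($AdminIdentities) + @($UserIdentities)
    $unresolved = $all | ForEach-Object { Resolve-ClientIdentity $_ } |
        Where-Object { -not $_.Resolved }
    if ($unresolved) {
        throw "Unresolved identities (fix before deploying): $($unresolved.Identity -join ', ')"
    }

    $clients = @()
    foreach ($id in $AdminIdentities) { $clients += [ordered]@{ Identity = $id; IsAdmin = $true } }
    foreach ($id in $UserIdentities)  { $clients += [ordered]@{ Identity = $id; IsAdmin = $false } }

    [ordered]@{
        security = [ordered]@{
            ClusterCredentialType = 'Windows'
            ServerCredentialType  = 'Windows'
            WindowsIdentities     = [ordered]@{
                ClusterIdentity  = $ClusterIdentity
                ClientIdentities = $clients
            }
        }
    } | ConvertTo-Json -Depth 5
}

# Usage: an admin group in the nodes' own domain plus a read-only group in a
# second, trusted domain, both written with the NetBIOS domain prefix.
New-WindowsSecuritySection -ClusterIdentity 'DOMAIN1\SFNodes$' `
    -AdminIdentities 'DOMAIN1\SF-ClusterAdmins' `
    -UserIdentities  'DOMAIN2\SF-ReadOnly'
```

Running this on a node of the cluster rather than on a workstation matters: the question in the thread is precisely whether the node, not the operator's machine, can resolve a group from domain2.com, and a throw from the script on the node surfaces that before the configuration is deployed. Keeping admin and non-admin groups separate mirrors the IsAdmin split in the config and keeps cluster-administration rights off the broader read-only group.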