When an on-premises application needs to access Google Cloud, it’s tempting to just let it use a service account key. But if the application runs in an Active Directory environment, there’s a better alternative – we can let it use its domain credentials and “exchange” them against Google credentials. That doesn’t even require custom code anymore.
The first thing we often do after creating a new Windows VM on Google Cloud is join the VM to Active Directory. With the latest IAP Desktop release, that got a little easier.
Previously, we explored two ways of authenticating to Google Cloud using Kerberos and NTLM credentials. Both ways involved authenticating to AD FS using Integrated Windows Authentication, and then using workload identity federation. But there’s a third way that we haven’t covered yet – and it involves using the SAML HTTP-POST binding.
When an application needs to access Google Cloud APIs, it needs credentials. On Google Cloud, we can attach a service account to the underlying compute resource to let the application obtain credentials. On AWS and Azure, we can achieve much the same effect by using workload identity federation. But what about on-premises?
Workload identity federation supports OpenID Connect, so it should be compatible with AD FS. But until recently, workload identity federation didn’t work with AD FS-issued access tokens – only ID tokens worked properly. What was the issue there?
Using Integrated Windows Authentication (IWA) to authenticate to AD FS not only works for OAuth. We can also use IWA to get SAML 2.0 assertions.
When an application needs to authenticate to AD FS, we don’t have to use a client secret. Instead, we can let the application use its existing Kerberos or NTLM credentials to authenticate.
By default, installing AD FS requires domain admin access to Active Directory. But it’s possible to deploy AD FS in environments where we don’t have these privileges, like Google Cloud’s Managed Service for Microsoft Active Directory.
Cloud computing is all about being able to dynamically scale, provision, and decommission resources or entire environments on demand. But the idea that infrastructure is dynamic clashes with some assumptions Active Directory is built around, and creates a challenge if you run Windows workloads in the cloud.
Twenty years have passed since Microsoft released Windows 2000 and introduced Active Directory to the market. The excitement about Active Directory has certainly ebbed since then – but at the same time, it is difficult to overstate the impact that Active Directory has had on the IT market.