Alibaba Cloud Bastionhost and Azure AD Integration

This article demonstrates how to integrate Alibaba Cloud Bastionhost to Azure AD so that users can log in to Bastionhost using accounts from Azure AD.

By Ken Xu, Alibaba Cloud Solution Architect

Alibaba Cloud Bastionhost provides a unified, efficient, and secure platform that provides cloud-based O&M, access control, and operation audit. It supports authentication using local Bastionhost authentication, RAM authentication, AD authentication, and LDAP authentication.

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps users to sign in and access resources in external and internal resources such as Microsoft 365 and apps on user's corporate network and intranet.

This tutorial helps to demonstrate how to integrate Alibaba Cloud Bastionhost to Azure AD through Azure AD Domain Service's secure LDAP. After the configuration, users will be able to log in to Alibaba Cloud Bastionhost using accounts from Azure AD.

The figure below illustrates the solution architecture.

1. Log in to the Azure console, create an Azure Active Directory or use the default AD tenant.

2. Create an Azure AD Domain Services (AD DS). AD DS provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. You can use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

3. You also need to create a resource group to manage the security of the resources, and make sure the DNS domain name is the same as your AD tenant URL.

4. Under Networking, choose from either an existing network or create a new one.

5. It will take a while (about 30mins) for the Domain services to deploy.

6. After the domain services go live, proceed to the secure LDAP console.

7. Enable Secure LDAP. You need to upload the secure LDAP certificate here. To generate the certificate you can follow the steps in the following link: https://docs.microsoft.com/en-gb/azure/active-directory-domain-services/tutorial-configure-ldaps

8. After Secure LDAP is enabled, you will be prompted to enable the inbound security in the security group. Please do so in the security group inbound security rules page. Make sure port 636 is enabled. Please note the new rule will take a while to take effect.

9. To test the domain service, go to domain service properties, find the secure LDAP external IP, and telnet it from your machine (with port 636). It should not give you any error once connected.

10. Next, create a service account (admin) for secure LDAP.

11. Assign the service account with the correct roles.

12. Please note that the account created has not been activated yet. You need to log in to Azure using the newly created account ID. The console will prompt you to reset the password. After successfully logging in, the account is ready to use. This step is not in the official Azure user guide, and oftentimes people miss this step, causing them to not be able to authenticate from Alibaba Cloud Bastionhost.

13. Now you can go to the Bastionhost console in Alibaba Cloud.

14. Navigate to System Settings > LDAP Authentication and connect to the Azure Domain Service Secure LDAP. Please note that Server Address is the secure LDAP external IP found in Azure console; Base DN and Account will depend based on your domain name of your Domain services.

15. Click on Test Connection and then Update if the connection is successful. Then go back to Azure and create a tester account. Again, you need to activate the account by logging in to Azure.