A John Craddock Hands-on Masterclass:
Implementing and troubleshooting authentication and authorisation protocols 

As we move into a world of digital transformation where resources are ubiquitously distributed, authentication and authorisation become the primary mechanisms to protect valuable resources. No longer are our environments constrain within our network boundaries, we need to stretch out and embrace disparate systems. These systems may include both providers and consumers of identity.

The key to success is through the efficacious implementation of the appropriate authentication and authorisation protocols to support our ecosystems. Only through a deep understanding of the protocols involved will you be able to validate and troubleshoot your systems.

Come to this 5-day masterclass and learn how to work with and troubleshoot:

  • WS-Federation
  • SAML-P
  • OpenID Connect
  • OAuth 2.0
  • REST API access
  • Windows Kerberos authentication and Kerberos Constrained Delegation

The class will provide you with a thorough grounding in the different protocols and show you how to configure, test and troubleshoot. Applications/resources will be running on IIS, and the primary identity provider will be Azure AD, you will also learn how to integrate with other identity providers.

You will work with a range of troubleshooting tools including Fiddler, Wireshark, Postman, browser development tools and more…

If you want to resolve issues quickly, this masterclass is a must. All too often we have seen issues take days to fix whereas with the correct tools and techniques it could have been resolved in minutes. After this class, you will be in an exemplary position to dramatically reduce resolution times. 

Pre-requisites and overlap with the John Craddock Identity masterclass

This class will use Azure AD and an on-premises AD as the primary sources of Identity, there will be a small amount of overlap with the identity masterclass where you will need to configure an Azure AD and Azure AD Connect. The class will only give a sparse explanation of the management aspects of Azure AD with the focus on configuring and troubleshooting authentication and authorisation for resource access. Application registration and configuration will be covered in detail. 

If you have not attended the masterclass, please make sure you are familiar with Azure AD concepts and terminology before attending this class. The class is for experienced administrators.


More details

Creating a deep-dive course is always challenging. The challenge is throwing people in at the deep end, but no so deep that they drown! The course will introduce all concepts in a fairly terse and fact-packed basis before diving deep. For some of you the intros will act as a revision and consolidation exercise, for others the intros may reveal new concepts. The key to making the masterclass work for you is:

If you need more explanation about any of the topics, your job is to ask. Please remember there is no such thing as a silly question, only silly answers.



This hands-on masterclass does what it says on the tin “Hands-On”, there are over 25 hands-on labs to strengthen and augment your learning. Along the way you will be introduced to a variety of troubleshooting tools. The labs are run in the cloud and after the masterclass you will have access to the cloud labs for a further two months. We also give you a build document that shows you how to build the labs in your own VMs and supply you with all the class websites and scripts.

Course is filling rapidly, secure your seat today

Time & Date

4th – 8th March 2019

09.00 – 17.00 CET

Central Oslo, exact venue TBD



32 990,- eks. VAT. per person

Inquiry and sign-up



Complete program

Caveat: As the class is still under development there may be some changes to the day-by-day running order as shown below.


The course will start with an introduction to identity and authentication/authorization protocol. Even if you switch to federated protocols there will inevitably be applications using Windows Authentication that you will need to integrate. To perform that integration requires Kerberos authentication. In this first day you will integrate, configure and troubleshoot Kerberos for variety of situations. Some of the scenarios are decidedly tricky and you will be challenged by cross-forest implementations. Even if you don’t have a requirement for Kerberos, in your environment, the tools and techniques that you will learn will work across all protocols.

Hands-on include:

  • Tracing Windows Authentication
  • Baseline captures with Wireshark
  • Troubleshooting with Wireshark
  • Investigating Kerberos delegation

We will start with examination of Kerberos Protocol transition which is used by the Azure AD application proxy. You will then create an Azure AD tenant and install Azure AD Connect to synchronise identities from on-premises to the cloud. Using you Kerberos knowledge you will investigate SSO for cloud identities sources from on-premises and publish a Windows authentication app through the Azure AD application proxy. You will investigate the protocols used by the proxy to authenticate users and then learn about Open ID Connect and OAuth2.0.

Hands-on include:

  • Investigating Protocol transition
  • Creating and Azure AD
  • Installing and configuring Azure AD Connect
  • Validating Seamless SSO
  • Publishing and troubleshooting a Windows auth app
  • Tracing Azure AD Proxy authentication
  • Installing, configuring and troubleshooting an OpenID Connect / OAuth 2.0 app




Day three and four is all about consolidating your knowledge on OpenID Connect and OAuth 2.0. Microsoft are introducing new behaviours for the protocol with the Azure AD V2 endpoints and you will learn about the changes. You will learn all the details of publishing both V1 and V2 apps. At the end of the day we will shift gear and you will learn how to support applications using forms authentication into your Azure AD SSO environment.

Hands-on include:

  • Remotely tracing back-channel traffic
  • Testing token validation with Fiddler breakpoints
  • Testing and troubleshooting with Postman
  • Investigating consent with the V1 endpoints
  • Deploying an app that uses the V2 endpoints
  • Investigating consent with the V2 endpoints
  • Publishing an OpenID Connect / OAuth 2.0 app through the proxy
  • Installing & publishing a forms auth app with SSO



You will install, configure and troubleshoot applications using WS-Federation and SAML protocols. And we will conclude with examining the options for sharing apps with users who are external to your organization.

Hands-on include:

  • Installing, configuring and troubleshooting a WS-Federation app
  • Installing, configuring and troubleshooting a SAML app
  • B2B federation with Google
  • B2B access Windows auth applications