Using the same credential (username and password) to access your corporate resources and cloud-based services ensures that users don’t have to remember different credentials. It reduces the chance that they forget how to sign in and has the benefit of reducing help desk involvement in password reset events.
While many organizations are comfortable with using Azure AD password synchronization to provide users with a single credential to access on-premises and cloud services, other organizations require that passwords, even in hashed form, do not leave their internal organizational boundary.
Azure AD pass-through authentication provides a simple solution for these customers. It ensures that password validation for Azure AD services is performed against their on-premises Active Directory. Passwords can be validated without the need for complex network infrastructure or for the on-premises passwords to exist in the cloud in any form.
When combined with the Single Sign-On option, users do not need to type their password to sign in to Azure AD or other cloud services. This feature provides these customers with a truly integrated experience on their corporate machines.
Pass-through authentication is configured with Azure AD Connect and uses a simple on-premises agent that listens for password validation requests. The agent can be deployed to multiple machines to provide high availability and load balancing. Since all communication is outbound only, there is no requirement for a DMZ or for the connector to be installed in one. The machine requirements for the connector are as follows:
· Windows Server 2012 R2 or higher
· Joined to a domain in the forest that users are validated in
Multi-forest environments can be supported if there are trusts between the forests and name suffix routing is correctly configured.
Supported Clients in the preview
Pass-through authentication is supported for web browser-based clients and Office clients that support modern authentication. For clients that are not supported, such as legacy Office clients and Exchange ActiveSync (that is, native email clients on mobile devices), customers are encouraged to use the modern authentication equivalent. Modern authentication clients not only support pass-through authentication, but also allow conditional access policies, such as multi-factor authentication, to be applied.
For customers using Windows 10 joined to Azure AD, pass-through authentication is not currently supported. However, customers can use password sync as an automatic fallback for Windows 10 as well as for legacy clients.
During the preview, password synchronization is enabled by default when pass-through authentication is selected as the sign-in option in Azure AD Connect. This setting can be disabled on the Optional features page of Azure AD Connect.
How Azure AD Pass-through Authentication works
When a user enters their username and password into the Azure AD sign-in page, Azure AD places the username and password on the appropriate on-premises connector queue for validation. One of the available on-premises connectors then retrieves the username and password and validates them against Active Directory. The validation occurs over standard Windows APIs, similar to how Active Directory Federation Services validates passwords.
The on-premises Domain Controller then evaluates the request and returns a response to the connector, which in turn returns this response to Azure AD. Azure AD then evaluates the response and responds to the user as appropriate, for example by issuing a token or asking for multi-factor authentication. This diagram shows the various steps:
Azure AD Pass-through prerequisites
Before you can enable and use Azure AD pass-through authentication, you need to have:
· Azure AD Connect
· An Azure AD tenant for which you are a global administrator.
It is recommended that this account is a cloud-only admin account, so that you can still manage the configuration of your tenant should your on-premises services fail or be unavailable.
· A server running Windows Server 2012 R2 or higher on which to run Azure AD Connect. This machine must be a member of the same forest as the users who are validated.
· If you have more than one forest containing users to be validated with Azure AD, the forests must have trusts between them.
· On-premises UserPrincipalName must be used as the Azure AD username.
· A second server running Windows Server 2012 R2 or higher on which to run a second connector for high availability and load balancing. Instructions are included below on how to deploy this connector.
· If there is a firewall between the connector and Azure AD, make sure that:
· If URL filtering is enabled, ensure that the connector can communicate with the following URLs:
The connector also makes direct IP connections to the Azure data center IP ranges.
· Ensure that the firewall does not perform SSL inspection, as the connector uses client certificates to authenticate to Azure AD.
· Ensure the connector can make HTTPS (TCP) requests to Azure AD on the ports below.
If your firewall enforces traffic according to the originating user, open these ports for traffic coming from Windows services running as Network Service. Also, make sure to enable port 8080 for NT Authority\System.
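The firewall requirements above are easy to get wrong, and the most common failure is an inspecting proxy re-signing the TLS session so the connector's client certificate never reaches Azure AD. The following PowerShell script is an added example, not part of the original post and not a Microsoft tool: it checks the OS version and domain membership of the prospective connector host, tests outbound TCP reachability on 443 and 8080, and reads the issuer of the certificate presented by each endpoint so that an internal inspection CA shows up instead of a public one. The endpoint list is an assumption (a well-known Azure AD host used only as a sample); replace it with the URL list from the Azure AD Connect documentation.

```powershell
# Added example (not from the original post or from Microsoft): pre-flight checks
# for an Azure AD pass-through authentication connector host.
param(
    # Assumption: sample endpoint only. Substitute the URLs from the documentation.
    [string[]] $Endpoints = @('login.microsoftonline.com'),
    # 443 for HTTPS; 8080 is the extra port the post says must be open for NT Authority\System.
    [int[]]    $Ports     = @(443, 8080)
)

function Test-ConnectorHost {
    # Windows Server 2012 R2 reports NT version 6.3; anything older is unsupported.
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{
        OSVersion    = $os.Version
        OSSupported  = ([Version]$os.Version -ge [Version]'6.3')
        Domain       = $cs.Domain
        # The connector must be joined to a domain in the forest whose users it validates.
        DomainJoined = $cs.PartOfDomain
    }
}

function Test-OutboundPort {
    param([string]$HostName, [int]$Port)
    # Test-NetConnection ships with Windows Server 2012 R2 and later.
    $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $HostName; Port = $Port; Open = $r.TcpTestSucceeded }
}

function Get-RemoteTlsIssuer {
    param([string]$HostName, [int]$Port = 443)
    # Open a TLS session and read the certificate the far end presents. If the
    # issuer is your corporate proxy or inspection CA rather than a public CA,
    # the firewall is doing SSL inspection and the connector's client-certificate
    # authentication will fail. The validation callback accepts any certificate
    # because we only want to look at it; nothing is sent over this session.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    } finally {
        $tcp.Close()
    }
}

# Run all checks and print the results.
Test-ConnectorHost | Format-List
foreach ($h in $Endpoints) {
    foreach ($p in $Ports) { Test-OutboundPort -HostName $h -Port $p }
    Get-RemoteTlsIssuer -HostName $h
}
```

Run it as the account the connector service will use (Network Service cannot be impersonated interactively, so run it elevated and read the result with that caveat in mind). A `Issuer` value naming your own enterprise CA on a Microsoft host is the tell-tale sign of SSL inspection; fix the proxy exception before installing the connector rather than after.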
Step by step enabling Pass-through Authentication
Azure AD pass-through authentication is enabled via Azure AD Connect. Enabling pass-through authentication deploys the first connector on the same server as Azure AD Connect. When installing Azure AD Connect, select a custom installation and select Pass-through authentication on the User Sign-In page.
1. Run the Azure AD Connect tool. On the Welcome page, check “I agree to the license terms and privacy notice” and click Continue.
2. At Express Settings click Customize.
3. At User Sign-In:
Choose Pass-through authentication.
4. At Connect to Azure AD:
Type an Azure AD or Office 365 administrator account, for example admin@<your tenant>.onmicrosoft.com.
Type the password.
5. At Connect Directories:
Type a Domain Admin account.
Type the user password.
6. At Azure AD sign-in:
7. At Domain/OU Filtering:
I chose Sync selected domains and OUs, but you can choose Sync all domains and OUs.
I chose the Computers OU and the Lab OU.
8. At Identifying users:
I chose Users are represented only once across all directories.
9. At Filtering:
I chose Synchronize all users and devices.
10. At Optional features:
I chose Password writeback and Password synchronization.
11. At Enable Single Sign On:
12. At Ready to configure:
Check “Start the synchronization process when configuration completes”
13. Click Exit.
14. I got an issue when testing the SSO scenario on my client PC.
“For Security purpose, this application requires you to sign in again”
15. After I checked, I found that we must add 2 URLs to the Local Intranet Zone in Internet Explorer's Internet Options.
16. On the second test, SSO is working.
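The sign-in-again error in step 14 appears because Internet Explorer only sends the user's Kerberos ticket to sites it places in the Local Intranet zone. Adding the sites by hand on one PC works for a lab, but in practice you want the change scripted and verifiable. The following PowerShell is an added example, not from the original post: it writes the same per-user registry entries the Internet Options dialog writes, reads them back, and flags the case where a Group Policy zone map (which silently overrides per-user entries) is in force. The post does not name the two URLs; the first host below is the Azure AD Seamless SSO endpoint from Microsoft's documentation as I know it, and the second is a constructed placeholder, so substitute the pair from the documentation you are following.

```powershell
# Added example (not from the original post): manage Local Intranet zone entries
# for Azure AD Seamless SSO for the current user.
$ZoneMapRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyZoneMapKey  = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$LocalIntranetZone = 1   # zone ids: 0 My Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted

function Get-ZoneMapKeyPath {
    param([Parameter(Mandatory)][string]$HostName)
    # IE stores 'sub.example.com' as Domains\example.com\sub, and a bare
    # 'example.com' as Domains\example.com.
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domain = $labels[-2..-1] -join '.'
    $path   = Join-Path $ZoneMapRoot $domain
    if ($labels.Count -gt 2) {
        $sub  = $labels[0..($labels.Count - 3)] -join '.'
        $path = Join-Path $path $sub
    }
    $path
}

function Add-IntranetZoneHost {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    # The value name is the scheme and the DWORD data is the zone id.
    $keyPath = Get-ZoneMapKeyPath -HostName $HostName
    New-Item -Path $keyPath -Force | Out-Null
    New-ItemProperty -Path $keyPath -Name $Scheme -PropertyType DWord `
        -Value $LocalIntranetZone -Force | Out-Null
    $keyPath
}

function Get-IntranetZoneHost {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    # Returns the zone id stored for the host, or $null if there is no entry.
    $keyPath = Get-ZoneMapKeyPath -HostName $HostName
    if (-not (Test-Path $keyPath)) { return $null }
    (Get-ItemProperty -Path $keyPath -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
}

function Test-ZoneMapPolicyInForce {
    # When the "Site to Zone Assignment List" policy is applied, IE uses the
    # machine policy map and ignores per-user entries, so a script like this one
    # has no effect and the sites must be added through Group Policy instead.
    Test-Path $PolicyZoneMapKey
}

# Constructed sample input: first host is the documented Seamless SSO endpoint
# (my assumption, not stated in the post); the second is a placeholder.
$SsoHosts = @('autologon.microsoftazuread-sso.com', 'sso.example.com')

if (Test-ZoneMapPolicyInForce) {
    Write-Warning 'A Group Policy zone map is in force; per-user entries will be ignored.'
}
foreach ($h in $SsoHosts) {
    $key  = Add-IntranetZoneHost -HostName $h
    $zone = Get-IntranetZoneHost -HostName $h
    [pscustomobject]@{ Host = $h; RegistryKey = $key; ZoneId = $zone; InIntranetZone = ($zone -eq $LocalIntranetZone) }
}
```

Close and reopen Internet Explorer after running it; the zone map is read when the browser starts. Because the entries are per-user, the fix in step 15 has to be repeated for every user on every machine unless it is delivered through Group Policy, which is also the only method that survives the policy override the script warns about.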