- Configuring SSO between Active Directory and Azure using pass-through authentication - Mon, May 2 2022
- Set up a high availability Hyper-V cluster - Mon, Aug 3 2015
In a hybrid environment, many companies are already implementing a single credentials strategy. Users log in to their Active Directory accounts, and then they can also access public cloud applications such as those from M365.
This is often achieved by a relatively maintenance-intensive AD FS infrastructure. Pass-through authentication offers a simple alternative, which requires only an agent installation on-prem.
Advantages of using pass-through authentication ^
So, what advantages does pass-through authentication offer compared to other technologies, such as Active Directory Federation Services (AD FS)? A few examples will help clarify:
- Pass-through authentication can be easily configured via Azure AD Connect (as a sign-in method).
- The pass-through authentication agents are compact and can be installed on multiple servers in a highly available manner (but not multiple agents on one server).
- The agents only communicate outbound with Azure AD via TCP port 443 (HTTPS requests for feature operations) and port 80 to Azure Active Directory (HTTP requests for downloading CRLs). Further firewall adjustments are not required, since outbound ports 80 and 443 are mostly already allowed.
- Placement in a DMZ is not required.
- Pass-through authentication does not require password hash transfer to the public cloud because authentication is done on-prem against Active Directory.
- If the login account is locked in AD, then the user cannot log in to M365 either.
- Password changes take effect immediately; there is no need to wait for a replication window (two minutes).
- Pass-through authentication works together with MFA and Conditional Access Policies.
- Self-service password reset (SSPR) in the cloud is supported (password writeback).
How pass-through authentication works ^
- In my example, a new user opens their cloud application.
- The request is routed to Azure AD, and the user enters their credentials to log in (response by Azure AD security token service).
- The password is encrypted with the pass-through authentication agent's public key (this is stored in Azure SQL for each registered agent). The encrypted password remains in the service bus queue until the pass-through authentication agent (permanently connected to the queue) receives it. Unlike AD FS, the cloud fetches its credentials and processes them in a queue.
- The pass-through authentication agent receives the username and encrypted password through an outbound connection.
- The agent on the on-prem system processes this login queue and decrypts the password using its private key.
- The credentials are validated against the on-prem AD DS using the Win32 LogonUser API.
- Active Directory then validates the request and acknowledges it as successful, failed, password expired, account locked, or credentials incorrect.
- The pass-through authentication agent forwards this response back to Azure AD.
- An assessment takes place at this point to determine whether this result is related to the log-in request.
- If the result is positive, the user can access the application.
Note: Agents do not communicate with each other but only with the public cloud. Also, there is no load balancing required when using multiple agents. The Windows server running the agents should be hardened.
Configuring pass-through authentication ^
As mentioned earlier, pass-through authentication can be configured quickly using an already installed Azure Active Directory Connect (AAD Connect). The wizard guides you through the necessary steps via the Change user sign-in task.
To begin, you need to connect to Azure AD via my global administrator as usual.
After that, you can select the pass-through authentication login option via the corresponding radio button. Additionally, the box Enable single sign-on is already checked.
If you decide to use single sign-on, then the credentials of the local domain admin have to be verified once.
The configuration for pass-through authentication is already done here. In this case, the password hash synchronization is still active (backup) and can be deactivated later, if required.
Once the configuration is confirmed, the AAD Connect pass-through authentication agent is automatically installed. Alternatively, this can be loaded from the Azure Portal and set up manually on additional servers (server core is not supported).
Now, two additional on-prem services are provided, one is the Azure AD Connect Authentication Agent and the other is Microsoft Azure AD Connect Agent Updater.
In Azure AD, it is possible to verify that the Authentication Agent is communicating properly.