[Azure AD] Pass-through Authentication and Single Sign-On

Posted by Florent Appointaire on January 5, 2017

Azure Active Directory logo

Microsoft has released a new version of Azure AD Connect (previously called DirSync) that helps you synchronize your on-premises Active Directory with Azure AD. Two new features appear in this version:

  • Pass-through authentication => lets you validate an account (password, etc.) against your on-premises AD without ADFS or an agent in the DMZ.
  • Seamless SSO => lets you sign in to Microsoft services (Office 365, Azure, etc.) without ADFS, with single sign-on from a domain-joined machine.


These features are in preview at this moment, so don’t use them in a production environment 🙂

For more information, see the announcement here:
https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/introducing-azuread-pass-through-authentication-and-seamless-single-sign-on/

Let's start from the beginning, with the installation of Azure AD Connect. Download the binary and launch the installation:

Microsoft Azure AD Connect Setup view

When the installation is done, we will start the configuration. Accept the license:

Microsoft Azure AD Connect view

Choose to customize the installation:

Microsoft Azure AD Connect view

Choose whether you want to specify a custom installation location, use an existing SQL Server, etc.:

Microsoft Azure AD Connect view

On the next page, we will choose our two new features, Pass-through Authentication and Seamless SSO:

Microsoft Azure AD Connect view

Connect to your Azure AD:

Microsoft Azure AD Connect view

Now, add the Active Directory forest that you want to synchronize to Azure AD:

Microsoft Azure AD Connect view

Your domain must be verified to continue:

Microsoft Azure AD Connect view

Choose which OUs you want to synchronize with Azure AD:

Microsoft Azure AD Connect view

Choose how to uniquely identify your users:

Microsoft Azure AD Connect view

For a POC, you can select the first option. In production, select a group of test users to synchronize first:

Microsoft Azure AD Connect view

If you want to synchronize password hashes, etc., select the associated options:

Microsoft Azure AD Connect view

Provide an account that has permission to create a computer object in your AD:

Microsoft Azure AD Connect view

Launch the synchronization:

Microsoft Azure AD Connect view

You can verify that the users have been synchronized correctly:

Microsoft Azure AD Connect view

Microsoft Azure view

In your Active Directory, a computer account has been created for Seamless SSO:

Active Directory Users and computers window

Now, you need to trust the two URLs that are used for the SSO. You can find these two URLs in the Attribute Editor tab of the computer object, in the servicePrincipalName attribute:

AZUREADSSOACC

Before testing the connection, we will push these two URLs to Internet Explorer by GPO for the SSO connection. Open gpedit.msc and navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, then modify the setting Site to Zone Assignment List. Add the following two URLs, each with a value of 1 (Local intranet zone):

Show contents

Run gpupdate /force on the client/server where you want to try the SSO.
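As an added check (example script, not from the original post), the following PowerShell reads the SPNs from the AZUREADSSOACC computer object and compares them with the zone assignments the GPO actually applied on the client. It assumes the RSAT ActiveDirectory module is installed, and the policy registry path under HKCU is an assumption about where the Site to Zone Assignment List setting stores its entries.

```powershell
# Added example, not part of the original post or of Azure AD Connect itself.
# Assumptions: RSAT ActiveDirectory module is available; the SSO computer
# object is named AZUREADSSOACC as in the post; the GPO writes its list to
# the ZoneMapKey path below (assumed location of the applied policy).
Import-Module ActiveDirectory

$ssoAccount = 'AZUREADSSOACC'
$zoneMapKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# 1. Read the servicePrincipalName attribute of the Seamless SSO computer object.
$computer = Get-ADComputer -Identity $ssoAccount -Properties servicePrincipalName

# 2. Keep only the HTTP SPNs and strip the "HTTP/" prefix to get the hostnames
#    that Internet Explorer must place in the Local intranet zone (1).
$ssoHosts = $computer.servicePrincipalName |
    Where-Object { $_ -match '^HTTP/' } |
    ForEach-Object { ($_ -split '/', 2)[1] }

Write-Host "HTTP SPN hostnames on ${ssoAccount}:"
$ssoHosts | ForEach-Object { Write-Host "  $_" }

# 3. Compare against what the GPO applied on this client after gpupdate.
if (-not (Test-Path $zoneMapKey)) {
    Write-Warning "No Site to Zone Assignment List policy applied here; run gpupdate /force and retry."
    return
}
$applied = Get-ItemProperty -Path $zoneMapKey
foreach ($h in $ssoHosts) {
    # Policy entries are named after the site URL, so match on the hostname.
    $zone = $applied.PSObject.Properties |
        Where-Object { $_.Name -match [regex]::Escape($h) } |
        Select-Object -First 1 -ExpandProperty Value
    if ($zone -eq '1') {
        Write-Host "OK      $h is in the Local intranet zone (1)"
    } elseif ($null -eq $zone) {
        Write-Warning "MISSING $h has no zone assignment; SSO will prompt for credentials"
    } else {
        Write-Warning "WRONG   $h is assigned zone $zone, expected 1"
    }
}
```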

To finish, go to https://portal.office.com with Internet Explorer and provide your email address (it must match the account you use to sign in to your client/server). You will not even have time to type your password before the authentication completes 🙂

Portal Office view

This new feature is very interesting because you no longer need an ADFS infrastructure, which can be expensive in terms of people, maintenance and resources.

Florent Appointaire
Florent Appointaire is a Microsoft Engineer with 5 years of experience, specialized in Cloud Technologies (Public/Hybrid/Private). He has been a freelance consultant in Belgium since the beginning of 2017. He is an MVP in Cloud and Datacenter Management, and is MCSE Private Cloud and Hyper-V certified. His favorite products are SCVMM, SCOM, Windows Azure Pack/Azure Stack and Microsoft Azure.