[Azure AD] Pass-through Authentication and Single Sign-On

Posted by Florent Appointaire on January 5, 2017

Azure Active Directory logo

Microsoft has released a new version of Azure AD Connect (previously called DirSync), which helps you synchronize your on-premises Active Directory with Azure AD. Two new features appear in this version:

  • Pass-through authentication => lets you validate an account (password, etc.) without ADFS or an agent in the DMZ.
  • Seamless SSO => lets you sign in to Microsoft services (Office 365, Azure, etc.) without ADFS and with SSO.

These features are in preview at the moment, so don’t use them in a production environment 🙂

For more information, it’s here:

Start from the beginning, with the installation of Azure AD Connect. Download the binary here and launch the installation:

Microsoft Azure AD Connect Setup view

When the installation is done, we start the configuration. Accept the license:

Microsoft Azure AD Connect view

Choose to customize the installation:

Microsoft Azure AD Connect view

Choose whether you want to specify a custom installation location, use an existing SQL Server, etc.:

Microsoft Azure AD Connect install required components

On the next page, we choose our two new options, Pass-through Authentication and Seamless SSO:

Microsoft Azure AD Connect user sign-in

Connect to your Azure AD:

Microsoft Azure AD Connect view

Now, add the Active Directory forest that you want to synchronize to Azure AD:

Microsoft Azure AD Connect your directories

Your domain must be verified to continue:

Microsoft Azure AD sign-in configuration

Choose which OU you want to synchronize with Azure AD:

Microsoft Azure AD Connect Domain and OU filtering

Choose how to uniquely identify your users:

Microsoft Azure AD Connect uniquely identifying your users

For a POC, you can select the first option. In production, select a group of test users to synchronize:

Microsoft Azure AD Connect filter users and devices

If you want to synchronize passwords, etc., select the associated options:

Microsoft Azure AD Connect optional features

Provide an account that has permission to create a computer object in your AD:

Microsoft Azure AD Connect Enable single sign on

Launch the synchronization:

Microsoft Azure AD Connect ready to configure

You can verify that the users have been synchronized correctly:

Microsoft Azure AD Connect configuration complete

Microsoft Azure check out the new portal

In your Active Directory, a computer account has been created for the Seamless SSO:

Active Directory Users and computers window

Now, you need to trust the 2 URLs that are used for SSO. You can find these 2 URLs in the Attribute Editor tab of the computer object, in the servicePrincipalName attribute:

AZURE AD SSO ACC properties Multi-valued string Editor

Before testing the connection, we will add these 2 URLs to Internet Explorer by GPO so that the SSO connection works. Open gpedit.msc and navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and modify the setting Site to Zone Assignment List. Add the following 2 URLs, each with a value of 1:

  • https://autologon.microsoftazuread-sso.com
  • https://aadg.windows.net.nsatc.net

Show contents enter the zone assignments

Run gpupdate /force on the client/server where you want to try the SSO.
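The two manual checks above (reading the SPNs on the SSO computer object, and confirming the Site to Zone Assignment List has applied after gpupdate) can be scripted. This is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module is installed, that the computer account is named AZUREADSSOACC (the screenshot caption spells it with spaces; adjust if yours differs), and that the GPO writes its entries under the ZoneMapKey policy key, where zone 1 is Local intranet.

```powershell
# Added example (not from the original post): audit the two things the post configures by hand.
Import-Module ActiveDirectory

# Assumption: the Seamless SSO computer account created by Azure AD Connect is named AZUREADSSOACC.
$SsoAccount = 'AZUREADSSOACC'
# The two URLs the post says to trust; 1 = Local intranet zone in the Site to Zone Assignment List.
$ExpectedUrls = @('https://autologon.microsoftazuread-sso.com', 'https://aadg.windows.net.nsatc.net')
$ExpectedZone = '1'

function Get-SsoServicePrincipalNames {
    param([string]$Name = $SsoAccount)
    # Read the servicePrincipalName attribute shown in the post's Attribute Editor screenshot.
    $acc = Get-ADComputer -Identity $Name -Properties servicePrincipalName -ErrorAction Stop
    return $acc.servicePrincipalName
}

function Test-SsoZoneAssignment {
    # The GPO setting lands in the user hive as one string value per site: name = URL, data = zone number.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $results = foreach ($url in $ExpectedUrls) {
        $zone = (Get-ItemProperty -Path $policyKey -Name $url -ErrorAction SilentlyContinue).$url
        [pscustomobject]@{ Url = $url; Zone = $zone; Ok = ($zone -eq $ExpectedZone) }
    }
    return $results
}

# 1. Confirm the SPNs on the computer object cover the two SSO hostnames from the post.
$spns = Get-SsoServicePrincipalNames
foreach ($url in $ExpectedUrls) {
    $hostName = ([uri]$url).Host
    $match = $spns | Where-Object { $_ -like "HTTP/$hostName*" }
    '{0,-45} SPN present: {1}' -f $hostName, [bool]$match
}

# 2. Confirm the zone assignment has applied on this client (run after gpupdate /force).
Test-SsoZoneAssignment | Format-Table -AutoSize
```

A row with an empty Zone means the policy has not applied yet on this client; a zone other than 1 means a different GPO or a local setting is overriding the assignment.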

To finish, go to https://portal.office.com with Internet Explorer and provide your email address (it must be the same one you use to sign in to your client/server). You won’t even have time to enter your password before the authentication completes 🙂

Microsoft Portal Office view

This new feature is very interesting because you no longer need an ADFS infrastructure, which can be expensive in terms of people, maintenance, and resources.
