Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

[Azure AD] Passthrough Authentification and Single Sign On

  • January 5, 2017
  • 6 min read
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.

Azure Active Directory logo

Microsoft releases a new version of Azure AD Connect (previous was called DirSync) that help you to synchronize your on-premises Active Directory to Azure AD. 2 new functionalities appear with this new version:

  • Passthrough authentication => Give you the possibility to validate an account (password, etc.) without ADFS or agent in DMZ.
  • Seamless SSO => Give you the possibility to connect to Microsoft Services (Office365, Azure, etc.) without an ADFS and with SSO.

These functionalities are in preview at this moment, so don’t use them in a production environment  🙂

For more information, it’s here:
https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/introducing-azuread-pass-through-authentication-and-seamless-single-sign-on/

Start from the beginning, with the installation of Azure AD Connect. Download binary here and launch the installation:

Microsoft Azure AD Connect Setup view

When the installation is done, we will start the configuration. Accept the license:

Microsoft Azure AD Connect view

Choose to customize the installation:

Microsoft Azure AD Connect view

Choose if you want to specify a custom installation location, use an existing SQL Server, etc:

Microsoft Azure AD Connect install required components

In the next page, we will choose our 2 new, PassThrough Authentication and Seamless SSO:

Microsoft Azure AD Connect user sign-in

Connect to your Azure AD:

Microsoft Azure AD Connect view

Now, add Active Directory forest that you want to synchronize to Azure AD:

Microsoft Azure AD Connect your directories

Your domain must be verified to continue:

Microsoft Azure AD sign-in configuration

Choose which OU you want to synchronize with Azure AD:

Microsoft Azure AD Connect Domain and OU filtering

Choose how to identify uniquely your users:

Microsoft Azure AD Connect uniquely identifying your users

For a POC, you can select the first option. In production, select a group with user test to synchronize:

Microsoft Azure AD Connect filter users and devices

If you want to synchronize password, etc. select options associated:

Microsoft Azure AD Connect optional features

Provide an account who has permission to create a computer object in your AD:

Microsoft Azure AD Connect Enable single sigh on

Launch the synchronization:

Microsoft Azure AD Connect ready to configure

You can verify the users have been synchronized correctly:

Microsoft Azure AD Connect configuration complete

Microsoft Azure check out the new portal

In your Active Directory, a computer account has been created for the Seamless SSO:

Active Directory Users and computers window

Now, you need to trust 2 URLs that are used for the SSO. You can find these 2 URLs in the attribute tab of the computer object, with attribute servicePrincipalName:

AZURE AD SSO ACC properties Multi-valued string Editor

Before testing the connection, we will add by GPO these 2 URLs to Internet Explorer for the SSO connection. Open gpedit.msc and navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and modify the parameter Site to Zone Assignment List. Add the following 2 URLs, with a value of 1:

  • https://autologon.microsoftazuread-sso.com
  • https://aadg.windows.net.nsatc.net

Show contents enter the zone assignements

Do a gpupdate /force on the client/server where you want to try the SSO.

To finish, go to https://portal.office.com with Internet Explorer and provide your email address (must be the same that you use to connect to your client/server). You will not have the time to provide your password that the authentication will be done 🙂

Microsoft Portal Office view

This new functionality is very interesting because you don’t need ADFS infrastructure anymore, who can be expensive in terms of human, maintenance, and resources.

Hey! Found Florent’s insights useful? Looking for a cost-effective, high-performance, and easy-to-use hyperconverged platform?
Taras Shved
Taras Shved StarWind HCI Appliance Product Manager
Look no further! StarWind HCI Appliance (HCA) is a plug-and-play solution that combines compute, storage, networking, and virtualization software into a single easy-to-use hyperconverged platform. It's designed to significantly trim your IT costs and save valuable time. Interested in learning more? Book your StarWind HCA demo now to see it in action!