Azure AD Connect – How to connect your Active Directory Domain to Azure AD? – Part 2 | Pass-through Authentication


Azure Active Directory (Azure AD) Pass-through Authentication (PTA) allows your users to sign in to both on-premises and cloud-based applications with the same password. This gives users a better experience (one less password to remember) and reduces IT help desk costs, because users are less likely to forget how to sign in. When a user signs in through Azure AD, PTA validates the password directly against your on-premises Active Directory; unlike password hash synchronization, no password hash is stored in the cloud.


  1. The user tries to access an application, for example, Outlook Web App.
  2. If the user is not already signed in, the user is redirected to the Azure AD User Sign-in page.
  3. The user enters their username and password into the Azure AD sign in page, and then selects the Sign in button.
  4. Azure AD, on receiving the sign-in request, places the username and the password (encrypted with the Authentication Agent's public key) in a queue. Azure AD itself never holds the cleartext password.
  5. An on-premises Authentication Agent retrieves the username and encrypted password from the queue. Note that the Agent doesn’t frequently poll for requests from the queue, but retrieves requests over a pre-established persistent connection.
  6. The agent decrypts the password by using its private key.
  7. The agent validates the username and password against Active Directory by using standard Windows APIs, which is a similar mechanism to what Active Directory Federation Services (AD FS) uses. The username can be either the on-premises default username, usually userPrincipalName, or another attribute configured in Azure AD Connect (known as Alternate ID).
  8. The on-premises Active Directory domain controller (DC) evaluates the request and returns the appropriate response (success, failure, password expired, or user locked out) to the agent.
  9. The Authentication Agent, in turn, returns this response back to Azure AD.
  10. Azure AD evaluates the response and responds to the user as appropriate. For example, Azure AD either signs the user in immediately or requests Azure Multi-Factor Authentication.
  11. If the user sign-in is successful, the user can access the application.

Key points

  • Effort. For PTA, you need one or more (three recommended) lightweight agents installed on existing domain-joined servers. The agents need unconstrained network access to your on-premises Active Directory domain controllers and outbound Internet access; they accept no inbound connections. Because of the domain controller requirement, deploying the agents in a perimeter network is not supported. Install the agents as close as possible to your domain controllers to reduce latency. All network traffic is encrypted and limited to authentication requests.
  • Cost. Azure AD Connect is free to use and is the tool you use to configure the PTA settings.
  • User experience. To improve users’ sign-in experience, deploy Seamless SSO with Pass-through Authentication. Seamless SSO eliminates unnecessary prompts after users sign in.
  • Hybrid scenarios. Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is denied when the on-premises account is disabled, locked out, has an expired password, or is used outside its permitted sign-in hours. You can also use Azure AD Smart Lockout to protect against brute-force password attacks; it can prevent the on-premises Active Directory account from being locked out when an account lockout policy is set in Active Directory, but only if the Azure AD lockout threshold is lower than the on-premises threshold, so that Azure AD stops forwarding attempts before the on-premises counter is reached.
  • MFA Considerations. Organizations that require multi-factor authentication with pass-through authentication must use Azure Multi-Factor Authentication (MFA). Those organizations can’t use a third-party or on-premises multi-factor authentication method.
  • Limitations. If you need the leaked-credentials reports in Azure AD Identity Protection, you must also deploy password hash synchronization, whether or not you choose pass-through authentication. Pass-through Authentication is also not integrated with Azure AD Connect Health; agent status is shown in the Azure AD admin center instead.
  • Business continuity. As mentioned, you need to deploy at least two extra pass-through authentication agents. These extras are in addition to the first agent on the Azure AD Connect server. This additional deployment ensures high availability of authentication requests. When you have three agents deployed, one agent can still fail when another agent is down for maintenance. There’s another benefit to deploying password hash synchronization in addition to pass-through authentication. It acts as a backup authentication method when the primary authentication method is no longer available.
  • Manual action in case of failure. You can use password hash synchronization as a backup authentication method for pass-through authentication, when the agents can’t validate a user’s credentials due to a significant on-premises failure. Fail-over to password hash synchronization doesn’t happen automatically and you must use Azure AD Connect to switch the sign-on method manually.
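The following PowerShell is an added example, not code from this post or from Microsoft's Authentication Agent. It mirrors steps 7 and 8 of the flow above and the account-state bullet in the key points: a credential is validated against on-premises Active Directory through the standard Windows API the agent category uses (System.DirectoryServices.AccountManagement), and on failure the account states PTA enforces (disabled, locked out, password expired, sign-in hours) are checked to explain the denial. It assumes a domain-joined machine with the RSAT ActiveDirectory module; the function and parameter names are this example's own.

```powershell
# Added example (not the Authentication Agent's code): validate a username/password
# against on-premises AD with standard Windows APIs (step 7), then classify the result
# the way a domain controller would report it back (step 8).
# Assumes: domain-joined host, RSAT ActiveDirectory module, DC reachability.
# Function and parameter names are this example's own.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Import-Module ActiveDirectory -ErrorAction Stop

function Test-LogonHoursNow {
    # logonHours is a 21-byte bitmask: 168 bits, one per hour of the week, starting
    # Sunday 00:00 UTC, least-significant bit first within each byte. $null means no restriction.
    param([byte[]]$LogonHours, [datetime]$Utc = (Get-Date).ToUniversalTime())
    if (-not $LogonHours) { return $true }
    $hourOfWeek = ([int]$Utc.DayOfWeek * 24) + $Utc.Hour     # Sunday = 0
    $byte = $LogonHours[[math]::Floor($hourOfWeek / 8)]
    return (($byte -shr ($hourOfWeek % 8)) -band 1) -eq 1
}

function Test-OnPremCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # UPN or DOMAIN\sAMAccountName
        [string]$Domain = $env:USERDNSDOMAIN
    )
    # Step 7: the same kind of Windows API the agent uses; returns only true/false.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $Domain)
    try {
        $ok = $ctx.ValidateCredentials($Credential.UserName, $Credential.GetNetworkCredential().Password)
    } finally { $ctx.Dispose() }

    # Resolve the account whether a UPN or a sAMAccountName was supplied (cf. Alternate ID).
    $name = $Credential.UserName
    $filter = if ($name -match '@') { "UserPrincipalName -eq '$name'" }
              else { "SamAccountName -eq '$($name.Split('\')[-1])'" }
    $user = Get-ADUser -Filter $filter -Properties Enabled, LockedOut, PasswordExpired, AccountExpirationDate, logonHours

    # Step 8 ordering: a disabled/locked/expired account is denied regardless of the
    # password, so those states are reported before a plain bad-password result.
    $status = if (-not $user)                        { 'UserNotFound' }
              elseif (-not $user.Enabled)            { 'AccountDisabled' }
              elseif ($user.LockedOut)               { 'AccountLockedOut' }
              elseif ($user.PasswordExpired)         { 'PasswordExpired' }
              elseif ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) { 'AccountExpired' }
              elseif (-not (Test-LogonHoursNow -LogonHours $user.logonHours)) { 'OutsideLogonHours' }
              elseif ($ok)                           { 'Success' }
              else                                   { 'BadPassword' }

    [pscustomobject]@{ User = $name; CredentialValid = $ok; Status = $status }
}

# Usage (prompts for the password; never hard-code it):
# Test-OnPremCredential -Credential (Get-Credential 'user@contoso.com')
```

Each call is a real logon attempt against a domain controller and counts toward the on-premises lockout threshold, exactly as a failed PTA sign-in does; run it once per investigation, not in a loop. The status order is the point of the example: PTA surfaces the domain controller's verdict, so a user who is locked out or outside sign-in hours is denied even with the correct password.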

Comparing methods

The three methods compared in the original table are abbreviated below as PHS (Password hash synchronization + Seamless SSO), PTA (Pass-through Authentication + Seamless SSO) and AD FS (Federation with AD FS).

Where does authentication happen?
  • PHS: In the cloud
  • PTA: In the cloud, after a secure password verification exchange with the on-premises authentication agent
  • AD FS: On-premises

What are the on-premises server requirements beyond the provisioning system (Azure AD Connect)?
  • PHS: None
  • PTA: One server for each additional authentication agent
  • AD FS: Two or more AD FS servers; two or more WAP servers in the perimeter/DMZ network

What are the requirements for on-premises Internet and networking beyond the provisioning system?
  • PHS: None
  • PTA: Outbound Internet access from the servers running authentication agents
  • AD FS: Inbound Internet access to WAP servers in the perimeter; inbound network access to AD FS servers from the WAP servers; network load balancing

Is there an SSL certificate requirement?
  • PHS: No
  • PTA: No
  • AD FS: Yes

Is there a health monitoring solution?
  • PHS: Not required
  • PTA: Agent status provided by the Azure Active Directory admin center
  • AD FS: Azure AD Connect Health

Do users get single sign-on to cloud resources from domain-joined devices within the company network?
  • PHS: Yes, with Seamless SSO
  • PTA: Yes, with Seamless SSO
  • AD FS: Yes

What sign-in types are supported?
  • PHS: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
  • PTA: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
  • AD FS: UserPrincipalName + password; sAMAccountName + password; Windows Integrated Authentication; certificate and smart card authentication; Alternate login ID

Is Windows Hello for Business supported?
  • PHS: Key trust model; certificate trust model with Intune
  • PTA: Key trust model; certificate trust model with Intune
  • AD FS: Key trust model; certificate trust model

What are the multifactor authentication options?
  • PHS: Azure MFA; Custom Controls with conditional access*
  • PTA: Azure MFA; Custom Controls with conditional access*
  • AD FS: Azure MFA; Azure MFA Server; third-party MFA; Custom Controls with conditional access*

What user account states are supported?
  • PHS: Disabled accounts (up to 30-minute delay)
  • PTA: Disabled accounts; account locked out; password expired; sign-in hours
  • AD FS: Disabled accounts; account locked out; password expired; sign-in hours

What are the conditional access options?
  • PHS: Azure AD conditional access
  • PTA: Azure AD conditional access
  • AD FS: Azure AD conditional access; AD FS claim rules

Is blocking legacy protocols supported?
  • PHS: Yes
  • PTA: Yes
  • AD FS: Yes

Can you customize the logo, image, and description on the sign-in pages?
  • PHS: Yes, with Azure AD Premium
  • PTA: Yes, with Azure AD Premium
  • AD FS: Yes

What advanced scenarios are supported?
  • PHS: Smart password lockout; leaked credentials reports
  • PTA: Smart password lockout
  • AD FS: none listed

Where to verify Current User Sign-in settings in your environment 

Verify your current user sign-in settings by signing in to the Azure AD admin center at https://aad.portal.azure.com with a Global Administrator account and opening Azure AD Connect, where the active sign-in method (password hash synchronization, pass-through authentication or federation) and Seamless SSO status are shown.

Deploy Additional Authentication Agents

Open the Azure portal, browse to Azure Active Directory, then Azure AD Connect, and click Pass-through Authentication.

From the Pass-through Authentication page, click the Download button. On the Download Agent screen, click Accept terms and download.

The download of the additional Authentication Agent installer begins. Install the additional Authentication Agent on a domain-joined server that can reach your domain controllers and has outbound Internet access.

NOTE: the first agent is always installed on the Azure AD Connect server itself as part of the configuration changes made in the User Sign-in section of the Azure AD Connect tool. Any additional Authentication Agents should be installed on separate servers. At least two additional agents (three in total) are recommended so that one can fail while another is down for maintenance.

Run the Authentication Agent installation. During the installation you will need to provide credentials of a Global Administrator account.

Once the Authentication Agent is installed you can go back to the Pass-through Authentication Agent health page to check the status of the additional agents.
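The following PowerShell is an added example, not part of this post or of Microsoft's installer, that turns the deployment requirements above into a check you can run on a candidate agent server before installing, and again afterwards: domain membership, direct reachability of a domain controller on LDAP and Kerberos, outbound HTTPS, and the agent service state. The service name 'AzureADConnectAuthenticationAgent' and the outbound test host 'login.microsoftonline.com' are assumptions to adjust for your environment; the function name is this example's own.

```powershell
# Added example (not Microsoft's installer or agent code): pre-flight and post-install checks
# for a server that will host an additional Pass-through Authentication agent.
# Assumed specifics: service name 'AzureADConnectAuthenticationAgent' and the outbound
# test host 'login.microsoftonline.com'. Function name is this example's own.

function Test-PtaAgentHost {
    param(
        [string]$OutboundTestHost = 'login.microsoftonline.com',
        [string]$AgentServiceName = 'AzureADConnectAuthenticationAgent'
    )
    $results = [ordered]@{}

    # 1. The agent must run on a domain-joined member server (perimeter networks are not supported).
    $cs = Get-CimInstance Win32_ComputerSystem
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # 2. Unconstrained access to domain controllers: LDAP (389) and Kerberos (88) to at least one DC.
    $dcs = @()
    if ($cs.PartOfDomain) {
        $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers |
               Select-Object -ExpandProperty Name
    }
    $results['ReachableDCs'] = @($dcs | Where-Object {
        (Test-NetConnection -ComputerName $_ -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue) -and
        (Test-NetConnection -ComputerName $_ -Port 88  -InformationLevel Quiet -WarningAction SilentlyContinue)
    })

    # 3. Outbound HTTPS only: the agent keeps a persistent outbound connection and accepts nothing inbound.
    $results['OutboundHttps'] = Test-NetConnection -ComputerName $OutboundTestHost -Port 443 `
                                    -InformationLevel Quiet -WarningAction SilentlyContinue

    # 4. Post-install: the agent service exists and is running (absent before installation).
    $svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
    $results['AgentInstalled'] = [bool]$svc
    $results['AgentRunning']   = [bool]($svc -and $svc.Status -eq 'Running')

    # Ready to install = domain-joined, at least one DC reachable on both ports, outbound HTTPS works.
    $results['Ready'] = $results.DomainJoined -and $results.ReachableDCs.Count -gt 0 -and $results.OutboundHttps
    [pscustomobject]$results
}

Test-PtaAgentHost | Format-List
```

Run it once before installing (expect Ready = True, AgentInstalled = False) and once after (AgentRunning = True), then confirm the new agent appears as active on the Pass-through Authentication agent health page. A server that passes only the outbound check is the pattern you would see in a perimeter network, which is exactly the placement the requirements above rule out.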
