Hey Checkyourlogs fans,

With recent announcements it is now possible to set up cloud-based authentication using Active Directory Seamless Single Sign-On. The best part about this is that Azure AD now accepts Kerberos authentication, which means you can seamlessly log on from a domain-joined device straight into Office 365 and other cloud apps without being prompted twice for credentials. Now, I know all of you are thinking to yourselves that you get similar functionality with ADFS and HA deployments of ADFS today. The issue is that it is cumbersome to set up, deploy, and manage ADFS servers on-premises. In fact, what happens if your access to your ADFS servers goes down? You have problems, right?


This is why I love the new Pass-through Authentication feature from Microsoft. It is simple, easy to set up, and the best part is you get to take full advantage of the extra security provided by Azure AD. OK, wait, the best part is that it is FREE!


Watch Swaroop Krishnamurthy, Senior Program Manager, Microsoft Identity Services, show you a new way you can harness the power of cloud authentication while still keeping your passwords on-premises using Azure Active Directory pass-through authentication and seamless single sign-on capabilities.

You’ll see how Azure AD can now securely validate your passwords against on-premises Active Directory, all without the need for expensive on-premises infrastructure, and automatically sign your users in while they’re at work.

Don’t believe me? Have a look at this amazing Microsoft Mechanics show on how all of this works.

Now, on with the show: how do you go about setting this up to get some testing done?

  1. Download Microsoft Azure AD Connect and run the installation on your on-premises Domain Controller.
     Select Customize.

  2. Install the default components; leave the extra checkboxes blank.

  3. On the User sign-in tab, select Pass-through authentication and select Enable single sign-on.

  4. Connect to Azure AD using your onmicrosoft account.

  5. Connect your on-premises Active Directory.

  6. Choose how you want users to sign in to Azure AD; normally this is set up using the UPN.

  7. Decide on the OU you want to filter synchronization on.

  8. Filter based on a specific type of user if you like.

  9. You can specify a group of users for filtering if you like.

  10. Under Optional features, make sure that you uncheck the optional feature Password synchronization. We don’t want password hashes going up to Azure AD.

  11. Enter your AD credentials; in this case we used a Domain Admin account. This is used to create the computer account representing Azure AD.

  12. Click on Install.

  13. Lastly, in order to allow Azure AD to accept Kerberos tickets, you need to configure a client-side GPO.
      You need to publish these two URLs to your users’ Internet zone settings.

      https://autologon.microsoftazuread-sso.com

      https://aadg.windows.net.nsatc.net
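As an added example (not code from the original post), here is a PowerShell check for step 13 that reads the Site to Zone Assignment entries on a client and reports which zone each of the two SSO URLs landed in, so you can confirm the GPO actually applied before testing sign-in. It assumes the GPO uses the standard Site to Zone Assignment List setting, which stores entries under the ZoneMap\Domains registry keys as domain/subdomain keys with an `https` (or `*`) DWORD holding the zone id, and that the expected zone is 1 (Local intranet), which is what the Microsoft Seamless SSO docs linked below specify.

```powershell
# Added example, not from the original post. Reports the zone each Seamless SSO
# URL is assigned to on this client, so the step 13 GPO can be verified.
# Assumption: entries live under ...\ZoneMap\Domains\<domain>[\<subdomain>] with an
# "https" (or "*") DWORD holding the zone id; 1 = Local intranet per Microsoft docs.
$SsoUrls = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://aadg.windows.net.nsatc.net'
)

# GPO-written (Policies) and per-user locations where zone assignments can live.
$ZoneMapRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneAssignment {
    # Flattens one ZoneMap\Domains root into host/protocol/zone records.
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return }
    foreach ($domainKey in Get-ChildItem -Path $Root) {
        $domain = $domainKey.PSChildName
        # A value can sit on the domain key itself or on a subdomain key beneath it.
        foreach ($key in @($domainKey) + @(Get-ChildItem -Path $domainKey.PSPath)) {
            $hostName = if ($key.PSPath -eq $domainKey.PSPath) { $domain } else { "$($key.PSChildName).$domain" }
            foreach ($protocol in $key.GetValueNames()) {
                [pscustomobject]@{
                    Host = $hostName; Protocol = $protocol
                    Zone = [int]$key.GetValue($protocol); Source = $Root
                }
            }
        }
    }
}

function Test-SsoZoneAssignment {
    # Returns one status line per SSO URL; anything other than zone 1 is flagged.
    $assignments = @($ZoneMapRoots | ForEach-Object { Get-ZoneAssignment -Root $_ })
    foreach ($url in $SsoUrls) {
        $uriHost = ([uri]$url).Host
        $hits = @($assignments | Where-Object { $_.Host -eq $uriHost -and $_.Protocol -in 'https', '*' })
        if ($hits.Count -eq 0) { "$uriHost : MISSING (no zone assignment found)"; continue }
        foreach ($hit in $hits) {
            $state = if ($hit.Zone -eq 1) { 'OK, Local intranet' } else { "WARN, zone $($hit.Zone) instead of 1" }
            "$uriHost : $state [$($hit.Source)]"
        }
    }
}

Test-SsoZoneAssignment
```

Run it on a domain-joined client after a `gpupdate /force`; a MISSING or WARN line explains a credential prompt before you start digging into the Kerberos side.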




Here are some more great resources for getting you going:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-how-it-works

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-troubleshoot-sso

Happy Learning,

Dave