AD Connect pass-through authentication & SSSO

This post walks you through two things:

  1. an upgrade of an existing AD Connect installation
  2. converting from ADFS to pass-through authentication
    • Turning off ADFS
    • setting up pass-through authentication and single sign on

Recently Microsoft announced the new Azure AD Pass-Through Authentication and Seamless Single Sign-on. It is a way of signing in to AAD (Azure AD) and AAD-backed services using on-prem credentials, offered as a replacement for ADFS. This also covers third-party apps such as Concur or Salesforce as well as custom apps. You can use AAD Premium to set up SAML 2.0 authentication to any custom app that supports claims-based authentication. This is essentially ADFS as a service.

Upgrading AD Connect


This is how I upgraded AD Connect to version 1.1.371.0, released December 2016.

Step one, download the latest version of AD Connect. Upgrading AD Connect to the latest version is fairly painless. You need an AAD account that is a Global Admin to hand, as it is entered during the process, and you need to run the installer as a specific user account: either via run as or logged on as an account that is a member of the ADSyncAdmins group. This group is a local group on a stand-alone server, or an AD group if AD Connect is installed on a domain controller.
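As an added example (not part of the original post), the pre-flight check I would run before launching the upgrade: it confirms the session is elevated, that the account's token carries ADSyncAdmins membership (local or domain), and reports the currently installed AD Connect version. The function name, and the assumption that the installed version is visible under the standard Uninstall registry hive with a DisplayName starting "Microsoft Azure AD Connect", are mine.

```powershell
# Added example: pre-flight check before running the AD Connect upgrade.
# Assumptions (not from the original post): the Uninstall hive lists AD Connect
# with a DisplayName like 'Microsoft Azure AD Connect*' and a DisplayVersion value.

function Test-ADSyncUpgradePrereqs {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # Token groups translated to DOMAIN\Name. Some well-known SIDs do not
    # translate, so those are skipped. Note the token only reflects group
    # membership as of logon: if you were just added to ADSyncAdmins, log off and on.
    $groups = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
    }

    # '*\ADSyncAdmins' matches both a local group (SERVER\ADSyncAdmins)
    # and a domain group (DOMAIN\ADSyncAdmins).
    $inAdSyncAdmins = [bool]($groups | Where-Object { $_ -like '*\ADSyncAdmins' })

    $installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
                 Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
                 Select-Object -First 1

    [pscustomobject]@{
        Account          = $identity.Name
        IsElevated       = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        InADSyncAdmins   = $inAdSyncAdmins
        InstalledVersion = $installed.DisplayVersion
    }
}

$check = Test-ADSyncUpgradePrereqs
$check | Format-List
if (-not $check.IsElevated -or -not $check.InADSyncAdmins) {
    Write-Warning 'Run the installer elevated, as a member of ADSyncAdmins, before upgrading.'
}
```

Run it in the same elevated session (or run-as account) you intend to launch the installer from; a false InADSyncAdmins with the account visibly in the group usually just means the token predates the group change.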


Converting from ADFS to pass-through authentication

Step one is to disable ADFS and remove the federation from AAD, so that the next time you sign in to a cloud service that backs onto AAD, it won't redirect you to your ADFS infrastructure for an authentication token.

You do this on the ADFS server itself using PowerShell. Don't forget to run PowerShell ISE as admin.


$domain = 'trusbron.com'
# Sign in to AAD (MSOnline module). The plaintext password is for illustration only;
# in practice use Get-Credential so the secret never lands in a script or transcript.
$secpasswd = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
$LiveCred = New-Object System.Management.Automation.PSCredential ("admin@tenant.onmicrosoft.com", $secpasswd)
Connect-MsolService -Credential $LiveCred
##########################################################################################
################################## ADFS Cmdlets ###################################
##########################################################################################
Import-Module ADFS
# Check that you're on the primary ADFS server (Role should be PrimaryComputer); if not, log on to the primary
Get-AdfsSyncProperties
# Set the context by giving the FQDN of the primary ADFS server
Set-MsolADFSContext -Computer ADFSServer.trusbron.Corp
# List all registered domains that are not Managed, i.e. the federated ones
Get-MsolDomain | ? {$_.Authentication -ne 'Managed'} | fl *
# List all registered domains that are Managed (not federated), e.g. the onmicrosoft.com domain
Get-MsolDomain | ? {$_.Authentication -eq 'Managed'} | fl *
# Check the federation status of a specific domain
Get-MsolFederationProperty -DomainName $domain
# Convert the domain from Federated to Standard (Managed) if you are permanently decommissioning ADFS.
# Users are converted too and their new temporary passwords are written to the password file:
# protect that file and delete it once the passwords have been distributed.
Convert-MsolDomainToStandard -DomainName $domain -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
# Convert the domain from Federated to Standard if you are only temporarily switching (users are left as they are)
Convert-MsolDomainToStandard -DomainName $domain -SkipUserConversion $true -PasswordFile c:\userpasswords.txt
# Convert the domain from Standard back to Federated, supporting multiple domains
Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
# Convert the domain from Standard back to Federated
Convert-MsolDomainToFederated -DomainName $domain

Enabling pass-through authentication

On the AD Connect server, open AD Connect and select Change user sign-in


Connect to AAD with Global Admin credentials


Select both pass-through authentication and Enable single sign on.


Enter domain admin credentials for the local on-prem AD environment. These credentials aren't stored for later use; they are only used for this single step.


Watch it do its thing.


Once pass-through authentication has been installed, you can easily test it from a client machine by signing in to any AAD-backed SaaS web application such as Office 365 (e.g. https://outlook.office365.com). Just after you submit the password, one of the URLs you will see in the browser is https://login.microsoftonline.com/common/onpremvalidation/End, which is the step where the sign-in page is checking with the on-prem pass-through auth agent whether the password is correct or not.
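Alongside the browser test, here is an added example (not from the original post) of the checks I would script after the cut-over: that the domain is now Managed in AAD, that no domain in the tenant is still Federated, that the on-prem agent service is running, and that the agent host can reach login.microsoftonline.com on 443. It assumes the MSOnline module with an existing Connect-MsolService session, and that the agent service's display name contains "Application Proxy Connector" (the preview agent ships as the Application Proxy connector, as the post notes); the function name and the domain are placeholders.

```powershell
# Added example: verify the ADFS -> pass-through authentication cut-over.
# Assumptions (not from the original post): MSOnline is loaded and connected,
# and the agent service display name contains 'Application Proxy Connector'.

function Test-PassThroughAuthCutover {
    param([Parameter(Mandatory)][string]$DomainName)

    $domain = Get-MsolDomain -DomainName $DomainName

    # Anything still Federated will keep redirecting sign-ins to ADFS.
    $stillFederated = Get-MsolDomain |
                      Where-Object { $_.Authentication -eq 'Federated' } |
                      Select-Object -ExpandProperty Name

    # Pick the connector service itself, not its updater companion.
    $agentService = Get-Service -DisplayName '*Application Proxy Connector*' -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName -notlike '*Updater*' } |
                    Select-Object -First 1
    $agentState = if ($agentService) { "$($agentService.DisplayName): $($agentService.Status)" } else { 'not found' }

    # The agent makes outbound HTTPS calls only; no inbound ports are needed.
    $outbound = Test-NetConnection -ComputerName login.microsoftonline.com -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Domain               = $DomainName
        AuthenticationType   = $domain.Authentication   # expect 'Managed' after Convert-MsolDomainToStandard
        FederatedDomainsLeft = @($stillFederated)
        AgentService         = $agentState
        Outbound443          = $outbound.TcpTestSucceeded
    }
}

$status = Test-PassThroughAuthCutover -DomainName 'trusbron.com'
$status | Format-List
if ($status.AuthenticationType -ne 'Managed') {
    Write-Warning "$($status.Domain) is still $($status.AuthenticationType); sign-ins will not use pass-through authentication."
}
```

Run the service and connectivity checks on the server hosting the agent; the Get-MsolDomain checks can run from anywhere the MSOnline module is installed.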


Deploying a second pass-through authentication connector

This is done from the command line by installing the Azure AD Application Proxy Connector on the second server. The steps are in Microsoft's pass-through authentication documentation: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication

For troubleshooting the AD Connect pass-through authentication agent, see Microsoft's Troubleshoot Application Proxy page.

Enabling Seamless Single Sign-On

Seamless Single Sign-On is not pure straight-through authentication: you still need to enter your username, as per this video. By default, browsers do not attempt integrated Windows authentication (sending your Kerberos ticket) to a web server unless its URL is in the Local intranet zone. So, to get Single Sign-On working, you need to add both https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net to the Local intranet zone. If you have a domain, you can configure this across the board with Group Policy as per the instructions for Single Sign-On.


Self Service Password Reset (SSPR)
