This post walks you through the following:
- upgrading an existing AD Connect installation
- converting from ADFS to pass-through authentication
- turning off ADFS
- setting up pass-through authentication and single sign-on
Recently Microsoft announced the new Azure AD Pass-Through Authentication and Seamless Single Sign-On. It’s a way of signing in to AAD (Azure AD) and AAD services using on-prem credentials, positioned as a credible replacement for ADFS. This also covers third-party apps such as Concur or SalesForce, as well as custom apps. You can use AAD Premium to set up SAML 2.0 authentication to any custom app that supports claims-based authentication. This is essentially ADFS as a service.
Upgrading AD Connect
This is how I upgraded AD Connect to version 1.1.371.0, released December 2016.
Step one: download the latest version of AD Connect. Upgrading AD Connect to the latest version is fairly painless. You need an AAD account that is a Global Admin handy, because it has to be entered during the process. You also need to make sure the install runs as a specific user account, either via Run as or by logging on as an account that is a member of the ADSyncAdmins group. This group could be a local group (on a stand-alone server) or an AD group (if AD Connect is installed on a domain controller).
Converting from ADFS to pass-through authentication
Step one requires you to disable ADFS and remove it from AAD, so that the next time you log into a cloud service which backs onto AAD, it won’t redirect you to your ADFS infrastructure for an authentication token.
You disable ADFS on the ADFS server itself by using PowerShell. Don’t forget to run PowerShell ISE as admin.
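The post does not include the PowerShell it used, so the following is an added example (not the original author’s script) of switching a federated domain to managed authentication with the MSOnline module and verifying the result. It assumes the MSOnline module is installed, that you are in an elevated PowerShell session on the ADFS server as the post describes, and that the domain name is replaced with your own; the cmdlet names (Connect-MsolService, Get-MsolDomain, Set-MsolDomainAuthentication) are the real MSOnline cmdlets.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is installed
# (Install-Module MSOnline) and an elevated session on the ADFS server.
$DomainName = 'contoso.example'   # placeholder: your federated domain name

Import-Module MSOnline
Connect-MsolService                # prompts for Global Admin credentials

# Record the current state so there is an audit trail of what changed.
$before = Get-MsolDomain -DomainName $DomainName
Write-Host "Before: $($before.Name) authentication = $($before.Authentication)"

if ($before.Authentication -eq 'Federated') {
    # Switch the domain from Federated (ADFS) to Managed so that AAD stops
    # redirecting sign-ins to the on-prem federation service.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

# Verify the change took effect before moving on to enabling pass-through auth.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Domain $DomainName is still $($after.Authentication); do not proceed."
}
Write-Host "After: $($after.Name) authentication = $($after.Authentication)"
```

Between this step and enabling pass-through authentication in AD Connect, the domain is managed with no on-prem validation path, so cloud sign-ins with on-prem passwords fail until the next section is complete; plan the change window accordingly.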
Enabling pass-through authentication
On the AD Connect server, open AD Connect and select Change user sign-in.
Connect to AAD with Global Admin credentials.
Select both pass-through authentication and Enable single sign on.
Enter domain admin credentials for the local on-prem AD environment – the credentials aren’t stored for later use; they are used only for this single purpose.
Watch it do its thing.
Once pass-through authentication has been installed, you can easily test it from a client machine by logging into any AAD SaaS web application such as Office 365 (e.g. https://outlook.office365.com). Just after logging on, one of the URLs you will see in the browser is https://login.microsoftonline.com/common/onpremvalidation/End, which is the point where the web application checks with the on-prem pass-through authentication agent whether the password is correct.
Deploying a second pass-through authentication connector
This is done from the command line by installing the Azure AD Application Proxy Connector; see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication for the steps.
For troubleshooting the AD Connect pass-through authentication agent, go to Troubleshoot Application Proxy.
Enabling Seamless Single Sign-On
Seamless Single Sign-On is not pure straight-through authentication; you still need to enter your username, as per this video. By default, browsers do not send Windows credentials to web servers unless the URL is in the Local intranet zone. So, to get Single Sign-On working, you need to add both https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net to the local intranet zone. If you have a domain, you can configure this across the board with Group Policy, as per the instructions for Single Sign-On.
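As an added check (not from the original post), the script below audits a client for the two zone assignments above, so you can confirm the Group Policy actually landed before blaming the SSO agent. It assumes the "Site to Zone Assignment List" policy stores its entries as string values under the ZoneMapKey registry key (value name = URL, data = zone number, 1 = Local intranet); the ZoneMapKey path and the Get-SsoZoneAssignments function name are this example’s own.

```powershell
# Added example, not from the original post. Reports whether the Seamless SSO
# hosts are assigned to the Local intranet zone (zone 1) by policy.
$RequiredSites = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://aadg.windows.net.nsatc.net'
)
# Assumption: the Site to Zone Assignment List policy writes here (machine, then user).
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-SsoZoneAssignments {
    # Returns a hashtable of site -> zone number for the sites that are assigned.
    $found = @{}
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($site in $RequiredSites) {
            $value = $item.PSObject.Properties[$site]
            if ($value -and -not $found.ContainsKey($site)) {
                $found[$site] = [int]$value.Value
            }
        }
    }
    return $found
}

$assignments = Get-SsoZoneAssignments
$missing = @()
foreach ($site in $RequiredSites) {
    if ($assignments.ContainsKey($site) -and $assignments[$site] -eq 1) {
        Write-Host "OK       $site -> Local intranet"
    } else {
        # Without the zone assignment the browser will not send credentials,
        # so the user is prompted for a password and SSO appears broken.
        Write-Host "MISSING  $site (not in zone 1)"
        $missing += $site
    }
}
if ($missing.Count -gt 0) { exit 1 }
```

Run it in the user’s own session after gpupdate; a non-zero exit means at least one host is missing, which is the most common reason Seamless SSO silently falls back to a password prompt.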
Self Service Password Reset (SSPR)
- Sign in to Office 365.
- Go to the Office 365 admin center.
- Choose Settings > Security & privacy.
- Choose the link for the Azure AD admin center.
- The Azure page will be auto-populated with some of your information. …
- Once the Sign up button is active, click it.
My other post walks you through the user experience, i.e. what users see.