Setting up Azure AD Pass-through authentication with Azure AD Connect

So today Microsoft released a public preview of Pass-through authentication for Azure AD, which allows SSO against Azure Active Directory without the hassle of Active Directory Federation Services plus certificates and public IP addresses. You can download the new version here –> https://www.microsoft.com/en-us/download/details.aspx?id=47594

Now, a couple of cool things behind this concept: the Pass-through authentication module is part of Azure AD Connect, but it actually leverages the Azure AD Application Proxy component, which Azure AD uses to give external remote access to web-based applications.

So how does it work?

So first off, after the synchronization is set up, when a user from domain1 wants to access something in Azure AD, Azure AD looks at the domain name and challenges the client, via a 401, to provide a Kerberos ticket. It connects to Active Directory using the Application Proxy component and verifies the authentication against Active Directory. The client then sends the Kerberos ticket it acquired from Active Directory to Azure AD.


Now, setup of Azure AD Connect with this extension is pretty simple: just select Pass-through authentication during the wizard and enable Single sign-on.

Single sign-on

So what kind of browser does this feature support?

Windows 10, 8.1, 8 and 7 with Internet Explorer, Chrome and Firefox. It is important to note that this feature does not support Azure AD joined Windows 10 machines, but that is being worked on. You also need to make sure that the following ports are open so that the connector can communicate properly with Azure AD:

80 – Enable outbound HTTP traffic for security validation such as SSL.

443 – Enable user authentication against Azure AD.

10100–10120 – Enable responses from the connector back to Azure AD.

9352, 5671 – Enable communication between the connector and the Azure service for incoming requests.

9350 – Optional; enables better performance for incoming requests.

8080/443 – Enable the connector bootstrap sequence and connector automatic update.

9090 – Enable connector registration (required only during the connector registration process).

9091 – Enable automatic renewal of the connector trust certificate.

If you want to test this, you need to add the following sites to the Internet Explorer Local intranet zone to ensure that it tries to forward the logged-in credentials to Azure AD:

https://autologon.microsoftazuread-sso.com
https://aadg.windows.net.nsatc.net


Of course, for enterprise deployment once it is GA you should define this using Group Policy instead. The setting lives under User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page; select Site to Zone Assignment List.
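As an added example (not part of the original post), the same zone assignment done in PowerShell through the registry key that the Site to Zone Assignment List policy populates, followed by a read-back and an outbound 443 reachability check for both SSO hosts. The key path is the policy's documented location; $PolicyKey and the function names are my own, and the script assumes an elevated session since it writes under HKLM (use the matching HKCU:\Software\Policies\... path for a single test user instead).

```powershell
# Added example: put the two Azure AD SSO endpoints named above into the
# Local Intranet zone (zone 1) the way the "Site to Zone Assignment List"
# GPO does, then verify the assignment and that outbound 443 is open.
$SsoUrls = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://aadg.windows.net.nsatc.net'
)
# Policy-managed zone map; machine-wide (assumes an elevated session).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Set-IntranetZoneAssignment {
    param([string[]]$Urls)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($url in $Urls) {
        # Value name is the URL itself; REG_SZ data "1" = Local Intranet zone.
        New-ItemProperty -Path $PolicyKey -Name $url -Value '1' -PropertyType String -Force | Out-Null
    }
}

function Test-IntranetZoneAssignment {
    param([string[]]$Urls)
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($url in $Urls) {
        $zone = if ($props) { $props.$url } else { $null }
        [pscustomobject]@{ Url = $url; Zone = $zone; InIntranetZone = ($zone -eq '1') }
    }
}

function Test-SsoEndpointReachable {
    param([string[]]$Urls)
    foreach ($url in $Urls) {
        $hostName = ([uri]$url).Host
        # Port 443 outbound from the client is required for authentication (see the port list above).
        $r = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $hostName; Port443Open = $r.TcpTestSucceeded }
    }
}

Set-IntranetZoneAssignment -Urls $SsoUrls
Test-IntranetZoneAssignment -Urls $SsoUrls | Format-Table -AutoSize
Test-SsoEndpointReachable  -Urls $SsoUrls | Format-Table -AutoSize
```

Once ZoneMapKey is populated by policy, the manual site list in Internet Options is locked, so a user cannot remove or add zone entries behind your back.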


I’ve also included a small video clip so you can see how it works, and I can confirm that as of now it does work with automatic activation of Office 365: you need to enter the UPN and then it does SSO.

Azure Pass-through authentication from Marius Sandbu on Vimeo.

Comments on “Setting up Azure AD Pass-through authentication with Azure AD Connect”

  1. Martijn Hoogenbosch

    Could this replace the ADFS requirement for VDI / SBC implementations? Or do the users have to do this every time, because then it still isn’t easy to use.

    1. The token is cached locally on the machine the VDI users are logged onto, but they would need to refresh the token every 8 days and therefore they would get the same prompt again. The same goes if they log into another server or VDI desktop: same prompt again.
