Yesterday, Microsoft released a new version of Azure AD Connect, dubbed version 1.1.370.0, featuring two new Hybrid Identity features. This morning, Microsoft released an even newer version of Azure AD Connect with version number 1.1.371.0, fixing an issue that customers experienced when upgrading to 1.1.370.0.
Let’s look at the new features in these two versions of Azure AD Connect.
While the below features were introduced with version 1.1.370.0 of Azure AD Connect, you are encouraged to implement 1.1.371.0 of Azure AD Connect for your Hybrid Identity environments.
Azure AD Connect version 1.1.370.0 will not be available to customers through the Azure AD Connect Auto Upgrade feature.
Azure AD Connect now features Pass-through Authentication (PTA) and Seamless Sign-On for corporate desktop, in public preview.
An introduction to Pass-through Authentication
At Ignite 2016, Microsoft positioned Pass-through Authentication (PTA) as an alternative Hybrid Identity scenario between the Password Hash Sync (PHS) approach, and the Active Directory Federation Services (AD FS) approach, in terms of functionality, scalability and control.
It shares many of the advantages with the AD FS scenario in terms of control: both scenarios don’t require ‘passwords in the cloud’ and perform authentication on-premises to meet the ‘one identity’ requirements many organizations have.
On the other hand, it doesn’t require the implementation of an entire AD FS environment next to Azure AD Connect; enabling Pass-through Authentication in the Azure AD Connect wizard deploys the Connector on the same server running Azure AD Connect, although you can leverage additional Azure AD Application Proxy Connectors to achieve high availability of the PTA solution.
How Pass-through Authentication works
With Pass-through Authentication enabled and registered, when a user enters the username and password into the Azure AD login page, Azure AD places the username and password on the appropriate on-premises connector queue for validation. One of the available on-premises connectors then retrieves the username and password and validates it against Active Directory. The validation occurs over standard Windows APIs similar to how Active Directory Federation Services validates the password.
The on-premises Domain Controller then evaluates the request and returns a response to the connector, which in turn returns this to Azure AD. Azure AD then evaluates the response and responds to the user as appropriate, for example by issuing a token or asking for Multifactor Authentication.
Requirements for Pass-through Authentication
Pass-through Authentication has some additional requirements, when compared to the other scenarios supported by Azure AD Connect:
- Azure AD Connect needs to be installed on a Windows Server running Windows Server 2012 R2 or later. Additional Azure AD Application Proxy Connectors also need to run on Windows Server 2012 R2 or later;
- The above Windows Server installation needs to be part of the Active Directory Forest you’d want to use Pass-through Authentication with. For additional forests, trusts need to be available to allow for the Kerberos magic performed by Azure AD Connect in this scenario;
- Azure AD Connect needs outbound TCP 9090 and TCP 9091 traffic allowed towards Azure AD, specifically for Connector traffic, on top of the other allowed ports.
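The following PowerShell is an added example, not code from the original post or from Microsoft. It runs the three requirement checks above on the server that is going to host Azure AD Connect: operating system version, domain membership and outbound reachability of TCP 9090 and 9091. The post does not name the Azure AD connector endpoint, so the hostname is a placeholder you replace with the documented endpoint.

```powershell
# Added example (not from the original post): pre-flight check for the
# Pass-through Authentication requirements. Run on the future Azure AD Connect server.
$ConnectorEndpoint = 'CONNECTOR-ENDPOINT-PLACEHOLDER'   # assumption: replace with the documented Azure AD connector host
$ConnectorPorts    = 9090, 9091

function Format-Result([bool]$ok, [string]$message) {
    "[{0}] {1}" -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $message)
}

# 1. Windows Server 2012 R2 (kernel version 6.3) or later
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$osVersion = [version]$os.Version
Format-Result ($osVersion -ge [version]'6.3') ("OS: {0} (version {1})" -f $os.Caption, $os.Version)

# 2. The server must be a member of the forest PTA will validate passwords against
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Format-Result $cs.PartOfDomain ("Domain membership: {0}" -f $cs.Domain)

# 3. Outbound TCP 9090 / 9091 towards Azure AD for connector traffic
foreach ($port in $ConnectorPorts) {
    $probe = Test-NetConnection -ComputerName $ConnectorEndpoint -Port $port -WarningAction SilentlyContinue
    Format-Result $probe.TcpTestSucceeded ("Outbound TCP {0} to {1}" -f $port, $ConnectorEndpoint)
}
```

Each line prints PASS or FAIL; a FAIL on the port checks usually points at an egress firewall or proxy that still needs an allow rule before the connector can register.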
Seamless Single Sign-On
Another feature, exposed in the Azure AD Connect wizard on the User sign-in page, is labeled Enable single sign on, beneath the text Select this option to enable single sign on for your corporate desktop users.
An introduction to Seamless Single Sign-On
One of the drawbacks to using Password Hash Sync (PHS) or Pass-through Authentication (PTA) as the Hybrid Identity approach, is that, at best, it offers Same Sign-On. For Single Sign-On, AD FS is the preferred approach from a technical point of view.
With Seamless Single Sign-On, another Kerberos rabbit is pulled out of Microsoft’s top hat. No longer do users have to type their passwords to access an Azure AD-integrated resource; instead, their device can hand over a Kerberos ticket.
Sounds like AD FS? Yes, but no longer do you need AD FS to transform Kerberos tickets to claims tokens; Azure AD Connect shares the Kerberos secret for one (service) object with Azure AD, so your domain-joined devices can talk Kerberos to Azure AD on behalf of the domain user accounts of your colleagues.
Seamless Single Sign-On requirements
When Seamless Sign-On is enabled through the Azure AD Connect wizard, a computer account named AZUREADSSOACCT is created in the on-premises Active Directory Domain Services environment and the Kerberos decryption key for that specific account is shared securely with Azure AD. In addition, two Kerberos service principal names (SPNs) are created to represent the cloud URLs that are used during authentication between the client and Azure AD.
Seamless Single Sign-On has some additional requirements, when compared to the other scenarios supported by Azure AD Connect:
- Seamless Sign-On will only work for colleagues when they use their domain user accounts on domain-joined devices with direct connections to at least one Active Directory Domain Controller;
- The Kerberos endpoints in the cloud will need to be part of the Intranet zone. You can use the Site to Zone Assignment List Group Policy setting under User Configuration, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page to achieve this for the domain user accounts in scope, for the following two URLs:
- Seamless Single Sign-On is only supported for Internet Explorer and Chrome on Windows 7, Windows 8, Windows 8.1 and Windows 10 devices. If users in your organization use Edge, then either the Configure the Enterprise Mode Site List or the Send all intranet sites to Internet Explorer 11 Group Policy setting for Edge can be used to open the above URLs in Internet Explorer instead of Edge, depending on your situation.
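The following PowerShell is an added example, not code from the original post or from Microsoft. It checks the two pieces the wizard leaves behind as described above: the AZUREADSSOACCT computer object with its SPNs and the age of its password (which is the Kerberos decryption key Azure AD holds), and, on a client, the Site to Zone Assignment List entries that put the cloud Kerberos endpoints in the Intranet zone. The 30-day key-age threshold is an assumption for this check, not a figure from the post; the registry path is where the User Configuration variant of that policy is written.

```powershell
# Added example (not from the original post): verify the Seamless SSO artefacts.
# Run the first part as a domain admin; the second part on a domain-joined client
# in the user context that receives the Group Policy.
Import-Module ActiveDirectory

$SsoAccountName = 'AZUREADSSOACCT'
$MaxKeyAgeDays  = 30     # assumption: age after which you roll the shared Kerberos key

# --- Domain side: the computer object whose Kerberos key is shared with Azure AD ---
$sso = Get-ADComputer -Identity $SsoAccountName -Properties ServicePrincipalNames, PasswordLastSet -ErrorAction Stop

"Account:           {0}" -f $sso.DistinguishedName
"Password last set: {0}" -f $sso.PasswordLastSet
$keyAge = (Get-Date) - $sso.PasswordLastSet
if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
    Write-Warning ("Kerberos decryption key is {0:N0} days old; consider rolling it" -f $keyAge.TotalDays)
}

# The wizard registers two SPNs for the cloud URLs; list what is actually on the object
"SPNs registered on {0}:" -f $SsoAccountName
$sso.ServicePrincipalNames | ForEach-Object { "  $_" }
if ($sso.ServicePrincipalNames.Count -lt 2) {
    Write-Warning "Fewer than two SPNs found; the Seamless SSO setup may be incomplete"
}

# --- Client side: Site to Zone Assignment List applied under User Configuration ---
$zoneMapPath = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
if (Test-Path $zoneMapPath) {
    "Site to Zone assignments:"
    (Get-ItemProperty -Path $zoneMapPath).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # skip the provider's own PSPath etc. properties
        ForEach-Object {
            # Value data is the zone number; 1 is Local intranet, which Seamless SSO needs
            $zoneName = switch ("$($_.Value)") {
                '1'     { 'Intranet' }
                '2'     { 'Trusted sites' }
                '3'     { 'Internet' }
                '4'     { 'Restricted sites' }
                default { "zone $($_.Value)" }
            }
            "  {0} -> {1}" -f $_.Name, $zoneName
        }
} else {
    Write-Warning "No Site to Zone Assignment List applied; the Seamless SSO URLs are not in the Intranet zone for this user"
}
```

The two cloud URLs should appear in the zone listing with zone 1; if a user sees a password prompt in spite of Seamless SSO, that listing and the SPNs are the first two things to compare.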
This is version 1.1.371.0 of Azure AD Connect.
You can download Azure AD Connect here.
The download weighs 78.1 MB.
If the Automatic Updating functionality hasn’t already upgraded your Azure AD Connect installation to version 1.1.371.0, you can download and install this version of Azure AD Connect above.
If you’ve managed to install version 1.1.370.0 of Azure AD Connect manually and aren’t expecting a new version for another month or so, please download and install version 1.1.371.0 of Azure AD Connect.