
Public Preview: Azure Active Directory Connect pass-through authentication

Imagine if you could set up single sign-on for your online services with just the check of a box, and allow all of your users to authenticate to services such as Office 365 automatically.  Imagine you could do this without the complexity of ADFS and the many hours of planning and implementation that go along with it.

On Wednesday, Microsoft announced the public preview of Azure Active Directory Connect pass-through authentication.  This new method of authentication allows for a single sign-on (SSO) experience without the need for Active Directory Federation Services (ADFS).

What is Active Directory Federation Services (ADFS)?

If you’re not familiar with it, ADFS allows external services (such as Office 365 or DropBox) to authenticate users by sending the auth request to your organization’s internal Active Directory (AD).  In effect, this provides a single sign-on experience, since users never need to log in to these external federated services separately.  In order to accomplish SSO using ADFS in this manner, multiple redundant components are required.  In addition to running multiple domain controllers (as we should all be doing anyway), you will need multiple ADFS servers and multiple internet connections with incoming ADFS traffic load balanced.  Leaving out any of these redundancies creates a single point of failure which can prevent users from authenticating.

Here is an example of a “simple” ADFS implementation:

As you can see, the simplest ADFS implementation is anything but simple.  While there are a lot of advantages to this technology, it is rarely recommended for small or medium sized businesses.  Luckily now we have another option.

Azure Active Directory Connect pass-through authentication

Azure Active Directory Connect pass-through authentication provides a similar single sign-on experience to users without the complexities of implementing ADFS.  This is accomplished by running the latest version of the Azure Active Directory (AAD) Connect software on a domain-joined server.  AAD Connect has long been used to synchronize local AD user accounts and passwords with Azure AD (often for the purposes of Office 365).  This allows users to authenticate using the same credentials as they use for their local AD network.  Now there is a new option in AAD Connect which enables single sign-on through this same software.  In effect, the AAD Connect software becomes an agent for Azure AD authentication requests.

Using this new method is much simpler since it does not require all of the redundancies needed for ADFS.  Azure Active Directory Connect pass-through authentication also does not require any systems to be in a DMZ.  This means everything can be behind a firewall where it is nice and secure.

Here is a network diagram showing the SSO authentication process using Azure Active Directory Connect pass-through authentication.  In this diagram, AAD Connect is running on a Windows member server.  The Azure Active Directory Connect software can run on any domain member server running Windows 2012 or newer.
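The key operational claim above is that the pass-through authentication agent lives on an ordinary domain member server behind the firewall and needs no inbound exposure.  The following PowerShell check is an added example (it is not from the original post, nor from Microsoft's own tooling) that confirms this on the member server: it verifies the agent service is installed and running, that the agent process holds no listening TCP sockets, and that the server can reach Azure AD outbound on TCP 443.  The service name `AzureADConnectAuthenticationAgent` and the endpoint `login.microsoftonline.com` are assumptions for this example and should be adjusted to match your environment.

```powershell
# Added example (not part of the original post): health check for the
# pass-through authentication agent on a domain-joined member server.
# Assumptions (not stated in the post): the Windows service name
# 'AzureADConnectAuthenticationAgent' and the Azure AD endpoint
# login.microsoftonline.com on TCP 443. Adjust both if they differ.

$serviceName = 'AzureADConnectAuthenticationAgent'   # assumed PTA agent service name
$endpoints   = @('login.microsoftonline.com')       # assumed outbound endpoint(s), TCP 443

function Test-PtaAgentHealth {
    [CmdletBinding()]
    param(
        [string]   $ServiceName   = $serviceName,
        [string[]] $OutboundHosts = $endpoints
    )

    $result = [ordered]@{}

    # 1. Is the agent service installed and running?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $result.ServiceInstalled = ($null -ne $svc)
    $result.ServiceRunning   = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Does the agent process accept any inbound connections? It should not:
    #    the design point is that nothing has to sit in a DMZ or listen for
    #    traffic from the internet. A non-zero count here deserves investigation.
    $listening = @()
    if ($svc) {
        $procId = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").ProcessId
        if ($procId) {
            $listening = @(Get-NetTCPConnection -State Listen -OwningProcess $procId `
                               -ErrorAction SilentlyContinue)
        }
    }
    $result.InboundListeners = $listening.Count

    # 3. Can this server reach Azure AD outbound on 443 through the firewall?
    #    This is the only network path the agent depends on.
    foreach ($h in $OutboundHosts) {
        $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        $result["Outbound443_$h"] = [bool]$tnc.TcpTestSucceeded
    }

    [pscustomobject]$result
}

# Run on the member server hosting AAD Connect; every value except
# InboundListeners should be True, and InboundListeners should be 0.
Test-PtaAgentHealth | Format-List
```

Because the agent only makes outbound connections, the same check can be repeated on each additional server where the agent is installed; a failing `Outbound443_*` value on one of them points at a firewall or proxy rule, not at an inbound port that needs to be opened.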

Remember, Azure Active Directory Connect pass-through authentication is in “Preview”, which means it is a beta product and SHOULD NOT be used on critical production systems yet.  For more information, see Microsoft’s announcement about Azure Active Directory Connect pass-through authentication.

About the author

Robert Borges

About Robert...

I have been in the IT industry since 1993 focusing mainly in networking. Though I got an early start as an amateur computer enthusiast, and wrote my first database app at age 12, I started my professional career working in the MIS department of one of the largest liquor distributors in the northeast. I started out there as a systems operator on the company’s two mainframe systems. From there I moved into PC support, and helped design and implement the company’s first client-server network… This was back in the days of Win NT 3.51. I also worked on my first migration to NT 4.0 back then.

From there I went on to work with Novell 3.x and 4.x along with Windows domains and Active Directory environments, working my way up from technician, to specialist, to administrator, and eventually all the way up to Sr. Engineer. I spent many years working for consulting firms, 9 of which I owned and operated my own firm.

Over the years, I have worked with (at an expert level) various versions of: Windows client and server operating systems (including Windows 10 and Windows Server 2016); various virtualization technologies (Hyper-V, VMware, etc.); MS-SQL Server 6.5-2014 R2; Exchange 4-2016, and much more.

I am now vCIO at Spade Technology, Inc. focusing on Information Technology strategy including: cloud computing, IT Infrastructure & Architecture, IT Security, and Cloud Computing platforms & technologies (SaaS, PaaS, and IaaS).

Outside of my day job, I serve as president of the board of Boston User Groups, Inc., as well as IT-Pro User Group. In 2017/2018 Microsoft awarded me the Microsoft MVP (Most Valuable Professional) Award, with a focus of Microsoft Azure cloud, for my efforts in the IT community.

I am in a constant state of learning about new products and new versions of products, many of which we end up implementing in lab environments and sometimes for our clients. I have a very broad range of expertise and experience. It is my goal to share some of this experience on this blog to help enrich the IT community.

Permanent link to this article: https://www.robertborges.us/2016/12/cloud-computing/public-preview-azure-active-directory-connect-pass-through-authentication/