Call us:+1 (407) 567-0096
Open a ticket
Chat with us
En De Es

Blog

This website uses cookies

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Cookie Policy.
Read more
Back

Azure AD Connect Single Sign on for Domain joined and Azure AD joined computers

Microsoft has released New Azure AD connect with two new features, Pass Through Authentication and Seamless Sign On, Both of this features are still under preview but can be used. This post is all about the Single Sign On feature and how to use it with domain join or Azure AD join computers.

When password sync configured on office 365, it sync the Active directory password hash to azure active directory and when you are sign in to Office 365, you have to provide the same AD credentials. This is called Same Sign On. So it’s like two authentication systems with same credentials, if you changed the password on local active directory, its sync the password to cloud immediately. So this has removed you from managing two passwords in local AD and Office 365, but still you need to type user name and passwords when accessing Office 365 Portal or Outlook Application using domain join or none domain environments.

With the release of SSO feature in AD connect, users total login experience is changing to single sign on. They are no longer required to put the user name or password to access the Office 365 web portal. Also Outlook app no longer ask for the password and you don’t need to save the password in outlook. 

How SSO works with Azure AD Connect

SSO is a new feature that you have to enable from AD connect tool. After enabling, account called AZUREADSSOACCT is created in the local active directory and the Kerberos decryption key is shared securely with Azure AD. In addition to this two Kerberos service principal names (SPNs) are created to represent the cloud URLs that are used during authentication between the client and Azure AD. This is a onetime process which is happening after you enable SSO.



Authentication process for Domain joined PC’s

  1. When user access a cloud resource, Azure active directory will send a request\ challenge a Kerberos ticket
  2. User device will send the ticket request to local active directory
  3. Active directory first generate the Kerberos ticket for the user and locate the account created by AD connect, and encrypt the Kerberos ticket by that machine account secret, and then pass it to the client
  4. Client return the encrypted Kerberos ticket Azure AD
  5. Azure AD decrypt the ticket using pre shared decryption key and the validate it with user account information which synced by the AD connect, User name ect.
  6. After successfully validated, if multi factor or other validation enabled, Azure AD will challenge those requests, else it will provide the access to the Cloud resource 

Authentication for None Domain but Azure AD joined PC

  1. If you have windows 10 devices you can get this Seamless SSO experience by doing the Azure AD join. Azure AD will handle the authentication process and experience is same as the domain join.
  2. Download the latest version of AD Connect tool
  3. If you are already having the latest version, you can reconfigure it with the SSO feature or you have uninstall the current version and install the latest version.
  4. Logon as a domain administrator before installing the AD Connect
  5. Select custom installation and then tick Password Synchronization and Enable Single Sign On





  6. Click configure to finish the setup 

Enable Modern Authentication

Modern authentication is required to enable from Office 365 tenant to experience the single sign on in Microsoft Outlook application. Also it enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.

By default Modern authentication is enabled to SharePoint Online. Exchange online and Skype for business is switched off. To use SSO feature you have to enable this from PowerShell.

Enable Modern Authentication for Exchange Online

  1. Connect to the Exchange Online PowerShell
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic –AllowRedirection
    Import-PSSession $Session
    https://technet.microsoft.com/library/jj984289(v=exchg.160).aspx

  2. Run the following command in the PowerShell
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

  3. Use the following command to verify the change

    Get-OrganizationConfig | Format-Table -Auto Name,OAuth*


Enable Modern Authentication for Skype for Business

  1. Connect to Skype for Business Online using PowerShell

    $credential = Get-Credential
    $session = New-CsOnlineSession -Credential $credential
    Import-PSSession $session

  2. Check modern authentication enabled or not

    Get-CsOAuthConfiguration | select *Adal*

  3. Enable Modern authentication

    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

In the client side, Modern authentication is enabled for Office 2016. You can use that version without any changes, but if you are using Office 2013 there is a registry key that you need to change.

 

Client Experience Domain Joined PC

Prerequisites

  • Domain joined computer
  • Login to the user which the Office 365 license assigned
  • Connectivity to the DC (Corporate network)
  • Define the Kerberos end-points in the cloud as part of the browsers Intranet zone.

Add end points to the Intranet Zone

Following two URL’s need to be added to the intranet zone of the browser. Best way to do this is to create a group policy and deploy from the domain.

https://autologon.microsoftazuread-sso.com

https://aadg.windows.net.nsatc.net

  1. Create a group policy and add the two URL’s to the following policy
    User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page and select Site to Zone Assignment List.


  2. Enable the policy and add the value as 1