How to install Azure Active Directory Pass-through Authentication (PTA)

In this Article, we will see how to install Azure AD Pass-through Authentication (PTA) along with Seamless Single Sign-on (SSSO)

Please check the article for Overview of Azure AD Pass-Through Authentication

What is required to configure Pass -through Authentication:

1. Need one Windows Server machine with Server 2012 R2 or Server 2016

2. Internet connectivity to the Server Machine

a. If the network configured with Proxy for the internet connectivity. the server should get bye-passed access to the internet.

b.  Microsoft PTA DNS Namespaces *.msappproxy.net and *.servicebus.windows.net should be whitelisted in the Proxy if the proxy is configured. if the proxy is not capable to whitelist the URLs, need to whitelist Azure Datacenter IP Ranges 

c.  Microsoft URLs : mscrl.microsoft.com:80crl.microsoft.com:80ocsp.msocsp.com:80, and www.microsoft.com:80 should be whitelisted for the Certificate validations and revocation validations of Microsoft products and applications.

d. Port 443 and Port 80 outbound traffic should be allowed towards Azure AD.. Ideally these ports are genreric ports and there is no block rules by default. if your firewall blocking, it needs to be allowed for the Authentication Agents(Authentication agent is nothing but the server which is configured with Pass-through package).

if the able prerequisites are checked and ready to begin, follow the below steps to configure,

Note: In the below installation steps Seamless Single Sign-on (SSSO) also selected to get the feature suite configured for the best Sign-on Experience for the Corporate Intranet Users. If you donot want this to be configured, you can uncheck SSSO options.

login to Portal.azure.com   –> Azure Active Directory (Azure AD) — Azure AD Connect

by default, it will be in Disabled state.

1

Click on Pass-through Authentication

2

Check the Verify Your Configuration which are mandatory things required to further install

3

As per the note provided by Microsoft, the PTA configuration will impact all managed domains in your tenant. Once validated, click on Download & Install Additional Pass-Through Authentication Connector(s)5

you can find the Windows Installer Package in your download folder or the path you have mentioned to save the file

6Click on Install

7

In the Welcome Page, check I agree option and click on Continue

8

Click on Customize. By default Use Express Settings wherein the PTA is not there with express settings which enable only Directory synchronizations.

9

Select Use an existing Service account and enter the service account or domain account of your On-premises directory and click on Install. you can specify custom sync groups if you need for your domains.

10 11

Now, you can see User sign-in methods which are supported by the Microsoft(URL need to be) for Office 365 and Azure work loads.

Select Pass-through authentication and Enable single sign-on  and click on Next

12You can see the recommendation for the cloud only global administrator requirements. Click on Next

13

Enter Global administrator of the tenant and click on Next

By default, Cloud only Global administrator will get UPN as name@domainname.onmicrosoft.com.

14

Click on Add directory and add the domains and forest to sync

15 16

Click Next once active directory domains selected,

18 19

you can keep User name selection as UserPrincipalName (UPN) and click on Next

if you do not want to use UPN, you can select the other attributes based on your organization for the username for the login process. ideally, UPN is the best one as it is used across for all the applications and services.

20

In the domain and OU Filtering, you can customize the syncing attributes to cloud.

In my case, I have grouped all the users in the single OU and selected that particular OU to avoid the pollution in the Azure Active directory.21

Select the defaults and click on Next,

22

 

Select Synchronize all users and devices and  click on Next 23

uncheck Password Synchronization option as we are going to user PTA for authentication.

24

Enter On-premises Domain administrator credentials to Enable single sign-on and click on Next

25 26 27

Select Start the synchronization process when configuration completes and click on Install to begin the installation. You can select the sync options depends on your requirements,

28 29

configuration has completed successfully. 30

How to validate Pass-through authentication configuration: 

To verify what we installed, click on Azure AD Connect Icon31

Click on Configure32

Select  View current configuration and click on Next

33

IN the review page, you can see what all you have configured in the Azure AD Connect server

34

Now you can see the full Sync got initiated and completed synchronization. Full sync will take time based on your forest / domain size and attributes which are selected to sync to cloud.

35

In the Azure Portal, you can see now both Seamless single sign-on and Pass-through authentications are showing the status Enabled.

36

 

you can validate the Authentication agent status in the agents pane

37

In On-premises directory, you can see a Azure AD computer object got created. it is dummy one for the Pass-through authentication.38

Please check the article for Overview of Azure AD Pass-Through Authentication

Leave a Reply

Your email address will not be published. Required fields are marked *