In this article, we will see how to install Azure AD Pass-through Authentication (PTA) together with Seamless Single Sign-on (SSSO).
What is required to configure Pass-through Authentication:
1. One Windows Server machine running Server 2012 R2 or Server 2016. This server becomes an Authentication Agent (an Authentication Agent is simply a server on which the Pass-through Authentication package is installed).
2. Internet connectivity from the server:
a. If your network reaches the internet through a proxy, the agent server should either be given bypass (direct) access to the internet or the proxy must allow the endpoints listed below.
b. The PTA namespaces *.msappproxy.net and *.servicebus.windows.net must be allowed in the proxy. If the proxy cannot allow wildcard names, allow the Azure datacenter IP ranges instead.
c. The Microsoft URLs mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80 and www.microsoft.com:80 must be allowed so that the certificates used by Microsoft products and applications can be validated and checked for revocation.
d. Outbound traffic on ports 443 and 80 towards Azure AD must be allowed. These are generic ports and are usually not blocked by default; if your firewall does block them, allow them for the Authentication Agents. The agent only makes outbound connections, so no inbound ports need to be opened.
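The following is an added example (not part of the original article) of a pre-flight script you can run on the candidate agent server to check the prerequisites above. It assumes an elevated PowerShell session on Server 2012 R2 or later (Test-NetConnection comes from the NetTCPIP module). It probes the four CRL/OCSP hosts from the list above over port 80, and, as an assumption taken from Microsoft's agent documentation rather than from this article, login.microsoftonline.com over port 443. The wildcard namespaces *.msappproxy.net and *.servicebus.windows.net cannot be probed as wildcards, so pass concrete hostnames (from your proxy or agent logs) with -ExtraHosts.

```powershell
# Added example, not from the original article: pre-flight connectivity check
# for a prospective Pass-through Authentication agent server.
function Test-PtaPrerequisites {
    [CmdletBinding()]
    param(
        # Concrete *.msappproxy.net / *.servicebus.windows.net hostnames to probe on 443
        [string[]]$ExtraHosts = @()
    )

    # Show the machine-wide WinHTTP proxy so a mismatch with the bypass rule is visible.
    # The agent honours the system proxy, so a raw TCP test alone can mislead.
    Write-Host '--- WinHTTP proxy configuration ---'
    netsh winhttp show proxy | Write-Host

    # Endpoints named in the prerequisites (port 80 CRL/OCSP hosts) plus Azure AD sign-in
    $targets = @(
        @{ Host = 'mscrl.microsoft.com'; Port = 80 },
        @{ Host = 'crl.microsoft.com';   Port = 80 },
        @{ Host = 'ocsp.msocsp.com';     Port = 80 },
        @{ Host = 'www.microsoft.com';   Port = 80 },
        @{ Host = 'login.microsoftonline.com'; Port = 443 }   # assumption, see lead-in
    )
    foreach ($h in $ExtraHosts) { $targets += @{ Host = $h; Port = 443 } }

    foreach ($t in $targets) {
        # 1. Raw TCP reachability (bypasses the proxy; tells you whether direct egress works)
        $tnc = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue

        # 2. HTTP-level reachability (goes through the system proxy, like the agent does).
        #    Any HTTP status, even 404, proves the path is open; only a transport error is a failure.
        $scheme = if ($t.Port -eq 443) { 'https' } else { 'http' }
        $uri = "{0}://{1}/" -f $scheme, $t.Host
        try {
            $r = Invoke-WebRequest -Uri $uri -Method Head -UseBasicParsing -TimeoutSec 10
            $http = "HTTP $($r.StatusCode)"
        } catch {
            $resp = $_.Exception.Response
            $http = if ($resp) { "HTTP $([int]$resp.StatusCode)" } else { "FAIL: $($_.Exception.Message)" }
        }

        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            Resolved  = [bool]$tnc.RemoteAddress
            TcpOpen   = [bool]$tnc.TcpTestSucceeded
            ViaProxy  = $http
            Ready     = ($http -like 'HTTP *')
        }
    }
}

# Usage: replace the example hostname with one your proxy logs show the agent using.
Test-PtaPrerequisites -ExtraHosts @('example-tenant.msappproxy.net') | Format-Table -AutoSize
```

A row with TcpOpen = False but ViaProxy = HTTP 200 means direct egress is blocked and the proxy is doing the work, which is acceptable as long as the proxy rule covers the wildcard namespaces; a row where Ready is False on any of the CRL hosts is the usual cause of the agent failing to register.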
If the above prerequisites are checked and you are ready to begin, follow the steps below to configure PTA.
Note: In the installation steps below, Seamless Single Sign-on (SSSO) is also selected so that the full feature set is configured for the best sign-on experience for corporate intranet users. If you do not want SSSO configured, you can uncheck the SSSO option.
Log in to Portal.azure.com > Azure Active Directory (Azure AD) > Azure AD Connect.
By default, Pass-through authentication is shown in the Disabled state.
Click on Pass-through Authentication.
Check the Verify Your Configuration section, which lists the mandatory requirements for the installation.
As noted by Microsoft, the PTA configuration will affect all managed domains in your tenant (federated domains are not changed). Once validated, click on Download & Install Additional Pass-Through Authentication Connector(s).
You will find the Windows Installer package in your Downloads folder or in the path you chose when saving the file.
On the Welcome page, check the I agree option and click Continue.
Click on Customize. Use Express Settings only configures directory synchronization (with password hash synchronization as the sign-in method) and does not offer Pass-through Authentication, so the customized installation is required.
Select Use an existing service account and enter a service account (a domain account from your on-premises directory), then click Install. You can also specify custom sync groups for your domains if required.
The User sign-in page now lists the sign-in methods Microsoft supports for Office 365 and Azure workloads.
Select Pass-through authentication and Enable single sign-on, then click Next.
Enter the credentials of a Global Administrator of the tenant and click Next.
Use a cloud-only Global Administrator account here; by default its UPN takes the form firstname.lastname@example.org. A cloud-only account does not depend on the on-premises agents, so it is also the account you fall back to if PTA ever becomes unavailable.
Click on Add Directory and add the forests and domains to sync.
Click Next once the Active Directory domains are selected.
You can keep the user name selection as UserPrincipalName (UPN) and click Next.
If you do not want to use the UPN, you can select another attribute as the login user name to suit your organization. Ideally, the UPN is the best choice, as it is used consistently across all applications and services.
In Domain and OU filtering, you can restrict which domains and OUs are synced to the cloud.
Select the defaults and click Next.
Uncheck the Password Synchronization option, as we are going to use PTA for authentication. Note that Microsoft recommends leaving password hash synchronization enabled alongside PTA as a backup sign-in method in case the authentication agents become unavailable; if you uncheck it, make sure the cloud-only Global Administrator account mentioned above exists for emergency access.
Enter on-premises Domain Administrator credentials to enable Seamless single sign-on and click Next. These credentials are used only during setup to create the AZUREADSSOACC computer account in your on-premises AD (the account that represents Azure AD to Kerberos) and are not stored. Microsoft recommends rolling over that account's Kerberos decryption key at least every 30 days.
Select Start the synchronization process when configuration completes and click Install to begin the installation. You can choose the sync options according to your requirements.
How to validate the Pass-through authentication configuration:
Launch Azure AD Connect again, select View current configuration and click Next.
On the review page, you can see everything you have configured on the Azure AD Connect server.
You can now see that the initial full sync was started and has completed. A full sync takes time depending on the size of your forest/domain and the attributes selected for sync to the cloud.
In the Azure portal, both Seamless single sign-on and Pass-through authentication now show the status Enabled.
You can validate the Authentication Agent status in the agents pane.
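The following is an added example (not part of the original article) of a validation script for the server side of what the portal shows above. It assumes it is run in an elevated PowerShell session on the Azure AD Connect server that also hosts the agent, that the agent's Windows service is named AzureADConnectAuthenticationAgent (an assumption about the installer), that the ADSync module shipped with Azure AD Connect is present, and that the RSAT ActiveDirectory module is installed for the AZUREADSSOACC check.

```powershell
# Added example, not from the original article: post-install validation of a
# Pass-through Authentication + Seamless SSO deployment, run on the agent server.
function Test-PtaDeployment {
    [CmdletBinding()]
    param(
        # Age of the Seamless SSO Kerberos decryption key above which a rollover is due
        # (Microsoft's guidance is to roll it over at least every 30 days)
        [int]$MaxSsoKeyAgeDays = 30,
        # Assumed service name of the Pass-through Authentication agent
        [string]$AgentServiceName = 'AzureADConnectAuthenticationAgent'
    )
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Is the authentication agent installed and running?
    $svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    $results.Add([pscustomobject]@{
        Check  = 'PTA agent service'
        Status = $svcStatus
        Ok     = ($null -ne $svc -and $svc.Status -eq 'Running')
    })

    # 2. Is the Azure AD Connect sync scheduler enabled, and is a cycle in progress?
    Import-Module ADSync -ErrorAction Stop
    $sched = Get-ADSyncScheduler
    $results.Add([pscustomobject]@{
        Check  = 'Sync scheduler'
        Status = "Enabled=$($sched.SyncCycleEnabled); NextCycle(UTC)=$($sched.NextSyncCycleStartTimeInUTC)"
        Ok     = [bool]$sched.SyncCycleEnabled
    })
    $running = @(Get-ADSyncConnectorRunStatus)
    $results.Add([pscustomobject]@{
        Check  = 'Connector run status'
        Status = if ($running.Count -eq 0) { 'Idle (no connector running)' } else { ($running.ConnectorName -join ', ') + ' running' }
        Ok     = $true   # informational: idle after the full sync is the expected state
    })

    # 3. Does the Seamless SSO computer account exist, and is its Kerberos key fresh?
    Import-Module ActiveDirectory -ErrorAction Stop
    $sso = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet -ErrorAction SilentlyContinue
    if ($sso) {
        $keyAgeDays = [int]((Get-Date) - $sso.PasswordLastSet).TotalDays
        $results.Add([pscustomobject]@{
            Check  = 'Seamless SSO computer account'
            Status = "AZUREADSSOACC present; Kerberos key age $keyAgeDays days"
            Ok     = ($keyAgeDays -le $MaxSsoKeyAgeDays)
        })
    } else {
        $results.Add([pscustomobject]@{
            Check  = 'Seamless SSO computer account'
            Status = 'AZUREADSSOACC not found in AD'
            Ok     = $false
        })
    }

    return $results
}

Test-PtaDeployment | Format-Table -AutoSize
```

The third check is the one the portal does not surface: the agent and SSO can both show Enabled while the AZUREADSSOACC key is months old. When that row reports Ok = False, roll the key over with the Seamless SSO PowerShell module that ships with Azure AD Connect and re-run the script.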