Change Azure AD Connect sign-in from ADFS to Pass-through authentication

Written by:
Sunday, December 2, 2018 7:06 PM

How does sign-in on a web browser with Seamless SSO work?

Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs users in when they are on corporate desktops that are connected to your corporate network.

[image]
The main steps for this switch are:

1. revert the authentication back from “federated” to “standard” for my domain

2. stop / disable the ADFS service

3. check Azure AD Connect user sign-in configuration (in Azure) / see an example of an alert e-mail

4. update to the latest Azure AD Connect version

5. change user sign-in

6. remove ADFS role

7. configure Group Policy settings

8. check Authentication Agent status and install additional “Authentication Agent”


These steps in detail:


1. revert the authentication back from “federated” to “standard” for my domain

I run these commands on my ADFS server, where all the necessary modules (MSOnline) are installed:

# prompt for Azure AD global administrator credentials and connect to Azure AD
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
# switch the domain from federated to managed (“standard”) authentication
Set-MsolDomainAuthentication -Authentication Managed -DomainName gibel.org

[screenshot]

After that the domain “gibel.org” is of authentication type “Managed”.

When you log on to Office 365 / Azure you now get the “normal” login prompt and are not redirected to the federation server.

[screenshot]


2. stop / disable the ADFS service

You can stop and then disable the adfssrv service with PowerShell or with the Services MMC snap-in.

[screenshot]

At the end the service has the following state:

[screenshot]

If you try to log on to Office 365 / Azure with a federated account (@gibel.org) after you have disabled ADFS but have not reverted the authentication from “Federated” to “Managed”, you will get this 503 error:

[screenshot]
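The 503 error above is what you get when steps 1 and 2 are done in the wrong order. The following script is an added example (not from the original post) that ties the two steps together: it checks the domain's authentication type with the same MSOnline cmdlets, converts it to Managed if necessary, and only then stops and disables adfssrv. It assumes the MSOnline module is installed, that Azure AD is the only relying party on this AD FS farm, and uses the domain name from this post.

```powershell
# Added example: take AD FS offline only after the domain is confirmed "Managed",
# because disabling adfssrv while the domain is still "Federated" breaks sign-in
# with the 503 error shown above.
# Assumptions: MSOnline module installed; Azure AD is the only relying party of
# this AD FS farm (otherwise other applications would also lose sign-in).
Import-Module MSOnline
$domainName = 'gibel.org'   # domain used in this post

# prompts for the Azure AD global administrator credentials
Connect-MsolService -Credential (Get-Credential)

$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Authentication -ne 'Managed') {
    Write-Warning "$domainName is still '$($domain.Authentication)'; converting to Managed first."
    Set-MsolDomainAuthentication -DomainName $domainName -Authentication Managed
    # re-read so the check below uses the actual state, not the intended one
    $domain = Get-MsolDomain -DomainName $domainName
}

if ($domain.Authentication -eq 'Managed') {
    # Sign-ins no longer redirect to the federation server, so AD FS can go.
    $svc = Get-Service -Name adfssrv
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name adfssrv
    }
    Set-Service -Name adfssrv -StartupType Disabled
    # expected end state: Stopped / Disabled (matches the screenshot in step 2)
    Get-Service -Name adfssrv | Select-Object Name, Status, StartType
}
else {
    Write-Error "Domain $domainName is still federated; adfssrv left untouched."
}
```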

 

3. check Azure AD Connect user sign-in configuration (in Azure) / see an example of an alert e-mail

Now all three sign-in types are disabled in the “Azure AD Connect” section:

[screenshot]

I also get warning e-mails that ADFS is not running any more:

[screenshot]

To get rid of these alert messages, open “Azure AD Connect Health”, select the “AD FS services” section and press <Delete> to remove this ADFS health check:

[screenshot]


4. update to the latest Azure AD Connect version

Before the update I had version 1.1.751.0 and will now update to the current version (December 2018), 1.2.68.0.

Download the latest version here: https://www.microsoft.com/en-us/download/details.aspx?id=47594

Execute the downloaded file “AzureADConnect.msi” for an in-place upgrade:

[screenshot]

In the “Connect to Azure AD” step enter your Azure AD global administrator account credentials:

[screenshot]

The configuration / update should finish successfully with the following message:

[screenshot]

At the end, the following version is installed:

[screenshot]


5. change user sign-in

Start Azure AD Connect:

[screenshot]

[screenshot]

Select “Change user sign-in”:

[screenshot]

The next step is the most important one for the switch to “Pass-through authentication” with single sign-on enabled.

Select the “Pass-through authentication” option and enable the single sign-on checkbox:

[screenshots]

Get the list of Active Directory forests on which Seamless SSO has been enabled:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#step-2-get-the-list-of-active-directory-forests-on-which-seamless-sso-has-been-enabled

[screenshot]

Reboot the server where “Azure AD Connect” is installed.


6. remove ADFS role

On the on-premises federation server remove the “Active Directory Federation Services” role:

[screenshot]

[screenshot]


7. configure Group Policy settings

I created a new GPO and linked it at the domain level:

[screenshot]

[screenshot]

All the details for this policy can be found in the following link:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#step-3-roll-out-the-feature
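To confirm the GPO from step 7 actually reached a client, the following added example (not from the original post) runs on a domain-joined workstation and checks the two client-side prerequisites of Seamless SSO: the autologon URL is assigned to the Local intranet zone, and the client can obtain a Kerberos ticket for the SSO service principal. The registry path is the one the “Site to Zone Assignment List” policy writes to (an assumption about where the policy lands; the ZoneMapKey name and the SPN are taken from Microsoft's Seamless SSO documentation).

```powershell
# Added example: client-side verification of the Seamless SSO GPO (step 7).
# Assumptions: run in the user's context on a domain-joined Windows client;
# the "Site to Zone Assignment List" policy stores its entries under ZoneMapKey.
$ssoUrl  = 'https://autologon.microsoftazuread-sso.com'
$ssoSpn  = 'HTTP/autologon.microsoftazuread-sso.com'
$zoneKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$allGood = $true

# make sure the latest user policy has been applied before checking
gpupdate /target:user /force | Out-Null

# 1) zone assignment: value name = URL, data = zone number ("1" = Local intranet)
$zone = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).$ssoUrl
if ([string]$zone -eq '1') {
    "OK    $ssoUrl is in the Local intranet zone"
}
else {
    Write-Warning "$ssoUrl is not in zone 1 (found '$zone'); the GPO has not applied"
    $allGood = $false
}

# 2) Kerberos: the browser will request a ticket for this SPN during sign-in.
#    Requesting it here proves the AZUREADSSOACC account and its SPN are
#    resolvable from this client; the ticket should then appear in the cache.
klist get $ssoSpn | Out-Null
$cached = klist | Select-String -SimpleMatch $ssoSpn
if ($cached) {
    "OK    Kerberos ticket for $ssoSpn is in the cache"
}
else {
    Write-Warning "No Kerberos ticket for $ssoSpn; check domain connectivity and the AZUREADSSOACC account"
    $allGood = $false
}

if ($allGood) { "Client is ready for Seamless SSO" } else { "Client is NOT ready for Seamless SSO" }
```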

 

8. check Authentication Agent status and install additional “Authentication Agent”

[screenshot]

The orange exclamation mark tells you that it is recommended to have additional Authentication Agents:

[screenshot]

When you click on this “Pass-through authentication” link, you see where an “authentication agent” is installed:

[screenshot]

When you press “Download” you get the MSI to install the agent on additional servers; in my environment on a DC:

[screenshot]

After the installation:

[screenshot]

you can see that you have 2 agents.

In detail:

[screenshot]
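The portal screenshots above are the only place the post checks the result of steps 5 and 8. The following added example (not from the original post) is a server-side health check to run on the Azure AD Connect server: it lists the forests on which Seamless SSO is enabled (the same check the troubleshooting link in step 5 describes), inspects the AZUREADSSOACC computer account that holds the Kerberos decryption key, and confirms the Authentication Agent service from step 8 is running locally. It assumes the default Azure AD Connect install path, the RSAT ActiveDirectory module, and the service display name of the Authentication Agent.

```powershell
# Added example: post-switch health check on the Azure AD Connect server.
# Assumptions: default install path; RSAT ActiveDirectory module; the Authentication
# Agent service display name matches '*Azure AD Connect Authentication Agent*'.
$ssoModule = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module $ssoModule
Import-Module ActiveDirectory

# 1) Forests on which Seamless SSO is enabled (prompts for a Global Administrator)
New-AzureADSSOAuthenticationContext
$ssoStatus = Get-AzureADSSOStatus | ConvertFrom-Json
"Seamless SSO status:"
$ssoStatus | Format-List

# 2) AZUREADSSOACC carries the Kerberos decryption key Azure AD uses to validate
#    the client's ticket. Microsoft recommends rolling it over at least every
#    30 days, so flag a stale key and list the SPNs the clients will request.
$ssoAcc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet, ServicePrincipalNames
$keyAgeDays = [int]((Get-Date) - $ssoAcc.PasswordLastSet).TotalDays
"AZUREADSSOACC key age: $keyAgeDays days"
if ($keyAgeDays -gt 30) {
    Write-Warning 'Kerberos decryption key is older than 30 days; roll it over with Update-AzureADSSOForest.'
}
"SPNs on AZUREADSSOACC:"
$ssoAcc.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' }

# 3) Pass-through authentication agent on this server. The portal shows the agent
#    count; this shows whether the local agent service is actually up.
$agent = Get-Service -DisplayName '*Azure AD Connect Authentication Agent*' -ErrorAction SilentlyContinue
if (-not $agent) {
    Write-Warning 'No Authentication Agent service found on this server.'
}
elseif ($agent.Status -ne 'Running') {
    Write-Warning "Authentication Agent service is $($agent.Status); sign-ins will fail over to the other agent."
}
else {
    "Authentication Agent '$($agent.DisplayName)' is running (start type: $($agent.StartType))."
}
```

The agent count itself (the “2 agents” in the screenshot) is only visible in the portal; run this on each server where you installed an agent.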

 

 

Now, with a domain-joined client (with the right GPO applied) and a browser that is capable of Kerberos authentication, your SSO works.

You enter your username, press <Next> and are authenticated without entering a password:

[screenshot]

Overview of web browsers capable of Kerberos authentication:

[screenshot]

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso


Helpful links:

Azure AD Connect: Upgrade from a previous version to the latest

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version#in-place-upgrade

 

Azure AD Connect: Version release history

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

 

Azure Active Directory Seamless Single Sign-On: Quick start

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start