Pass-Through Authentication (PTA) is a sign-in method for Azure AD tenants: users sign in to cloud applications such as Exchange Online (EXO), Skype for Business Online and any other application integrated with Azure AD, while their passwords are validated directly against your on-premises Active Directory.
Combined with Seamless Single Sign-On (SSSO), it gives users a better login experience. It is an alternative to Azure AD Password Hash Synchronization.
How does Pass-through Authentication (PTA) work?
When a user signs in, the request goes to Azure AD, which encrypts the password with the public key of one of the on-premises Authentication Agents and places the request on a queue. An Authentication Agent retrieves the request over its persistent outbound connection, decrypts the password with its private key (which never leaves the agent) and validates the username and password against the on-premises Windows Active Directory. Active Directory returns the result (success, wrong password, account locked, password expired and so on) to the agent, which forwards it to Azure AD. Only if validation succeeded does Azure AD go on to evaluate any other policies, such as Conditional Access and MFA, and issue the token that grants access to the requested application. The plaintext password is visible only inside the agent; it is never stored in the cloud.
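The exchange above, modelled as an added example that is not Microsoft's code and not from the original article. The "Azure AD" and "agent" halves are PowerShell functions in one process; the account table and the validation stub are constructed stand-ins for on-premises AD (a real agent validates through Windows logon APIs and only reports the outcome back). What it shows is the property the text relies on: the password is sealed to the agent's public key, so the cloud side never holds it or a hash of it.

```powershell
# Added model of the PTA request path (not the article's or Microsoft's code).
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# --- Agent side: key pair generated on the agent host; only the public half is registered with Azure AD.
$agentPrivateKey = [System.Security.Cryptography.RSACng]::new(2048)
$agentPublicKey  = [System.Security.Cryptography.RSACng]::new()
$agentPublicKey.ImportParameters($agentPrivateKey.ExportParameters($false))

# Constructed stand-in for the on-premises directory (a model only; never store passwords like this).
$onPremAccounts = @{
    'alice@contoso.example' = @{ Password = 'Correct-Horse-9'; LockedOut = $false; MustChangePassword = $false }
    'bob@contoso.example'   = @{ Password = 'Hunter2!';        LockedOut = $true;  MustChangePassword = $false }
    'carol@contoso.example' = @{ Password = 'Old-Pass-1';      LockedOut = $false; MustChangePassword = $true  }
}

function Invoke-AgentValidation {
    # Runs on the agent after it pulls a request from Azure AD over its outbound channel.
    param([hashtable]$Request)
    $plain = [Text.Encoding]::UTF8.GetString($agentPrivateKey.Decrypt($Request.SealedPassword, $Oaep))
    $acct  = $onPremAccounts[$Request.Upn]
    if (-not $acct)                 { return 'UserNotFound' }
    if ($acct.LockedOut)            { return 'AccountLocked' }
    if ($acct.Password -cne $plain) { return 'InvalidPassword' }   # -cne: case-sensitive compare
    if ($acct.MustChangePassword)   { return 'PasswordExpired' }
    return 'Success'
}

# --- Azure AD side
function Invoke-CloudSignIn {
    param([string]$Upn, [string]$Password)
    # The cloud never keeps the password or a hash of it: it is sealed to the agent key and queued.
    $sealed  = $agentPublicKey.Encrypt([Text.Encoding]::UTF8.GetBytes($Password), $Oaep)
    $request = @{ Upn = $Upn; SealedPassword = $sealed }
    $outcome = Invoke-AgentValidation $request
    # Only on Success would Azure AD continue with Conditional Access / MFA and issue a token.
    [pscustomobject]@{ Upn = $Upn; AgentResult = $outcome; TokenIssued = ($outcome -eq 'Success') }
}

Invoke-CloudSignIn 'alice@contoso.example' 'Correct-Horse-9'   # Success, token issued
Invoke-CloudSignIn 'alice@contoso.example' 'correct-horse-9'   # InvalidPassword (case matters)
Invoke-CloudSignIn 'bob@contoso.example'   'Hunter2!'          # AccountLocked
Invoke-CloudSignIn 'carol@contoso.example' 'Old-Pass-1'        # PasswordExpired
Invoke-CloudSignIn 'dave@contoso.example'  'anything'          # UserNotFound
```

The ordering of the checks in the stub is a modelling choice; what matters for the design is that a compromise of the transport or of the cloud queue yields only ciphertext that is useless without the agent's private key, which is why the agent host itself is the asset to protect.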
Benefits of Pass-through Authentication (PTA):
1. Users get a better sign-in experience.
When users are on the corporate network and the tenant is configured with Seamless Single Sign-On (SSSO), they do not need to enter their passwords at all when signing in from a browser. For more details, refer to the article Azure Active Directory Seamless Single Sign-on: Technical deep dive.
2. Can be installed on the backbone network
There is no need to install the agents in the DMZ for external users to authenticate: Azure AD never opens a connection to the agent, and the password in each request is encrypted for the agent, so no inbound ports are required. Only outbound TCP ports 443 (all authenticated traffic to Azure AD) and 80 (certificate revocation list downloads) are needed.
3. Can be deployed quickly and is easy to maintain:
Azure AD Connect installs the first Pass-through Authentication Agent in less than five minutes and the agent activates immediately; additional agents use a standalone installer. All agents are updated automatically, so there is no need to keep checking versions and updates.
4. Can be configured for high availability
You can install the Authentication Agent package on multiple servers and they operate as a high-availability set: if one server goes down, the remaining agents continue to handle authentication. Microsoft recommends running at least three agents.
5. No public certificates are required
Since the agents are installed on the backbone, there is no need to buy third-party certificates and no dedicated hardware is required: the agent can be installed on a simple VM and activated.
6. Passwords are not stored in the cloud in any form. Since the agents only make outbound connections to Azure AD, there is no need to install them in the perimeter network (DMZ).
7. Works with Azure AD Conditional Access policies and Multi-Factor Authentication (MFA), and filters out brute-force password attacks (Smart Lockout) before they reach the on-premises directory.
8. Users can change or reset their passwords with the cloud self-service password management features (this requires password writeback to be enabled), so they do not need to contact the IT help desk for password resets.
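A pre-flight check for an agent host, as an added example (not the article's or Microsoft's code). It verifies the outbound-only connectivity the benefits above depend on, the TLS 1.2 enforcement for .NET that the agent requires, and, once the agent is installed, that the agent and its auto-updater are running. The host names are the public Azure AD endpoints; the service display names are assumed from the installer and should be confirmed on your own host, and the specific CRL host used for the port 80 test is my choice.

```powershell
# Added pre-flight check for a Pass-through Authentication Agent host (not Microsoft's code).
function Test-PtaAgentHost {
    [CmdletBinding()]
    param()

    $results = [ordered]@{}

    # 1. Outbound reachability. Port 443 carries all authenticated agent traffic;
    #    port 80 is only used to download certificate revocation lists.
    $endpoints = @(
        @{ Host = 'login.microsoftonline.com'; Port = 443 },
        @{ Host = 'login.windows.net';         Port = 443 },
        @{ Host = 'crl3.digicert.com';         Port = 80  }   # assumed CRL host for the port 80 test
    )
    foreach ($e in $endpoints) {
        $ok = (Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue).TcpTestSucceeded
        $results["Outbound $($e.Host):$($e.Port)"] = [bool]$ok
    }

    # 2. TLS 1.2 for .NET Framework applications (64-bit and 32-bit registry views).
    $tlsKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($k in $tlsKeys) {
        $v = (Get-ItemProperty -Path $k -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        $results["SchUseStrongCrypto=1 in $k"] = ($v -eq 1)
    }

    # 3. Agent and updater services (assumed display names; present only after installation).
    $serviceNames = 'Microsoft Azure AD Connect Authentication Agent',
                    'Microsoft Azure AD Connect Agent Updater'
    foreach ($name in $serviceNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        $results["Service running: $name"] = ($null -ne $svc -and $svc.Status -eq 'Running')
    }

    [pscustomobject]$results
}

# Any $false row is something to fix before relying on this agent for sign-ins.
Test-PtaAgentHost | Format-List
```

Run it on every agent server, not just the first: a high-availability set is only as good as its least reachable member, and the updater service is what keeps the agents on a supported version without manual checks.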
How does Seamless Single Sign-On work?
Seamless SSO is enabled using Azure AD Connect. While enabling the feature, the following steps occur:
- A computer account named AZUREADSSOACC (which represents Azure AD) is created in your on-premises Active Directory (AD).
- The computer account's Kerberos decryption key is shared securely with Azure AD.
- In addition, two Kerberos service principal names (SPNs) are created to represent the two URLs that are used during Azure AD sign-in.
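A check of the on-premises artefacts that enabling Seamless SSO leaves behind, as an added example (not from the article or from Microsoft), to run on a domain-joined host with the ActiveDirectory RSAT module. AZUREADSSOACC is the account name given above; its Kerberos decryption key is the account's password, so pwdLastSet records the last key rollover, and 30 days is Microsoft's recommended rollover interval. The output shape and the threshold parameter are my choices.

```powershell
# Added check of the AZUREADSSOACC computer account (not the article's or Microsoft's code).
Import-Module ActiveDirectory

function Test-SeamlessSsoAccount {
    [CmdletBinding()]
    param(
        [string]$AccountName   = 'AZUREADSSOACC',
        [int]   $MaxKeyAgeDays = 30      # Microsoft's recommended Kerberos key rollover interval
    )

    # -Filter returns $null instead of throwing when the account does not exist.
    $acct = Get-ADComputer -Filter "Name -eq '$AccountName'" `
        -Properties servicePrincipalName, pwdLastSet, Enabled

    if (-not $acct) {
        return [pscustomobject]@{
            Found = $false
            Note  = "No computer account named $AccountName; Seamless SSO is not enabled in this forest"
        }
    }

    # pwdLastSet is a Windows FILETIME; it marks the last time the Kerberos decryption key changed.
    $keySet = [DateTime]::FromFileTimeUtc([int64]$acct.pwdLastSet)
    $keyAge = (Get-Date).ToUniversalTime() - $keySet
    $spns   = @($acct.servicePrincipalName)

    [pscustomobject]@{
        Found             = $true
        Enabled           = $acct.Enabled
        KeyLastRolled     = $keySet
        KeyAgeDays        = [math]::Round($keyAge.TotalDays, 1)
        KeyRolloverDue    = ($keyAge.TotalDays -gt $MaxKeyAgeDays)
        SpnCount          = $spns.Count       # two SPNs are expected, one per sign-in URL
        ServicePrincipals = $spns
    }
}

Test-SeamlessSsoAccount | Format-List
```

Treat a KeyRolloverDue of $true as an action item, and treat the account itself like a domain controller account: whoever can read or reset its password holds the key that Azure AD trusts for SSO, so restrict and audit access to it and keep the rollover regular so that an exposed key has a short useful life.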
How to enable SSSO for users?
To roll out the feature to your users, you need to add the following Azure AD URLs to the users' Intranet zone settings by using Group Policy in Active Directory:
For more details on rolling out SSSO, please refer to the article
What happens when SSSO fails?
Seamless SSO is opportunistic: if it fails, the sign-in experience falls back to its regular behaviour, which means the user needs to enter their password to sign in.
Pass-Through Authentication (PTA) Limitations:
Azure AD PTA is a free feature: it does not require any paid Azure AD edition and is available to all tenants. Currently it is not supported for Microsoft Azure Germany Cloud and Azure Government Cloud tenants.